A security administrator has been tasked with improving an organization’s security stance. The administrator has collected and processed data and used the information to establish a hypothesis. What process is the administrator performing?
Threat hunting is a complex and often expensive process, and for most organizations, it requires the use of outside security professionals
Threat Hunting
Threat hunting is used to identify man-made or natural events that could adversely impact an organization | Threat hunting aims to identify threats that are not easily recognizable or are difficult to detect using common security or risk analysis tools | Once threats to an org are identified, the organization’s vulnerability to those threats can be evaluated and modeled.
What is Threat modeling?
Threat modeling the process of identifying and evaluating threats | This is an important part of risk analysis
What is the primary benefit of TPM technology?
The primary benefit of TPM is that it facilitates whole disk encryption
What is the role of continuous integration in streamlining the software development process?
To roll validated changes back into the main branch more quickly
What information should be used when determining how best to prioritize response actions to identified vulnerabilities?
- Include compliance and regulatory requirements
- Use CVSS ratings provided by vulnerability scans
Being out of compliance could lead to legal liabilities, which could result in fines and other actions
What technology can an administrator use to mitigate the risk of sensitive data being vulnerable to sniffing?
The administrator can use IPsec to mitigate the risk of a sniffing attack
Other protocols such as IPsec encrypt all data between two nodes, regardless of the application being used
How is bus encryption used in PCs?
One use of bus encryption in PCs is to help enforce digital rights management (DRM), which are access control techniques that are used to protect copyrighted materials and proprietary hardware.
Bus encryption uses encrypted program instructions on a computer data bus | Bus encryption is used on PCs that are running Microsoft OS(s) to help protect certificates, passwords, and program authenticity | Bus encryption is also used in electronic systems that need high security, such as ATMs
Notes on PowerShell
PowerShell is a shell, or CLI, and scripting language that can be run on Windows, Linux, and MacOS operating systems.
Unlike most shells, PowerShell can ingest, process, and return objects that are structured data
What is Email Harvesting?
Email harvesting the process of using different means to collect email addresses
The addresses can then be used to launch a phishing attack, which is a deceptive communication attack that is used to steal personal information or login credentials
What is the most appropriate vulnerability scanner solution that must include computers deployed in the company’s DMZ, support remote offices with limited bandwidth connections, as well as meet vulnerability management requirements?
Agent-based scans
An agent-based solution proves the best support when scans must include remote locations with limited bandwidth connections and computers deployed in the DMZ | Agent-based scans are also best suited to providing threat management and continuous scans | Agent-based solutions rely on an agent installed on the scanned devices and they are based on pull technology
What are some indicators of data exfiltration?
- Intermittent spontaneous restarts
- Increased internal traffic with network servers outside of normal business hours
- Increased outgoing traffic with an unfamiliar internet location outside of business hours
Data exfiltration refers to the unauthorized movement of data to an external recipient or destination | Spontaneous restarts are not directly related to data exfiltration but could be an indicator of the malware orchestrating the data exfiltration or a symptom of overloading the host’s resources
What is Fingerprinting?
Fingerprinting the process of scanning networks and hosts in order to identify node OS(s), running services, and active security mechanisms
What are two technologies or methods that an org can use to passively monitor all inbound and outbound network traffic?
- Network tap: a method of mirroring network traffic to a monitoring device
- Port mirror: a feature offered by network switches, firewalls, and other devices that copies all traffic from a source port to a destination port
What is Fuzzing (Fuzz testing)?
Fuzzing is used to test software, OS(s) and networks to find and report vulnerabilities | Fuzzing is not effective in identifying other types of vulnerabilities that DO NOT result in system crashes from data input
Fuzzing a type of dynamic analysis that is used to look for coding errors or security vulnerabilities by inputting random data
Fuzzing works by flooding the test subject with massive amounts of data in an attempt to make the program crash | Result reporting provides information about vulnerabilities that can be exploited through:
- XSS
- DoS
- SQL injection
- Buffer overflow
What should cybersecurity team use to help them determine the criticality of an incident?
The team should use the Maximum Tolerable Downtime (MTD), which is also known as Maximum Allowable Downtime (MAD) to help them determine criticality
MTD refers to the maximum amount of time an organization can tolerate the loss of a resource
What are the typical criticality ratings?
- Non-esential should be restored within 30 days
- Normal should be restored within 7 days
- Important should be restored within 72 hours
- Urgent should be restored within 24 hours
- Critical should be restored within minutes or hours, but less than 24 hours
Explain the difference between patch management vs configuration management
- Patch management - is used to check the patch status of target devices, deploy missing patches, and track and report patching stats. It checks for and automatically installs critical firmware updates on network devices, systems, and servers
- Configuration management - is used to ensure a secure baseline configuration on a system and to detect and report configuration changes
What does attack surface mean?
Attack surface the ways in which your network can be exploited by attackers, and it is often defined as the sum of your network’s vulnerabilities
Reducing your network’s vulnerabilities helps to reduce its attack surface
What are some types of static code analysis?
- Hoare Logic
- Data Flow Analysis
- Symbolic Execution
Remember: Static analysis is the process of examining the program code without executing it
What is the difference between netstat and nmap?
- netstat - used to capture and display network connections and communication statistics | cannot be used to capture & read network packets
- nmap - used to collect information about a network and network hosts | no option for capturing individual packets
Which command should be used to capture network packets and write them to a text file?
tcpdump command should be used to capture network packets and write them to a text file
tcpdump command can also be used to print packet contents and to read packets from a saved packet file
What is a lightweight data interchange format that has become a popular alternative to XML due to its simplicity and flexibility?
JavaScript Object Notation (JSON)
Which programming language is commonly used for vulnerability scanning, malware analysis, network scanning and reconnaissance, web application penetration testing, and data analysis in cybersecurity?
Python
-
Linux Material for CySA+152
-
Windows Material for CySA+92
-
Practice Test Notes23
-
Managing Risk, Cryptography & PKI40
-
OS Process Management13
-
Threat Actor Concepts & Active Threats50
-
Threat Intelligence Information31
-
Managing Network Settings26
-
Authentication & Authorization39
-
Security & Network Monitoring19
-
Data Security Standards & Data Privacy25
-
Compliance Requirements & Vulnerability Scanning21
-
Firewalls & Intrusion Detection26
-
Vulnerability & Penetration Testing42
-
Business Continuity Planning25
-
Digital Forensics35
-
Malware Threats32
-
Hardening Techniques47
-
Vulnerability Assessment Tools & Analyzing Web Vulnerabilities29
