CCNA CyberOps SECOPS (210-255) Cert Practice Exam Online

Hint

By using NTFS, Alternate Data Streams (ADSs) can be connected to a file as an attribute called $DATA. The command dir /r can be used to see if a file contains ADS data.

Hint

The swap file system is used by Linux when it runs out of physical memory. When needed, the kernel moves inactive RAM content to the swap partition on the hard disk. Storing and retrieving content in the swap partition is much slower than RAM is, and therefore using the swap partition should not be considered the best solution to improving system performance.

Hint

The Layer 4 header in a TCP segment is the TCP header, which is 20 bytes in length. This adds 20 bytes of overhead to the data from the application layer in the composition of a TCP segment.

Hint

The UPD header has four fields. Three of these fields are in common with the TCP header. These three fields are the source port, destination port, and checksum.

Hint

The combination of the source IP address and source port number, or the destination IP address and destination port number, is known as a socket. A socket is shown as the IP address and associated port number with a colon in between the two (IP_address:port_number).

Hint

Optional Layer 3 information about fragmentation, security, and mobility is carried inside of extension headers in an IPv6 packet. The next header field of the IPv6 header acts as a pointer to these optional extension headers if they are present.

Hint

Unlike IPv4, IPv6 routers do not perform fragmentation. Therefore, all three fields supporting fragmentation in the IPv4 header are removed and have no equivalent in the IPv6 header. These three fields are fragment offset, flag, and identification. IPv6 does support host packet fragmentation through the use of extension headers, which are not part of the IPv6 header.

Hint

Cisco AMP uses threat intelligence along with known file signatures to identify and block policy-violating file types and exploitations.

Hint

A network profile should include some important elements, such as the following:

• Total throughput – the amount of data passing from a given source to a given destination in a given period of time
• Session duration – the time between the establishment of a data flow and its termination
• Ports used – a list of TCP or UDP processes that are available to accept data
• Critical asset address space – the IP addresses or the logical location of essential systems or data

Hint

A network profile should include some important elements, such as the following:

• Total throughput – the amount of data passing from a given source to a given destination in a given period of time
• Session duration – the time between the establishment of a data flow and its termination
• Ports used – a list of TCP or UDP processes that are available to accept data
• Critical asset address space – the IP addresses or the logical location of essential systems or data

Hint

A server profile will often contain the following:

• Listening ports – the TCP and UDP daemons and ports that are allowed to be open on the server
• User accounts – the parameters defining user access and behavior
• Service accounts – the definitions of the type of service that an application is allowed to run on a server
• Software environment – the tasks, processes, and applications that are permitted to run on the server

Hint

A server profile should contain some important elements including these:

• Listening ports – the TCP and UDP daemons and ports that are allowed to be open on the server
• User accounts – the parameters defining user access and behavior
• Service accounts – the definitions of the type of service that an application is allowed to run on a server
• Software environment – the tasks, processes, and applications that are permitted to run on the server

Hint

The Common Vulnerability Scoring System (CVSS) is a vendor-neutral, industry standard, open framework for weighing the risks of a vulnerability using a variety of metrics. CVSS uses three groups of metrics to assess vulnerability, the Base Metric Group, Temporal Metric Group, and Environmental Metric Group. The Base Metric Group has two classes of metrics (exploitability and impact). The impact metrics are rooted in the following areas: confidentiality, integrity, and availability.

Hint

The attack vector is one of several metrics defined in the Common Vulnerability Scoring System (CVSS) Base Metric Group Exploitability metrics. The attack vector is how close the threat actor is to the vulnerable component. The farther away the threat actor is to the component, the higher the severity because threat actors close to the network are easier to detect and mitigate.

Hint

The CVSS Base Metric Group has the following metrics: attack vector, attack complexity, privileges required, user interaction, and scope. The user interaction metric expresses the presence or absence of the requirement for user interaction in order for an exploit to be successful.

Hint

The card verification value (CVV), or card verification code (CVC), or card security code (CSC) is a security feature of a credit card, usually 3 or 4 digits printed on the back of the card.

Hint

General security monitoring can identify when a malware attachment enters a network and which host is first infected. Retrospective analysis takes the next step and is the tracking of the behavior of the malware from that point forward.

Hint

The components of a 5-tuple include a source IP address and port number, destination IP address and port number, and the protocol in use.

Hint

Traditional firewalls commonly provide security event logs based on the 5-tuples of source IP address and port number, destination IP address and port number, and the protocol in use.

Hint

SIEM combines SEM and SIM tools to provide some useful functions, one of which is data normalization. Data normalization is the process of mapping log messages from different systems into a common data model in order to analyze related security events, even if they are initially logged in different source formats.

Hint

An IPS is an in-line security device that can analyze data as a normalized stream to reduce or eliminate the possibility of security evasions.

Hint

Security information and event management (SIEM) systems receive data from IPS devices, firewalls, NetFlow devices, servers, endpoints, and syslog infrastructure devices.

Hint

The output shown is from a web proxy.

Hint

The data flow recorded is ICMP traffic, indicated by the number 1 for IP PROTOCOL. Because ICMP is a Layer 3 protocol and has no need for a Layer 4 protocol such as TCP or UDP, the port numbers show a 0 within the NetFlow output.

Hint

The data flow shown is captured UDP traffic of a DNS response, indicated by the number 17 in the IP PROTOCOL output.

Hint

Some people may use the common word of “hacker” to describe a threat actor. A threat actor is an entity that is involved with an incident that impacts or has the potential to impact an organization in such a way that it is considered a security risk or threat.

Hint

A true positive occurs when an IDS and IPS signature is correctly fired and an alarm is generated when offending traffic is detected.

Hint

Deterministic analysis uses predefined conditions to analyze applications that conform to specification standards, such as performing a port-based analysis.

Hint

Probabilistic methods use powerful tools to create a probabilistic answer as a result of analyzing applications.

Hint

When data is converted into a universal format, it can be effectively structured for performing fast queries and event analysis.

Hint

The expression ^83 indicates any string that begins with 83 will be matched.

Hint

The Linux file command can be used to determine a file type, such as whether it is executable, ASCII text, or zip.

Hint

Indirect evidence cannot prove a fact on its own, but direct evidence can. Corroborative evidence is supporting information. Best evidence is most reliable because it is something concrete such as a signed contract.

Hint

A normal file copy does not recover all data on a storage device so an unaltered disk image is commonly made. An unaltered disk image preserves the original evidence, thus preventing inadvertent alteration during the discovery phase. It also allows recreation of the original evidence.

Hint

Hex encodes binary data in hexidecimal string format. Base64 encodes binary data in an ASCII string format. In this case, the characters are 0-9 and a-f, typical hexidecimal numbers.

Hint

The Cyber Kill Chain specifies seven steps (or phases) and sequences that a threat actor must complete to accomplish an attack:

• Reconnaissance – The threat actor performs research, gathers intelligence, and selects targets.
• Weaponization – The threat actor uses the information from the reconnaissance phase to develop a weapon against specific targeted systems.
• Delivery – The weapon is transmitted to the target using a delivery vector.
• Exploitation – The threat actor uses the weapon delivered to break the vulnerability and gain control of the target.
• Installation – The threat actor establishes a back door into the system to allow for continued access to the target.
• Command and Control (CnC) – The threat actor establishes command and control (CnC) with the target system.
• Action on Objectives – The threat actor is able to take action on the target system, thus achieving the original objective.

Hint

Once a target system is compromised, the threat actor will establish a back door into the system to allow for continued access to the target. Adding services and autorun keys is a way to create a point of persistent access.

Hint

To prepare for launching a DDoS attack, a threat actor will compromise many hosts on the Internet, called zombies. The threat actor will then install attack software on zombies and establish a two-way communications channel to CnC infrastructure with zombies. The threat actor will issue the command to zombies through the CnC to launch a DDoS attack against a target system.

Hint

In the top-level element incident description of the VERIS schema, VERIS uses the A4 threat model that was developed by the RISK team at Verizon to describe an incident completely.

Hint

In the VERIS schema, risk is defined as the intersection of four landscapes of threat, asset, impact, and control. Information from each landscape helps to understand the level of risk to the organization.

Hint

Vocabulary for Event Recording and Incident Sharing (VERIS) was created to provide a common language for describing security incidents. VERIS addresses the problems of dealing with different security tools and the tendency of humans to refer to incidents and events inconsistently.

Hint

The VERIS Community Database (VCDB) is an open and free collection of publicly-reported security incidents in VERIS format. The VCDB is in a universal format that allows for manipulation and transformation.

Hint

There are many different types of computer security incident response teams (CSIRTs) and related information security organizations. Analysis centers use data from many sources to determine security incident trends that can help predict future incidents and provide early warning.

Hint

There are many different types of computer security incident response teams (CSIRTs) and related information security organizations. Vendor CSIRT teams provide remediation for vulnerabilities in the software or hardware of an organization and often handle customer reports concerning security vulnerabilities.

Hint

According to the guideline defined in the NIST Incident Response Life Cycle, several actions should be taken during the preparation phase including (1) creating and training the CSIRT and (2) acquiring and deploying the tools needed by the team to investigate incidents.

Hint

There are two categories for the signs of an incident:

• Precursor – a sign that an incident might occur in the future
• Indicator – a sign that an incident might already have occurred or is currently occurring

Hint

As an incident category, the precursor is a sign that an incident might occur in the future. Examples of precursors are log entries that show a response to a port scan or a newly-discovered vulnerability in web servers using Apache.

Hint

The following actions can help identify an attacking host during a security incident:Use incident databases to research related activity.
Validate the IP address of the threat actor to determine if it is a viable one.
Use an Internet search engine to gain additional information about the attack.
Monitor the communication channels that some threat actors use, such as IRC.

Hint

The policy element of the NIST incident response plan details how incidents should be handled based on the mission and function of the organization.

Hint

NIST recommends creating policies, plans, and procedures for establishing and maintaining a CSIRC. One component of the plan element is to develop metrics for measuring the incident response capability and its effectiveness.

Hint

The management team creates the policies, designs the budget, and is in charge of staffing all departments. Management is also responsible for coordinating the incident response with other stakeholders and minimizing the damage of an incident.

Hint

IT support best understands the technology used in the organization and can perform the correct actions to minimize the effectiveness of the attack and preserve evidence.

Hint

The human resources department may be called upon to perform disciplinary measures if an incident is caused by an employee.

Hint

To recover infected user workstations, use clean and recent backups or rebuild the PCs with installation media if no backups are available or they have been compromised. Also, fully update and patch the operating system and installed software of all hosts. All users are encouraged to change their passwords for the workstation or workstations they use. Rebuilding DHCP servers is needed only if they are affected by the incident.Also not all devices need to change the name and password configuration setting unless they are affected by the incident.

Hint

In the detection and analysis phase of the NIST incident response process life cycle, the CSIRT should immediately perform an initial analysis to determine the scope of the incident, such as which networks, systems, or applications are affected; who or what originated the incident; and how the incident is occurring.