CIT Full Study Guide latest 2022

Document Content and Description Below

Antivirus/Antimalware - ANSWER comparing file signatures against a database of known malicious files The Three types of Data Loss Prevention (DLP): - ANSWER Token-based, Regular expression-based, U... ser custom signature-based Application Control/Allow Listing - ANSWER provides the ability to map a list of applications on an endpoint and control their use. Host-Based Intrusion Prevention/Detection System (HIPS/HIDS) - ANSWER Holds a database of system objects and their attributes. The system creates checksums—usually MD5, SHA1, or better—of the objects and stores them in a secure database to be later reviewed for the purposes of detecting or preventing changes made by an unknown, possibly malicious, entity. Token-based - ANSWER Uses fixed keywords/hashes for detection of malicious well-known attacks. Regular expression-based - ANSWER Uses different generic patterns to characterize well-known attacks such as WannaCry, a malicious attack targeting Windows Server Message Block (SMB) vulnerabilities. User custom signature-based - ANSWER Uses specific signatures related to the customer's needs. Communications Encryption - ANSWER The ability to establish a VPN over IPsec or other encrypted method of communication with every party looking to connect to the organizational network, whether from another branch of the organization or from an end-user device. Email & Phishing Protection - ANSWER Another necessary form of protecting communications is the ability to scan all incoming and outgoing email messages for possible malicious payloads in any part of the email itself (header, body, etc.) and in attached files. Logging and Monitoring - ANSWER Collecting security logs such as access violation and failed authentication to monitor end-user devices and identify threats in real-time or to perform analysis at a later time. Antivirus under the Hood: Scanning - ANSWER works by scanning files and comparing their signatures to a database of malicious file signatures. specific detection - ANSWER Looks for several things: String/Byte Signatures, Hash Signatures, Heuristic detection. String/Byte Signatures - ANSWER Executable files consist of bytes or strings of bytes in specific patterns. Hash Signatures - ANSWER A hash algorithm is a one-way function that takes input of any length and converts it into a fixed size string of unique text using a mathematical function. There are three components used in a hashing process - ANSWER the input, the hash function, and the hash value. Heuristic detection - ANSWER searches for unknown viruses by looking for known suspicious behavior or file structures. Common Vendors, Common Coverage - ANSWER Real-time protection • Host firewall • Application control • Device control • Web protection • Full disk encryption • USB protection • EDR • Sandbox • Antispam and phishing • Zero-day protection • Anti-ransomware • Centralized management What is a False Positives (FP) - ANSWER A test that indicates that a condition is true when it actually is not generating a false positive. What is a False Negatives (FN)? - ANSWER A false negative is when a test result falsely indicates the lack of a condition. False positives can be the result of several factors. - ANSWER Heuristics, Behavioral Analysis, Machine Learning, Zero-Day What is a zero-day exploit? - ANSWER zero-day exploit is a flaw in a program that either has not been discovered or has been discovered but has not been patched. Antivirus Bypass Techniques for Packing and Encryption - ANSWER To encrypt or compress an executable file, a method called packing is used. This method avoids signature-based detection by hiding the original executable file's signature with the compressed file. Antivirus Bypass Techniques for Code Mutation - ANSWER Mutations (faults) are automatically embedded in the malware code. Antivirus Bypass Techniques for Stealth Techniques - ANSWER Stealth techniques are used to alter or augment the behavior of an operating system, applications, or software programs by intercepting function calls, messages, or events passed between software components. Antivirus Bypass Techniques for Disabling Antivirus Updates - ANSWER the AV may allow new viruses to enter that are not listed in the current database. What is a Fileless Attack? - ANSWER Also known as zero footprint attacks or non-malware attacks, these types of attacks do not install new software on a user's computer, so antivirus tools are more likely to miss them. What is an Internal Firewall? - ANSWER known as a host-based firewall, an internal firewall is usually software-based, meaning it does not have its own hardware but rather utilizes the hardware of the machine it is installed on. Host-Based Intrusion Prevention/Detection System (HIDS/HIPS) - ANSWER works alongside the firewall. Its main function is to monitor and analyze the internal activities of a system and perform deep packet inspection on the interface of the network. What is a Sandbox? - ANSWER It is an isolated, replicated environment that was initially designed to mitigate advanced persistent threats (APT) Define BYOD - ANSWER Bring Your Own Device What Is EDR - ANSWER Endpoint Threat Detection and Response (EDR) provides high visibility on all endpoints in the organization. EDR Definition - ANSWER EDR includes an AV, but also contains behavioral analysis detection that is not signature-based. What is ClamAV? - ANSWER ClamAV is an open-source, cross-platform antivirus software. Signature Usage - ANSWER AVs rely on signatures to detect malicious files. Define the three Signature Types - ANSWER Body-Based Signature, Hash-Based Signatures ClamAV has a tool that can write signatures name that tool. - ANSWER Sigtool What is YARA Rules - ANSWER are a way of describing a pattern to identify certain files. YARA Rules Signature - ANSWER is limited to a maximum of 64 strings per rule. Define PhishSigs - ANSWER is a database of file signatures associated with phishing. What is Phishing? - ANSWER is an attempt to obtain information such as names, passwords, credit card details, etc., by posing as a legitimate partner in communication. Define AV Allow Listing - ANSWER is the explicit designation of a file signature as safe. What is Exclusions? - ANSWER allowed list signature database file extensions recognized by AV. What Is a Honeypot? - ANSWER is a trap that detects and counteracts attempts of unauthorized usage of company systems. What are Honeypot Attributes? - ANSWER they are all based on a common approach, which is to distribute different traps over the network that look like legitimate data. What are Honeypot Aims? - ANSWER The purpose of analysis is to discover how attackers penetrate a system and try to gain insight into attack methodologies so that a system can be better protected in the future. Production Honeypots - ANSWER are stored in the production network and interact with other production servers to enhance their security and reliability. Research Honeypots - ANSWER are used to manage research of the risks that companies face and to learn how to better protect against those risks. What does a Low-Interaction Honeypot do - ANSWER simulate only the services frequently requested by attackers, thereby reducing their complexity. High-Interaction Honeypot does what? - ANSWER mimic the activities of a production system that hosts a variety of services. What are Honeytokens? - ANSWER fabricated data to detect illegitimate data access Canary Traps - ANSWER expose information leaks by passing different versions of sensitive information to suspects and monitoring which version is leaked. Open-Source Honeypot Products - ANSWER Dionaea What Is Data? - ANSWER includes any information that is collected for the purposes of recordkeeping and analysis. Data Classification - ANSWER refers to the practice of categorizing, or classifying, data to indicate sensitivity levels. Data Leak Channels - ANSWER In general, data is prone to leaks, and there are many channels through which data can be leaked. What Is Regex? - ANSWER (DLP) software uses regular expressions to discover sensitive data, whether it is in transit or not. DLP Purpose - ANSWER Data leakage prevention objectives are intended to prevent organizational data from being shared with unauthorized parties, to prevent both intentional and unintentional data loss, and to comply with privacy laws and regulations like the General Data Protection Regulation (GDPR). How Data Loss Prevention (DLP) Works - ANSWER Most data loss prevention products work with a server engine and are used to create different rules that can be token-based for constant text or regular expression-based for complicated matching patterns. Block List - ANSWER - Everyone is allowed except exclusions. - Simple and lenient - Less restrictions = less secure Allow List - ANSWER - Everyone is forbidden except exclusions. - Complex and strict - More restrictions = limited functionality and creativity What Is OpenDLP? - ANSWER - It can be used as a virtual machine or a standalone application that has to be compiled. - It is free, open-source, multi-platform, centrally managed, and highly distributable. - It can run as agent-based or agentless and can concurrently scan thousands of operating systems. DLP Bypass Techniques - ANSWER DLP works using regex and token-based pattern recognition, hence drastically changing the known pattern of the data to fool DLP engines. steganography - ANSWER refers to data hidden in a file, image, message, or video. What Are DNS Records? - ANSWER Domain Name System, allows services, computers, and resources that are connected to a private network or the internet to access a decentralized, hierarchical naming system that translates recognizable domain names to numeric IP addresses and allows the access of data from those domains. DNS Information Stored? - ANSWER Domain registrars send information to the registry, which can assign names in the corresponding zone and publish domain name information. DNS Queries - ANSWER When a client requests information about a specific server, it sends a query. What is a MX Record - ANSWER Maps the domain name to the mail server Name Server (NS) Record - ANSWER Indicates the DNS servers that are assigned to a given zone; the NS records are located within the zone TXT Record - ANSWER Contains descriptive human-readable text in a DNS record that often includes contact and hosting information. What is A Record? - ANSWER Returns a 32-bit IPv4 address; used to map domain names to an IP address. CNAME Record - ANSWER Used for domain name aliases and to allow access to a domain with or without the www prefix. What is nslookup? - ANSWER command to query DNS records, create automated scripts, and perform DNS zone transfers. What is SMTP? - ANSWER (Simple Mail Transfer Protocol) is a method of exchanging information between a sender's server and a recipient's server. The protocol uses port 25. Telnet and netcat - ANSWER can be used to initiate a connection to the mail server with the following command: telnet <SMTP Server] 25. What is POP3? - ANSWER Stands for Post Office Protocol. POP3 is a simple, standardized method of delivering email messages. What Is Spoofing? - ANSWER is a method of fabricating malicious emails, SMS, phone calls, websites, or even network components, such as IP addresses, Domain Name System (DNS) servers, and Address Resolution Protocols (ARPs) to perpetrate an attack. Define Phishing - ANSWER is a common attack that targets organizations by using a spoof email intended to gain the trust of a victim. What is SPF? - ANSWER is the Sender Policy Framework (SPF). This method uses authentication that takes place during email delivery and detects addresses forged by the sender. DKIM - ANSWER security mechanism is DomainKeys Identified Mail (DKIM), an email authentication protocol that enables a sender to use a digital signature for outgoing email that can be verified by the recipient's mailbox provider through DNS. DMARC - ANSWER is Domain-Based Message Authentication, Reporting, and Conformance (DMARC). What Is an Email Header? - ANSWER It is a record of where the email traveled. The Mail Header contains the? - ANSWER routing information, email metadata, Return-Path, authentication details, Message-ID to identify, MIME-Version. What Is Mail Relay? - ANSWER also known as an email server, is a device that routes emails to their destinations. A mail/message transfer agent (MTA) - ANSWER is software that transfers email between the computers of a sender and recipient. Content Disarm & Reconstruction (CDR) - ANSWER which is a security technology that removes code regarded as malicious from files. Cybersecurity Threats - ANSWER Cyberspace and its underlying infrastructure are vulnerable to a wide range of risk stemming from both physical and cyber threats and hazards. Sophisticated cyber actors and nation-states exploit vulnerabilities to steal information and money and are developing capabilities to disrupt, destroy, or threaten the delivery of essential services. What is a Threat? - ANSWER indicates potential business risks a company might be exposed to, such as the leakage of sensitive customer data. Define an Asset? - ANSWER is the specific platform or technology related to the scope of the organization that could be impacted by a cybersecurity incident. What is a Vulnerability? - ANSWER is a security flaw in a specific asset that can be [Show More]

Last updated: 2 years ago

Preview 1 out of 14 pages