Friday, February 15, 2019

Quiz Chapter 11-13 CyberOps Version 1 CCNA



1. Which statement describes an operational characteristic of NetFlow?
NetFlow collects metadata about the packet flow, not the flow data itself.

2. What is the purpose of Tor?
to allow users to browse the Internet anonymously

3. Threat actors may attack the    infrastructure in order to corrupt network log timestamps and disguise any traces that they have left behind.

4. Which type of server daemon accepts messages sent by network devices to create a collection of log entries?
syslog

5. A NIDS/NIPS has identified a threat. Which type of security data will be generated and sent to a logging device?
alert

6. Which statement describes the tcpdump tool?
It is a command-line packet analyzer.

7. What type of server can threat actors use DNS to communicate with?
 CnC

8.  A security analyst reviews network logs. The data shows user network activities such as user name, IP addresses, web pages accessed, and timestamp. Which type of data is the analyst reviewing?
transaction

9. Which Windows host log event type describes the successful operation of an application, driver, or service?
information

10. Which two protocols may devices use in the application process that sends email? (Choose two.)
SMTP
 DNS

11. In a Cisco AVC system, in which module is NBAR2 deployed?
Application Recognition

12. True or False?
ICMP can be used inside the corporation to pose a threat.
true

13. Which Windows tool can be used to review host logs?
Event Viewer


14. Which type of security data can be used to describe or predict network behavior?
statistical

15. Refer to the exhibit. A network administrator is reviewing an Apache access log message. What does the hyphen symbol (-) before "jsmith" indicate?
The client information is unavailable or unreliable.

16. True of False?
Sguil is optimized to provide cyberoperations workflow management to large operations with many employees.
false

17. What is the host-based intrusion detection tool that is integrated into Security Onion?
OSSEC

18. Which alert classification indicates that exploits are not being detected by installed security systems?
false negative

19. Which two technologies are used in the Enterprise Log Search and Archive (ELSA) tool? (Choose two.)
MySQL
Sphinx Search

20. Fill in the blank.
Cisco  provides an interactive dashboard that allows investigation of the threat landscape.

21. True or False?
Modern cybersecurity tools are sophisticated enough to detect and prevent all exploits.
false

22. Fill in the blank.
The act of determining the individual, organization, or nation responsible for a successful intrusion or attack incident is known as threat  ?

23. What is the purpose for data normalization?
to simplify searching for correlated events

24. Which two strings will be matched by the regular expression? (Choose two.)
Level2
Level4

25. Which term describes evidence that is in its original state?
 best evidence

26.  Fill in the blank.
A  positive alert classification wastes the time of cybersecurity analysts who end up investigating events that turn out not to pose a threat.

27. True or False?
Source and destination MAC addresses are part of the five-tuple used to track the conversation between a source and destination application.
false

28. A cybersecurity analyst is going to verify security alerts using the Security Onion. Which tool should the analyst visit first?
Sguil

29. Fill in the blank.
Decision makers can use deterministic analysis to evaluate risk based on what is known about a vulnerability.

30. According to NIST, which step in the digital forensics process involves drawing conclusions from data?
analysis

31. Which field in the Sguil application window indicates the priority of an event or set of correlated events?
 ST

32.Which top-level element of the VERIS schema would allow a company to document the incident timeline?
incident tracking

33. What is a chain of custody?
the documentation surrounding the preservation of evidence related to an incident

34. When dealing with a security threat and using the Cyber Kill Chain model, which two approaches can an organization use to help block potential exploitations on a system? (Choose two.)
Train web developers for securing code.
 Perform regular vulnerability scanning and penetration testing.

35. VERIS……. is a set of metrics designed to create a way to describe security incidents in a structured and repeatable way.

36. Which meta-feature element in the Diamond Model describes tools and information (such as software, black hat knowledge base, username and password) that the adversary uses for the intrusion event?
Resources

37. Which NIST incident response life cycle phase includes continuous monitoring by the CSIRT to quickly identify and validate an incident?
detection and analysis

 38. What type of CSIRT organization is responsible for determining trends to help predict and provide warning of future security incidents?
analysis center

39. Which NIST incident response life cycle phase includes training for the computer security incident response team on how to respond to an incident?
preparation

40. After a threat actor completes a port scan of the public web server of an organization and identifies a potential vulnerability, what is the next phase for the threat actor in order to prepare and launch an attack as defined in the Cyber Kill Chain?
Weaponization


41. Match the intrusion event defined in the Diamond Model of intrusion to the description.



42. In the NIST incident response process life cycle, which type of attack vector involves the use of brute force against devices, networks, or services?
attrition


43. According to NIST standards, which incident response stakeholder is responsible for coordinating an incident response with other stakeholders to minimize the damage of an incident?
management

44. Which three aspects of a target system are most likely to be exploited after a weapon is delivered? (Choose three.)
applications
user accounts
OS vulnerabilities

45. Which approach can help block potential malware delivery methods, as described in the Cyber Kill Chain model, on an Internet-faced web server?
Analyze the infrastructure storage path used for files.

46. Which activity is typically performed by a threat actor in the installation phase of the Cyber Kill Chain?
Install a web shell on the target web server for persistent access.




EmoticonEmoticon