200-201 : Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) : Part 03

  1. Which of the following is most likely to be used in a reflected DoS attack?

    • NTP
    • STP
    • ARP
    • IGMP
    Explanation:
    Network Time Protocol (NTP) servers are often used in a reflected attack, in which the attack is bounced off a third party to hit the target. This helps to hide the source of the attack. NTP is used to synchronize the clocks of computers on the network. Time synchronization is important in areas such as event logs, billing services, e-commerce, banking, and HIPAA security rules.

    While spanning tree protocol can be used in network attacks on switches, it is not a DoS type attack. STP uses the Spanning Tree Algorithm (STA) to help a switch or bridge by allowing only one active path at a time. STP can prevent network congestion and broadcast storms.

    There are two types of STP: spanning tree (802.1d) and rapid spanning tree (802.1w). 802.1d is an older standard that was designed when a minute or more of lost connectivity was considered acceptable downtime.

    Address Resolution Protocol (ARP) is also used in attacks, especially man-in-the-middle, but it is not a DoS attack. ARP tables show the relationship of IP address to MAC address, but they cannot be used for DNS and DHCP integration.

    Internet Group Management Protocol (IGMP) is not typically used in network attacks.

    Objective: Attack Methods
    Sub-Objective: Describe these network attacks: Denial of service, Distributed denial of service, Man-in-the-middle.

  2. Which of the following represents a single set of sequential machine-code instructions that the processor executes?

    • forks
    • processes
    • threads
    • handles
    Explanation:
    A thread represents a single set of sequential machine-code instructions that the processor executes. A thread also may be thought of as a subset of a process, as a process may have multiple threads. Multithreading is when the processor can operate on more than one thread at a time.

    A process is a single application as seen from the perspective of the processor. Multiprocessing is the operation of more than one process at a time.

    Handles are logical associations with a shared resource like a file. When a thread opens a file, it establishes a “handle” to the file.

    A fork is an operation whereby a process creates a copy of itself. The fork operation creates a separate address space for the child. The child process has an exact copy of all the memory segments of the parent process.

    Objective: Host-Based Analysis
    Sub-Objective: Define these terms as they pertain to Microsoft Windows: Processes, threads, memory allocation, Windows Registry, WMI, Handles, Services

  3. Which algorithm is a symmetric cipher?

    • ECC
    • ElGamal
    • 3DES
    • RSA
    Explanation:
    Triple DES or 3DES is a symmetric algorithm, which means the key used to encrypt is identical to the key used to decrypt. Triple DES is a later version of DES that performs three rounds of encryption. 3DES takes longer due to the higher processing power required. Data Encryption Standard (DES) is also symmetric.

    The other algorithms are all asymmetric. Asymmetric cryptography involves the use of different keys to encrypt and decrypt the data. These keys are referred to as private and public keys, respectively. The public encryption key is used to ensure only the intended recipient can decrypt the cipher text. These algorithms use two keys that do not match, but are mathematically related such that if encryption is performed using one, the other is used for decryption. Asymmetric algorithms include Diffie-Hellman, RSA, ElGamal, Elliptic Curve Cryptosystem (ECC), CAST, and Knapsack.

    ElGamal is an asymmetric public key encryption algorithm based on the Diffie-Hellman key agreement. It is used for digital signatures, encryption of data, and key exchange.

    Rivest, Shamir, and Adleman (RSA) is used as the worldwide de facto standard for digital signatures. RSA is a public key algorithm that provides both encryption and authentication.

    Elliptic Curve Cryptosystem (ECC) serves as an alternative to the RSA algorithm and provides similar functionalities, but ECC has a higher strength per bit than RSA.

    Objective: Cryptography
    Sub-Objective: Describe the security impact of these commonly used encryption algorithms and secure communications protocols: DES, 3DES, AES, AES256-CTR, RSA, DSA, SSH, SSL/TLS

  4. Which statement is FALSE with respect to access lists?

    • every rule is examined before a decision is made
    • the order of the rules is important
    • the rules in the list are examined from top to bottom
    • the first rule match is applied
    Explanation:
    Every rule is NOT necessarily examined. An access list is a list of rules defined in a specific order. The rules are examined from the top of the list to the bottom. When one of the rules is encountered which matches the traffic type of the packet being examined, the action specified in that rule is taken and no more rules are examined.

    The order of the rules is important. For example, examine this set of conceptual rules:

    Allow traffic from subnet 192.168.5.0/24
    Deny traffic from 192.168.5.5/24

    The second rule would never be invoked because the first rule would always match the traffic of 192.168.5.5.

    If all of the rules in a set are examined and none match the traffic type, the packet will be disallowed by an implied deny all at the end of each set. To counteract that implied rule, an explicit allow is most of the time configured at the end of the set.
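    The first-match behaviour and the shadowed rule from the question, worked through as an added example (not code from the original page). It parses the page's conceptual rule syntax, applies the implicit deny, and flags any rule that an earlier rule makes unreachable; the `FIXED_ACL` ordering is an assumption about how one would correct the set.

```python
"""Added example: first-match ACL evaluation with implicit deny and shadowed-rule detection."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    source: ipaddress.IPv4Network     # source prefix the rule matches


def parse_rule(text: str) -> Rule:
    """Parse the page's conceptual syntax, e.g. 'Deny traffic from 192.168.5.5/24'."""
    words = text.split()
    action = words[0].lower()
    if action == "allow":
        action = "permit"
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in rule: {text!r}")
    # strict=False: a host address written with a /24 mask (as in the question)
    # is normalised to its subnet, which is exactly why that rule can never match.
    return Rule(action, ipaddress.ip_network(words[-1], strict=False))


def evaluate(rules: List[Rule], src_ip: str) -> Tuple[str, Optional[int]]:
    """Walk the list top to bottom; the first matching rule decides and no further
    rules are examined. No match at all falls through to the implicit deny."""
    ip = ipaddress.ip_address(src_ip)
    for idx, rule in enumerate(rules):
        if ip in rule.source:
            return rule.action, idx
    return "deny", None


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never be reached because an earlier rule already
    covers every address they match (the ordering mistake the question shows)."""
    return [idx for idx, rule in enumerate(rules)
            if any(rule.source.subnet_of(earlier.source) for earlier in rules[:idx])]


# The question's two rules, exactly as written.
PAGE_ACL = [parse_rule("Allow traffic from 192.168.5.0/24"),
            parse_rule("Deny traffic from 192.168.5.5/24")]

# Assumed correction: the host deny first (with a host mask), then the subnet permit,
# then an explicit catch-all permit in place of the implicit deny.
FIXED_ACL = [parse_rule("Deny traffic from 192.168.5.5/32"),
             parse_rule("Allow traffic from 192.168.5.0/24"),
             parse_rule("Allow traffic from 0.0.0.0/0")]
```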

    Objective: Network Concepts
    Sub-Objective: Describe the operation of ACLs applied as packet filters on the interfaces of network devices

  5. What type of data is displayed in the following output?

    Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows

    2010-09-01 00:00:00.459 0.000 UDP 127.0.0.1:24920 -> 192.168.0.1:22126 1 46 1
    2010-09-01 00:00:00.363 0.000 UDP 192.168.0.1:22126 -> 127.0.0.1:24920 1 80 1
    • firewall log
    • traffic from a tap
    • mirrored traffic
    • NetFlow traffic
    Explanation:
    The traffic displayed is from a NetFlow capture. NetFlow can collect IP traffic statistics on all interfaces where NetFlow is enabled, and later export those statistics as NetFlow records toward at least one NetFlow collector. Each flow is a unidirectional sequence of packets that share the following:

    – Ingress interface
    – Source IP address
    – Destination IP address
    – IP protocol
    – Source port for UDP or TCP, 0 for other protocols
    – Destination port for UDP or TCP, type and code for ICMP, or 0 for other protocols
    – IP Type of Service

    Traffic from a TAP or traffic mirrored to a SPAN port would not be organized in this way. Its output in a capture tool like Wireshark would provide the ability to open each packet and look at its parts.

    A network test access point (TAP) is an external hardware device inserted at a specific point in the network to monitor the traffic that passes between two network nodes.

    The SPAN feature, which is sometimes called port mirroring or port monitoring, selects network traffic for analysis by a network analyzer.

    A firewall log output would indicate whether traffic was allowed or denied according to the firewall rules, which is not indicated in the output provided.
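    Parsing records in the layout of the question's output, as an added example that is not part of the original page. The sample lines are constructed (the question's two UDP records plus one assumed TCP record); the code shows that each record is one unidirectional flow and pairs the two directions of a conversation by normalising the endpoints.

```python
"""Added example: parse NetFlow summary lines and pair unidirectional flows."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample in the same column layout as the question's output (not real traffic).
SAMPLE = """\
2010-09-01 00:00:00.459 0.000 UDP 127.0.0.1:24920 -> 192.168.0.1:22126 1 46 1
2010-09-01 00:00:00.363 0.000 UDP 192.168.0.1:22126 -> 127.0.0.1:24920 1 80 1
2010-09-01 00:00:01.100 0.000 TCP 10.0.0.5:51000 -> 10.0.0.9:22 3 180 1
"""

Endpoint = Tuple[str, int]


def split_endpoint(ep: str) -> Endpoint:
    """'192.168.0.1:22126' -> ('192.168.0.1', 22126); rpartition keeps IPv6 colons intact."""
    host, _, port = ep.rpartition(":")
    return host, int(port)


def parse_line(line: str) -> dict:
    """Map one summary line onto the NetFlow fields listed in the explanation."""
    f = line.split()
    return {
        "start": f[0] + " " + f[1],
        "duration": float(f[2]),
        "proto": f[3],
        "src": split_endpoint(f[4]),   # f[5] is the '->' separator
        "dst": split_endpoint(f[6]),
        "packets": int(f[7]),
        "bytes": int(f[8]),
        "flows": int(f[9]),
    }


def parse_records(text: str) -> List[dict]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def flow_key(rec: dict) -> tuple:
    """A NetFlow record is unidirectional: protocol plus source and destination
    address/port identify it, so the two directions are two different flows."""
    return rec["proto"], rec["src"], rec["dst"]


def conversation_key(rec: dict) -> tuple:
    """Order the endpoints so both directions of one conversation share a key."""
    a, b = sorted([rec["src"], rec["dst"]])
    return rec["proto"], a, b


def pair_directions(records: List[dict]) -> Dict[tuple, dict]:
    """Aggregate records per conversation: how many directions were seen and total bytes.
    A conversation with only one direction is a useful triage signal (e.g. unanswered probes)."""
    convs: Dict[tuple, dict] = defaultdict(lambda: {"records": 0, "bytes": 0, "directions": set()})
    for rec in records:
        c = convs[conversation_key(rec)]
        c["records"] += 1
        c["bytes"] += rec["bytes"]
        c["directions"].add(flow_key(rec))
    return dict(convs)
```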

    Objective: Network Concepts
    Sub-Objective: Compare and contrast the characteristics of data obtained from taps or traffic mirroring and NetFlow in the analysis of network traffic.

  6. Which of the following provides the C in CIA?

    • redundancy
    • hashing
    • encryption
    • multiple components
    Explanation:
    CIA stands for Confidentiality, Integrity, and Availability. Confidentiality means preventing unauthorized access to data. One method of doing that is with encryption.

    Integrity is a security service that ensures that digital files have not been changed. Digital signatures are an example of an integrity security method. A digital signature provides integrity and non-repudiation. Non-repudiation ensures that the data’s origin is known. Availability is a security service that protects hardware and data from loss by ensuring that any needed data is available when necessary. Backups are an example of availability.

    Redundancy or the use of multiple components increases availability, the A in CIA. Redundancy means having multiple components in place, which provides more than one way to keep the environment operating. Redundancy occurs when you have systems in place ready to come online when a system fails.

    Hashing algorithms generate hash values which can be compared to identify if data has changed. Protecting data from unauthorized change provides integrity. Hashing algorithms include MD2, MD4, MD5, HAVAL, and all of the Secure Hash Algorithm (SHA) variants.

    Using multiple components is a synonym for redundancy.

    Objective: Cryptography
    Sub-Objective: Describe the uses of encryption algorithms

  7. Which of the following increases when additional functionality is added to an application?

    • threats
    • vulnerabilities
    • risk
    • attack surface
    Explanation:
    The attack surface consists of functionalities that a malicious individual might compromise. As you add functionality, you also increase the attack surface. Determining the attack surface will help you identify the different components that can be attacked. For example, reviewing the architecture may show that new functionality requires one or more new ports to be opened on the firewall, which increases the attack surface of the organization.

    A vulnerability is a susceptibility to a threat that exists in a system.

    A threat is an external danger. A system may or may not be vulnerable to a specific threat. A threat is a potential danger that could take advantage of a system if it is vulnerable. For example, there might be a threat to SQL servers, but if you use Oracle, it is not a vulnerability, only a threat. Because threats are external, they are not affected by increasing functionality.

    Risk is increased only IF a vulnerability is created along with the new functionality, so it is not the best answer. Risk is the likelihood that an external threat leverages an internal vulnerability. We reduce the risk of a breach when we apply controls that mitigate the likelihood or the impact of the threat.

    Objective: Attack Methods
    Sub-Objective: Compare and contrast an attack surface and vulnerability

  8. What is the term for a program or service in Linux?

    • handles
    • forks
    • processes
    • thread
    Explanation:
    A program or service in Linux is called a process, although services are also called daemons. A process is a single application as seen from the perspective of the processor. Multiprocessing is the operation of more than one process at a time.

    A thread represents a single set of sequential machine-code instructions that the processor executes. A thread also may be thought of as a subset of a process as a process may have multiple threads.

    Handles are logical associations with a shared resource like a file. A fork is an operation whereby a process creates a copy of itself. The fork operation creates a separate address space for the child. The child process has an exact copy of all the memory segments of the parent process.

    Objective: Host-Based Analysis
    Sub-Objective: Define these terms as they pertain to Linux: Processes, Forks, Permissions, Daemon

  9. Which of the following is the technique used by Java that prevents certain functions when the applet is sent as part of a Web page?

    • segmentation
    • process isolation
    • sandboxing
    • reference monitor
    Explanation:
    Sandboxing is a technique used by Java as well as other applications to prevent the operation of the program from interfering with any other programs running.

    Sandboxing also refers to developing an application outside of the production environment. Sandboxing can also be useful to test a legacy operating system that may not have security patches. Virtual machines are often used to create the sandbox. Memory allocation issues may be discovered during sandbox testing, but are not directly a part of the sandbox functionality.

    Process isolation is a technique used by operating systems to isolate one running process from any other. It is not done in memory but in the processor queue.

    A reference monitor is an abstract concept implemented by the security kernel of the operating system. It manages access from untrusted components to those that are part of the trusted computing base.

    Segmentation is not a term used to discuss Java activities and operation.

    Objective: Host-Based Analysis
    Sub-Objective: Describe the functionality of these endpoint technologies in regards to security monitoring: Host-based intrusion detection, Antimalware and antivirus, Host-based firewall, Application-level whitelisting/blacklisting, Systems-based sandboxing (such as Chrome, Java, Adobe reader).

  10. Which of the following would one NOT expect to find in a packet capture of an HTTP packet?

    • referrer header
    • SYN flag
    • user agent
    • host
    Explanation:
    SYN flags are seen in TCP packets that are part of the three-way TCP handshake. Once the connection setup is complete, the HTTP packets will not have this element.

    Among the elements in an HTTP packet are the following:

    – user agent – software (a software agent) that is acting on behalf of a user
    – referrer header – URL data from an HTTP header field identifying the Web link used to direct users to a Web page
    – host – sending device

    Objective: Security Monitoring
    Sub-Objective: Describe the function of these protocols in the context of security monitoring: DNS, NTP, SMTP/POP/IMAP, HTTP/HTTPS

  11. When a TCP packet is sent to an open port with the SYN flag set, what response would be expected from the open port?

    • a packet with the SYN and ACK flags set
    • a packet with an RST flag
    • no response
    • a packet with the ACK flag set
    Explanation:
    When the port is open, the receiver will send back a packet with the SYN and ACK flags set.

    Transmission Control Protocol (TCP) is a session-oriented or connection-based protocol. It uses a three-way handshake to ensure that every packet sent is successfully received and acknowledged by the destination. The handshake is performed at the start of each session by TCP, and contains a set of three segments (TCP “packets”).

    – Step one: The sender sends the first segment to the receiver with the Synchronization (SYN) flag enabled.
    – Step two: The receiver sends the second segment back to the sender with both the Acknowledgement flag (ACK) and the Synchronization (SYN) flag enabled.
    – Step three: The sender sends the third segment back to the receiver with just the Acknowledgement (ACK) flag enabled (in response to the server’s Synchronization request).

    A packet with the RST flag would be received if the port were closed. An open port responds with a SYN/ACK segment, while a closed port responds with a RST (reset) flagged segment.

    A packet with the ACK flag set would only follow a packet with the SYN and ACK flags set. The first step is to send a SYN packet. When the port is open, the receiver will send back a packet with the SYN and ACK flags set.

    No response would occur only if the port were blocked on the firewall. Firewalls do not send diagnostic or error messages when blocking a transmission.

    Objective: Network Concepts
    Sub-Objective: Describe the operation of the following: IP, TCP, UDP, ICMP

  12. Which of the following is a file that contains a reference to another file or directory in the form of an absolute or relative path?

    • symlink
    • handle
    • thread
    • fork
    Explanation:
    A symbolic link in Linux (also symlink or soft link) is a term for any file that contains a reference to another file or directory in the form of an absolute or relative path.

    A thread represents a single set of sequential machine-code instructions that the processor executes. A thread also may be thought of as a subset of a process as a process may have multiple threads.

    Handles are logical associations with a shared resource like a file. When a thread opens a file, it establishes a “handle” to the file.

    A fork is an operation whereby a process creates a copy of itself. The fork operation creates a separate address space for the child. The child process has an exact copy of all the memory segments of the parent process.

    Objective: Host-Based Analysis
    Sub-Objective: Define these terms as they pertain to Linux: Processes, Forks, Permissions, Symlinks, Daemon

  13. You have been tasked with protecting users’ medical records.

    What type of information are you protecting?

    • PCI-DSS
    • PII
    • PHI
    • HIPAA
    Explanation:
    Medical records are considered Personal Health Information (PHI) and must be protected from unauthorized disclosure.

    Personally identifiable information (PII) is any piece of information that can be used to uniquely identify a person, such as full name, account name, phone number, license number, date of birth, social security number, or any other personal attribute.

    The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is the act that governs the handling of PHI.

    The Payment Card Industry Data Security Standard (PCI DSS) protects credit card information, not medical records.

    Objective: Security Concepts
    Sub-Objective: Describe these terms: Threat actor, Run Book Automation (RBA), Chain of custody (evidentiary), reverse engineering, Sliding windows anomaly detection, PII, PHI

  14. What is DNS poisoning?

    • the practice of dispensing IP addresses and host names with the goal of traffic diversion
    • the practice of many computers transmitting malformed packets to the DNS server to cause the server to crash
    • the practice of one computer transmitting malformed packets to the DNS server to cause the server to crash
    • the practice of continually sending a DNS server synchronization messages with spoofed packets
    Explanation:
    DNS poisoning is the practice of dispensing IP addresses and host names with the goal of traffic diversion. Properly configured DNS security (DNSSEC) on the server can provide message validation, which, in turn, would prevent DNS poisoning.

    A SYN flood is the practice of continually sending a DNS server synchronization messages with spoofed packets. A SYN flood can transpire when a high number of half-open connections are established to a single computer.

    A DNS denial-of-service (DoS) attack is the practice of one computer transmitting malformed packets to the DNS server to cause the server to crash. A DNS distributed DoS (DDoS) attack is the practice of many computers transmitting malformed packets to the DNS server to cause the server to crash.

    Address Resolution Protocol (ARP) poisoning is similar to DNS poisoning. In this attack, a malicious actor sends falsified ARP messages over a local area network.

    In a domain hijacking attack, the registration of a domain name is changed without the permission of the original registrant.

    Objective: Security Monitoring
    Sub-Objective: Describe the function of these protocols in the context of security monitoring: DNS, NTP, SMTP/POP/IMAP, HTTP/HTTPS

  15. Which of the following is defined by the NIST in the FIPS 180-4 standard?

    • SHA-1
    • MD5
    • SHA-256
    • SHA-512
    Explanation:
    The SHA-256 hashing algorithm is defined in the FIPS 180-4 standard by the NIST. It is part of the SHA-2 family. The purpose of Secure Hash Algorithm (SHA) is to protect message integrity.

    SHA-256, also referred to as SHA-2, is a newer version of SHA and uses 256-bit checksums. SHA-256 should be used with a disk image to protect the image’s integrity so that the image can be retained for forensic purposes.

    MD5 is a hashing algorithm, but it is not defined in the FIPS 180-4 standard by the NIST. MD5 is the least secure of the listed hashing algorithms. MD5 is a one-way hashing algorithm. One-way hashing refers to inserting a string of variable length into a hashing algorithm and producing a hash value of fixed length. This hash is appended to the end of the message being sent. This hash value is recomputed at the receiver’s end in the same fashion in which it was created, by using the same computational logic. If the recomputed hash value is the same as the generated hash value, the message was not altered during the course of transmission.

    Secure Hash Algorithm (SHA)-1 is the first version of SHA, and is the least secure version of the SHA hashing algorithm. SHA-1 is a hashing algorithm that creates a message digest, which can be used to determine whether a file has been changed since the message digest was created. An unchanged message should create the same message digest on multiple passes through a hashing algorithm. It is not defined in the FIPS 180-4 standard by the NIST.

    SHA-512 is a more secure version of SHA-256 and differs only in the number of rounds of computation. It is not defined in the FIPS 180-4 standard by the NIST.
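    The integrity check the explanation describes (hash the evidence, recompute later, compare), applied to a disk image as an added example that is not part of the original page. The image is a constructed temporary file of a few MiB; the chunked read is what makes the same routine usable on images far larger than RAM, and the single flipped byte shows the digest changing.

```python
"""Added example: chunked SHA-256 of a disk image and later verification against the recorded digest."""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB per read, so multi-GB images never have to fit in memory


def hash_bytes(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of an in-memory buffer; algorithm is any name hashlib knows (sha256, sha512, ...)."""
    return hashlib.new(algorithm, data).hexdigest()


def hash_file(path: str, algorithm: str = "sha256") -> str:
    """Hex digest of a file computed incrementally, chunk by chunk."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        while True:
            block = f.read(CHUNK)
            if not block:
                break
            h.update(block)
    return h.hexdigest()


def verify_file(path: str, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Recompute the digest the same way it was created and compare; compare_digest
    avoids leaking where the first differing character is through timing."""
    return hmac.compare_digest(hash_file(path, algorithm), expected_hex.lower())


def demo() -> dict:
    """Constructed 'evidence.dd': three blocks of deterministic bytes (not chunk-aligned on
    purpose), hashed at acquisition, verified, then one byte altered and verified again."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "evidence.dd")
        with open(img, "wb") as f:
            for i in range(3):
                f.write(bytes([i]) * (CHUNK + 7))
        digest = hash_file(img)              # record this alongside the image
        intact = verify_file(img, digest)    # re-check before analysis
        with open(img, "r+b") as f:          # simulate a single-byte modification
            f.seek(CHUNK + 100)
            f.write(b"\xff")
        tampered_verifies = verify_file(img, digest)
        return {
            "digest": digest,
            "digest_bits": len(digest) * 4,  # 64 hex characters = 256 bits
            "intact_verifies": intact,
            "tampered_verifies": tampered_verifies,
        }
```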

    Objective: Cryptography
    Sub-Objective: Describe the uses of a hash algorithm

  16. You are examining NetFlow records.

    What is the state of the connection when you receive a packet with the RST flag set in response to a packet with the SYN flag set?

    • the port is open
    • the port is blocked by the firewall
    • the connection is set up
    • the port is closed
    Explanation:
    Receiving a packet with the RST flag in response to a packet with the SYN flag means the port is closed. When a port is closed, the device answers back with a TCP packet with the RST flag set.

    If the port were open, the response packet would have the SYN and ACK flags set.

    Transmission Control Protocol (TCP) is a session-oriented or connection-based protocol. It uses a three-way handshake to ensure that every packet sent is successfully received and acknowledged by the destination. The handshake is performed at the start of each session by TCP, and contains a set of three segments (TCP “packets”).

    – Step one: The sender sends the first segment to the receiver with the Synchronization (SYN) flag enabled.
    – Step two: The receiver sends the second segment back to the sender with both the Acknowledgement flag (ACK) and the Synchronization (SYN) flag enabled.
    – Step three: The sender sends the third segment back to the receiver with just the Acknowledgement (ACK) flag enabled (in response to the server’s Synchronization request).

    Were the connection successfully set up, the response packet would have the ACK flag set.

    If the port were blocked by the firewall, there would be no response. Firewalls do not send diagnostic or error messages when blocking a transmission.

    Objective: Security Monitoring
    Sub-Objective: Identify the types of data provided by these technologies: TCP Dump, NetFlow, Next-Gen firewall, Traditional stateful firewall, Application visibility and control, Web content filtering, Email content filtering.

  17. In which access control model does the owner of the resource decide who has access to the resource?

    • MAC
    • RBAC
    • DAC
    • NDAC
    Explanation:
    Discretionary access control is used when the data owner configures the appropriate permission for each user.

    In the mandatory access control model (MAC), a central authority assigns a sensitivity label to each document, such as secret, top secret, and so on. Users can access sensitivity levels to which they have been given access. The least privilege principle is most commonly associated with mandatory access control. Under MAC, only an administrator can change the category or classification of a subject or object.

    In the non-discretionary access control (NDAC) model, a central body decides which users have access to which documents.

    In role-based access control (RBAC), access is based on the job roles to which a user belongs.

    Objective: Security Concepts
    Sub-Objective: Compare and contrast these access control models: Discretionary access control, mandatory access control, Nondiscretionary access control

  18. Which of the following makes a command injection possible?

    • unneeded service ports left open
    • input is accepted without bounds checking
    • web server that accepts input from the user and passes it to a bash shell
    • two passwords that hash to the same value
    Explanation:
    When a web server accepts input and passes it to a bash shell (command line), an attacker might include a command as part of the input, and that command might be accepted and processed by the web server.

    Two passwords that hash to the same value are called a hash collision, which can lead to either or both passwords being cracked. A birthday attack captures hashed passwords from the network and uses brute force to try out different text strings using the same hashing algorithm, hoping to end up with a matching pair of hash values, referred to as a collision.

    When input is accepted without bounds checking, an integer overflow can occur: a value is entered that is larger than expected, leading to the integer overflow, a type of buffer overflow. It occurs when a mathematical operation attempts to create a numeric value that is too large for the available storage space.

    When unneeded service ports are left open, the attack surface of the device is increased. Increasing the attack surface makes more attacks possible, but does not make you more susceptible to command injection.

    Other injection attacks include SQL injection, LDAP injection, XML injection, and file injection.
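    The condition the correct answer describes, shown beside its fix as an added example (not code from the original page): a handler that concatenates user input into a shell command line, and a hardened handler that validates the input against an allowlist and invokes the program directly with an argument list so no shell ever parses it. The hostname lookup scenario and the use of `echo` as a harmless stand-in for the real program are assumptions for the demonstration.

```python
"""Added example: shell command injection (vulnerable form) beside the hardened form."""
import re
import subprocess

# Allowlist for a DNS name: letters, digits, dots and hyphens only. Anything a shell
# would treat specially (; | & $ ` quotes, spaces, newlines) is rejected outright.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def is_safe_hostname(value: str) -> bool:
    return HOSTNAME_RE.fullmatch(value) is not None


def vulnerable_lookup(user_input: str) -> str:
    """Builds one command string and hands it to the shell (shell=True). The shell,
    not the program, interprets metacharacters in user_input, so input that contains a
    separator is executed as a second command. 'echo' stands in for the real tool."""
    completed = subprocess.run("echo resolving " + user_input,
                               shell=True, capture_output=True, text=True)
    return completed.stdout


def hardened_lookup(user_input: str) -> str:
    """Validate first, then call the program with an argument list and no shell.
    The input reaches the program as a single argv entry: data, never syntax."""
    if not is_safe_hostname(user_input):
        raise ValueError("hostname rejected: characters outside the allowlist")
    completed = subprocess.run(["echo", "resolving", user_input],
                               shell=False, capture_output=True, text=True)
    return completed.stdout


def hardened_lookup_or_error(user_input: str) -> str:
    """Same as hardened_lookup, but returns the rejection text instead of raising,
    which is closer to what a web handler would send back to the client."""
    try:
        return hardened_lookup(user_input)
    except ValueError as exc:
        return f"error: {exc}"
```

    The difference to log for detection purposes is the rejection itself: a validation failure containing shell metacharacters is a strong signal that someone is probing the handler.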

    Objective: Attack Methods
    Sub-Objective: Describe these web application attacks: SQL injection, Command injection, Cross-site scripting

  19. What is the recommended range of setting for virtual memory allocation in Windows?

    • 4 times the installed RAM
    • half of the installed RAM
    • 1 to 3 times installed RAM
    • the same as the installed RAM
    Explanation:
    While Windows can handle virtual memory allocation automatically and usually does a good job, increasing the allocation can improve performance. The virtual memory allocation should be between 1 and 3 times the size of the RAM.

    Virtual memory is space on the hard drive that is used when memory is maxed out. When memory contention arises, the virtual memory manager moves items out of memory to the hard drive to free up more memory. When that bit of information is found to be missing in memory, the VMM goes back to the page file on the hard drive and moves it back into memory. This process of moving items back and forth between real memory and virtual memory is called paging.

    Objective: Host-based Analysis
    Sub-Objective: Define these terms as they pertain to Microsoft Windows: Processes, Threads, Memory allocation, Windows Registry, WMI, handles, Services

  20. Which of the following metrics used to measure the effectiveness of a run book represents the average time to recover a system from a hardware failure?

    • MTTF
    • MTBF
    • MTTR
    • FIT
    Explanation:
    Mean time to recover (MTTR) is the average time to recover a system from a hardware failure. Should a component or an entire system fail, it is important to know how long it would take to repair it, or how long it would be before a replacement could be up and running.

    The mean time between failures (MTBF) is the estimated amount of time that a piece of equipment should remain operational before failure. The MTBF is usually supplied by the hardware vendor or third party. MTBF can also be referred to as mean time to failure (MTTF).

    Mean time to failure (MTTF) is the average time until the first failure occurs in a piece of equipment.

    Failure in time (FIT) is another way of reporting MTBF. FIT reports the number of expected failures per one billion hours of operation for a device.

    Objective: Security Monitoring
    Sub-Objective: Describe these NextGen IPS event types: Connection event, Intrusion event, Host or endpoint event, Network discovery event, NetFlow event.
