Endpoints and Systems Pre-Assessment | CBROPS

Endpoints and Systems Pre-Assessment | CBROPS

1. Which one of the following best describes the output that the netstat command displays?

   • all the active mapped network drives
   • all the active connected users on the device
   • all the active TCP connections, ports on which the computer is listening
   • all the TCPdump statistics
     

     Explanation & Hint: The netstat command typically displays information about active network connections and listening ports on a computer. So, the most accurate description from the options you provided is: “all the active TCP connections, ports on which the computer is listening.” netstat provides information about active network connections, both TCP and UDP, as well as the status of network interfaces and listening ports on the computer. It does not directly display information about mapped network drives, connected users, or TCPdump statistics.

2. What statement best describes the process that can be used to edit the windows registry?

   • You cannot manually edit the registry.
   • Run the regedit command from the command line.
   • Double-click the task manager icon
   • Expand regedit from the system tray and edit the registry from the GUI.
     

     Explanation & Hint: The statement that best describes the process for editing the Windows Registry is: “Run the regedit command from the command line.” The Windows Registry Editor (regedit) allows you to manually edit the Windows Registry by running it from the command line or by searching for it in the Start menu. It provides a graphical user interface for editing the registry settings, and it’s a powerful tool that should be used with caution since incorrect changes can potentially harm your system.

3. Which one of the following options is most likely to provide fair and accurate information about operating systems and their known vulnerabilities?

   • www.cisco.com
   • www.microsoft.com
   • www.apple.com
   • nvd.nist.gov
     

     Explanation & Hint: The option that is most likely to provide fair and accurate information about operating systems and their known vulnerabilities is: nvd.nist.gov The National Vulnerability Database (NVD) provided by the National Institute of Standards and Technology (NIST) is a trusted and comprehensive source for information on known vulnerabilities in various operating systems and software. It is a reliable resource used by security professionals, researchers, and organizations to stay informed about vulnerabilities and their associated risks. Cisco, Microsoft, and Apple’s websites may provide information about their own products but may not be as comprehensive or impartial when it comes to vulnerabilities in other operating systems.

4. Given the following netstat output, which three statements about the local machine are true? (Choose three.)

   Proto Recv-Q Send-Q Local Address          Foreign Address    State
   tcp        0      0 0.0.0.0:22 0.0.0.0:*                      LISTEN
   tcp        0      0 192.168.0.254:49536    203.0.113.77:80    ESTABLISHED

   • It is acting as an HTTP client.
   • It is acting as an HTTP server.
   • It is acting as an SSH server.
   • It is acting as an SSH client.
   • It is hosting a service that is accessible on all interfaces.
     

     Explanation & Hint: Based on the provided netstat output, the following three statements about the local machine are true: It is acting as an SSH server: The first line with “0.0.0.0:22” in the “Local Address” column indicates that the machine is listening on port 22, which is the default port for SSH (Secure Shell) server. It is acting as an HTTP client: The second line with “192.168.0.254:49536” in the “Local Address” column indicates that the local machine has initiated an outgoing connection (ESTABLISHED) to an HTTP server at “203.0.113.77:80.” It is hosting a service that is accessible on all interfaces: The “0.0.0.0” in the “Local Address” column of the first line indicates that the SSH server is listening on all available network interfaces, which means it is accessible from all interfaces. The statements about it acting as an HTTP server and an SSH client are not supported by the provided information.

5. What command would you use to save a packet capture in PCAP format?

   • sudo tcpdump -s 0 -n >evidence.pcap
   • sudo tcpdump -s 0 -n >>evidence.pcap
   • sudo tcpdump -s 0 -n -w evidence.pcap
   • sudo tcpdump -s 0 -n --writeevidence.pcap
     

     Explanation & Hint: The command you would use to save a packet capture in PCAP (Packet Capture) format is: sudo tcpdump -s 0 -n -w evidence.pcap This command captures network traffic and writes it to a file named “evidence.pcap” in PCAP format. The -w option specifies the output file. The other options are used to control the capture, such as -s 0 to capture full packet data and -n to disable DNS name resolution.

6. How would you copy a file that is called evidence from the local system to a Linux host at 192.168.1.33?

   • scp evidence [email protected]:evidence
   • scp [email protected]:evidence evidence
   • ssh evidence [email protected]:evidence
   • ssh [email protected]:evidence evidence
     

     Explanation & Hint: To copy a file called “evidence” from the local system to a Linux host at 192.168.1.33, you would use the scp command, and the correct syntax is: scp evidence user@192.168.1.33:evidence This command specifies the source file (“evidence”) and the destination on the remote host (“[email protected]:evidence”). It will copy the local “evidence” file to the remote host in the user’s home directory.

7. After a file disposition changes from unknown to malicious, what is the next step that should be taken?

   • Run the file in a sandbox to verify if it is malicious and to determine the file behaviors.
   • Create a new IPS signature to detect the malicious file.
   • Go back to the system where the file was previously seen and quarantine the malicious file.
   • Run a file retrospective analysis in the cloud using machine learning to determine the file SHA.
     

     Explanation & Hint: After a file disposition changes from unknown to malicious, the next step that should be taken is: Go back to the system where the file was previously seen and quarantine the malicious file. Quarantining the file on the system where it was previously seen helps prevent any potential further damage or spread of the malicious file. This is an important step in containing and mitigating the threat. Additionally, it’s advisable to investigate the system to determine how the file entered the environment and whether there have been any related security breaches. Running the file in a sandbox or conducting retrospective analysis may also be part of the process, but the immediate action is to quarantine the file.

8. File integrity checking tools work by calculating hash values of important files, storing the hash values, and periodically comparing those hash values to hash values that it calculates later. If a file hash value comparison results in a mismatch, what does that indicate?

   • It means nothing; it is a mismatch because the files hashes were compiled on different days.
   • It means that one file did not calculate correctly and need to be recalculated.
   • It indicates that the file has been changed in some way and there may be an issue to be resolved.
   • It indicates that your organization has suffered a security breach and a full-scale investigation is needed as soon as possible.
     

     Explanation & Hint: If a file hash value comparison results in a mismatch, it indicates that the file has been changed in some way, and there may be an issue to be resolved. This discrepancy in hash values suggests that the file’s content has been altered since the initial hash was calculated. It could be due to accidental file corruption, software updates, or, in the context of security, it might indicate unauthorized changes or tampering with the file, potentially signaling a security issue. Further investigation is usually needed to determine the cause of the hash value mismatch and take appropriate action.

9. Which endpoint security technology should be used to prevent any incoming connections to the host?

   • host-based personal firewall
   • host-based antivirus
   • host-based IDS
   • host-based malware protection
     

     Explanation & Hint: The endpoint security technology that should be used to prevent any incoming connections to the host is: Host-based personal firewall A host-based personal firewall can control and filter incoming and outgoing network traffic on an individual host (computer). It allows you to configure rules to permit or block specific types of connections, which can include blocking incoming connections to prevent unauthorized access or external threats from reaching the host. This is a key component in protecting a host from potential security risks. Host-based antivirus, host-based IDS (Intrusion Detection System), and host-based malware protection are focused on different aspects of security and are not primarily designed for controlling network traffic and blocking incoming connections.