A company has had several incidents involving users downloading unauthorized software, using unauthorized websites, and using personal USB devices. The CIO wants to put in place a scheme to manage the user threats. What three things might be put in place to manage the threats?
- Use content filtering.
- Disable CD and USB access.
- Provide security awareness training.
Which threat is mitigated through user awareness training and tying security awareness to performance reviews?
user-related threats
What is the workforce framework category that includes highly specialized review and evaluation of incoming cybersecurity information to determine if it is useful for intelligence?
Analyze
A breach occurs in a company that processes credit card information. Which industry specific law governs credit card data protection?
PCI DSS
As part of HR policy in a company, an individual may opt-out of having information shared with any third party other than the employer. Which law protects the privacy of personal shared information?
GLBA
What type of network security test can detect and report changes made to network systems?
integrity checking
A security professional is asked to perform an analysis of the current state of a company network. What tool would the security professional use to scan the network only for security risks?
vulnerability scanner
What information does the SIEM network security management tool provide to network administrators?
real time reporting and analysis of security events
What type of network security test uses simulated attacks to determine the feasibility of an attack as well as the possible consequences if the attack occurs?
penetration testing
What network testing tool would an administrator use to assess and validate system configurations against security policies and compliance standards?
Tripwire
Which statement describes Trusted Automated Exchange of Indicator Information (TAXII)?
It is the specification for an application layer protocol that allows the communication of CTI over HTTPS.
How does AIS address a newly discovered threat?
by enabling real-time exchange of cyberthreat indicators between the U.S. Federal Government and the private sector
Which organization defines unique CVE Identifiers for publicly known information-security vulnerabilities that make it easier to share data?
MITRE
In addressing an identified risk, which strategy aims to decrease the risk by taking measures to reduce vulnerability?
risk reduction
Which step in the Vulnerability Management Life Cycle determines a baseline risk profile to eliminate risks based on asset criticality, vulnerability threat, and asset classification?
assess
When establishing a network profile for an organization, which element describes the time between the establishment of a data flow and its termination?
session duration
Which security management plan specifies a component that involves tracking the location and configuration of networked devices and software across an enterprise?
asset management
A security analyst is investigating a cyber attack that began by compromising one file system through a vulnerability in a custom software application. The attack now appears to be affecting additional file systems under the control of another security authority. Which CVSS v3.0 base exploitability metric score is increased by this attack characteristic?
scope
What are the steps in the vulnerability management life cycle?
discover, prioritize assets, assess, report, remediate, verify
Why would an organization perform a quantitative risk analysis for network security threats?
so that the organization can focus resources where they are most needed
The team is in the process of performing a risk analysis on the database services. The information collected includes the initial value of these assets, the threats to the assets and the impact of the threats. What type of risk analysis is the team performing by calculating the annual loss expectancy?
quantitative analysis
Based on the risk management process, what should the cybersecurity team do as the next step when a cybersecurity risk is identified?
Assess the risk
In which situation would a detective control be warranted?
when the organization needs to look for prohibited activity
Which risk mitigation strategies include outsourcing services and purchasing insurance?
transfer
In quantitative risk analysis, what term is used to represent the degree of destruction that would occur if an event took place?
exposure factor
Which two values are required to calculate annual loss expectancy?
annual rate of occurrence
single loss expectancy
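The annual loss expectancy calculation behind the quantitative risk analysis cards above, as an added worked example (not part of the original study set). It computes SLE = AV x EF and ALE = SLE x ARO for several threats, ranks them so resources go where they are most needed, and checks whether a safeguard pays for itself. The asset values, exposure factors, rates of occurrence and safeguard cost are constructed illustration figures.

```python
"""Quantitative risk analysis: SLE, ALE and safeguard cost-benefit.

Added worked example; not part of the original study set. Asset values,
exposure factors and annual rates of occurrence below are constructed
illustration figures, not data from any real assessment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    asset: str
    asset_value: float      # AV: valuation of the asset in currency units
    exposure_factor: float  # EF: fraction of the asset lost per event (0.0 - 1.0)
    aro: float              # ARO: expected number of events per year


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF: loss from one occurrence of the event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: expected loss per year from this threat."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def rank_threats(threats):
    """Return (asset, ALE) pairs sorted by ALE, highest first.

    This ordering is what lets an organization focus resources where
    they are most needed.
    """
    scored = [
        (t.asset, annual_loss_expectancy(
            single_loss_expectancy(t.asset_value, t.exposure_factor), t.aro))
        for t in threats
    ]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Cost-benefit of a control: ALE reduction minus the control's yearly cost.

    A positive result means the safeguard saves more than it costs.
    """
    return (ale_before - ale_after) - annual_cost


# Constructed sample threats against the database services in the question above.
SAMPLE_THREATS = [
    Threat("customer DB: ransomware", asset_value=500_000, exposure_factor=0.60, aro=0.5),
    Threat("customer DB: disk failure", asset_value=500_000, exposure_factor=0.10, aro=2.0),
    Threat("reporting DB: SQL injection", asset_value=120_000, exposure_factor=0.25, aro=1.0),
]

if __name__ == "__main__":
    for asset, ale in rank_threats(SAMPLE_THREATS):
        print(f"{asset:<30} ALE = {ale:>10,.0f}")
    # Does an offline backup costing 40,000 per year pay for itself against
    # the ransomware threat if it cuts the exposure factor from 0.60 to 0.10?
    before = annual_loss_expectancy(single_loss_expectancy(500_000, 0.60), 0.5)
    after = annual_loss_expectancy(single_loss_expectancy(500_000, 0.10), 0.5)
    print("safeguard value:", safeguard_value(before, after, 40_000))
```

With these figures the ransomware threat (ALE 150,000) outranks the more frequent but cheaper disk failure (ALE 100,000), and the backup control is worth 85,000 per year after its own cost; a negative result would argue for accepting or transferring the risk instead.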
What are the three impact metrics contained in the CVSS 3.0 Base Metric Group?
confidentiality
integrity
availability
ports used
a list of TCP or UDP processes that are available to accept data
critical asset address space
the IP addresses or the logical location of essential systems or data
session duration
the time between the establishment of a data flow and its termination
total throughput
the amount of data passing from a given source to a given destination in a given period of time
risk management
the comprehensive analysis of impacts of attacks on core company assets and functioning
configuration management
the inventory and control of hardware and software configurations of systems
asset management
the implementation of systems that track the location and configuration of networked devices and software across an enterprise
vulnerability management
the security practice designed to proactively prevent the exploitation of IT vulnerabilities that exist within an organization
Which type of data would be considered an example of volatile data?
memory registers
Keeping data backups offsite is an example of which type of disaster recovery control?
preventive
Which NIST-defined incident response stakeholder is responsible for coordinating incident response with other stakeholders and minimizing the damage of an incident?
management
What type of exercise interrupts services to verify that all aspects of a business continuity plan are able to respond to a certain type of incident?
Operational exercise
network path used to establish and maintain command and control
infrastructure
a tool or technique used to attack the victim
capability
the parties responsible for the intrusion
adversary
the target of the attack
victim
What is a chain of custody?
the documentation surrounding the preservation of evidence related to an incident
According to the Cyber Kill Chain model, after a weapon is delivered to a targeted system, what is the next step that a threat actor would take?
exploitation
In which step of the NIST incident response process does the CSIRT perform an analysis to determine which networks, systems, or applications are affected; who or what originated the incident; and how the incident is occurring?
scoping
Which task describes threat attribution?
determining who is responsible for the attack
reconnaissance
Step 1
weaponization
Step 2
delivery
Step 3
exploitation
Step 4
installation
Step 5
command and control
Step 6
action on objectives
Step 7
preserves attack evidence
IT support
Designs the budget
management
reviews policies for local or federal guideline violations
legal department
performs disciplinary measures
human resources
develops firewall rules
information assurance
A company is applying the NIST SP 800-61 r2 incident handling process to security events. What are two examples of incidents that are in the category of precursor?
- log entries that show a response to a port scan
- a newly discovered vulnerability in Apache web servers
What will a threat actor do to create a back door on a compromised target according to the Cyber Kill Chain model?
Add services and autorun keys.
What is the objective of the threat actor in establishing a two-way communication channel between the target system and a CnC infrastructure?
to allow the threat actor to issue commands to the software that is installed on the target
Which type of evidence supports an assertion based on previously obtained evidence?
corroborating evidence
What is specified in the plan element of the NIST incident response plan?
metrics for measuring the incident response capability and effectiveness
A cybersecurity analyst has been called to a crime scene that contains several technology items including a computer. Which technique will be used so that the information found on the computer can be used in court?
unaltered disk image
According to NIST, which step in the digital forensics process involves identifying potential sources of forensic data, its acquisition, handling, and storage?
collection
Which activity is typically performed by a threat actor in the installation phase of the Cyber Kill Chain?
Install a web shell on the target web server for persistent access.
Total throughput
the amount of data passing from a given source to a given destination in a given period of time
Session duration
time between the establishment of a data flow and its termination
Ports used
a list of TCP or UDP processes that are available to accept data
Critical asset address space
logical location of essential systems or data
Privileges required
Which CVSS metric captures the level of access that is required for a successful exploit of the vulnerability?
Attack complexity
Which CVSS metric expresses the number of components, software, hardware, or networks, that are beyond the attacker’s control and that must be present for a vulnerability to be successfully exploited?
Scope
Which CVSS metric expresses whether multiple authorities must be involved in an exploit?
Attack vector
Which CVSS metric reflects the proximity of the threat actor to the vulnerable component?
User interaction
Which CVSS metric expresses whether human action is required for the exploit to succeed?
Enterprise patch management
Which management activity is the most effective way to mitigate software vulnerabilities and is required by some security compliance regulations?
Configuration management
Which device management activity addresses the inventory and control of hardware and software configurations?
Asset management
Which device management activity involves the implementation of systems that track the location and configuration of networked devices and software across an enterprise?
Vulnerability management
Which device management activity is designed to proactively prevent the exploitation of IT vulnerabilities that exist within an organization?
Mobile device management
Which device management activity has measures that can disable a lost device, encrypt the data on the device, and enhance device access with more robust authentication measures?
service accounts
In profiling a server, what defines what an application is allowed to do or run on a server?
risk analysis
In network security assessments, which type of test is used to evaluate the risk posed by vulnerabilities to a specific organization including assessment of the likelihood of attacks and the impact of successful exploits on the organization?
session duration
When a network baseline is being established for an organization, which network profile element indicates the time between the establishment of a data flow and its termination?
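The network profile elements that recur on this page (ports used, session duration, total throughput, critical asset address space) are only useful once they are turned into a baseline that new traffic can be compared against. The following is an added example, not code from the original study set: it builds a profile from flow records and flags flows that deviate from it. The flow records, the address ranges and the record layout (src, dst, proto, dport, start, end, bytes) are constructed for illustration and are not a real NetFlow or IPFIX schema.

```python
"""Building a network profile from flow records and checking new flows against it.

Added worked example, not from the original study set. The flow records and
address ranges are constructed; the record layout (src, dst, proto, dport,
start_sec, end_sec, bytes) is an assumption, not a real NetFlow/IPFIX schema.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean

# Constructed baseline window: (src, dst, proto, dport, start_sec, end_sec, bytes)
BASELINE_FLOWS = [
    ("10.0.1.20", "10.0.2.5", "tcp", 443, 0, 30, 120_000),
    ("10.0.1.21", "10.0.2.5", "tcp", 443, 5, 40, 90_000),
    ("10.0.1.20", "10.0.2.6", "tcp", 3306, 10, 70, 400_000),
    ("10.0.1.22", "10.0.2.5", "udp", 53, 12, 13, 600),
]

# Constructed: critical asset address space taken from the asset inventory.
CRITICAL_ASSET_SPACE = [ip_network("10.0.2.0/24")]


def build_profile(flows):
    """Summarize flows into the profile elements named on this page."""
    ports = set()
    durations = []
    throughput = defaultdict(int)  # bytes per (src, dst) pair over the window
    for src, dst, proto, dport, start, end, nbytes in flows:
        ports.add((proto, dport))
        durations.append(end - start)
        throughput[(src, dst)] += nbytes
    starts = [f[4] for f in flows]
    ends = [f[5] for f in flows]
    window = max(ends) - min(starts) or 1  # seconds covered by the baseline
    return {
        "ports_used": ports,
        "mean_session_duration": mean(durations),
        "max_session_duration": max(durations),
        # total throughput per pair, in bits per second over the window
        "throughput_bps": {pair: b * 8 / window for pair, b in throughput.items()},
    }


def in_critical_space(addr, networks=CRITICAL_ASSET_SPACE):
    """True when addr falls inside the critical asset address space."""
    ip = ip_address(addr)
    return any(ip in net for net in networks)


def check_flows(flows, profile, duration_factor=3.0, critical=CRITICAL_ASSET_SPACE):
    """Flag flows that deviate from the baseline profile.

    Returns (reason, flow) pairs. A flow is flagged when it uses a port not in
    the baseline, when its session lasts more than duration_factor times the
    baseline maximum, or when a previously unseen (src, dst) pair reaches an
    address in the critical asset space.
    """
    findings = []
    for flow in flows:
        src, dst, proto, dport, start, end, _ = flow
        if (proto, dport) not in profile["ports_used"]:
            findings.append(("new port", flow))
        if end - start > duration_factor * profile["max_session_duration"]:
            findings.append(("long session", flow))
        if (src, dst) not in profile["throughput_bps"] and in_critical_space(dst, critical):
            findings.append(("new talker to critical asset", flow))
    return findings


# Constructed observation window to compare against the baseline.
NEW_FLOWS = [
    ("10.0.1.20", "10.0.2.5", "tcp", 443, 100, 120, 50_000),     # looks normal
    ("10.0.1.20", "10.0.2.6", "tcp", 3306, 100, 400, 8_000_000),  # 300 s session to the DB
    ("10.0.1.99", "10.0.2.6", "tcp", 4444, 150, 160, 2_000),      # new host, new port
]

if __name__ == "__main__":
    profile = build_profile(BASELINE_FLOWS)
    for reason, flow in check_flows(NEW_FLOWS, profile):
        print(f"{reason:<30} {flow}")
```

The duration threshold is a deliberately simple multiple of the baseline maximum; a production baseline would use a longer window and per-pair statistics, but the three checks map directly onto the profile elements the cards define.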
risk analysis
Which type of evaluation includes the assessment of the likelihood of an attack, the type of threat actor likely to perpetrate such an attack, and what the consequences could be to the organization if the exploit is successful?
user interaction
A cybersecurity analyst is performing a CVSS assessment on an attack where a web link was sent to several employees. Once clicked, an internal attack was launched. Which CVSS Base Metric Group Exploitability metric is used to document that the user had to click on the link in order for the attack to occur?
Impact
Which metric class in the CVSS Base Metric Group identifies the impacts on confidentiality, integrity, and availability?
the proximity of the threat actor to the vulnerability
Which metric in the CVSS Base Metric Group is used with an attack vector?
It is the identification of threats and vulnerabilities and the matching of threats with vulnerabilities.
Which statement describes the threat-vulnerability (T-V) pairing?
risk sharing
In addressing an identified risk, which strategy aims to shift some of the risk to other parties?
prioritize assets
Which step in the Vulnerability Management Life Cycle categorizes assets into groups or business units, and assigns a business value to asset groups based on their criticality to business operations?
developing a network baseline
What is an action that should be taken in the discovery step of the vulnerability management life cycle?
Frame the Risk
Assess the Risk
Respond to the Risk
Monitor the Risk
A few of the employees ask about why this is being done — they don’t understand what this has to do with them and their work. Can you highlight why risk management is so important by selecting the correct answers from this list?
- Risk can be internal, external or both, and its impact can ripple through the whole organization, also affecting other external entities.
- Risk management reduces the threat of damage to an acceptable level and implements controls to maintain that level of risk.
Preventive security controls
Stop unwanted and unauthorized activity from happening and/or apply restrictions to authorized users.
Deterrent controls
Aim to discourage something from happening. Cybersecurity professionals and organizations use deterrents to limit or mitigate an action or behavior, but deterrents cannot stop it completely.
Detective controls
Identify different types of unauthorized activity. Detective controls are not a preventive measure; they focus on discovering a security breach after it has occurred.