Cyber Threat Management (CyberTM) Course Final Exam Answers

1. What are three disclosure exemptions that pertain to the FOIA? (Choose three.)

  • law enforcement records that implicate one of a set of enumerated concerns
  • information specifically non-exempt by statute
  • confidential business information
  • non-geological information regarding wells
  • national security and foreign policy information
  • public information from financial institutions

Explanation: The nine Freedom of Information Act (FOIA) exemptions include the following:

1. National security and foreign policy information

2. Internal personnel rules and practices of an agency

3. Information specifically exempted by statute

4. Confidential business information

5. Inter- or intra-agency communication subject to deliberative process, litigation, and other privileges

6. Information that, if disclosed, would constitute a clearly unwarranted invasion of personal privacy

7. Law enforcement records that implicate one of a set of enumerated concerns

8. Agency information from financial institutions

9. Geological and geophysical information concerning wells

2. A company is developing security policies. Which security policy would address the rules that determine access to and use of network resources and define the consequences of policy violations?

  • data policy
  • remote access policy
  • acceptable use policy
  • password policy

Explanation: An organization needs to establish clear and detailed security policies. Some of these policies are:
Password policy – Defines minimum password requirements, such as the number and type of characters used and how often they need to be changed.
Acceptable use policy – Highlights a set of rules that determine access to and use of network resources. It may also define the consequences of policy violations.
Remote access policy – Sets out how to remotely connect to the internal network of an organization and explains what information is remotely accessible.
Data policy – Sets out measurable rules for processing data within an organization, such as specifying where data is stored, how data is classified, and how data is handled and disposed of.

3. Which framework should be recommended for establishing a comprehensive information security management system in an organization?

  • ISO/IEC 27000
  • ISO OSI model
  • CIA Triad
  • NIST/NICE framework

Explanation: A cybersecurity specialist needs to be familiar with the different frameworks and models for managing information security.

4. If a person knowingly accesses a government computer without permission, what federal act laws would the person be subject to?

  • SOX
  • ECPA
  • GLBA
  • CFAA

Explanation: The Computer Fraud and Abuse Act (CFAA) provides the foundation for US laws criminalizing unauthorized access to computer systems.

5. Match the roles in the data governance program to the description.

Cyber Threat Management (CyberTM) Course Final Exam 5

Explanation: Place the options in the following order:

a person who oversees the data protection strategy of an organization – Data protection officer
a person or organization who processes personal data on behalf of the data controller – Data processor
a person who determines the purposes for which, and the way in which, personal data is processed – Data controller
a person who ensures that data supports the business needs of an organization and meets regulatory requirements – Data steward
a person who ensures compliance with policies and procedures, assigns the proper classification to information assets, and determines the criteria for accessing information assets – Data owner
a person who implements the classification and security controls for the data in accordance with the rules set out by the data owner – Data custodian

6. What type of security test uses simulated attacks to determine possible consequences of a real threat?

  • penetration testing
  • integrity checking
  • network scanning
  • vulnerability scanning

Explanation: There are many security tests that can be used to assess a network. Penetration testing is used to determine the possible consequences of successful attacks on the network. Integrity checking is used to detect and report changes made to systems. Vulnerability scanning is used to find weaknesses and misconfigurations on network systems. Network scanning is used to discover available resources on the network.

7. What are two tasks that can be accomplished with the Nmap and Zenmap network tools? (Choose two.)

  • Identification of Layer 3 protocol support on hosts
  • Password recovery
  • TCP and UDP port scanning
  • Validation of IT system configuration
  • Password auditing

Explanation: Nmap is a publicly available low-level network scanner that can perform port scanning to identify open TCP and UDP ports and can perform system identification. It can also be used to identify the Layer 3 protocols that a host supports.

8. Which network security tool can detect open TCP and UDP ports on most versions of Microsoft Windows?

  • L0phtcrack
  • Zenmap
  • SuperScan
  • Nmap

Explanation: There are various network security tools available for network security testing and evaluation. L0phtcrack can be used to perform password auditing and recovery. SuperScan is port scanning software for Microsoft Windows that detects open TCP and UDP ports on systems. Nmap and Zenmap are low-level network scanners available to the public.

9. Match the network security testing tool with the correct function. (Not all options are used.)

Cyber Threat Management (CyberTM) Course Final Exam 9

Explanation: Place the options in the following order:

used to assess if network devices are compliant with network security policies – Tripwire
used to scan systems for software vulnerabilities – Nessus
used for Layer 3 port scanning – Nmap

10. Match the command line tool with its description.

Cyber Threat Management (CyberTM) Course Final Exam 10

Explanation: Place the options in the following order:

Displays TCP/IP settings (IP address, subnet mask, default gateway, DNS, and MAC information). – ipconfig
Gathers information from TCP and UDP network connections and can be used for port scanning, monitoring, banner grabbing, and file copying. – netcat
Assembles and analyzes packets for port scanning, path discovery, OS fingerprinting, and firewall testing. – hping
Queries a DNS server to help troubleshoot a DNS database. – nslookup

11. What three services are offered by FireEye? (Choose three.)

  • deploys incident detection rule sets to network security tools
  • creates firewall rules dynamically
  • identifies and stops email threat vectors
  • identifies and stops latent malware on files
  • subjects all traffic to deep packet inspection analysis
  • blocks attacks across the web

Explanation: FireEye is a security company that uses a three-pronged approach combining security intelligence, security expertise, and technology. FireEye offers SIEM and SOAR with the Helix Security Platform, which uses behavioral analysis and advanced threat detection.

12. What is a characteristic of CybOX?

  • It is the specification for an application layer protocol that allows the communication of CTI over HTTPS.
  • It enables the real-time exchange of cyberthreat indicators between the U.S. Federal Government and the private sector.
  • It is a set of standardized schemata for specifying, capturing, characterizing, and communicating events and properties of network operations.
  • It is a set of specifications for exchanging cyberthreat information between organizations.

Explanation: CybOX is an open standards set of standardized schemata for specifying, capturing, characterizing, and communicating events and properties of network operations that support many cybersecurity functions.

13. What three security tools does Cisco Talos maintain security incident detection rule sets for? (Choose three.)

  • ClamAV
  • Snort
  • Socat
  • NetStumbler
  • SpamCop

Explanation: Talos maintains the security incident detection rule sets for the Snort.org, ClamAV, and SpamCop network security tools.

14. Which security organization maintains a list of common vulnerabilities and exposures (CVE) and is used by prominent security organizations?

  • CIS
  • SecurityNewsWire
  • MITRE
  • SANDS

Explanation: The MITRE Corporation maintains a list of common vulnerabilities and exposures (CVE) used by prominent security organizations.

15. As a Cybersecurity Analyst, it is very important to keep current. It was suggested by some colleagues that NewsBites contains many good current articles to read. What network security organization maintains this weekly digest?

  • MITRE
  • CIS
  • SANDS
  • (ISC)2

Explanation: The SysAdmin, Audit, Network, Security (SANS) Institute has many resources. One of them is called NewsBites, the weekly digest of news articles about computer security.

16. A network administrator is creating a network profile to generate a network baseline. What is included in the critical asset address space element?

  • the IP addresses or the logical location of essential systems or data
  • the time between the establishment of a data flow and its termination
  • the TCP and UDP daemons and ports that are allowed to be open on the server
  • the list of TCP or UDP processes that are available to accept data

Explanation: A network profile should include some important elements, such as the following:
Total throughput – the amount of data passing from a given source to a given destination in a given period of time
Session duration – the time between the establishment of a data flow and its termination
Ports used – a list of TCP or UDP processes that are available to accept data
Critical asset address space – the IP addresses or the logical location of essential systems or data

17. When a server profile for an organization is being established, which element describes the TCP and UDP daemons and ports that are allowed to be open on the server?

  • service accounts
  • listening ports
  • software environment
  • critical asset address space

Explanation: A server profile will often contain the following:
* Listening ports – the TCP and UDP daemons and ports that are allowed to be open on the server
* User accounts – the parameters defining user access and behavior
* Service accounts – the definitions of the type of service that an application is allowed to run on a server
* Software environment – the tasks, processes, and applications that are permitted to run on the server

18. The IT security personnel of an organization notice that the web server deployed in the DMZ is frequently targeted by threat actors. The decision is made to implement a patch management system to manage the server. Which risk management strategy method is being used to respond to the identified risk?

  • risk retention
  • risk sharing
  • risk reduction
  • risk avoidance

Explanation: There are four potential strategies for responding to risks that have been identified:
* Risk avoidance – Stop performing the activities that create risk.
* Risk reduction – Decrease the risk by taking measures to reduce vulnerability.
* Risk sharing – Shift some of the risk to other parties.
* Risk retention – Accept the risk and its consequences.

19. Which class of metric in the CVSS Base Metric Group defines the features of the exploit such as the vector, complexity, and user interaction required by the exploit?

  • Exploitability
  • Exploit Code Maturity
  • Impact
  • Modified Base

Explanation: The Base Metric Group of CVSS represents the characteristics of a vulnerability that are constant over time and across contexts. It contains two classes of metrics:
* Exploitability metrics – features of the exploit such as the vector, complexity, and user interaction required by the exploit
* Impact metrics – the impacts of the exploit rooted in the CIA triad of confidentiality, integrity, and availability

20. In what order are the steps in the vulnerability management life cycle conducted?

  • discover, prioritize assets, assess, remediate, report, verify
  • discover, prioritize assets, assess, remediate, verify, report
  • discover, assess, prioritize assets, report, remediate, verify
  • discover, prioritize assets, assess, report, remediate, verify

Explanation: There are six steps in the vulnerability management life cycle:
– Discover
– Prioritize assets
– Assess
– Report
– Remediate
– Verify

21. An organization has implemented antivirus software. What type of security control did the company implement?

  • detective control
  • compensative control
  • deterrent control
  • recovery control

Explanation: A cybersecurity specialist must be aware of the technologies and measures that are used as countermeasures to protect the organization from threats and vulnerabilities.

22. What is the first step taken in risk assessment?

  • Identify threats and vulnerabilities and the matching of threats with vulnerabilities.
  • Compare to any ongoing risk assessment as a means of evaluating risk management effectiveness.
  • Establish a baseline to indicate risk before security controls are implemented.
  • Perform audits to verify threats are eliminated.

Explanation: The three steps of risk assessment in order are as follows:

– Identify threats and vulnerabilities and the matching of threats with vulnerabilities.
– Establish a baseline to indicate risk before security controls are implemented.
– Compare to an ongoing risk assessment as a means of evaluating risk management effectiveness.

23. Match the stages in the risk management process to the description.

Explanation: Place the options in the following order:

Develop an action plan to reduce overall organization risk exposure. Management should rank and prioritize threats and a team determines how to respond to each threat. – Respond to the risk.
Once a risk has been identified, it is assessed and analyzed to determine the severity that the threat poses. – Assess the risk.
Continuously review risk reductions due to elimination, mitigation and transfer actions. – Monitor the risk.
Identify the threats throughout the organization that increase risk. – Frame the risk.

24. Your risk manager just distributed a chart that uses three colors to identify the level of threat to key assets in the information security systems. Red represents high level of risk, yellow represents average level of threat and green represents low level of threat. What type of risk analysis does this chart represent?

  • qualitative analysis
  • quantitative analysis
  • loss analysis
  • exposure factor analysis

Explanation: A qualitative or quantitative risk analysis is used to identify and prioritize threats to the organization.

25. A company manages sensitive customer data for multiple clients. The current authentication mechanism to access the database is username and passphrase. The company is reviewing the risk of employee credential compromise that may lead to a data breach and decides to take action to mitigate the risk before further actions can be taken to eliminate the risk. Which action should the company take for now?

  • Install fingerprint or retinal scanners.
  • Implement multi-factor authentication.
  • Purchase an insurance policy.
  • Enhance data encryption with an advanced algorithm.

Explanation: Risk management is the identification, evaluation, and prioritization of risks. Organizations manage risk in one of four ways: avoidance, mitigation, transfer, or acceptance. In this scenario, implementing multi-factor authentication reduces the risk of employee credential compromise, which is a mitigation action. Installing fingerprint or retinal scanners eliminates the risk, which is avoidance. Purchasing an insurance policy transfers the financial risk to the insurance company.

26. Match the security incident stakeholder with the role.

Cyber Threat Management (CyberTM) Course Final Exam 26

Explanation: Place the options in the following order:

performs disciplinary measures – human resources
changes firewall rules – information assurance
preserves attack evidence – IT support
designs the budget – management
reviews policies for local or federal guideline violations – legal department

27. Why would threat actors prefer to use a zero-day attack in the Cyber Kill Chain weaponization phase?

  • to launch a DoS attack toward the target
  • to get a free malware package
  • to avoid detection by the target
  • to gain faster delivery of the attack on the target

Explanation: When a threat actor prepares a weapon for an attack, the threat actor chooses an automated tool (weaponizer) that can be deployed through discovered vulnerabilities. Malware that will carry desired attacks is then built into the tool as the payload. The weapon (tool plus malware payload) will be delivered to the target system. By using a zero-day weaponizer, the threat actor hopes that the weapon will not be detected because it is unknown to security professionals and detection methods are not yet developed.

28. A threat actor has identified the potential vulnerability of the web server of an organization and is building an attack. What will the threat actor possibly do to build an attack weapon?

  • Create a point of persistence by adding services.
  • Install a webshell on the web server for persistent access.
  • Obtain an automated tool in order to deliver the malware payload through the vulnerability.
  • Collect credentials of the web server developers and administrators.

Explanation: One tactic of weaponization used by a threat actor after the vulnerability is identified is to obtain an automated tool to deliver the malware payload through the vulnerability.

29. According to NIST standards, which incident response stakeholder is responsible for coordinating an incident response with other stakeholders to minimize the damage of an incident?

  • IT support
  • human resources
  • legal department
  • management

Explanation: The management team creates the policies, designs the budget, and is in charge of staffing all departments. Management is also responsible for coordinating the incident response with other stakeholders and minimizing the damage of an incident.

30. Which meta-feature element in the Diamond Model describes information gained by the adversary?

  • resources
  • results
  • direction
  • methodology

Explanation: The meta-feature element results are used to delineate what the adversary gained from the intrusion event.
