Cyber Threat Management (CyberTM) Course Final Exam Answers

Explanation: The nine Freedom of Information Act (FOIA) exemptions include the following:

1. National security and foreign policy information

2. Internal personnel rules and practices of an agency

3. Information specifically exempted by statute

4. Confidential business information

5. Inter- or intra-agency communication subject to deliberative process, litigation, and other privileges

6. Information that, if disclosed, would constitute a clearly unwarranted invasion of personal privacy

7. Law enforcement records that implicate one of a set of enumerated concerns

8. Agency information from financial institutions

9. Geological and geophysical information concerning wells

Explanation: An organization needs to establish clear and detailed security policies. Some of these policies are:
Password policy- Defines minimum password requirements, such as the number and type of characters used and how often they need to be changed.
Acceptable use policy- Highlights a set of rules that determine access to and use of network resources. It may also define the consequences of policy violations.
Remote access policy- Sets out how to remotely connect to the internal network of an organization and explains what information is remotely accessible.
Data policy- Sets out measurable rules for processing data within an organization, such as specifying where data is stored, how data is classified, and how data is handled and disposed of.

Explanation: A cybersecurity specialist needs to be familiar with the different frameworks and models for managing information security.

Explanation: The Computer Fraud and Abuse Act (CFAA) provides the foundation for US laws criminalizing unauthorized access to computer systems.

Explanation: Place the options in the following order:

Explanation: There are many security tests that can be used to assess a network. Penetration testing is used to determine the possible consequences of successful attacks on the network. Integrity checking is used to detect and report changes made to systems. Vulnerability scanning is used to find weaknesses and misconfigurations on network systems. Network scanning is used to discover available resources on the network.

Explanation: Nmap is a low-level network scanner that is available to the public and which has the ability to perform port scanning, to identify open TCP and UDP ports, and perform system identification. It can also be used to identify Layer 3 protocols that are running on a system.

Explanation: There are various network security tools available for network security testing and evaluation. L0phtcrack can be used to perform password auditing and recovery. SuperScan is a Microsoft port scanning software that detects open TCP and UDP ports on systems. Nmap and Zenmap are low-level network scanners available to the public.

Explanation: Place the options in the following order:

Explanation: Place the options in the following order:

Explanation: FireEye is a security company that uses a three-pronged approach combining security intelligence, security expertise, and technology. FireEye offers SIEM and SOAR with the Helix Security Platform, which use behavioral analysis and advanced threat detection.

Explanation: CybOX is an open standards set of standardized schemata for specifying, capturing, characterizing, and communicating events and properties of network operations that support many cybersecurity functions.

Explanation: Talos maintains the security incident detection rule sets for the Snort.org, ClamAV, and SpamCop network security tools.

Explanation: The MITRE Corporation maintains a list of common vulnerabilities and exposures (CVE) used by prominent security organizations.

Explanation: The SysAdmin, Audit, Network, Security (SANS) Institute has many resources. One of them is called NewsBites, the weekly digest of news articles about computer security.

Explanation: A network profile should include some important elements, such as the following:
Total throughput – the amount of data passing from a given source to a given destination in a given period of time
Session duratio n – the time between the establishment of a data flow and its termination
Ports used – a list of TCP or UDP processes that are available to accept data
Critical asset address space – the IP addresses or the logical location of essential systems or data

Explanation: A server profile will often contain the following:
* Listening ports – the TCP and UDP daemons and ports that are allowed to be open on the server
* User accounts – the parameters defining user access and behavior
* Service accounts – the definitions of the type of service that an application is allowed to run on a server
* Software environment – the tasks, processes, and applications that are permitted to run on the server

Explanation: There are four potential strategies for responding to risks that have been identified:
* Risk avoidance – Stop performing the activities that create risk.
* Risk reduction – Decrease the risk by taking measures to reduce vulnerability.
* Risk sharing – Shift some of the risk to other parties.
* Risk retention – Accept the risk and its consequences.

Explanation: The Base Metric Group of CVSS represents the characteristics of a vulnerability that are constant over time and across contexts. It contains two classes of metrics:
* Exploitability metrics – features of the exploit such as the vector, complexity, and user interaction required by the exploit
* Impact metrics – the impacts of the exploit rooted in the CIA triad of confidentiality, integrity, and availability

Explanation: There are six steps in the vulnerability management life cycle:
– Discover
– Prioritize assets
– Assess
– Report
– Remediate
– Verify

Explanation: A cybersecurity specialist must be aware of the technologies and measures that are used as countermeasures to protect the organization from threats and vulnerabilities.

Explanation: The three steps of risk assessment in order are as follows:

– Identify threats and vulnerabilities and the matching of threats with vulnerabilities.
– Establish a baseline to indicate risk before security controls are implemented.
– Compare to an ongoing risk assessment as a means of evaluating risk management effectiveness.

Explanation: Place the options in the following order:

Explanation: A qualitative or quantitative risk analysis is used to identify and prioritize threats to the organization.

Explanation: Risk management is the identification, evaluation, and prioritization of risks. Organizations manage risk in one of four ways, avoidance, mitigation, transfer, or accept. In this scenario, implementing multi-factor authentication can reduce the risk of employee credential compromise, which is a mitigation action. Installing fingerprint or retinal scanners eliminates the risk, which is avoidance. Purchasing an insurance policy is transferring the financial risk to the insurance company.

Explanation: Place the options in the following order:

Explanation: When a threat actor prepares a weapon for an attack, the threat actor chooses an automated tool (weaponizer) that can be deployed through discovered vulnerabilities. Malware that will carry desired attacks is then built into the tool as the payload. The weapon (tool plus malware payload) will be delivered to the target system. By using a zero-day weaponizer, the threat actor hopes that the weapon will not be detected because it is unknown to security professionals and detection methods are not yet developed.

Explanation: One tactic of weaponization used by a threat actor after the vulnerability is identified is to obtain an automated tool to deliver the malware payload through the vulnerability.

Explanation: The management team creates the policies, designs the budget, and is in charge of staffing all departments. Management is also responsible for coordinating the incident response with other stakeholders and minimizing the damage of an incident.

Explanation: The meta-feature element results are used to delineate what the adversary gained from the intrusion event.

Explanation: Preventive security controls prevent unwanted or unauthorized activities from occurring and/or apply restrictions to authorized users.

Explanation: The steps in the Vulnerability Management Life Cycle include these:

• Discover – inventory all assets across the network and identify host details, including operating systems and open services to identify vulnerabilities
• Prioritize assets – categorize assets into groups or business units, and assign a business value to asset groups based on their criticality to business operations
• Assess – determine a baseline risk profile to eliminate risks based on asset criticality, vulnerability threats, and asset classification
• Report – measure the level of business risk associated with your assets according to your security policies. Document a security plan, monitor suspicious activity, and describe known vulnerabilities
• Remediate – prioritize according to business risk and fix vulnerabilities in order of risk
• Verify – verify that threats have been eliminated through follow-up audits

Explanation: The Base Metric Group of CVSS represents the characteristics of a vulnerability that are constant over time and across contexts. It contains two classes of metrics, Exploitability and Impact.

Explanation: Indirect evidence cannot prove a fact on its own, but direct evidence can. Corroborative evidence is supporting information. Best evidence is most reliable because it is something concrete such as a signed contract.

Explanation: The security policy of an organization accomplishes several tasks:

• It demonstrates the commitment to security by an organization.
• It sets the rules for expected behavior.
• It ensures consistency in system operations, and software and hardware acquisition use and maintenance.
• It defines the legal consequences of violations.
• It gives security staff the backing of management.

Explanation: A chain of custody refers to the proper accounting of evidence collected about an incident that is used as part of an investigation. The chain of custody should include the location of all evidence, the identifying information of all evidence such as serial numbers and hostnames, identifying information about all persons handing the evidence, and the time and date that the evidence was collected.

Explanation: Methodology – This is used to classify the general type of event, such as port scan, phishing, content delivery attack, syn flood, etc.

Explanation: Business continuity controls are more than just backing up data and providing redundant hardware. Creating a business continuity plan starts with carrying out a business impact analysis (BIA) to identify critical business processes, resources, and relationships between systems. The BIA focuses on the consequences of the interruption to critical business functions and examines the key considerations listed here: RTOs, RPOs, MTTR, and MTBF. The National Institute of Standards and Technology (NIST) developed best practices in relation to business continuity.

Explanation: Detective measures include controls that discover unwanted events. These measures uncover new potential threats.