
Section 1: True or False Questions (20 pts. Total, 2 pts/question)

1. T/F. Secure Shell (SSH) is used as a more secure replacement for the legacy remote connection protocol Telnet and is used through programs such as PuTTY to remotely administer computers running various operating systems.

2. T/F. The Windows Firewall by default logs all in-bound and out-bound traffic requests.

3. T/F. PsExec is the most secure way of remoting into Windows systems and, as a result, it is used most often by system administrators.

4. T/F. Attackers use zero day exploits more frequently than publicly known n-day exploits and, as a result, are more successful in their operations.

5. T/F. Enterprises and individual users who applied vendor-issued security protection patches would have been immune to the May 2017 WannaCry ransomware attack.

6. T/F. In most organizations, the Chief Information Security Officer (CISO) is the position responsible for all cyber security at a company.

7. T/F. Under discretionary access control, a third-party security administrator determines what users have access to certain network and system resources.

8. T/F. When establishing firewall rules, the most prudent configuration is to implicitly deny by blocking all traffic by default then rely on business need and justification to create new rules as exceptions.

9. T/F. By default, all virtual private network (VPN) software employs encryption.

10. T/F. The security of public key cryptography is predicated on the ability to securely exchange a shared key in an out-of-band channel.

Section 2: Fill in the Blank and Multiple Choice Questions (20 pts. Total, 2 pts/question)

Note: Some multiple choice questions may have more than 1 correct answer. Partial credit will be given for identifying one of potentially many correct answers.

11. In Linux, the __________ command allows us to query a file or output from another command for words, phrases, or other strings that match a specific pattern.

12. What is the symbolic representation for a directory with permissions 641? _______________

13. The ___________ command on Windows will display a listing of all open network connections on a computer and, with additional parameters, will also provide the corresponding process number that is instantiating the connection.

14. A ____________ is the term used to describe the combination of an IP address concatenated with its corresponding port number.

15. __________________ is the name for an attack where the attacker modifies entries in the Windows hosts file to redirect web traffic from certain addresses to one that the attacker controls.

16. During a log review, you discover a series of logs that shows the following multiple failed login attempts:

Jan 31 11:39:20 ip-10.0.0.2 sshd[10102]: Invalid user admin from remotehost passwd=orange
Jan 31 11:39:20 ip-10.0.0.2 sshd[10108]: Invalid user admin from remotehost passwd=orangf
Jan 31 11:39:20 ip-10.0.0.2 sshd[10114]: Invalid user admin from remotehost passwd=orangg
Jan 31 11:39:20 ip-10.0.0.2 sshd[10118]: Invalid user admin from remotehost passwd=orangh
Jan 31 11:39:20 ip-10.0.0.2 sshd[10120]: Invalid user admin from remotehost passwd=orangi

What type(s) of attack have you discovered?

  1. A brute force attack
  2. A rainbow table attack
  3. A man-in-the-middle attack
  4. A dictionary attack

17. The term Advanced Persistent Threat (APT) describes which of the following:

  1. Sophisticated cyber criminal activity
  2. Unleashing ransomware on private businesses, usually on competitors' networks
  3. Espionage from State-sponsored actors
  4. Cyber activity that occurs only on the dark net

18. You are working on a Linux system and receive an access denied error when attempting to open a file you just created. Which command would you use to change the file's attributes to allow you to open it?

  1. pwd
  2. sudo
  3. icacls
  4. chmod

19. Which of the following represent approaches that enterprises can use to prioritize which cyber security threats to address given limited resources?

a. Quantitative Risk Assessment
b. Monte Carlo Simulations
c. Patch and Pray
d. Qualitative Risk Assessment

20. Use the following output from an ipconfig /all to answer the question below.

Windows IP Configuration

Host Name . . . . . . . . . . . . : Shinigami-PC

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Hybrid

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : fios-router.home

Ethernet adapter Npcap Loopback Adapter:

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Npcap Loopback Adapter

Physical Address. . . . . . . . . : 02-00-4C-4F-4F-50

DHCP Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

Link-local IPv6 Address . . . . . : fe80::9c3b:8934:f5d7:124e%35(Preferred)

Autoconfiguration IPv4 Address. . : 169.254.18.78(Preferred)

Subnet Mask . . . . . . . . . . . : 255.255.0.0

Default Gateway . . . . . . . . . :

DHCPv6 IAID . . . . . . . . . . . : 771883084

DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-CD-C6-A9-00-22-B0-E8-6C-56

DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                    fec0:0:0:ffff::2%1
                                    fec0:0:0:ffff::3%1

NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Bluetooth Network Connection:

Media State . . . . . . . . . . . : Media disconnected

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)

Physical Address. . . . . . . . . : 68-17-29-8E-81-D5

DHCP Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection 9:

Connection-specific DNS Suffix . : fios-router.home

Description . . . . . . . . . . . : Intel(R) Centrino(R) Wireless-N 2230

Physical Address. . . . . . . . . : 68-17-29-8E-81-D1

DHCP Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

Link-local IPv6 Address . . . . . : fe80::e5cf:9935:4b41:f%30(Preferred)

IPv4 Address. . . . . . . . . . . : 192.168.1.160(Preferred)

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Lease Obtained. . . . . . . . . . : Saturday, October 13, 2018 4:59:46 AM

Lease Expires . . . . . . . . . . : Sunday, October 14, 2018 5:11:36 PM

Default Gateway . . . . . . . . . : 192.168.1.1

DHCP Server . . . . . . . . . . . : 192.168.1.1

DHCPv6 IAID . . . . . . . . . . . : 828905257

DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-CD-C6-A9-00-22-B0-E8-6C-56

DNS Servers . . . . . . . . . . . : 192.168.1.1

NetBIOS over Tcpip. . . . . . . . : Enabled

Which of the following would we expect to see if we refined the query by running ipconfig /all | findstr "IP"?

a.

02-00-4C-4F-4F-50

68-17-29-8E-81-D5

68-17-29-8E-81-D1

b.

fe80::9c3b:8934:f5d7:124e%35(Preferred)

169.254.18.78(Preferred)

fe80::e5cf:9935:4b41:f%30(Preferred)

192.168.1.160(Preferred)

c.

Media disconnected

Media disconnected

Media disconnected

d.

fios-router.home

fec0:0:0:ffff::1%1

192.168.1.1

Section 3: Short Answer Questions (60 pts. Total, 10 pts/question)

Pick 6 out of the 7 questions to answer

21. What is the purpose of a Domain Controller in an enterprise environment and why would an attacker want to compromise a Domain Controller? What is the name of the file and its location that stores the user credentials and associations? What ways could an attacker acquire the file or its content and what dependencies, tools, and techniques would be required?

22. What is Kerberos, how does it work, which information security services does it provide, and are there any limitations/security considerations to consider with Kerberos tickets? What are some vulnerabilities with Kerberos that an attacker could exploit, i.e., what types of attacks exist against Kerberos, how do they work, and what do they provide an attacker?

23. Explain how a user's password is stored on a local Windows system, how it is stored on a domain, and then the process used by each of these to authenticate a user when they attempt to log in.

24. Explain the role of Group Policy, how it works, what purpose it serves in an enterprise environment, and why we would want to use it.

25. Explain the purpose of Active Directory (AD), the name of the server Active Directory resides on, its naming schema and organizational structure, how it is implemented by organizations, and the relationship between AD and LDAP.

26. Explain what a hash value is, how it is used in information security with at least three examples, and why it is considered to be highly unique.

27. What is an indicator of compromise (IOC)? Provide at least four examples of different kinds of actionable indicators of compromise and explain how they are implemented by enterprise cyber security teams. Note: Much like in the discussion board posting, I am not looking for behavioral indicators.
