Appendix C
Answers to Lab Exercises
Chapter 1: Today's Cybersecurity Analyst
Solution to Activity 1.4: Recognize Security Tools
| Firewall | Filters network connections based on source, destination, and port |
| Decompiler | Attempts to recover source code from binary code |
| Antivirus | Scans a system for malicious software |
| NAC | Determines what clients may access a wired or wireless network |
| GPO | Deploys configuration settings to multiple Windows systems |
| Hash | Creates a unique fingerprint of a file |
| Honeypot | System intentionally created to appear vulnerable |
| WAF | Protects against SQL injection attacks |
Chapter 2: Using Threat Intelligence
Solution to Activity 2.3: Intelligence Gathering Techniques
| Requirements gathering | Assess missing controls from a recent breach |
| Threat data collection | Download data via STIX |
| Threat data analysis | Convert manually gathered threat data to STIX format |
| Threat intelligence dissemination | Provide information about a threat to an IPS administrator |
| Gathering feedback | Update requirements for your intelligence gathering program |
Chapter 3: Reconnaissance and Intelligence Gathering
Solution to Activity 3.3: Intelligence Gathering Tools
| Route to a system | traceroute |
| Open services via a network | Nmap |
| IP traffic flow and volume | netflow |
| Organizational contact information associated with domain registration | Whois |
| Connections listed by protocol | netstat |
| Zone transfer | Dig |
| Packet capture | Wireshark |
| Social media geotagging | Creepy |
Chapter 5: Analyzing Vulnerability Scans
Solution to Activity 5.2: Analyze a CVSS Vector
The CVSS vector for the IKE vulnerability shown in Figure 5.23 is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. Breaking this down piece by piece gives us the following:
- AV:N indicates that an attacker may exploit the vulnerability remotely over a network. This is the most serious value for this metric.
- AC:L indicates that exploiting the vulnerability does not require any specialized conditions. This is the most serious value for this metric.
- PR:N indicates that attackers do not need any authenticated privileges. This is the most serious value for this metric.
- UI:N indicates that no user interaction is necessary to exploit the vulnerability.
- S:U indicates that the access gained by exploiting this vulnerability is limited to the scope of control of the compromised component.
- C:L indicates that a successful exploitation of this vulnerability would yield partial access to information. This is the middle value for this metric.
- I:N indicates that a successful exploitation of this vulnerability would not allow the unauthorized modification of information. This is the least serious value for this metric.
- A:N indicates that a successful exploitation of this vulnerability would have no availability impact. This is the least serious value for this metric.
Based on this CVSS analysis, the first vulnerability in Figure 5.22 is more serious. They have identical CVSS vectors except for the integrity metric, which is higher for the SSL vulnerability.
Chapter 7: Infrastructure Security and Controls
Solution to Activity 7.3: Security Architecture Terminology
| Air gap | A physical separation between devices or networks to prevent access. |
| Containerization | A technology that bundles together an application and the files, libraries, and other dependencies it needs to run, allowing the application to be deployed to multiple platforms or systems. |
| VPC | A logically isolated segment of a cloud that provides you with control of your own environment. |
| Cloud access security broker | Software or service that enforces security for cloud applications. |
| Blacklisting | An access control mechanism that permits all things to pass through except those that are specifically blocked. |
| Asset tagging | Labeling or otherwise identifying systems, devices, or other items. |
| NAC | A system that validates systems and sometimes users before they connect to a network. |
| Data loss prevention | A system that scans outbound traffic and prevents it from being transmitted if it contains specific content types. |
Chapter 8: Identity and Access Management Security
Solution to Activity 8.1: Federated Security Scenario
Part 1: You should identify two major problems: use of HTTP, rather than HTTPS, and the development team's creation of their own OAuth libraries.
Part 2: Answers may vary but should include detail similar to:
- What recommendations and advice would you provide to the implementation team?
The implementation team should use open source or Facebook-provided libraries and code and should follow recommended best practices for implementation. Secure connections should be required for all authentication and authorization traffic.
A strong answer might also reference the OWASP Facebook development guide at
www.owasp.org/index.php/Facebook. - What should Example Corp.'s incident response plan include to handle issues involving Facebook Login?
Responses will vary but should take into account the fact that Example Corp. will now be relying on a third party and will need to know how to contact Facebook, what they will do if Facebook is compromised, and how individual account issues will be handled.
- Does using Facebook Login create more or less risk for Example Corp.? Why?
Responses will vary but should take into account use of a third-party authentication service and lack of control of accounts versus the utility of a third-party service provider.
Solution to Activity 8.2: On-site Identity Issues Scenario
Part 1: You should suggest solutions involving local authentication with appropriate monitoring, logging, and management to ensure that local accounts are secure.
Part 2: You should suggest a central identity and access management system to centrally manage credentials and rights, and administrative policies and controls that ensure that roles and rights are updated when users change positions or roles.
Part 3: Answers are left to your own analysis of your work.
Solution to Activity 8.3: Identity and Access Management Terminology
| TACACS+ | A Cisco-designed authentication protocol. |
| Identity | The set of claims made about an account holder. |
| ADFS | Microsoft's identity federation service. |
| Privilege creep | This issue occurs when accounts gain more rights over time due to role changes. |
| Directory service | LDAP is deployed in this role. |
| OAuth 2.0 | An open standard for authorization used for websites and applications. |
| SAML | An XML-based protocol used to exchange authentication and authorization data. |
| RADIUS | A common AAA system for network devices. |
| Privilege management | The practice of managing and controlling identities and rights. |
| Multifactor authentication (MFA) | The combination of multiple means of proving an identity to authenticate. |
| Single sign-on (SSO) | A technical system that allows access to many different systems or services with a single authentication event. |
| Federation | The linking of an individual's identity across multiple identity management systems. |
| Role-based | An access control scheme based on an individual's job duties or other position in an organization. |
| Attribute-based | Access control based on elements like things that describe the user (role, title), what action is being attempted, or other similar data |
| Mandatory | An access control scheme where the operating system constrains the ability of the user or subject to take action. |
| Manual review | Checking rights without an automated system. |
Chapter 9: Software and Hardware Development Security
Solution to Activity 9.3: Security Tools
| Subversion | A source control management tool |
| Agile | An SDLC model that relies on sprints to accomplish tasks based on user stories |
| Dynamic code analysis | A code analysis that is done using a running application |
| Fuzzing | A code analysis done using a running application that relies on sending unexpected data to see if the application fails |
| Fagan inspection | A formal code review process that relies on specified entry and exit criteria for each phase |
| Over-the-shoulder | A code review process that requires one developer to explain their code to another developer |
| Waterfall | The first SDLC model, replaced in many organizations but still used for very complex systems |
| Backlog | An Agile term that describes the list of features needed to complete a project |
Chapter 10: Security Operations and Monitoring
Solution to Activity 10.3: Security Architecture Terminology
| Heuristics | A technique used to find previously unknown malware by observing behaviors common to malicious software |
| DMARC | An email authentication, policy, and reporting protocol |
| Reverse engineering | The process of disassembling or decompiling a malware package to understand what it does |
| Digital signature | A means of providing assurance that an email has not been modified and that it was sent by the correct sender that relies on a certificate and public key cryptography |
| UEBA | A technology designed to monitor end user behavior to prevent targeted attacks and insider threats |
| DKIM | An email authentication method designed to detect forged sender addresses |
| SOAR | A technique used to find previously unknown malware by observing behaviors common to malicious software |
| SPF | An email authentication technique that detects forged sender addresses |
Chapter 11: Building an Incident Response Program
Solution to Activity 11.1: Incident Severity Classification
The functional impact of this incident is high because the organization has lost the ability to sell products to customers. This fits the definition of the “organization is no longer able to provide some critical services to any users.”
The economic impact of this incident is high. The organization expects to lose $2 million per day. This fits the definition of the high category: “The organization expects to experience a financial impact of $500,000 or more.”
The recoverability effort of this incident is extended. The organization has exhausted all internal resources and is seeking a consultant to assist. This fits the extended category definition of “Time to recovery is unpredictable; additional resources and outside help are needed.”
The information impact of this incident is none. The attack described in this scenario is a denial-of-service attack, and there is no indication of the compromise of sensitive information. This fits the none category definition of “No information was exfiltrated, changed, deleted or otherwise compromised.”
Solution to Activity 11.2: Incident Response Phases
| Activity | Phase |
| Conducting a lessons learned review session | Postincident Activity |
| Receiving a report from a staff member about a malware infection | Detection and Analysis |
| Upgrading the organization's firewall to block a new type of attack | Preparation |
| Recovering normal operations after eradicating an incident | Containment, Eradication, and Recovery |
| Identifying the attacker(s) and attacking system(s) | Containment, Eradication, and Recovery |
| Interpreting log entries using a SIEM to identify a potential incident | Detection and Analysis |
| Assembling the hardware and software required to conduct an incident investigation | Preparation |
Chapter 12: Analyzing Indicators of Compromise
Solution to Activity 12.3: Security Tools
| Flows | A Linux command that displays processes, memory utilization, and other details about running programs |
| Resmon | Traffic sent to a command and control system by a PC that is part of a botnet |
| iPerf | A Windows tool that monitors memory, CPU, and disk usage |
| PRTG | A protocol for collecting information like status and performance about devices on a network |
| Beaconing | A set of packets passing from a source system to a destination in a given time interval |
| SNMP | A network management and monitoring tool that provides central visibility into flows and SNMP data for an entire network |
top |
A Windows tool that monitors a wide range of devices and services, including energy, USB, and disk usage |
| Perfmon | A tool for testing the maximum available bandwidth for a network |
Chapter 13: Performing Forensic Analysis and Techniques
Solution to Activity 13.2: Conduct the NIST Rhino Hunt
You can find a complete answer to the NIST Rhino hunt from Activity 13.2 at www.cfreds.nist.gov/dfrws/DFRWS2005-answers.pdf.
Solution to Activity 13.3: Security Tools
| dd | A Linux tool used to create disk images |
| md5sum | Used to determine whether a drive is forensically sound |
| Volatility Framework | A memory forensics and analysis suite |
| FTK | A full-featured forensic suite |
| Eraser | A drive and file wiping utility sometimes used for anti-forensic purposes |
| Write blocker | A device used to prevent forensic software from modifying a drive while accessing it |
| WinDbg | A tool used to review Windows memory dumps |
| Forensic drive duplicator | A device used to create a complete forensic image and validate it without a PC |
| Wireshark | A GUI network traffic sniffer |
| tcpdump | A command-line network packet sniffer |
Chapter 14: Containment, Eradication, and Recovery
Solution to Activity 14.1: Incident Containment Options
Network segmentation
Network isolation
Network removal
Solution to Activity 14.2: Incident Response Activities
| Response activity | CompTIA category |
| Patching | Validation |
| Sanitization | Eradication |
| Lessons learned | Postincident Activities |
| Reimaging | Eradication |
| Secure disposal | Eradication |
| Isolation | Containment |
| Scanning | Validation |
| Removal | Containment |
| Reconstruction | Eradication |
| Permission verification | Validation |
| User account review | Validation |
| Segmentation | Containment |
Solution to Activity 14.3: Sanitization and Disposal Techniques
Chapter 15: Risk Management
Solution to Activity 15.1: Risk Management Strategies
| Risk avoidance | Changing business activities to eliminate a risk |
| Risk transference | Shifting the impact of a risk to another organization |
| Risk mitigation | Implementing security controls that reduce the probability and/or magnitude of a risk |
| Risk acceptance | Choosing to continue operations as normal despite the potential risk |
Chapter 16: Policy and Compliance
Solution to Activity 16.1: Policy Documents
| Policy | Provides high-level requirements for a cybersecurity program |
| Standard | Offers detailed requirements for achieving security control objectives |
| Guideline | Includes advice based on best practices for achieving security goals that are not mandatory |
| Procedure | Outlines a step-by-step process for carrying out a cybersecurity activity |
Solution to Activity 16.3: Compliance Auditing Tools
The testing procedures for PCI DSS requirement 8.2.3 instruct auditors to inspect system configuration settings and verify that the user password/passphrase requirements are set to require a minimum length of at least seven characters and to require that passwords contain both alphabetic and numeric characters.