The WannaCry ransomware primarily exploited vulnerabilities in the SMB (Server Message Block) version 1 protocol to propagate across network systems. Microsoft had identified vulnerabilities in SMBv1, which were exploited by the EternalBlue exploit to spread the ransomware. This led to widespread infections, particularly in systems that had not applied the security updates released to patch the vulnerability.
References:
Microsoft Security Bulletin MS17-010, "Security Update for Microsoft Windows SMB Server".
Question # 15
What type of protocol is represented by the number 6?
The protocol number 6 represents TCP (Transmission Control Protocol) in the Internet Protocol suite. TCP is a core protocol of the Internet Protocol suite and operates at the transport layer, providing reliable, ordered, and error-checked delivery of a stream of bytes between applications running on hosts communicating via an IP network.
References:
RFC 793, "Transmission Control Protocol," which specifies the detailed operation of TCP.
Question # 16
What type of communication protocol does Modbus RTU use?
Modbus RTU (Remote Terminal Unit) is a communication protocol based on a master-slave architecture that uses serial communication. It is one of the earliest communication protocols developed for devices connected over serial lines. Modbus RTU packets are transmitted in a binary format over serial lines such as RS-485 or RS-232.
References:
Modbus Organization, "MODBUS over Serial Line Specification and Implementation Guide V1.02".
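As an added illustration of the binary RTU framing described above (example code written for this page, not from the Modbus Organization or any library), the following parser validates the CRC-16 trailer that every RTU frame carries and splits a frame into address, function code and data; the request frame is constructed for the example.

```python
import struct

def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc

def build_frame(address: int, function: int, data: bytes) -> bytes:
    """Assemble an RTU frame: address, function, data, then CRC low byte first."""
    body = bytes([address, function]) + data
    return body + struct.pack("<H", crc16_modbus(body))

def parse_frame(frame: bytes) -> dict:
    """Validate the CRC and split an RTU frame into its fields.

    Raises ValueError for frames that are too short or fail the CRC check,
    which is what a serial-line monitor would flag as noise or tampering.
    """
    if len(frame) < 4:
        raise ValueError("frame shorter than address + function + CRC")
    body, (received_crc,) = frame[:-2], struct.unpack("<H", frame[-2:])
    expected_crc = crc16_modbus(body)
    if received_crc != expected_crc:
        raise ValueError(f"CRC mismatch: got {received_crc:#06x}, expected {expected_crc:#06x}")
    return {"address": body[0], "function": body[1], "data": body[2:], "crc_ok": True}

if __name__ == "__main__":
    # Constructed request: read 10 holding registers (function 0x03) starting at
    # register 0 from the device at address 1; the CRC bytes C5 CD follow the data.
    request = bytes.fromhex("0103 0000 000A C5CD")
    print(parse_frame(request))
    print(build_frame(1, 3, bytes.fromhex("0000000A")).hex())
```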
Question # 17
Which of the CVSS metrics refer to the exploit quotient of the vulnerability?
The Common Vulnerability Scoring System (CVSS) uses several metrics to assess the severity of vulnerabilities. Among them, the Temporal metric group specifically reflects the exploit quotient of a vulnerability.
Temporal metrics consider factors that change over time after a vulnerability is initially assessed. These include:
Exploit Code Maturity: This assesses the likelihood of the vulnerability being exploited based on the availability and maturity of exploit code.
Remediation Level: The level of remediation available for the vulnerability, which influences the ease of mitigation.
Report Confidence: This metric measures the reliability of the reports about the vulnerability.
These temporal factors directly affect the exploitability and potential threat posed by a vulnerability, adjusting the base score to provide a more current view of the risk.
References
Common Vulnerability Scoring System v3.1: User Guide.
"Understanding CVSS," by FIRST (Forum of Incident Response and Security Teams).
Question # 18
What step of the malware infection installs the malware on the target?
The term "Dropper" in cybersecurity refers to a small piece of software used in malware deployment that is designed to install or "drop" malware (like viruses, ransomware, spyware) onto the target system.
The Dropper itself is not typically malicious in behavior; however, it is used as a vehicle to install malware that will perform malicious activities without detection.
During the infection process, the Dropper is usually the first executable that runs on a system. It then unpacks or downloads additional malicious components onto the system.
References
Common Malware Enumeration (CME): http://cme.mitre.org
Microsoft Malware Protection Center: https://www.microsoft.com/en-us/wdsi
Question # 19
What type of protocol is considered connection-oriented?
TCP (Transmission Control Protocol) is a connection-oriented protocol used in the majority of internet communications.
Connection-oriented protocols like TCP require a connection to be established between the communicating devices before data is transmitted. This ensures reliable and ordered delivery of data.
TCP manages this by establishing a handshake mechanism (TCP three-way handshake) to set up the connection prior to transmitting data and properly terminating the connection once the communication session has completed.
References
"TCP/IP Illustrated, Volume 1: The Protocols" by W. Richard Stevens.
Postel, J., "Transmission Control Protocol," RFC 793.
Question # 20
Which type of Intrusion Prevention System can monitor and validate encrypted data?
A Network Intrusion Prevention System (NIPS) is capable of monitoring and validating encrypted data if it is integrated with technologies that allow it to decrypt the traffic.
Typically, network IPS can be set up with SSL/TLS decryption capabilities to inspect encrypted data as it traverses the network. This allows the IPS to analyze the content of encrypted packets and apply security policies accordingly.
Monitoring encrypted traffic is critical in detecting hidden malware, unauthorized data exfiltration, and other security threats concealed within SSL/TLS encrypted sessions.
References
"Network Security Technologies and Solutions," by Yusuf Bhaiji, Cisco Press.
"Decrypting SSL/TLS Traffic with IPS," by Palo Alto Networks.
Question # 21
How many IPsec rules are there in Microsoft Firewall configuration?
In the configuration of Microsoft Windows Firewall with Advanced Security, you can define IPsec rules as part of your security policy. Typically, these rules can be organized into four main categories: Allow connection, Block connection, Allow if secure (which can specify encryption or authentication requirements), and Custom. While the interface and features can vary slightly between Windows versions, four fundamental types of rules regarding how traffic is handled are commonly supported.
References:
Microsoft documentation, "Windows Firewall with Advanced Security".
A network switch typically operates at Layer 2 of the OSI model, which is the Data Link layer. This layer is responsible for node-to-node data transfer, a function that involves handling data frames between physical devices on the same network or link. The switch uses MAC addresses to forward data to the appropriate destination within the network.
References:
Andrew S. Tanenbaum, "Computer Networks".
Question # 23
Which of the following are not a part of the temporal score in the CVSS? (Select all that apply.)
The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity.
The temporal score in CVSS adjusts the base score of a vulnerability based on factors that change over time, such as the availability of exploits or the existence of patches.
The temporal score includes:
Remediation Level
Report Confidence
Attack Vector and User Interaction are part of the base score, not the temporal score, as they describe the fundamental characteristics of the vulnerability and do not typically change over time.
References
Common Vulnerability Scoring System v3.1: Specification Document.
"Understanding CVSS," by FIRST (Forum of Incident Response and Security Teams).
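The temporal adjustment discussed in Questions 17 and 23 can be worked through in code. The block below is an added example, not from FIRST or the CVSS documents; it applies the v3.1 temporal weights and the specification's Roundup rule to a base score, and classifies metric abbreviations by group. The base score 9.8 and the vector "E:F/RL:O/RC:C" are constructed inputs.

```python
import math

# CVSS v3.1 temporal metric weights (values from the FIRST v3.1 specification).
TEMPORAL_WEIGHTS = {
    "E":  {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91},  # Exploit Code Maturity
    "RL": {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95},  # Remediation Level
    "RC": {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92},             # Report Confidence
}

# Metric abbreviations by group; anything else in v3.1 is an environmental metric.
BASE_METRICS = {"AV", "AC", "PR", "UI", "S", "C", "I", "A"}
TEMPORAL_METRICS = set(TEMPORAL_WEIGHTS)

def metric_group(abbrev: str) -> str:
    """Return 'Base', 'Temporal' or 'Environmental' for a v3.1 metric abbreviation."""
    if abbrev in BASE_METRICS:
        return "Base"
    if abbrev in TEMPORAL_METRICS:
        return "Temporal"
    return "Environmental"

def roundup(value: float) -> float:
    """Round up to one decimal place exactly as CVSS v3.1 Appendix A specifies."""
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0

def temporal_score(base_score: float, temporal_vector: str) -> float:
    """Apply temporal metrics given as 'E:F/RL:O/RC:C' to a base score.

    Metrics omitted from the vector default to Not Defined (X), i.e. weight 1.0.
    """
    weights = {"E": 1.0, "RL": 1.0, "RC": 1.0}
    for part in filter(None, temporal_vector.split("/")):
        name, _, value = part.partition(":")
        if name not in TEMPORAL_WEIGHTS:
            raise ValueError(f"{name} is a {metric_group(name)} metric, not a temporal one")
        weights[name] = TEMPORAL_WEIGHTS[name][value]
    return roundup(base_score * weights["E"] * weights["RL"] * weights["RC"])

if __name__ == "__main__":
    # Constructed case: a 9.8 base score with functional exploit code, an official
    # fix available and a confirmed report is adjusted down to 9.1.
    print(temporal_score(9.8, "E:F/RL:O/RC:C"))
```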