PBQs
2 of my performance based question were much more detailed than the ones that the practice exam offered:
-
reviewing actual logs and having to use a linux command line to correct and remove threats.
-
knowing the most efficient linux commands to create a new ssh key pair for a remote server login, including uploading to the server and verifying success.
- I was only familiar with this because I have done the exact same thing several times on the server that I set up to host the bristolctf wiki and ctf platform, BUT I still don’t know if I got all the steps correct, because of course, I did not have the process memorized.
My NCL experience absolutely helped me understand and complete 3 out of 4 the performance based question
4 performance based questions
1 ssh
from a linux command line, know the most efficient process to create a new ssh key pair for a user, upload the public key to a server from a remote host. I was given choices of possible commands, and had to put the correct ones in order.
2 dmz
Internet
↓
???
↓
???
↓
???
↓
Firewall
├── User1
├── User2
├── User3
└── ??? → Application Server
Create a secure segmented network by filling in the ??? with the correct technology:
Choices:
(each can be used only once or not at all)
- Switch
- WAF
- Web Application
- PKI
- Load Balancer
- Firewall
And this one was just ??? :
chatGPT and I still can’t quite figure out what it should be:
Internet
↓
???
↓
???
↓
???
↓
Firewall
├── User1
├── User2
├── User3
└── ??? → Application Server
Create a secure segmented network by filling in the ??? with the correct choice:
Choices:
(each can be used only once or not at all)
- Switch
- WAF
- Web Application
- PKI Server
- Load Balancer
- Firewall
chatGPT thinks:
Internet
↓
Firewall
↓
WAF
↓
Load Balancer
↓
Firewall
├── User1
├── User2
├── User3
└── Web Application → Application Server
Reasoning:
PBQ 3 - Inspect threat feeds
Given your role in ( industry ), inspect the threat feeds to see if any apply to your systems, and remove any threats, processes and files
Given Host and Peer Feeds, with source IPs and affected host IPs, services, confidence level, and severity level,
use the command line to enumerate the system and remove the threats that exist and any other artifacts
3A) Web Server command line
limited commands available …
- ls -l
- kill
- psof
- rm
- netstat -o
- service
3B) CRM server Command line
limited commands available …
- ls -l
- kill
- psof
- rm
- netstat -o
- service
PBQ 4 host event logs
inspect the event logs (antivirus / ID&PS / SIEM ) on 5 hosts,
for each host choose whether it was the source of the malware, if it is currently affected by the malware, or if it is clean.
svchost.exe
I could see a scvhost.exe download, followed by disabled antivirus on the source machine of the infection
I could see entries showing ‘unable to download updated antivirus signatures’ and ‘unable to perform scans’ on the machines that were still affected
could see a log of quarantined files in the clean machines
multiple choice questions
FDE = Full Disk Encryption, data at rest
AUP - Acceptable Use Policy = managerial controls