PBQs

2 of my performance based question were much more detailed than the ones that the practice exam offered:

  1. reviewing actual logs and having to use a linux command line to correct and remove threats.

  2. knowing the most efficient linux commands to create a new ssh key pair for a remote server login, including uploading to the server and verifying success.

    • I was only familiar with this because I have done the exact same thing several times on the server that I set up to host the bristolctf wiki and ctf platform, BUT I still don’t know if I got all the steps correct, because of course, I did not have the process memorized.

My NCL experience absolutely helped me understand and complete 3 out of 4 the performance based question

4 performance based questions

1 ssh

from a linux command line, know the most efficient process to create a new ssh key pair for a user, upload the public key to a server from a remote host. I was given choices of possible commands, and had to put the correct ones in order.

2 dmz

Internet
   ↓
 ???
   ↓
 ???
   ↓
 ???
   ↓
Firewall
   ├── User1
   ├── User2
   ├── User3
   └── ??? → Application Server
												  
Create a secure segmented network by filling in the ??? with the correct technology:
									  
Choices:
(each can be used only once or not at all)
- Switch
- WAF
- Web Application
- PKI
- Load Balancer
- Firewall

And this one was just ??? :
chatGPT and I still can’t quite figure out what it should be:

Internet
   ↓
 ???
   ↓
 ???
   ↓
 ???
   ↓
Firewall
   ├── User1
   ├── User2
   ├── User3
   └── ??? → Application Server
 
Create a secure segmented network by filling in the ??? with the correct choice:

Choices:
(each can be used only once or not at all)
- Switch
- WAF
- Web Application
- PKI Server
- Load Balancer
- Firewall

chatGPT thinks:

Internet  
↓  
Firewall  
↓  
WAF  
↓  
Load Balancer  
↓  
Firewall  
├── User1  
├── User2  
├── User3  
└── Web Application → Application Server

Reasoning:

PBQ 3 - Inspect threat feeds

Given your role in ( industry ), inspect the threat feeds to see if any apply to your systems, and remove any threats, processes and files

Given Host and Peer Feeds, with source IPs and affected host IPs, services, confidence level, and severity level,

use the command line to enumerate the system and remove the threats that exist and any other artifacts

3A) Web Server command line

limited commands available …

  • ls -l
  • kill
  • psof
  • rm
  • netstat -o
  • service

3B) CRM server Command line

limited commands available …

  • ls -l
  • kill
  • psof
  • rm
  • netstat -o
  • service

PBQ 4 host event logs

inspect the event logs (antivirus / ID&PS / SIEM ) on 5 hosts,
for each host choose whether it was the source of the malware, if it is currently affected by the malware, or if it is clean.

svchost.exe

I could see a scvhost.exe download, followed by disabled antivirus on the source machine of the infection

I could see entries showing ‘unable to download updated antivirus signatures’ and ‘unable to perform scans’ on the machines that were still affected

could see a log of quarantined files in the clean machines

multiple choice questions

FDE = Full Disk Encryption, data at rest

AUP - Acceptable Use Policy = managerial controls