Cyber Security Assessment

This is a high level assessment to help gauge the visitor's knowledge regarding certain specific cyber security-related topics, tools, scenarios, and overall instruction-following capability.








Caesar Cipher

Given the following partial encryption key (the "shift key"), complete the full cipher alphabet below:

Plaintext   A Q U Y O R C E
Ciphertext  D T X B R U F H


Plaintext   A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Ciphertext


What does the following encoded message translate to?

Plaintext
Ciphertext  D W W D F N D W G D Z Q
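As an added example (not part of the assessment itself), the following Python recovers the shift from the partial key pairs given above, checks that the pairs agree on a single shift, fills in the cipher alphabet row, and decodes a message with it; the function names are my own.

```python
# Added example: recover a Caesar shift from known plaintext/ciphertext pairs,
# build the full cipher alphabet, and decrypt with it.
from string import ascii_uppercase as ALPHABET

# Partial key exactly as given in the exercise: plaintext letter -> ciphertext letter.
PARTIAL_KEY = dict(zip("AQUYORCE", "DTXBRUFH"))

def recover_shift(pairs):
    """Derive the shift from the pairs, requiring every pair to agree.
    A general substitution key (not a single shift) fails this check."""
    shifts = {(ALPHABET.index(c) - ALPHABET.index(p)) % 26 for p, c in pairs.items()}
    if len(shifts) != 1:
        raise ValueError(f"pairs are not a single Caesar shift: {sorted(shifts)}")
    return shifts.pop()

def cipher_alphabet(shift):
    """The ciphertext row of the table: plaintext A..Z rotated by the shift."""
    return ALPHABET[shift:] + ALPHABET[:shift]

def caesar(text, shift, decrypt=False):
    """Shift letters A-Z; spaces and punctuation pass through unchanged."""
    if decrypt:
        shift = -shift
    out = []
    for ch in text.upper():
        out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26] if ch in ALPHABET else ch)
    return "".join(out)

def decode_message(ciphertext, pairs=PARTIAL_KEY):
    """Solve the exercise end to end: shift from the partial key, then decrypt."""
    return caesar(ciphertext, recover_shift(pairs), decrypt=True)

if __name__ == "__main__":
    s = recover_shift(PARTIAL_KEY)
    print("shift:", s)
    print("Plaintext  ", " ".join(ALPHABET))
    print("Ciphertext ", " ".join(cipher_alphabet(s)))
    print(decode_message("D W W D F N D W G D Z Q"))
```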



Password Strength

Using the online tool passwordmeter, answer the following questions (you can copy/paste the italicized passwords into the tool):

According to the web tool, is this password considered strong? If so, what complexity does it get?

Winter

Yes/No Complexity


According to the web tool, is this password considered strong? If so, what complexity does it get?

Qa pla!Vor tir 1nine

Yes/No Complexity



Steganography

Using the online tool Manytools Steganography, answer the following questions:

Do any of these images contain data exfiltration? If so, check which one does.



If so, what are its contents?



What are the threats/risks associated with data exfiltration?




Spoofing

Given the below simulated email, is it legitimate or spoofed?



Legitimate
Not Legitimate


How do you know? Why did you choose the answer above?




Root Cause Analysis

I. Investigation

A User Behaviour Analytics (UBA) alert was triggered (by email) indicating that an employee's credentials were successfully used to authenticate from outside the United States. Your company doesn't have employees who work internationally, and it doesn't permit work-issued equipment to be taken overseas. All mobile endpoints are encrypted and tracked.

Using the below map, event log, and web tool, determine the possible root cause(s) of this alert.



The event log shows the following:


Feb 25, 2020

  4:24:13 AM GMT  New Asset Logon Event
                  User Mark Wooferd logged into dal6yt.company.com for the first time with a NETWORK logon.

  4:22:58 AM GMT  First Ingress by mark.wooferd
                  Account mark.wooferd successfully authenticated to Office365 for the first time by IP 14.139.54.208


You can use the following tool to learn more about the IP address: SpeedGuide

What conclusion can you come to (more than one answer may apply)?

1. Mark Wooferd is traveling out of country
   - using his personal laptop
   - using a company-owned asset
2. A malicious actor has obtained Mark's credentials
   - is accessing Mark's O365 account from a foreign country
   - is accessing Mark's O365 account from a VPN spoof of New York, NY
3. This alert can be ignored
   - so this is a false positive
   - so this is a false negative
4. Mark is logging onto O365 webmail
   - from New York, NY
   - from company network


Why did you choose the selections above? What more did you conclude? Are there other possibilities not listed above?



II. Process of Elimination

A machine and/or user account may have been compromised and you need to confirm what is a possible root cause of the compromise. Based on the below events, which is the most likely root cause (choose one)?

Item No. Why? What caused all of this?






Malware Analysis

You receive an alert from the endpoint protection tool.

What severity rating would you give this below alert (HIGH, MEDIUM, LOW, N/A)? Is it legitimate or a false positive? Note: you may need to inspect the analysis results further below before deciding.



Malware analysis tools show what the email attachment would look like if actually opened (sandbox):



Malware analysis tools also show the following indicators:



What severity would you give this?

Severity
False Positive?


Why did you come to your conclusion above? Did you use any other web tools to investigate this? What did you use?






III. Vulnerabilities

i. Given the below information, which machine(s) should be given HIGH priority regarding patch management/remediation (e.g. opening a ticket for patching to be applied within a HIGH SLA)?

Severity scale: 5 = Critical, 4 = High, 3 = Medium, 2 = Low, 1 = Informational

CVE ID         Vulnerability Title        Severity  Assets
CVE-2008-2752  DoS Exec Code Mem. Corr.   5         2
CVE-2011-0096  XSS                        5         1
CVE-1999-0179  Exec Code                  2         3

Check the box next to the machine(s) in the table below that have the highest severity and need to be remediated:

Priority  Machine Name  Vuln CVE ID    State/Status
          DAL1924       CVE-1999-0179  Online/Active
          DAL4041       CVE-2008-2752  Online/Active
          DAL1330       CVE-1999-0179  Online/Active
          DAL1005       CVE-2008-2752  Offline/Inactive
          DAL0014       CVE-1999-0179  Online/Active
          DAL2828       CVE-2011-0096  Offline/E-cycled


Why did you select the machine(s)? What tool(s) did you use to determine the CVE ID/Priority/Vulnerability?



ii. Identify which machine(s) are the most vulnerable based on the following risk-based ranking chart (a machine ranks higher the more of these apply):

- is externally exposed (internet-facing)
- is a Domain Controller
- missing EDR
- has exploitable vulnerabilities

Selection  Machine Name  OS                 Type    Role               Internet  Number Exp Vulns  EDR Installed  Status
           JWRed         Win Serv 2012 R2   server  domain controller  no        4                 no             offline
           JWBlue        Win Serv 2019 Std  server  prod web server    yes       1                 yes            online
           DSB002        Win 10 Pro 1709    laptop  workstation        yes       2                 yes            online
           EMund022      Win 10 Pro 1709    laptop  workstation        yes       2                 yes            online
           MAC-011       Mac OS X 12.6.1    mac     workstation        yes       0                 yes            online

Why did you select the machine(s)?
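As an added example (not part of the assessment), the following Python applies the logic behind questions i and ii to the two tables above: patch priority from CVE severity combined with asset state, and a risk ranking from the chart's four criteria. The equal weighting of the criteria and the treatment of offline/e-cycled assets are my assumptions, not the assessment's answer key.

```python
# Added example: prioritisation over the page's own tables. Weights and the
# handling of offline/e-cycled assets are assumptions made for illustration.
from collections import namedtuple

# Section i data, copied from the tables: CVE severity and machine -> CVE -> state.
CVE_SEVERITY = {"CVE-2008-2752": 5, "CVE-2011-0096": 5, "CVE-1999-0179": 2}
PATCH_TABLE = [  # (machine, CVE, state/status)
    ("DAL1924", "CVE-1999-0179", "Online/Active"),
    ("DAL4041", "CVE-2008-2752", "Online/Active"),
    ("DAL1330", "CVE-1999-0179", "Online/Active"),
    ("DAL1005", "CVE-2008-2752", "Offline/Inactive"),
    ("DAL0014", "CVE-1999-0179", "Online/Active"),
    ("DAL2828", "CVE-2011-0096", "Offline/E-cycled"),
]

def patch_priority(rows=PATCH_TABLE, severity=CVE_SEVERITY):
    """Section i: HIGH only for a live asset carrying a High/Critical (>=4) CVE.
    An e-cycled asset no longer exists (close the finding); an offline one is
    still a risk the moment it reconnects, so it is queued rather than dropped."""
    out = {}
    for machine, cve, status in rows:
        sev = severity[cve]
        if status.endswith("E-cycled"):
            out[machine] = "NONE (decommissioned, close finding)"
        elif sev >= 4 and status.startswith("Online"):
            out[machine] = "HIGH"
        elif sev >= 4:
            out[machine] = "HIGH when online (offline, re-check on reconnect)"
        else:
            out[machine] = "LOW"
    return out

# Section ii data, copied from the table (OS omitted: the chart does not score it).
Asset = namedtuple("Asset", "name role internet exp_vulns edr online")
ASSETS = [
    Asset("JWRed", "domain controller", False, 4, False, False),
    Asset("JWBlue", "prod web server", True, 1, True, True),
    Asset("DSB002", "workstation", True, 2, True, True),
    Asset("EMund022", "workstation", True, 2, True, True),
    Asset("MAC-011", "workstation", True, 0, True, True),
]

def risk_rank(assets=ASSETS):
    """Section ii: one point per chart criterion met (equal weights assumed),
    exploitable-vuln count as tie-breaker; returns names, highest risk first."""
    def score(a):
        flags = (a.internet, a.role == "domain controller", not a.edr, a.exp_vulns > 0)
        return (sum(flags), a.exp_vulns)
    return [a.name for a in sorted(assets, key=score, reverse=True)]
```

JWRed ranks first on the chart's criteria even though it is offline; the chart does not score status, so whether an offline domain controller outranks an internet-facing laptop is left to the analyst's written reasoning.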



iii. What can you tell us about this webpage?


ELDMBR



Submission of Results

Please click the PRINT button below, select "Save as PDF" as the printer, then send the PDF to us via email.
