This is a test. This is the test. The culmination of 15 weeks of study. The certification test. No one lives or dies when it’s done, but still …

You are conducting an incident response and have already eradicated the malware from a victimized system. Which of the following actions should you perform as part of the recovery phase?

A. Sanitization
B. Secure Disposal
C. Reimaging
D. Setting Permissions

Ok. If you don’t know the answer, eliminate some choices. In this case, we are talking about the phases of an incident report. Namely …

1. Preparation

2. Identification

3. Containment

4. Eradication

5. Recovery

6. Lessons Learned

CompTIA is telling me we passed the eradication phase: rectifying the weakness that enabled the data breach to occur. Sanitation, Secure Disposal, and Reimaging are all part of the Eradication phase. Ergo … D.

Alrighty. Let’s gooooo! as Zae would say.

Which of the following is the difference between an incident summary report and a lessons-learned report?

A. An incident summary report is designed for a non-technical audience
B. A lessons-learned report is designed for a non-technical audience
C. Both a lessons learned report and an incident summary report are designed for a technical audience
D. Both a lessons learned report and an incident summer report are designed for a non-technical audience

Dangit.  For this one, I’m 50/50. These reports are definitely one or the other. They are not the same. They are not both.

They say if you can eliminate answers and get to a 50/50 proposition, then you’ve won half the battle. Problem is that you can’t really win half a battle. Or said simpler, a 50 ain’t passing. I need to do better than that.

Passing Score:                                    750 (on a scale of 100-900)

An incident summary report is designed to distribute to stakeholders to reassure them that the incident has been properly handled.

I flip the answer to see which one sounds better.

A lessons-learned report is designed to distribute to stakeholders to reassure them that the incident has been properly handled.

Both sound the same to me. What about you?

Number of Questions:                       Maximum of 85 questions
Length of Test:                                   165 minutes

That’s basically two minutes per question. Is this question worth taking the extra time? That’s the ultimate question, right? What action, reaction, moment of silence is worth the meditative pause? What is worth the OT? Who?

I guess A. An incident summary report is designed for a non-technical audience. I go with the logic that most people in charge don’t want to learn lessons. They want us plebeians to learn the lessons, make the corrections. They’d rather keep their feet off the ground. Do you agree?

Up next is a PBQ. I used to fear performance-based questions. Everyone did early on in the semester. Understandable. We didn’t know enough yet. We weren’t ready. We were naked on stage about to give the soliloquy of our lifetime.

Approximately 100 employees at your company have received a phishing email. As a security analyst, you have been tasked with handling this.

1. How many employees clicked on the link in the phishing email?
2. On how many workstations was the malware installed?
3. What is the executable name of the malware?

Check the logs, I remind myself. That’s the job in a nutshell. Check the history.

I look towards my dad’s diary.

My online moderator warns me to keep my eyes on my computer.

I don’t know who warned me not to take this certification test at home. Edamame? JenWA? Whoever it was, they should’ve been more assertive.

This is the second warning I’ve received. And I have no idea if I will get a third or if I will fail if I look away again. I take a breath.

On the exhale, I remember that my cohort actually reviewed this PBQ a couple of weeks ago. We found it online. Exam Topics. The number of employees who clicked on the link is obvious = 7.

However, the crowdsourced answer to the malware executable name = isass.exe, making the number of workstations affected = 6. But that makes no sense to me. Tilapia.com is the destination of the link. (Ph)Fishing email, get it? That makes mailclient.exe the executable name of the malware, which makes the workstations affected = 4.

What do I do? Stick with the crowd? Go with my gut?

This is not a rhetorical question by the way. If you’re listening … if you’re reading … watching … feel free to leave your thoughts in the space provided.

I go with my gut. Just like you would’ve done, I think to myself.

Last question.

You are reviewing the IDS logs and notice the following log entry: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- (where email=support@diontraining.com and password= or 7=7) -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- What type of attack is being performed?

A. Cross-site scripting
B. XML injection
C. SQL injection
D. Header manipulation

I see each word … each letter of the answer in my mind’s eye … except the answer of course.

A common technique of this attack is to insert an always-true statement, such as 1 = 1, or in this example, 7 = 7. I get that. But technique for which attack?

I can’t find a way to eliminate even one answer. Help? I have a 1 in 4 shot here, which is like no shot at all. I have 25 minutes. That’s plenty of time. I have plenty of time to mull this one over. But I need help. I need your help.

I smile as I remember my ChatGPT dad quote of the day. 

“Now, I'm so relaxed that I have to make myself nervous. I feel better when I'm second and third guessing myself over everything. I play with the mice in my head, all the time.”

My dad never wrote that of course. At least not originally. That’s what ChatGPT thinks my dad would say to me today if he could say anything today – all based on the pages of his diary I inputted into the AI.

Just before I started this exam, I found out that that was a quote from John Singleton. But that does sound like my dad. Kudos to the code miners. It sounds like something my dad would’ve said just before he couldn’t say things anymore.

Hold on, dad. This test is almost over. I’m coming to see you. I only have one more question and I’m ---

-- that’s not true, dammit, I scold myself. I’ve got a million more questions, dad. I have so much time now and I got a million more questions.

My online moderator warns me “one last time” to stop looking around my room.

The answers ain’t in this room, I don’t say to her. Off screen, I touch the mouse. And then the mousepad. And then the contours of my laptop.

“What are you doing?” my moderator asks.

I try to explain that my dad once taught me about the psychology involved in panic. He told me that the natural reaction of someone in panic mode is to retreat into one’s sub-consciousness. To escape into your mind.

To remedy that, my father said to get in touch with your surroundings. Literally. Touch things that are real. The more textured and defined the better. Stay in touch with reality.

“Your father sounds like a really great guy,” she says out of character, probably breaking her moderator code of detachment.

“You only have one question left. Let me know if you need help, but I think you got this.”

I smile. That’s nice of her, I think to myself. The kind of reassurance you used to give me, dad.

I stroke my keyboard one last time. This is what it’s going to be like now. Playing without a net. You not being there to back me up anymore.

I look at my test time. I have 23 minutes left. I think of Michael Jordan. The GOAT. That is with the exception of my father. Alpha. Omega.

I click C. It’s over.

I take another deep breath. Another deep exhale.

My moderator snaps me back to reality quickly. “Nice job. 767. You passed.”

I am taken aback at the quickness of the result.

I ask permission to turn my phone back on. She says yes. I’m greeted by a series of text alerts. Ding. Ding. Ding. I ignore them. I put my phone on silent mode.

“I hope it’s more good news,” she says with a big smile.

I know it’s not, but I smile back again at her anyway.

She continues, apologizing actually for being so stern earlier. It’s the job, she says. She needs it to finish up her graduate degree in AWS Cloud Computing.  She says she’s really a nice person if I ever got to know her.

I tell her that I believe her. I also tell her that the last thing my dad ever taught me was that it’s not the destination …

“Let me guess this time. It’s not the destination, it’s the journey?”

No … neither. It’s the company along the way.

How many pics have a boat in it, I am told to ask myself.

click

click

click

…

click

Almost missed one. How do you almost miss a boat?

Dear decoder kings, a bot cannot click on three non-sequential, patternless boxes. So you don’t need to have me self-debate whether a dingy has the same constitutional properties as a yacht. Alpha. Omega.

Although I do admire the business model of making us prove we are not artificial. That we are, in fact, real. In a ChatGPT plagiarizing, Crypto-exchange world, I feel my real is becoming as abstract as Manet’s “Lilies in a Haystack at Dusk”. Or is that Monet?

I finally Zoom into my Cybersecurity class, already in progress. I hear the teacher ask the cohort,

“A security analyst identified some potentially malicious processes after capturing the contents of memory from a machine during an incident response. Which of the following procedures is the NEXT step for further investigation?

A. Data Carving

B. Timeline Construction

C. File Cloning

D. Reverse Engineering”

JZ99 jumps into the Zoom chat and types, "A. Carving = Memory.”

Unbeknownst to our teacher, a few of us have a concurrent Discord chat that trolls our class’s progress, or lack thereof in this case.

Various “X”’s, buzzer sounds, and frowny faces emote that we disagree with JZ99.

Our gal from Nepal quick clicks into the Zoom chat, “Data Carving is what you do to get the evidence. Reverse Engineering is what you do NEXT with this evidence.”

"CompTIA out to obfuscate again,” Edamame Discords.

NotSoShi adds, “Can’t you just ask us if we know what Data Carving is?”

ZaeZae subtracts, "CompTIA sucks.”

This last response gets a series of supportive finger points and “fr” responses. I’m one of the pointers, even though I feel myself drifting away from this online conversation.

The class continues. My self-diagnosed ADHD, on the other hand, carries me to my origin story.

I didn’t have a big a-ha moment when I decided to take this path less traveled that is Cybersecurity training. Somewhere between the pouring of the ½ oz of maple syrup and the mint leaf garnering on my umpteenth, ticketed Mojito, I simply decided that this was no longer the way.

I admit I do miss toasting the newlywed couple and their wedding party with a line of Love Bites. And, yes, few things in life are more intoxicating than pouring a party of 21’s their first Bikini Martinis. I also wish I could cocktail an Old Fashioned for my father again, but as he would say, “Your body knows when it’s time to go before any clock could tell you.”

This is why I have about two dozen tabs open on my screen today. Everything from the “Advent of Cyber” with TryHackMe to “Certified Breakfast” with Andrei Ciorba to Hacksplaining.com at the ready for translation purposes. All with Tash Sultana’s Tiny Desk performance on Youtube serenading this session, which somehow helps me stay attached to this new task and purpose.

I smile as I see that ZaeZae has once again incited our Discord crew. And once more, he garners finger point after finger point of support.

I smile wider, knowing that I made the right move.

Despite not really knowing what ZaeZae is talking about, I top off this conversation with my own ...

fr

fr

fr