1.2 Compare and contrast types of attacks Flashcards

1
Q

A social engineer convinced a victim to visit a malicious website, which allowed the attacker to exploit vulnerabilities on the victim’s web browser. Which of the following best describes this type of attack?

A

A Man-in-the-Browser (MitB) attack

A MitB attack occurs when the web browser is compromised by installing malicious plug-ins or scripts, or by intercepting API calls. Vulnerability exploit kits can be installed on a website and will actively try to exploit vulnerabilities in clients browsing the site.

HTTP Response Splitting occurs when the attacker crafts a malicious URL and convinces the victim to submit it to the web server.

XSRF is a malicious script hosted on the attacker’s site that can exploit a session started on another site in the same browser.

LSOs, or Flash cookies, are data that is stored on a user’s computer by websites that use Adobe Flash Player. A site may be able to track a user’s browsing behavior through LSOs.

2
Q

Which of the following is a way that a Denial of Service (DoS) attack cannot be performed?

A

Use web application firewall processing rules to filter traffic.

A web application firewall (WAF) is a firewall designed specifically to protect software running on web servers and their backend databases from code injection and DoS attacks. WAFs use application-aware processing rules to filter traffic.

DoS attacks can prevent network access by knocking out the directory server.

Spoofed routing information (route injection). Routing protocols that have weak or no authentication are vulnerable to route table poisoning. This can mean that traffic is misdirected to a monitoring port (sniffing), sent to a blackhole (non-existent address), or continuously looped around the network, causing DoS.

DoS attacks focus on overloading a service by using up CPU, system RAM, disk space, or network bandwidth (resource exhaustion).

3
Q

If a social engineer dresses up as an internet technician, and then proceeds to enter a place of business once granted permission, what type of social engineering attack does this describe?

A

Impersonation

Impersonation is a social engineering attack, in which the attacker pretends to be someone else.

In a hoax attack, an email alert or web pop-up will claim to have identified a security problem, such as a virus infection, and offer a tool to fix the problem. The tool, of course, will be a Trojan application.

Pharming relies on corrupting the way the victim’s computer performs Internet name resolution, which redirects the user from the genuine site to the malicious one.

Tailgating is a means of entering a secure area without authorization by following close behind the person that has been allowed to open the door or checkpoint.

4
Q

A group of college students receives a phone call from someone claiming to be from a debt consolidation firm. The caller tried to convince the students that a rare, limited-time offer was about to expire and could erase their student loan debt if they provided their Social Security Number and other personally identifiable information (PII). Which of the following tactics did the caller use?

A

Scarcity and urgency

Creating a false sense of scarcity or urgency can disturb ordinary decision-making processes by demanding a quick response. For example, the social engineer might try to get the target to sign up for a “limited time” or “invitation-only” offer.

Social engineers can try to intimidate their target by pretending to be someone else, such as someone of authority or superior in rank or expertise.

With consensus/social proof, an attacker fools users into believing that a malicious website is legitimate by posting fake reviews. The victims believe the reviews and place their trust in the website.

One of the basic tools of a social engineer is to be likable, and to present the requests they make as completely reasonable and unobjectionable.

5
Q

Which of the following is a way to protect against birthday attacks?

A

Encryption algorithms, demonstrating collision avoidance

6
Q

Which of the following social engineering techniques has less of a chance of arousing suspicion and getting caught? (Select two)

A

Familiarity

Liking

Familiarity is low risk. If the request is refused, it is unlikely to cause suspicion and the social engineer can move to a different target without being detected.

Liking is low risk. If the request is refused, it is less likely to cause suspicion and the social engineer can move on to a different target without being detected.

Compared to using a familiarity/liking approach, the authority tactic is riskier as there is a greater chance of arousing suspicion and the target reporting the attack attempt.

Compared to using a familiarity/liking approach, the intimidation tactic is riskier as there is a greater chance of arousing suspicion and the target reporting the attack attempt.

7
Q

Which of the following is a way to protect against birthday attacks?

A

Encryption algorithms, demonstrating collision avoidance

(hash: one-way cryptographic function which takes an input and produces a unique message digest)

To protect against the birthday attack, encryption algorithms must demonstrate collision avoidance (that is, to reduce the chance that different inputs will produce the same output).

Operating system hardening is the process of making the OS configuration secure by enabling and allowing access to only necessary services, installing monitoring software to protect against malware and intrusions, and establishing a maintenance schedule to ensure the OS is patched against software exploits.

Implementing a captive portal requiring login credentials helps protect against unauthorized users accessing your Wi-Fi hotspot.

Understanding the use of environmental controls helps provide suitable conditions for server equipment and protect against fire risks.

8
Q

If a system is vulnerable, which of the following allows an attacker (with system access) to obtain keys from system memory?

A

Privilege escalation

An attacker with system access is able to obtain keys from system memory or pagefiles/scratch disks. Privilege escalation is the practice of exploiting flaws in an operating system or other application to gain a greater level of access than was intended for the user or application.

An SQL injection attack inserts an SQL query as part of user input, which allows an attacker to extract or insert information into the database or execute arbitrary code.

Directory traversal occurs when the attacker gets access to a file outside the web server’s root directory.

Transitive access describes the problem of authorizing a request for a service that depends on an intermediate service.

9
Q

A security analyst’s scans and network logs show that unauthorized devices are connecting to the network. After tracing this down, the analyst discovered a tethered smartphone creating a backdoor to gain access to the network. Which of the following describes this device?

A

A rogue access point (AP)

If scans or network logs show that unauthorized devices are connecting, determine whether the problem is an access point with misconfigured or weak security or whether there is some sort of rogue AP.

A spectrum analyzer is a device that can detect the source of jamming (interference) on a wireless network. It usually has a directional antenna, so that the exact location of the interference can be pinpointed.

RFID devices encode information into passive tags, which can be easily attached to devices, structures, clothing, or almost anything else.

With a SPAN port, the sensor is attached to a specially configured port on the switch that receives copies of frames addressed to nominated access ports (or all the other ports).

10
Q

Which of the following is an example of why viruses are destructive? (Select two)

A

Viruses can spread via social engineering techniques.

Viruses can exploit zero days.

Viruses can be categorized by their virulence. Some viruses are destructive since they exploit a previously unknown system vulnerability (a “zero day” exploit).

Some attackers utilize particularly effective social engineering techniques to persuade users to open an infected file (an infected email attachment with the subject “I Love You” being one of the best examples of the breed).

Worms spread through memory and network connections rather than infecting files. Viruses spread from computer to computer, usually by “infecting” executable applications or program code.

Worms are memory-resident viruses that replicate over network resources. Viruses spread from computer to computer, usually by “infecting” executable applications or program code.

11
Q

A penetration tester cracked a company’s Wired Equivalent Privacy (WEP) access point (AP) by making the AP generate a large number of initialization vector (IV) packets, replaying Address Resolution Protocol (ARP) packets at it. What type of attack did the pen tester use to crack the AP?

A

Replay

In a replay attack the attacker intercepts authentication data and reuses it to re-establish a session. To crack WEP, a type of replay attack is used.

War driving is the practice of using a Wi-Fi sniffer to detect WLANs and then either making use of them or trying to break into them (using WEP and WPA cracking tools).

A Wi-Fi jamming attack can be performed by setting up an AP with a stronger signal. Wi-Fi jamming devices are illegal to use and to sell. The attacker needs to gain fairly close physical proximity to the wireless network.

Skimming is an RFID attack where an attacker uses a fraudulent RFID reader to read the signals from a contactless bank card.

12
Q

A hacker used a Man-in-the-Middle (MitM) attack to capture a user’s authentication cookie. The attacker disrupted the legitimate user’s session and then re-sent the valid cookie to impersonate the user and authenticate to the user’s account. What type of attack is this?

A

Replay

In a replay attack, the attacker captures some data used to log on or start a session legitimately. The attacker then disrupts the legitimate session and resends the captured data to re-enable the connection.

A birthday attack is a type of brute force attack aimed at exploiting collisions in hash functions. This type of attack can be used for the purpose of forging a digital signature.

A downgrade attack can be used to facilitate a Man-in-the-Middle (MitM) attack by requesting that the server use a lower specification protocol with weaker ciphers and key lengths.

A Man-in-the-Middle (MitM) attack is a form of eavesdropping in which the attacker makes an independent connection between two victims and steals information to use fraudulently.

13
Q

A social engineer used vishing and polite behavior to persuade a target to visit a fake website with fake reviews. The attacker then persuaded the victim to enter personally identifiable information (PII) in a web form. Which of the following did the attacker use to make the site appear more legitimate? (Select two)

A

Consensus/social proof

Familiarity/liking

With consensus/social proof impersonation, an attacker fools users into believing that a malicious website is legitimate by posting fake reviews. The victims believe the reviews and place their trust in the website.

One of the tools of social engineers is to be likable, and to present the requests they make as completely reasonable.

Many people find it difficult to refuse a request by someone they perceive as superior to them. Social engineers can try to exploit this behavior to intimidate their target by pretending to be someone of authority.

Creating a false sense of urgency can disturb people’s ordinary decision-making process. The social engineer can try to pressure his or her target by demanding a quick response.

14
Q

After a social engineer used Open Source Intelligence (OSINT) to gather information about the victim, the attacker then used this information to email the victim, personalizing the message and convincing the victim to click a malicious link. What type of social engineering attack does this describe?

A

Spear phishing

Spear phishing refers to a phishing scam where the attacker has some information that makes an individual target more likely to be fooled by the attack. The attacker might know the details that help convince the target that the communication is genuine.

Phishing is a type of email-based social engineering attack. The attacker sends email from a supposedly reputable source, such as a bank, to try to elicit private information from the victim.

Vishing describes a phishing attack conducted through a voice channel (telephone or VoIP, for instance).

SMiShing refers to fraudulent SMS texts. Other vectors could include instant messaging or social media sites.

15
Q

Which of the following attacks would allow an attacker to sniff all traffic on a switched network?

A

Address Resolution Protocol (ARP) poisoning

To sniff all traffic on a switched network, the switch must be overcome using ARP poisoning. ARP poisoning occurs when an attacker, with access to the network, redirects an IP address to the MAC address of an unintended computer.

Domain Name System (DNS) spoofing is an attack that compromises the name resolution process, and can be used to facilitate pharming or Denial of Service (DoS) attacks.

IP spoofing occurs when an attacker sends IP packets from a false (or spoofed) source address to communicate with targets.

Transmission Control Protocol/Internet Protocol (TCP/IP) hijacking is a type of spoofing attack where the attacker disconnects a host, then replaces it with his or her own machine, spoofing the original host’s IP address.

16
Q

Through what method can malware evade antivirus software detection so that the software no longer identifies the malware by its signature?

A

Refactoring

Refactoring means the code performs the same function using different methods, so the antivirus software may no longer identify the malware by its signature.

Improper input handling exposes software to input validation attacks. When an attacker exploits improper input handling, the attacker can crash the process hosting the code, perform Denial of Service (DoS), obtain elevated privileges, or facilitate data exfiltration.

DLL injection is not a vulnerability of an application, but of the way the operating system allows one process to attach to another, and then force it to load a malicious link library.

Shimming is the process of developing and implementing additional code between an application and the operating system to enable functionality that would otherwise be unavailable.

17
Q

Which of the following describes a social engineering technique an attacker can use if the attacker wanted the end-user to click on a link as soon as possible?

A

Urgency

A false sense of urgency can disturb people’s ordinary decision-making process. The social engineer can try to pressure his or her target by demanding a quick response.

With consensus/social proof impersonation, an attacker fools users into believing that a malicious website is legitimate by posting fake reviews. The victims believe the reviews and place their trust in the website.

One of the tools of social engineers is to be likable, and to present the requests they make as completely reasonable.

Many people find it difficult to refuse a request by someone they perceive as superior to them. Social engineers can try to exploit this behavior to intimidate their target by pretending to be someone of authority.

18
Q

A social engineer impersonated an IT security staff member of a company, and called an employee to extract personally identifiable information (PII) from the employee. Which of the following attacks did the impersonator conduct?

A

Vishing

19
Q

Which of the following attacks can the use of once-only tokens and timestamping sessions help prevent? (Select more than one)

A
  • replay
  • pass-the-hash

Pass-the-hash occurs when the attacker steals hashed credentials and uses them to authenticate to the network. This type of attack is prevented by using once-only session tokens or timestamping sessions.

A replay attack consists of intercepting a key or password hash, then reusing it to gain access to a resource. This type of attack is prevented by using once-only session tokens or timestamping sessions.

A birthday attack is a type of brute force attack aimed at exploiting collisions in hash functions. This type of attack can be used for forging a digital signature.

A downgrade attack is used to facilitate a Man-in-the-Middle (MitM) attack by requesting that the server use a lower specification protocol with weaker ciphers and key lengths.

20
Q

What type of brute force attack aims at exploiting collisions in hash functions?

A

Birthday attacks

21
Q

An attacker bought a domain similar to the domain name of a legitimate company. The attacker then used the fake domain to host malware and launch pharming attacks. Which of the following did the attacker use?

A

URL hijacking (also called typosquatting) relies on users navigating to misspelled domains. An attacker registers a domain name with a misspelling of an existing domain. Users who misspell a URL in a web browser are taken to the attacker’s website.

Domain hijacking is a type of hijacking attack where the attacker steals a domain name by altering its registration information and then transferring the domain name to another entity. Sometimes referred to as brandjacking.

TCP/IP hijacking is a spoofing attack where the attacker disconnects a host, then replaces it with their own machine, spoofing the original host’s IP address.

Mutual authentication helps in avoiding session hijacking attacks and is a security mechanism that requires each party to verify each other’s identity.

22
Q

Which of the following can perform a Denial of Service (DoS) attack against a wireless network? (Select two)

A
  • disassociation
  • deauthentication

Similar to a deauthentication attack, a disassociation attack uses disassociation packets to perform DoS attacks.

Similar to a disassociation attack, a deauthentication attack uses deauth frames to perform DoS attacks.

An evil twin is a rogue access point (AP) masquerading as a legitimate one, and can have a similar Service Set Identifier (SSID) name as the legitimate AP. The evil twin can harvest information from users entering their credentials.

Bluesnarfing refers to using an exploit in Bluetooth to steal information from someone else’s phone/mobile device.

23
Q

Which of the following attacks would allow an attacker to sniff all traffic on a switched network?

A

ARP

24
Q

An attacker used an exploit to steal information from a mobile device, which allowed the attacker to circumvent the authentication process. Which of the following attacks is the mobile device vulnerable to?

A

Bluesnarfing (STEALING INFO)

Bluesnarfing refers to using an exploit in Bluetooth to steal information from someone else’s phone. The exploit (now patched) allows attackers to circumvent the authentication mechanism.

A Bluetooth-discoverable device is vulnerable to bluejacking, similar to spam, where someone sends you an unsolicited text (or picture/video) message or vCard (contact details). This can be a vector for Trojan malware.

Skimming is an RFID attack where an attacker uses a fraudulent RFID reader to read the signals from a contactless bank card.

A rogue AP masquerading as a legitimate one is called an evil twin or sometimes wiphishing.

25
Q

A social engineer impersonated an IT security staff member of a company, and called an employee to extract personally identifiable information (PII) from the employee. Which of the following attacks did the impersonator conduct?

A

Vishing

Vishing describes a phishing attack conducted through a voice channel (telephone or VoIP, for instance).

SMiShing refers to fraudulent SMS texts. Other vectors could include instant messaging or social media sites.

Phishing is a type of email-based social engineering attack. The attacker sends email from a supposedly reputable source, such as a bank, to try to elicit private information from the victim.

Pharming is a means of redirecting users from a legitimate website to a malicious one. Pharming relies on corrupting the way the victim’s computer performs Internet name resolution, which redirects the user from the genuine site to the malicious one.

26
Q

A social engineer used a phishing attack to trick users into visiting a website. Once users visit the site, a vulnerability exploit kit installs, which actively exploits vulnerabilities on the client. What type of attack did the users become a victim of?

A

A Man-in-the-Browser (MitB) attack

27
Q

If an attacker performs open source intelligence (OSINT) gathering and social engineering on the CEO and creates an email scam for the upper management department of a company, what type of attack occurs?

A

Whaling

A spear phishing attack directed specifically against upper levels of management in the organization (CEOs and other “big beasts”) is sometimes called whaling.

Tailgating is a social engineering technique to gain access to a building by following someone else (or persuading them to “hold the door”).

If a user leaves a workstation unattended while logged on, an attacker can physically gain access to the system (often described as a lunchtime attack).

A watering hole attack is a type of directed social engineering attack. It relies on the circumstance that a group of targets may use an unsecure third-party website.

28
Q

An attacker hosted an exploit script on a malicious website and injected it into a trusted website. The attacker then sent the link to the victim and used open source information gathering (OSINT) and social engineering tactics, such as spear phishing, to convince the victim to click the link, which compromised the user browsing to the site. Which of the following best describes this type of attack?

A

Cross-site scripting (XSS)

A spear phishing attack directed specifically against upper levels of management in the organization (CEOs and other “big beasts”) is sometimes called whaling.

Tailgating is a social engineering technique to gain access to a building by following someone else (or persuading them to “hold the door”).

If a user leaves a workstation unattended while logged on, an attacker can physically gain access to the system (often described as a lunchtime attack).

A watering hole attack is a type of directed social engineering attack. It relies on the circumstance that a group of targets may use an unsecure third-party website.

29
Q

An attacker can exploit a weakness in a password protocol to calculate the hash of a password. Which of the following can the attacker match the hash to, as a means to obtain the password? (Select two)

A

rainbow table

dictionary word

Password crackers can exploit weaknesses in a protocol to calculate the hash and then match it to a dictionary word or brute force it.

Rainbow tables are associated with attacks where an attacker uses a set of related plaintext passwords and their hashes to crack passwords.

A Pre-Shared Key (PSK) refers to using a passphrase to generate the key that is used to encrypt communications. It is also referred to as group authentication, since a group of users share the same secret.

Wi-Fi Protected Access (WPA) is an encryption scheme for protecting Wi-Fi communications, designed to replace WEP.

30
Q

A residential internet consumer wants to add a wireless network to their home. To automate and simplify the setup process, the user installed a wireless access point capable of Wi-Fi Protected Setup (WPS) with an eight-character Personal Identification Number (PIN). What type of attack is this installation vulnerable to?

A

brute force

WPS is vulnerable to brute force attacks. The PIN is eight characters long, but it is validated as separate shorter PINs, which are simple to brute force.

In a dictionary attack, software enumerates values in a dictionary wordlist. Enforcing password complexity and varying the characters makes passwords difficult to guess and compromise.

A rainbow table attack is where an attacker uses a set of related plaintext passwords and their hashes to crack passwords. Values are computed in chains and only the first and last values need to be stored.

A hybrid password attack is targeted against naively strong passwords. The password cracking algorithm tests dictionary words and names in combination with numeric prefixes and/or suffixes.

31
Q

An attacker exploited a vulnerability on a website frequently visited by a group of bank employees. Once the employees visit the site, the attacker’s malware infects their computers. What type of attack did the employees fall for?

A

A watering hole attack

A watering hole attack is a directed social engineering attack. It relies on the circumstance that a group of targets may use an unsecure third-party website.

In a hoax attack, an email alert or web pop-up will claim to have identified some sort of security problem, like a virus infection, and offer a tool to fix the problem, but the tool will be some sort of Trojan application.

Pharming relies on corrupting the way the victim’s computer performs Internet name resolution, so that they are redirected from the genuine site to the malicious one.

If a user leaves a workstation unattended while logged on, an attacker can physically gain access to the system (often described as a lunchtime attack).

32
Q

Which of the following, if implemented, will NOT help mitigate the threat of tailgating?

A

Installing non-discretionary privilege management

Nondiscretionary privilege management models aim to mitigate the problem of regulating the access control of privileged admin accounts.

The risk of tailgating may be mitigated by installing a turnstile (a type of gateway that only allows one person through at a time).

The risk of tailgating may be mitigated by implementing surveillance (whether by camera or guard) on the gateway.

Where security is critical and cost is no object, a mantrap could be employed to mitigate tailgating. A mantrap is where one gateway leads to an enclosed space protected by another barrier.

33
Q

By modifying query traffic, an attacker compromised a legitimate site’s web server via a Denial of Service (DoS) attack and redirected traffic intended for the legitimate domain to the attacker’s malicious IP address instead. What type of attack did the hacker perform?

A

DNS Server Cache poisoning

DNS Server Cache poisoning is a redirection attack that aims to corrupt the records held by the DNS server itself. The intention is to redirect traffic for a legitimate domain to a malicious IP address.

Domain Name System (DNS) spoofing is an attack that compromises the name resolution process, and can be used to facilitate pharming or Denial of Service (DoS) attacks.

Address Resolution Protocol (ARP) poisoning occurs when an attacker, with access to the network, redirects an IP address to the MAC address of a computer that is not the intended recipient.

IP spoofing occurs when an attacker sends IP packets from a false (or spoofed) source address to communicate with targets.

34
Q

Mutual authentication prevents a client from inadvertently submitting confidential information to a non-secure server. Mutual authentication also helps avoid which of the following? (Select two)

A

Man-in-the-Middle attacks

Session hijacking attacks

Mutual authentication is a security mechanism that requires that each party in a communication verifies each other’s identity and helps in avoiding Man-in-the-Middle attacks.

Mutual authentication helps in avoiding session hijacking attacks, and is a security mechanism that requires that each party in a communication verifies each other’s identity.

Address Resolution Protocol (ARP) poisoning occurs when an attacker, with access to the network, redirects an IP address to the MAC address of a computer that is not the intended recipient.

IP spoofing occurs when an attacker sends IP packets from a false (or spoofed) source address to communicate with targets.

35
Q

A social engineer, impersonating a suppliant, rummaged through the garbage of a high-ranking loan officer, hoping to find discarded documents and removable media containing personally identifiable information (PII). Which of the following social engineering techniques did the attacker utilize?

A

dumpster diving

Dumpster diving refers to combing through an organization’s (or individual’s) garbage to try to find useful documents (or even files stored on discarded removable media).

Piggybacking is a situation where the attacker enters a secure area with an employee’s permission.

If a user leaves a workstation unattended while logged on, an attacker can physically gain access to the system (often described as a lunchtime attack).

Shoulder surfing refers to stealing a password or PIN (or other secure information) by watching the user type it, either in close proximity or remotely.

36
Q

A social engineer, after performing reconnaissance on a victim, spoofed the phone number of the doctor’s office the target frequently visits. Posing as the receptionist, the attacker called the victim, and requested the victim’s Social Security Number (SSN). What type of social engineering attack did the social engineer exercise?

A

Authority

Many people find it difficult to refuse a request by someone they perceive as superior to them. Social engineers can try to exploit this behavior to intimidate their target by pretending to be someone of authority.

With consensus/social proof impersonation, an attacker fools users into believing that a malicious website is legitimate by posting fake reviews. The victims believe the reviews and place their trust in the website.

Creating a false sense of urgency can disturb people’s ordinary decision-making process. The social engineer can try to pressure his or her target by demanding a quick response.

One of the tools of social engineers is to be likable, and to present the requests they make as completely reasonable.

37
Q

A user entered credentials into a web application login page. Unfortunately, the login form contained a malicious invisible iframe that allowed the attacker to intercept the user’s input. What type of attack is this known as?

A

Clickjacking

Clickjacking is a hijacking attack that forces a user to unintentionally click a link that is embedded in or hidden by other web page elements.

A MitB attack is where the web browser is compromised by installing malicious plug-ins or scripts or intercepting API calls. Vulnerability exploit kits can be installed to a website and actively try to exploit vulnerabilities in clients browsing the site.

XSRF is a malicious script hosted on the attacker’s site that can exploit a session started on another site in the same browser.

Session IDs generated using predictable patterns (such as the IP address combined with the date and time) make the session vulnerable to eavesdropping and possibly hijacking, by replaying the cookie to re-establish the session.

38
Q

By compromising a Windows XP application that ran on a Windows 10 machine, an attacker installed persistent malware on a victim computer with local administrator privileges. What should the attacker add to the registry, along with its files added to the system folder, to execute this malware?

A

A shim

The code library to enable legacy mode is a shim. The shim must be added to the registry and its files added to the system folder. The shim database is a way that allows malware to run with persistence.

A pointer is a reference to an object in memory. Attempting to access that memory address is called dereferencing.

An integer is a positive or negative whole number. An integer overflow attack causes the target software to calculate a value that falls outside the upper or lower bound of the type.

A race condition is a software vulnerability that occurs when the execution process is dependent on the timing of certain events, and those events fail to execute in the order and timing intended.

39
Q

A malicious user sniffed credentials exchanged between two computers by intercepting communications between them. What type of attack did the attacker execute?

A

A Man-in-the-Middle attack

A Man-in-the-Middle attack is a form of eavesdropping where the attacker makes an independent connection between two victims and steals information to use fraudulently.

A replay attack consists of intercepting a key or password hash, then reusing it to gain access to a resource, such as the pass-the-hash attack.

A birthday attack is a type of brute force attack aimed at exploiting collisions in hash functions. This type of attack can be used for the purpose of forging a digital signature.

A downgrade attack can be used to facilitate a Man-in-the-Middle (MitM) attack by requesting that the server use a lower specification protocol with weaker ciphers and key lengths.

40
Q

An attacker stole a website name by gaining control of and altering its registration information. The attacker then changed the IP address associated with the site to the IP of a web server the attacker owned. What is this exploit of the website registration process known as?

A

Domain hijacking

Domain hijacking is a type of hijacking attack where the attacker steals a domain name by altering its registration information and then transferring the domain name to another entity. This is sometimes referred to as brandjacking.

Typosquatting relies on users navigating to misspelled domains. An attacker registers a domain name with a common misspelling of an existing domain. Users who misspell a URL in web browsers are taken to the attacker’s website.

Kiting is the act of continually registering, deleting, and reregistering a name within the five-day grace period without having to pay for it.

Tasting is a Domain Name System (DNS) exploit that involves registering a domain temporarily to see how many hits it generates within the five-day grace period.

41
Q

Which of the following type of packets does an attacker generate to crack a Wired Equivalent Privacy (WEP) access point?

A

Address Resolution Protocol (ARP) packets

To crack WEP, a replay attack is used to make the AP generate a large number of IV packets, usually by replaying captured ARP packets at it, so that it cycles through IV values quickly.

IP packets are used in IP spoofing, which occurs when an attacker sends IP packets from a false (or spoofed) source address to communicate with targets.

TLS packets are used during the TLS handshake to establish a secure session. Once the session is established, client and server exchange encrypted data in SSL/TLS records, which are placed into transport layer packets for delivery.

Mirroring mode allows another VM to sniff the unicast packets addressed to a remote interface (like a spanned port on a hardware switch).

42
Q

An adversary spoofs a victim’s IP address and attempts to open connections with multiple servers. If those servers direct their SYN/ACK (Synchronize/Acknowledge) responses to the victim server, and rapidly consume the victim’s bandwidth, what has happened?

A

A Distributed Reflection Denial of Service (DRDoS) attack

In a DRDoS attack, the adversary spoofs the victim’s IP address and attempts to open connections with multiple servers. Those servers direct their SYN/ACK responses to the victim server. This rapidly consumes the victim’s available bandwidth.

A botnet is a set of computers that have been infected so that attackers can use them to mount attacks.

In a Smurf attack, the adversary spoofs the victim’s IP address and pings the broadcast address of a third-party network. Each host directs its echo responses to the victim server.

A Denial of Service (DoS) attack causes a service to become unavailable.

43
Q

Which of the following can perform a Denial of Service (DoS) attack against a wireless network? (Select two)

A

A disassociation attack

A deauthentication attack

Similar to a deauthentication attack, a disassociation attack uses disassociation packets to perform DoS attacks.

Similar to a disassociation attack, a deauthentication attack uses deauth frames to perform DoS attacks.

An evil twin is a rogue access point (AP) masquerading as a legitimate one, and can have a similar Service Set Identifier (SSID) name as the legitimate AP. The evil twin can harvest information from users entering their credentials.

Bluesnarfing refers to using an exploit in Bluetooth to steal information from someone else’s phone/mobile device.

44
Q

Which of the following does NOT provide encryption and is therefore vulnerable to eavesdropping and Man-in-the-Middle attacks?

A

NFC

NFC (Near Field Communications) does not provide encryption, so eavesdropping and Man-in-the-Middle attacks are possible if the attacker can find some way of intercepting the communication and other software services are not encrypting the data.

Radio Frequency ID (RFID) is a means of encoding information into passive tags, which can be easily attached to devices, structures, clothing, or almost anything else.

Bluetooth devices have known security issues such as device discovery, pairing authentication, and worms and exploits.

Wireless communications are easily intercepted and must be encrypted. WEP, WPA and WPA2 are examples of wireless encryption.

45
Q

An attacker remotely crashed a server with a Denial of Service (DoS) attack. After searching their Security Information and Event Management (SIEM) application, the IT security team could not discover the origin of the attack. Which of the following would aid the attacker in masking the origin in this way?

A

Use IP spoofing

IP spoofing is an attack in which an attacker sends IP packets from a false (or spoofed) source address to communicate with targets. The technique is also used in most DoS attacks to mask the origin of the attack and make it harder for the target system to block packets.

An SQL injection attack inserts SQL queries as part of user input, which allows an attacker to extract or insert information into the database or execute arbitrary code.

Fingerprinting is port scanning, which can reveal the presence of a router and what dynamic routing and management protocols it is running.

A brute force attack attempts every possible combination in the key space to derive a plaintext password from a hash.

46
Q

A malicious actor discovered that a company’s storage and processing of data were insecure. The attacker deciphered encrypted data without authorization and impersonated a person within the organization by appropriating their encryption keys. What type of critical vulnerability did the attacker exploit?

A

The use of weak cipher suites and implementations

Attacks on encryption are made to decipher encrypted data without authorization, and to impersonate a person or organization by appropriating their encryption keys due to the use of weak cipher suites and implementations.

A trapdoor function is a mathematical cipher that is simple to perform one way, but difficult to reverse. The aim is to reduce the attacker to blindly guessing the correct value.

A recommendation on minimum key length for an algorithm is based on the length of time it would take to “brute force” the key, given current processing resources.

Some ciphers are vulnerable to cracking by frequency analysis, which depends on the fact that some letters and groups of letters appear more frequently in language than others.

47
Q

Which of the following attacks do security professionals expose themselves to, if they do not salt passwords with a random value?

A

Rainbow table attacks

Passwords not “salted” with a random value make the ciphertext vulnerable to rainbow table attacks. A rainbow table attack is a type of password attack where an attacker uses a set of plaintext passwords and their hashes to crack passwords.

In a dictionary attack, software enumerates values in a dictionary wordlist. Enforcing password complexity makes passwords difficult to guess and compromise. Varying the characters in the password makes it more resistant to these attacks.

A brute force attack attempts every possible combination in the key space to derive a plaintext password from a hash.

A hybrid password attack is targeted against naively strong passwords. The password cracking algorithm tests dictionary words and names in combination with numeric prefixes and/or suffixes.

48
Q

An attacker remotely compromised a closed-circuit television (CCTV) server and used it to steal a user’s password. Which of the following can help prevent this type of shoulder surfing?

A

A privacy filter

An attacker can use CCTV to directly observe a target remotely and steal their PIN or password. A privacy filter is a security control that allows only the user to see the screen contents, thus preventing shoulder surfing.

A colocation is a data center that contains racks with networking equipment owned by different companies.

An ID (identification) badge showing name and access details is one of the cornerstones of building security. Anyone moving through secure areas of a building should be wearing an ID badge.

An access list held at each secure gateway records who is allowed to enter. An electronic lock may be able to log access attempts or a security guard can manually log movement.

49
Q

An attacker came within close proximity of a victim and sent the mobile device user an unsolicited (spam) text message. Once the user clicked the link in the message, the user’s device was infected with Trojan malware. What type of attack did the hacker most likely use to infect the mobile user’s device?

A

Bluejacking

A Bluetooth-discoverable device is vulnerable to bluejacking, similar to spam, where someone sends an unsolicited text (or picture/video) message or vCard (contact details). This can also be a vector for Trojan malware.

Bluesnarfing refers to using an exploit in Bluetooth to steal information from someone else’s phone. The exploit (now patched) allows attackers to circumvent the authentication mechanism.

Skimming is an RFID attack where an attacker uses a fraudulent RFID reader to read the signals from a contactless bank card.

A rogue AP masquerading as a legitimate one is called an evil twin or sometimes wiphishing.

50
Q

An attacker bought a domain similar to the domain name of a legitimate company. The attacker then used the fake domain to host malware and launch pharming attacks. Which of the following did the attacker use?

A

URL Hijacking

URL hijacking (also called typosquatting) relies on users navigating to misspelled domains. An attacker registers a domain name with a misspelling of an existing domain. Users who misspell a URL in a web browser are taken to the attacker’s website.

Domain hijacking is a type of hijacking attack where the attacker steals a domain name by altering its registration information and then transferring the domain name to another entity. This is sometimes referred to as brandjacking.

TCP/IP hijacking is a spoofing attack where attackers disconnect a host, then replace it with their own machine, spoofing the original host’s IP address.

Mutual authentication helps in avoiding session hijacking attacks and is a security mechanism that requires each party to verify each other’s identity.

51
Q

An attacker modified the HTML code of a legitimate password-change webform, then hosted the .html file on the attacker’s web server. The attacker then emailed a URL link of the hosted file to a real user of the webpage. Once the user clicked the link, it changed the user’s password to a value the attacker set. Based on this information, what type of attack is the website vulnerable to?

A

Cross-site Request Forgery (XSRF)

A Cross-site Request Forgery (XSRF) is a malicious script hosted on the attacker’s site that can exploit a session started on another site in the same browser. This is successful if the server does not check if the user actually made the request.

Reflected Cross-Site Scripting (XSS) is a server-side input validation exploit that injects a script into a website. Once the victim visits the infected website, the malicious code executes in the user’s browser.

Stored (or persistent) Cross-Site Scripting (XSS) is a server-side script attack that inserts code into a back-end database used by the trusted site.

Document Object Model (DOM) Cross-Site Scripting (XSS) exploits vulnerabilities in client-side scripts to modify the content and layout of a web page.

52
Q

Through backdoor Trojan malware infections, an attacker compromised multiple computers to form zombie agent PCs with tools to create a botnet. Which of the following attacks can the hacker launch?

A

Distributed Denial of Service (DDoS)

A DDoS attack is a DoS that is launched from multiple, compromised computers. Handlers are used to compromise multiple zombie (agent) PCs with DoS tools (bots) forming a botnet.

In a Smurf attack, the adversary spoofs the victim’s IP address and pings the broadcast address of a third-party network. Each host directs its echo responses to the victim server.

Spyware is a program that monitors user activity and sends the information to someone else. This can occur with or without the user’s knowledge.

Worms are memory-resident viruses that replicate over network resources. The primary effect of a worm infestation is to rapidly consume network bandwidth as the worm replicates.

53
Q

A code library has been added to the registry, with its files placed in the system folder, that can intercept and redirect calls to enable legacy mode functionality. This is a way that malware, with local administrator privileges, can run on reboot. Which of the following represents this code library?

A

A shim

The code library to enable legacy mode is a shim. The shim must be added to the registry and its files added to the system folder. The shim database is a way that allows malware to run with persistence.

A pointer is a reference to an object in memory. Attempting to access that memory address is called dereferencing.

An integer is a positive or negative whole number. An integer overflow attack causes the target software to calculate a value that exceeds the upper and lower bounds.

A race condition is a software vulnerability that occurs when the execution process is dependent on the timing of certain events, and those events fail to execute in the order and timing intended.

54
Q

A hacker corrupted the name:IP records held in the HOSTS file on a server to divert traffic for a legitimate domain to a malicious IP address. What type of attack did the hacker perform?

A

Domain Name System (DNS) server cache poisoning

DNS server cache poisoning is a redirection attack that aims to corrupt the records held by the DNS server itself. The intention is to redirect traffic for a legitimate domain to a malicious IP address.

IP spoofing occurs when an attacker sends IP packets from a false (or spoofed) source address to communicate with targets.

Domain Name System (DNS) spoofing is an attack that compromises the name resolution process, and can be used to facilitate pharming or Denial of Service (DoS) attacks.

Address Resolution Protocol (ARP) poisoning occurs when an attacker, with access to the network, redirects an IP address to the MAC address of a computer that is not the intended recipient.

55
Q

An attacker exploited a vulnerability on a website frequently visited by a group of bank employees. Once the employees visit the site, the attacker’s malware infects their computers. What type of attack did the employees fall for?

A

A watering hole attack

A watering hole attack is a directed social engineering attack. It relies on the circumstance that a group of targets may use an insecure third-party website.

In a hoax attack, an email alert or web pop-up will claim to have identified some sort of security problem, like a virus infection, and offer a tool to fix the problem, but the tool will be some sort of Trojan application.

Pharming relies on corrupting the way the victim’s computer performs Internet name resolution, so that they are redirected from the genuine site to the malicious one.

If a user leaves a workstation unattended while logged on, an attacker can physically gain access to the system (often described as a lunchtime attack).

56
Q

Which of the following defeats a jamming attack and prevents disruption of a wireless network when a hacker uses an illegal access point (AP) with a very strong signal in close proximity? (Select two)

A

Locate the offending radio source and disable it.

Boost the signal of the legitimate equipment.

A wireless network can be disrupted by interference from other radio sources. One way to defeat a jamming attack is to locate the offending radio source and disable it.

A wireless network can be disrupted by interference from other radio sources. One way to defeat a jamming attack is to boost the signal of the legitimate equipment.

A spectrum analyzer only detects the source of interference; it does not defeat or prevent the jamming.

A Personal Area Network (PAN) is a network that connects two to three devices with cables and is most often seen in small or home offices.

57
Q

What type of attack can facilitate a Man-in-the-Middle attack by requesting that the server use a lower specification protocol with weaker ciphers and key lengths?

A

A downgrade attack

A downgrade attack can be used to facilitate a Man-in-the-Middle attack by requesting that the server use a lower specification protocol with weaker ciphers and key lengths.

A replay attack consists of intercepting a key or password hash then reusing it to gain access to a resource, such as the pass-the-hash attack.

A birthday attack is a type of brute force attack aimed at exploiting collisions in hash functions. This type of attack can be used for the purpose of forging a digital signature.

58
Q

An attacker performed a Denial of Service (DoS) attack against a server, crashing it. What could the attacker do to mask the origin of the attack and make it harder for the security team to find the source of the attack?

A

Use IP spoofing

IP spoofing is an attack in which an attacker sends IP packets from a false (or spoofed) source address to communicate with targets. The technique is also used in most DoS attacks to mask the origin of the attack and make it harder for the target system to block packets.

An SQL injection attack inserts SQL queries as part of user input, which allows an attacker to extract or insert information into the database or execute arbitrary code.

Fingerprinting is port scanning, which can reveal the presence of a router and what dynamic routing and management protocols it is running.

A brute force attack attempts every possible combination in the key space to derive a plaintext password from a hash.

59
Q

Which of the following attacks do security professionals expose themselves to, if they do not salt passwords with a random value?

A

Rainbow table attacks

Passwords not “salted” with a random value make the ciphertext vulnerable to rainbow table attacks. A rainbow table attack is a type of password attack where an attacker uses a set of plaintext passwords and their hashes to crack passwords.

In a dictionary attack, software enumerates values in a dictionary wordlist. Enforcing password complexity makes passwords difficult to guess and compromise. Varying the characters in the password makes it more resistant to these attacks.

A brute force attack attempts every possible combination in the key space to derive a plaintext password from a hash.

A hybrid password attack is targeted against naively strong passwords. The password cracking algorithm tests dictionary words and names in combination with numeric prefixes and/or suffixes.

60
Q

A company’s computer has a mobile device tethered to it, which creates a remote backdoor into the network. What does this device become?

A

A rogue access point (AP)

If scans or network logs show that unauthorized devices are connecting, determine whether the problem is an access point with misconfigured or weak security, or whether there is a rogue AP.

A spectrum analyzer is a device that can detect the source of jamming (interference) on a wireless network. It usually has a directional antenna, which pinpoints the exact location of the interference.

RFID devices encode information into passive tags, which can be easily attached to devices, structures, clothing, or almost anything else.

With a SPAN port, the sensor is attached to a specially configured port on the switch that receives copies of frames addressed to nominated access ports (or all the other ports).

61
Q

A social engineer intercepted an end-user’s phone call to an internet service provider (ISP) about a home internet outage. Pretending to be the caller reporting the outage, the attacker immediately contacted the ISP to cancel the service call, dressed up as an internet tech, and then proceeded to enter the end-user’s home with permission. What type of social engineering attack did the ISP and end-user fall victim to?

A

Impersonation

Impersonation is a social engineering attack, in which the attacker pretends to be someone else.

In a hoax attack, an email alert or web pop-up will claim to have identified some sort of security problem, such as a virus infection, and offer a tool to fix the problem. The tool, of course, will be some sort of Trojan application.

Pharming relies on corrupting the way the victim’s computer performs Internet name resolution, so that they are redirected from the genuine site to the malicious one.

Tailgating is a means of entering a secure area without authorization by following close behind the person that has been allowed to open the door or checkpoint.

62
Q

If a system is vulnerable, which of the following enables an attacker (with system access) to obtain keys from system memory?

A

Privilege escalation

An attacker with system access is able to obtain keys from system memory or pagefiles/scratch disks. Privilege escalation is the practice of exploiting flaws in an operating system or other application to gain a greater level of access than was intended for the user or application.

An SQL injection attack inserts an SQL query as part of user input, which allows an attacker to extract or insert information into the database or execute arbitrary code.

Directory traversal occurs when the attacker gets access to a file outside the web server’s root directory.

Transitive access describes the problem of authorizing a request for a service that depends on an intermediate service.

63
Q

An end-user received a web pop-up that claimed to identify a virus infection on their computer. The pop-up offered a link to download a program to fix the problem. After the user clicked the link, the security operations center (SOC) received an alert from the computer that the user had downloaded a Trojan. Which of the following is most likely true about the pop-up?

A

The tool claiming to fix the problem was actually a hoax attack.

In a hoax attack, an email alert or web pop-up will claim to have identified some sort of security problem, such as a virus infection, and offer a tool to fix the problem. The tool, of course, will be some sort of Trojan application.

Spyware is a program that monitors user activity and sends the information to someone else. This can occur with or without the user’s knowledge.

Phishing is a combination of social engineering and spoofing, where the attacker sets up a spoof website to imitate a trusted one.

Rogueware is a fake antivirus web pop-up that claims to have detected viruses on the computer and prompts the user to initiate a full scan, which installs the attacker’s Trojan.

64
Q

A malicious actor discovered that a company’s storage and processing of data were insecure. The attacker deciphered encrypted data without authorization and impersonated a person within the organization by appropriating their encryption keys. What type of critical vulnerability did the attacker exploit?

A

The use of weak cipher suites and implementations

Attacks on encryption are made to decipher encrypted data without authorization, and to impersonate a person or organization by appropriating their encryption keys due to the use of weak cipher suites and implementations.

A trapdoor function is a mathematical cipher that is simple to perform one way, but difficult to reverse. The aim is to reduce the attacker to blindly guessing the correct value.

A recommendation on minimum key length for an algorithm is made by the length of time it would take to “brute force” the key, given current processing resources.

Some ciphers are vulnerable to cracking by frequency analysis, which depends on the fact that some letters and groups of letters appear more frequently in language than others.

65
Q

A malicious user sniffed credentials exchanged between two computers by intercepting communications between them. What type of attack did the attacker execute?

A

A Man-in-the-Middle attack

A Man-in-the-Middle attack is a form of eavesdropping where the attacker makes an independent connection between two victims and steals information to use fraudulently.

A replay attack consists of intercepting a key or password hash, then reusing it to gain access to a resource, such as the pass-the-hash attack.

A birthday attack is a type of brute force attack aimed at exploiting collisions in hash functions. This type of attack can be used for the purpose of forging a digital signature.

A downgrade attack can be used to facilitate a Man-in-the-Middle (MitM) attack by requesting that the server use a lower specification protocol with weaker ciphers and key lengths.

66
Q

After an attacker gathered Open Source Intelligence (OSINT) from a social media site on an employee, the attacker called the employee and extracted important information, regarding the company the employee works for. Which of the following did the social engineer successfully perform?

A

Trust

To be convincing (or to establish trust) usually depends on the attacker obtaining privileged information. An impersonation attack is much more effective if the attacker knows information about the employee.

Shoulder surfing refers to stealing a password or PIN (or other secure information) by watching the user type it, either in close proximity or remotely.

If a user leaves a workstation unattended while logged on, an attacker can physically gain access to the system (often described as a lunchtime attack).

Tailgating is a means of entering a secure area without authorization, by following close behind the person that has been allowed to open the door or checkpoint.

67
Q

An attacker remotely compromised a closed-circuit television (CCTV) server and used it to steal a user’s password. Which of the following can help prevent this type of shoulder surfing?

A

A privacy filter

An attacker can use CCTV to directly observe a target remotely and steal their PIN or password. A privacy filter is a security control that allows only the user to see the screen contents, thus preventing shoulder surfing.

A colocation is a data center that contains racks with networking equipment owned by different companies.

An ID (identification) badge showing name and access details is one of the cornerstones of building security. Anyone moving through secure areas of a building should be wearing an ID badge.

An access list held at each secure gateway records who is allowed to enter. An electronic lock may be able to log access attempts or a security guard can manually log movement.

68
Q

An attacker stole a website name by gaining control of and altering its registration information. The attacker then changed the IP address associated with the site to the IP of a web server the attacker owned. What is this exploit of the website registration process known as?

A

Domain hijacking

Domain hijacking is a type of hijacking attack where the attacker steals a domain name by altering its registration information and then transferring the domain name to another entity. This is sometimes referred to as brandjacking.

Typosquatting relies on users navigating to misspelled domains. An attacker registers a domain name with a common misspelling of an existing domain. Users who misspell a URL in web browsers are taken to the attacker’s website.

Kiting is the act of continually registering, deleting, and reregistering a name within the five-day grace period without having to pay for it.

Tasting is a Domain Name System (DNS) exploit that involves registering a domain temporarily to see how many hits it generates within the five-day grace period.

69
Q

A residential internet consumer wants to add a wireless network to their home. To automate and simplify the setup process, the user installed a wireless access point capable of Wi-Fi Protected Setup (WPS) with an eight-character Personal Identification Number (PIN). What type of attack is this installation vulnerable to?

A

A brute force attack

WPS is vulnerable to brute force attacks. The PIN is eight characters, but it is validated as separate parts, and each part is simple to brute force.

In a dictionary attack, software enumerates values in a dictionary wordlist. Enforcing password complexity and varying the characters makes passwords difficult to guess and compromise.

A rainbow table attack is where an attacker uses a set of related plaintext passwords and their hashes to crack passwords. Values are computed in chains and only the first and last values need to be stored.

A hybrid password attack is targeted against naively strong passwords. The password cracking algorithm tests dictionary words and names in combination with numeric prefixes and/or suffixes.

70
Q

Which of the following attacks consists of intercepting a key or password hash to reuse it as a means to gain access to a resource?

A

A replay attack

A replay attack consists of intercepting a key or password hash, then reusing it to gain access to a resource, such as the pass-the-hash attack.

A birthday attack is a type of brute force attack aimed at exploiting collisions in hash functions. This type of attack can be used for the purpose of forging a digital signature.

A downgrade attack can be used to facilitate a Man-in-the-Middle (MitM) attack by requesting that the server use a lower specification protocol with weaker ciphers and key lengths.

A Man-in-the-Middle (MitM) attack is a form of eavesdropping in which the attacker makes an independent connection between two victims and steals information to use fraudulently.

71
Q

An attacker gathered Open Source Intelligence (OSINT) about a company through the internet, then contacted employees of the company and used the information gathered to extract more personally identifiable information (PII). Which of the following describes this type of social engineering attack?

A

Trust

Being convincing (or establishing trust) usually depends on the attacker obtaining privileged information. An impersonation attack is much more effective if the attacker knows information about the employee.

Shoulder surfing refers to stealing a password or PIN (or other secure information) by watching the user type it, either in close proximity or remotely.

If a user leaves a workstation unattended while logged on, an attacker can physically gain access to the system (often described as a lunchtime attack).

Tailgating is a means of entering a secure area without authorization, by following close behind the person that has been allowed to open the door or checkpoint.

72
Q

An attacker can exploit a weakness in a password protocol to calculate the hash of a password. Which of the following can the attacker match the hash to as a means to obtain the password? (Select two)

A

A dictionary word

A rainbow table

Password crackers can exploit weaknesses in a protocol to calculate the hash and then match it to a dictionary word or brute force it.

Rainbow tables are associated with attacks where an attacker uses a set of related plaintext passwords and their hashes to crack passwords.

A Pre-Shared Key (PSK) refers to using a passphrase to generate the key that is used to encrypt communications. It is also referred to as group authentication, since a group of users share the same secret.

Wi-Fi Protected Access (WPA) is an encryption scheme for protecting Wi-Fi communications, designed to replace WEP.

73
Q

An attacker sent a victim an email with a link to a malicious website. The victim then clicked the link, which opened a malicious payload in the browser, and changed the user’s password to a legitimate website. What type of attack is the legitimate site vulnerable to?

A

Cross-site Request Forgery (XSRF)

A Cross-site Request Forgery (XSRF) is a malicious script hosted on the attacker’s site that can exploit a session started on another site in the same browser. This is successful if the server does not check if the user actually made the request.

Reflected Cross-Site Scripting (XSS) is a server-side input validation exploit that injects a script into a website. Once the victim visits the infected website, the malicious code executes in the user’s browser.

Stored (or persistent) Cross-Site Scripting (XSS) is a server-side script attack that inserts code into a back-end database used by the trusted site.

Document Object Model (DOM) Cross-Site Scripting (XSS) exploits vulnerabilities in client-side scripts to modify the content and layout of a web page.

74
Q

A penetration tester cracked a company’s Wired Equivalent Privacy (WEP) access point (AP) by making the AP generate a large number of initialization vector (IV) packets by replaying Address Resolution Protocol (ARP) packets at it. What type of attack did the pen tester use to crack the AP?

A

Replay

In a replay attack the attacker intercepts authentication data and reuses it to re-establish a session. To crack WEP, a type of replay attack is used.

War driving is the practice of using a Wi-Fi sniffer to detect WLANs and then either making use of them or trying to break into them (using WEP and WPA cracking tools).

A Wi-Fi jamming attack can be performed by setting up an AP with a stronger signal. Wi-Fi jamming devices are illegal to use and to sell. The attacker needs to gain fairly close physical proximity to the wireless network.

Skimming is an RFID attack where an attacker uses a fraudulent RFID reader to read the signals from a contactless bank card.

75
Q

Which of the following is a way to protect against birthday attacks?

A

Encryption algorithms, demonstrating collision avoidance

To protect against the birthday attack, encryption algorithms must demonstrate collision avoidance (that is, reduce the chance that different inputs will produce the same output).

Operating system hardening is the process of making the OS configuration secure by enabling and allowing access to only necessary services, installing monitoring software to protect against malware and intrusions, and establishing a maintenance schedule to ensure the OS is patched to be secure against software exploits.

Implementing a captive portal requiring login credentials helps protect against unauthorized users accessing your Wi-Fi hotspot.

Understanding the use of environmental controls helps provide suitable conditions for server equipment and protect against fire risks.

76
Q

An end-user received a web pop-up that claimed to identify a virus infection on their computer. The pop-up offered a link to download a program to fix the problem. After clicking the link, the security operations center (SOC) received an alert from the computer that the user downloaded a Trojan. Which of the following is most likely true about the pop-up?

A

The tool claiming to fix the problem was actually a hoax attack.

In a hoax attack, an email alert or web pop-up will claim to have identified some sort of security problem, such as a virus infection, and offer a tool to fix the problem. The tool, of course, will be some sort of Trojan application.

Spyware is a program that monitors user activity and sends the information to someone else. This can occur with or without the user’s knowledge.

Phishing is a combination of social engineering and spoofing, where the attacker sets up a spoof website to imitate a trusted one.

Rogueware is a fake antivirus web pop-up that claims to have detected viruses on the computer and prompts the user to initiate a full scan, which installs the attacker’s Trojan.

77
Q

An attacker installed a fraudulent Radio Frequency ID (RFID) reader to steal credit card numbers any time someone used a card to make a purchase. What type of attack does this describe?

A

Skimming

Skimming is an RFID attack where an attacker uses a fraudulent RFID reader to read the signals from a contactless bank card.

Bluesnarfing refers to using an exploit in Bluetooth to steal information from someone else’s phone. The exploit (now patched) allows attackers to circumvent the authentication mechanism.

A Bluetooth-discoverable device is vulnerable to bluejacking, similar to spam, where someone sends an unsolicited text (or picture/video) message or vCard (contact details). This can also be a vector for Trojan malware.

A rogue AP masquerading as a legitimate one is called an evil twin or sometimes wiphishing.

78
Q

What type of brute force attack aims at exploiting collisions in hash functions?

A

Birthday attacks

A birthday attack is a type of brute force attack aimed at exploiting collisions in hash functions. A collision is where a function produces the same hash value for two different plaintexts.

With Pass-the-Hash attacks, if an attacker obtains the hash of a user’s password, it is possible to authenticate with the hash, without cracking it.

A downgrade attack can be used to facilitate a Man-in-the-Middle (MitM) attack by requesting that the server use a lower specification protocol with weaker ciphers and key lengths.

A Man-in-the-Middle (MitM) attack is a form of eavesdropping in which the attacker makes an independent connection between two victims and steals information to use fraudulently.

79
Q

Which of the following is an example of why viruses are destructive? (Select two)

A

Viruses can exploit zero days.

Viruses can spread via social engineering techniques.

Viruses can be categorized by their virulence. Some viruses are destructive since they exploit a previously unknown system vulnerability (a “zero day” exploit).

Some attackers utilize particularly effective social engineering techniques to persuade users to open an infected file (an infected email attachment with the subject “I Love You” being one of the best examples of the breed).

Worms spread through memory and network connections rather than infecting files. Viruses spread from computer to computer, usually by “infecting” executable applications or program code.

Worms are memory-resident viruses that replicate over network resources. Viruses spread from computer to computer, usually by “infecting” executable applications or program code.

80
Q

An end-user received a web pop-up that claimed to identify a virus infection on their computer. The pop-up offered a link to download a program to fix the problem. After clicking the link, the security operations center (SOC) received an alert from the computer that the user downloaded a Trojan. Which of the following is most likely true about the pop-up?

A

The tool claiming to fix the problem was actually a hoax attack.

In a hoax attack, an email alert or web pop-up will claim to have identified some sort of security problem, such as a virus infection, and offer a tool to fix the problem. The tool, of course, will be some sort of Trojan application.

Spyware is a program that monitors user activity and sends the information to someone else. This can occur with or without the user’s knowledge.

Phishing is a combination of social engineering and spoofing, where the attacker sets up a spoof website to imitate a trusted one.

Rogueware is a fake antivirus web pop-up that claims to have detected viruses on the computer and prompts the user to initiate a full scan, which installs the attacker’s Trojan.

81
Q

In what way can an attacker NOT perform a Denial of Service (DoS) attack?

A

Use web application firewall processing rules to filter traffic.

A web application firewall (WAF) is one designed specifically to protect software running on web servers and their backend databases from code injection and DoS attacks. WAFs use application-aware processing rules to filter traffic.

DoS attacks can prevent network access by knocking out the directory server.

Routing protocols that have no authentication or weak authentication are vulnerable to route table poisoning. This can mean that traffic is misdirected to a monitoring port (sniffing), sent to a blackhole (non-existent address), or continuously looped around the network, causing DoS.

DoS attacks focus on overloading a service by using up CPU, system RAM, disk space, or network bandwidth (resource exhaustion).

82
Q

An attacker installed a fraudulent Radio Frequency ID (RFID) reader to steal credit card numbers any time someone used a card to make a purchase. What type of attack does this describe?

A

Skimming

Skimming is an RFID attack where an attacker uses a fraudulent RFID reader to read the signals from a contactless bank card.

Bluesnarfing refers to using an exploit in Bluetooth to steal information from someone else’s phone. The exploit (now patched) allows attackers to circumvent the authentication mechanism.

A Bluetooth-discoverable device is vulnerable to bluejacking, similar to spam, where someone sends an unsolicited text (or picture/video) message or vCard (contact details). This can also be a vector for Trojan malware.

A rogue AP masquerading as a legitimate one is called an evil twin or sometimes wiphishing.

83
Q

An attacker gathered personal information from an employee by using Open Source Intelligence (OSINT). The attacker then emailed the employee and used the employee’s full name, job title, and phone number to convince the victim that the communication was legitimate. What type of scam did the attacker pull off?

A

Spear phishing

Spear phishing refers to a phishing scam where the attacker has some information that makes an individual target more likely to be fooled by the attack. The attacker might know the details that help convince the target that the communication is genuine.

Phishing is a type of email-based social engineering attack. The attacker sends email from a supposedly reputable source, such as a bank, to try to elicit private information from the victim.

Vishing describes a phishing attack conducted through a voice channel (telephone or VoIP, for instance).

SMiShing refers to fraudulent SMS texts. Other vectors could include instant messaging or social media sites.

84
Q

Which of the following can perform a Denial of Service (DoS) attack against a wireless network? (Select two)

A

A deauthentication attack

A disassociation attack

Similar to a deauthentication attack, a disassociation attack uses disassociation packets to perform DoS attacks.

Similar to a disassociation attack, a deauthentication attack uses deauth frames to perform DoS attacks.

An evil twin is a rogue access point (AP) masquerading as a legitimate one, and can have a similar Service Set Identifier (SSID) name as the legitimate AP. The evil twin can harvest information from users entering their credentials.

Bluesnarfing refers to using an exploit in Bluetooth to steal information from someone else’s phone/mobile device.

85
Q

A user entered credentials into a web application login page. Unfortunately, the login form contained a malicious invisible iFrame that allowed the attacker to intercept the user’s input. What type of attack is this known as?

A

Clickjacking

Clickjacking is a hijacking attack that forces a user to unintentionally click a link that is embedded in or hidden by other web page elements.

A MitB attack is where the web browser is compromised by installing malicious plug-ins or scripts or intercepting API calls. Vulnerability exploit kits can be installed to a website and actively try to exploit vulnerabilities in clients browsing the site.

XSRF is a malicious script hosted on the attacker’s site that can exploit a session started on another site in the same browser.

When session IDs are generated using predictable patterns (such as the IP address combined with the date and time), the session is vulnerable to eavesdropping and possibly hijacking, by replaying the cookie to re-establish the session.

86
Q

To automate and simplify the setup process of adding a wireless network, a homeowner installed a wireless access point capable of Wi-Fi Protected Setup (WPS) with an eight-character Personal Identification Number (PIN). What type of attack can a hacker perform to exploit this vulnerability?

A

A brute force attack

WPS is vulnerable to brute force attacks. The PIN is eight characters long, but it is validated as separate shorter PINs, each of which is simple to brute force.

In a dictionary attack, software enumerates values in a dictionary wordlist. Enforcing password complexity and varying the characters makes passwords difficult to guess and compromise.

A rainbow table attack occurs when an attacker uses a set of related plaintext passwords and their hashes to crack passwords. Values are computed in chains and only the first and last values need to be stored.

A hybrid password attack is targeted against naively strong passwords. The password cracking algorithm tests dictionary words and names in combination with numeric prefixes and/or suffixes.

87
Q

If a system is vulnerable, which of the following allows an attacker with system access to obtain keys from system memory?

A

Privilege escalation

An attacker with system access is able to obtain keys from system memory or pagefiles/scratch disks. Privilege escalation is the practice of exploiting flaws in an operating system or other application, to gain a greater level of access than was intended for the user or application.

An SQL injection attack inserts an SQL query as part of user input, which allows an attacker to extract or insert information into the database or execute arbitrary code.

Directory traversal occurs when the attacker gets access to a file outside the web server’s root directory.

Transitive access describes the problem of authorizing a request for a service that depends on an intermediate service.

88
Q

A social engineer suspects that the upper management department of a company is more vulnerable to ordinary phishing attacks than the normal IT staff, since management staff are reluctant to learn basic security procedures. Therefore, the attacker crafted a campaign targeting these individuals. What type of attack did the social engineer perform?

A

Whaling

A spear phishing attack directed specifically against upper levels of management in the organization (CEOs and other “big beasts”) is sometimes called whaling.

Tailgating is a social engineering technique to gain access to a building by following someone else (or persuading them to “hold the door”).

If a user leaves a workstation unattended while logged on, an attacker can physically gain access to the system (often described as a lunchtime attack).

A watering hole attack is a type of directed social engineering attack. It relies on the circumstance that a group of targets may use an unsecure third-party website.

89
Q

A hacker used a Man-in-the-Middle (MitM) attack to capture a user’s authentication cookie. The attacker disrupted the legitimate user’s session and then re-sent the valid cookie to impersonate the user and authenticate to the user’s account. What type of attack is this?

A

A replay attack

In a replay attack, the attacker captures some data used to log on or start a session legitimately. The attacker then disrupts the legitimate session and resends the captured data to re-enable the connection.

A birthday attack is a type of brute force attack aimed at exploiting collisions in hash functions. This type of attack can be used for the purpose of forging a digital signature.

A downgrade attack can be used to facilitate a Man-in-the-Middle (MitM) attack by requesting that the server use a lower specification protocol with weaker ciphers and key lengths.

A Man-in-the-Middle (MitM) attack is a form of eavesdropping in which the attacker makes an independent connection between two victims and steals information to use fraudulently.

90
Q

After an attacker gathered Open Source Intelligence (OSINT) from a social media site on an employee, the attacker called the employee and extracted important information regarding the company the employee works for. Which of the following did the social engineer successfully perform?

A

Trust

Being convincing (or establishing trust) usually depends on the attacker obtaining privileged information. An impersonation attack is much more effective if the attacker knows information about the employee.

Shoulder surfing refers to stealing a password or PIN (or other secure information) by watching the user type it, either in close proximity or remotely.

If a user leaves a workstation unattended while logged on, an attacker can physically gain access to the system (often described as a lunchtime attack).

Tailgating is a means of entering a secure area without authorization, by following close behind the person that has been allowed to open the door or checkpoint.

91
Q

Which of the following social engineering techniques have less chance of arousing suspicion and being caught? (Select two)

A

Familiarity

Liking

Familiarity is low risk. If the request is refused, it is unlikely to cause suspicion and the social engineer can move to a different target without being detected.

Liking is low risk. If the request is refused, it is less likely to cause suspicion and the social engineer can move on to a different target without being detected.

Compared to using a familiarity/liking approach, the authority tactic is riskier as there is a greater chance of arousing suspicion and the target reporting the attack attempt.

Compared to using a familiarity/liking approach, the intimidation tactic is riskier as there is a greater chance of arousing suspicion and the target reporting the attack attempt.

92
Q

Mutual authentication prevents a client from inadvertently submitting confidential information to a non-secure server. Mutual authentication also helps avoid which of the following? (Select two)

A

Session hijacking attacks

Man-in-the-Middle attacks

Mutual authentication is a security mechanism that requires that each party in a communication verifies each other’s identity and helps in avoiding Man-in-the-Middle attacks.

Mutual authentication helps in avoiding session hijacking attacks, and is a security mechanism that requires that each party in a communication verifies each other’s identity.

Address Resolution Protocol (ARP) poisoning occurs when an attacker, with access to the network, redirects an IP address to the MAC address of a computer that is not the intended recipient.

IP spoofing occurs when an attacker sends IP packets from a false (or spoofed) source address to communicate with targets.

93
Q

An end-user received a web pop-up that claimed to identify a virus infection on their computer. The pop-up offered a link to download a program to fix the problem. After clicking the link, the security operations center (SOC) received an alert from the computer that the user downloaded a Trojan. Which of the following is most likely true about the pop-up?

A

A hoax attack

In a hoax attack, an email alert or web pop-up will claim to have identified some sort of security problem, such as a virus infection, and offer a tool to fix the problem. The tool, of course, will be some sort of Trojan application.

Spyware is a program that monitors user activity and sends the information to someone else. This can occur with or without the user’s knowledge.

Phishing is a combination of social engineering and spoofing, where the attacker sets up a spoof website to imitate a trusted one.

Rogueware is a fake antivirus web pop-up that claims to have detected viruses on the computer and prompts the user to initiate a full scan, which installs the attacker’s Trojan.

94
Q

An attacker exploited a vulnerability on a website frequently visited by a group of bank employees. Once the employees visit the site, the attacker’s malware infects their computers. What type of attack did the employees fall for?

A

A watering hole attack

95
Q

Which of the following attacks consists of intercepting a key or password hash to reuse it as a means to gain access to a resource?

A

A replay attack

96
Q

A social engineer used a phishing attack to trick users into visiting a website. Once users visit the site, a vulnerability exploit kit installs, which actively exploits vulnerabilities on the client. What type of attack did the users become a victim of?

A

A Man-in-the-Browser (MitB) attack

97
Q

An attacker hosted an exploit script on a malicious website and injected it into a trusted website. The attacker then sent the link to the victim and used Open Source Intelligence (OSINT) gathering and social engineering tactics, such as spear phishing, to convince the victim to click the link, which compromised the user browsing to the site. Which of the following best describes this type of attack?

A

Cross-site scripting (XSS)

Cross-site scripting (XSS) is a malicious script hosted on the attacker’s site or coded in a link injected onto a trusted site designed to compromise clients browsing the trusted site.

Cross-site Request Forgery (XSRF) is a malicious script hosted on the attacker’s site that can exploit a session started on another site in the same browser.

A SQL injection attack inserts an SQL query as part of user input, which allows an attacker to extract or insert information into the database or execute arbitrary code.

A command injection attack runs OS shell commands from the browser. It allows commands to operate outside of the server’s directory root, with the commands running as the web “guest” user.

98
Q

An attacker changed the physical address of the wireless adapter interface to redirect traffic destined for the legitimate user to the attacker’s computer. What type of attack does this describe?

A

Media Access Control (MAC) spoofing

99
Q

An attacker used an illegal access point (AP) with a very strong signal and gained close physical proximity to a corporate wireless network to disrupt its services. What type of attack does this describe? (Select two)

A

An interference attack

A jamming attack

100
Q

Which of the following attacks do security professionals expose themselves to if they turn the power output down on a wireless access point (AP)?

A

Evil twin attacks

101
Q

Which of the following attacks would allow an attacker to sniff all traffic on a switched network?

A

ARP poisoning