Day 1 115-151 Flashcards

1
Q

1.115 After gaining access to a Linux machine, how can an attacker use the /etc/passwd file?

A. He can’t read it because it’s encrypted.
B. The file reveals the passwords to the root user only.
C. He can open it and read the user IDs and corresponding passwords.
D. The password file does not contain the passwords themselves.

A

Answer: D

In Linux, user-account info is stored in the /etc/passwd file. Typically, however, the actual user passwords themselves are stored in a different file, /etc/shadow, which is only readable by the root account.

2
Q

1.116 What type of SQL injection attack is this?

SELECT * FROM userinfo WHERE name='xyz' AND userid IS NULL; --';

A. Union SQL injection
B. End of line comment
C. Tautology
D. Illegal/logically incorrect query

A

Answer: B

The -- starts an end-of-line comment, so anything that follows it in the query (such as a password check) is ignored. Tautology is when two things are always equal to each other, such as 1=1 (which is not present here). A union statement combines two queries with a UNION command (again, not present here). As for the logic, the above query is logically correct.

3
Q

1.117 Which would be the best description for Cross-Site Request Forgery (CSRF)?

A. Modification of a request by a proxy between client and server
B. A request sent by a malicious user from a browser to a server
C. A browser making a request to a server without the user’s knowledge
D. A server making a request to another server without the user’s knowledge

A

Answer: C

4
Q

1.118 In an attempt to protect passwords in the password file, you add random characters to the passwords before hashing them. What is this called?

A. Double hashing
B. Salting
C. Key stretching
D. Keyed hashing

A

Answer: B

5
Q

1.119 You have a frame-relay network connected to your company. Over this network you need to authenticate inbound users who are connecting via DSL, analog modems, wireless data services, and VPNs. Which AAA would be the most likely to handle this requirement?

A. Kerberos
B. TACACS+
C. RADIUS
D. Diameter

A

Answer: C

RADIUS is the AAA system that has been around the longest and is generally the most compatible with different technologies and different vendors’ equipment.

Another reason RADIUS is a better answer here is that RADIUS is generally used for your users to access the network, whereas TACACS+ is generally used to control remote administration of networking equipment. TACACS+ can not only authenticate your network technicians, but it can also authorize a specific list of commands for each one of them.

6
Q

1.120 In which type of attack does an attacker exploit vulnerabilities in dynamically generated web pages to inject client-side scripts into pages viewed by other users?

A. Cross-Site Request Forgery (CSRF)
B. SQL injection attack
C. LDAP injection attack
D. Cross-Site Scripting (XSS)

A

Answer: D

7
Q

1.121 What’s the attack called where someone uses your Bluetooth connection to send you messages without your consent? This is basically the Bluetooth version of spamming.

A. Bluesmacking
B. Bluejacking
C. Bluesniffing
D. Bluesnarfing

A

Answer: B

8
Q

1.122 Which type of attack allows an attacker to force a victim’s browser to send an authenticated request to a server?

A. Cross-site scripting
B. Cross-site request forgery
C. Server side request forgery
D. Session hijacking

A

Answer: B

While CSRF is a type of session hijack, it’s the better answer here as it’s the specific type of session hijack this question is referring to. With CSRF you need the victim to log in (authenticate) to a server, then you trick the user into clicking on some type of link that will then send traffic to the server “on the victim’s behalf”. You are “forging a request” that appears to legitimately come from the user, even though the user has no idea what’s happening.

9
Q

1.123 Why should you remove or disable unnecessary ISAPI filters?

A. To defend against jailbreaking
B. To defend against social engineering attacks
C. To defend against wireless attacks
D. To defend against webserver attacks

A

Answer: D

ISAPI filters are DLL files that can modify incoming or outgoing data to a Microsoft IIS webserver. Among other things, they can sanitize incoming data to protect against many common threats. Be sure to disable unnecessary ISAPI filters though because some of the default filters have known vulnerabilities.

10
Q

1.124 Many antivirus programs will analyze potential viruses by executing them in a virtual machine to simulate CPU and memory activities. They do this to see how the code interacts with the VM. Which type of virus detection method is this?

A. Code emulation
B. Heuristic analysis
C. Scanning
D. Integrity checking

A

Answer: B

Most antivirus programs that utilize heuristic analysis perform this function by executing the programming commands of a questionable program or script within a specialized virtual machine, thereby allowing the anti-virus program to internally simulate what would happen if the suspicious file were to be executed, while keeping the suspicious code isolated from the real-world machine.

11
Q

1.125 What type of firewall could protect against a SQL injection attack?

A. Web application firewall
B. Stateful firewall
C. Data-driven firewall
D. Packet firewall

A

Answer: A

12
Q

1.126 Which OS did the Shellshock vulnerability NOT directly affect?

A. Windows
B. Linux
C. OS X
D. Unix

A

Answer: A

13
Q

1.127 What is it called when you do an injection attack based on true/false questions?

A. Classic SQLi
B. Blind SQLi
C. Compound SQLi
D. DMS-specific SQLi

A

Answer: B

14
Q

1.128 Which of these acts requires employers to list their standard national numbers on all transactions?

A. SOX
B. HIPAA
C. PCI-DSS
D. DMCA

A

Answer: B

15
Q

1.129 You’ve just been alerted by the HIDS that the server has been breached. After you call the incident response team, they instruct you not to power off the server and tell you they are on the way.

Why did they tell you not to power off the server?

A. This will alert the attacker that they’ve been discovered, prompting them to delete data or install ransomware before their foothold in the network is severed.
B. The incident response team needs to retrieve information stored in volatile memory such as RAM.
C. Actually, the correct procedure in this case is to power off the server. This helps prevent the attacker from spreading deeper into the network.
D. The attacker may have placed a logic bomb, which will trigger when the shutdown command is issued

A

Answer: B

16
Q

1.130 After reviewing the database access logs, you see signs that indicate a data breach has occurred. Because of this an incident is declared. During the evidence gathering and handling phase of the incident response, what is the most important thing to do?

A. Creating detailed notes about lessons learned from the incident
B. Recording what is discussed at every incident response meeting
C. Reviewing the evidence in careful detail to identify the attacking hosts
D. Recording the date and time when evidence is gathered, and the location where the evidence is stored

A

Answer: D

17
Q

1.131 What is the name for a tool that can receive event logs from workstations, servers, network equipment and applications, and then can correlate those logs and generate alarms for any security issues found?

A. Intrusion Prevention Server
B. Vulnerability Scanner
C. Network Sniffer
D. Security Incident and Event Monitoring

A

Answer: D

SIEM (Security Incident and Event Monitoring) software acts as a “tactical dashboard” to monitor and correlate all the security events across your enterprise. Examples include systems by Nagios, Splunk, and McAfee.

18
Q

1.132 What is the role of test automation in security testing?

A. It is an option but it tends to be very expensive.
B. Test automation is not usable in security due to the complexity of the tests.
C. It can accelerate benchmark tests and repeat them with a consistent setup. But it cannot replace manual testing completely.
D. It should be used exclusively. Manual testing is outdated because of low speed and possible test setup inconsistencies.

A

Answer: C

19
Q

1.133 Susan got an e-mail with a file attached. The file was disguised as a Word document, but the extension ended with .docx.exe. Susan ran the attachment but got an error message. In the background the file began to beacon to a C2 server to download more malicious files. What type of malware is this?

A. Trojan
B. Key-logger
C. Macro virus
D. Worm

A

Answer: A

20
Q

1.134 When referring to the field of cryptanalysis, what is a “rubber-hose” attack?

A. Attempting to decrypt ciphertext by making logical assumptions about the contents of the original plaintext
B. Extraction of cryptographic secrets through coercion or torture
C. A backdoor placed into a cryptographic algorithm by its creator
D. Forcing the targeted keystream through a hardware-accelerated device such as an ASIC

A

Answer: B

21
Q

1.135 While doing a pen-test you stand outside the entrance to the building pretending to have an argument while on your cell-phone. After an authorized employee badges in, you grab the door as it begins to close. What are you doing here?

A. Whaling
B. Tailgating
C. Masquerading
D. Phishing

A

Answer: B

22
Q

1.136 Which of these should you do if your backup tapes contain sensitive information, such as credit-card numbers?

A. Hire a security consultant to provide direction.
B. Back up the hashes of the credit card numbers, not the actual credit card numbers.
C. Do not back up either the credit card numbers or their hashes.
D. Encrypt the backup tapes that are sent off-site.

A

Answer: D

23
Q

1.137 Why are containers less secure than VMs?

A. Host OS on containers has a larger attack surface.
B. Containers may fill disk space of the host.
C. A compromised container may cause a CPU starvation of the host.
D. Containers are attached to the same virtual network.

A

Answer: C

24
Q

1.138 Which type of SQL injection uses conditional timing delays to determine if the queries are successful or not?

A. Error-based SQL injection
B. NoSQL injection
C. Blind SQL injection
D. Union-based SQL injection

A

Answer: C

Generally with a blind SQL injection you have to use inference to arrive at your results. A blind injection attack will ask a series of true/false questions (boolean). How then, do you arrive at useful info if you aren’t getting a response of true or false? You could construct a statement that says something like “if true, do this process (which takes a bit of time) and give me some requested data, but if false, don’t do that process (which is much quicker)”. By timing how long it takes to get the response, you can tell if the condition was true or false.

25
Q

1.139 Some types of antivirus software identify malware by gathering data across many protected hosts, then sending that data to a provider’s environment instead of analyzing files locally. Which type of detection technique is this?

A. Cloud based
B. Honeypot based
C. Behavioral based
D. Heuristics based

A

Answer: A

26
Q

1.140 What is the difference between phishing and pharming attacks?

A. Both pharming and phishing attacks are identical.
B. Both pharming and phishing attacks are purely technical and are not considered forms of social engineering.
C. In a phishing attack a victim is redirected to a fake website by modifying their host configuration file or by exploiting vulnerabilities in DNS. In a pharming attack an attacker provides the victim with a URL that is either misspelled or looks very similar to the actual website domain name.
D. In a pharming attack a victim is redirected to a fake website by modifying their host configuration file or by exploiting vulnerabilities in DNS. In a phishing attack an attacker provides the victim with a URL that is either misspelled or looks very similar to the actual website domain name.

A

Answer: D

27
Q

1.141 What does it mean when you get a DEP (Data Execution Protection) error?

A. Malicious code is attempting to execute instructions in a non-executable memory region.
B. Malware is executing in either ROM or a cache memory area.
C. A race condition is being exploited, and the operating system is containing the malicious process.
D. A page fault is occurring, which forces the operating system to write data from the hard drive.

A

Answer: A

28
Q

1.142 Which of these is concerned with CDEs (Cardholder Data Environments)?

A. ISO 27001
B. HIPAA
C. PCI
D. SOX

A

Answer: C

29
Q

1.143 A Business Associate Agreement (BAA) is a legal contract that lists details on how to handle certain types of data and the specific security requirements for that data. What regulation requires a Business Associate Agreement for some vendors?

A. ISO 27001
B. HIPAA
C. PCI
D. SOX

A

Answer: B

30
Q

1.144 Which of these is the best way to secure backup tapes while taking them to an off-site location?

A. Degauss the backup tapes and transport them in a lock box
B. Encrypt the backup tapes and transport them in a lock box.
C. Hash the backup tapes and transport them in a lock box.
D. Encrypt the backup tapes and use a courier to transport them.

A

Answer: B

31
Q

1.145 LDAP has trouble representing many-to-one relationships because it uses a ______ database structure, as compared to SQL’s ______ structure.

A. Simple, Complex
B. Relational, Hierarchical
C. Hierarchical, Relational
D. Strict, Abstract

A

Answer: C

32
Q

1.146 If your employees keep sharing passwords with each other, which of these would be the best first step in making employees understand the importance of keeping sensitive information a secret?

A. Warnings to those who write passwords on post-it notes and leave them on their desks.
B. Information security awareness training.
C. Developing a strict information security policy.
D. Conducting a one to one discussion with employees about the importance of information security.

A

Answer: B

33
Q

1.147 After assessing the risk of a breach in your web application, you find there is a 40% chance of breach. You implement some controls and now find that the risk of a breach is down to 15%, while your risk threshold for the web application is at 25%. Which of these risk strategies will you most likely employ to continue operations with the most business profit?

A. Avoid the risk
B. Mitigate the risk
C. Accept the risk
D. Introduce more controls to bring the risk to 0%

A

Answer: C

34
Q

1.148 In one type of an attack, the hacker sends the victim to a website that contains an interesting looking URL with a link to some funny internet memes. Unknown to the victim, the hacker has created a transparent ‘iframe’ in front of the URL. The victim tries to click the URL, but he is really just clicking the content or URL in the transparent iframe instead. Which type of attack is this?

A. HTTP parameter pollution
B. HTML injection
C. Clickjacking attack
D. Session fixation

A

Answer: C

35
Q

1.149 Bob is doing a pen-test for BigCorp. He sends a specially crafted e-mail to an employee at BigCorp. The e-mail header looks like this:

From: fred_smith@bigcorp.com
To: sally_thompson@bigcorp.com
Subject: Test test test
Date: 2/14/2016 11:15

Sally Thompson at BigCorp receives the e-mail, which must mean their e-mail gateway doesn’t prevent which of these? (Select TWO possible answers)

A. Email spoofing
B. Email harvesting
C. Email masquerading
D. Email phishing

A

Answer: A, C

36
Q

1.150 For PCI compliance, which of these would best fit under the objective “implement strong access control measures”?

A. Assign a unique ID to each person with computer access.
B. Regularly test security systems and processes.
C. Encrypt transmission of cardholder data across open, public networks.
D. Use and regularly update anti-virus software on all systems commonly affected by malware.

A

Answer: A