Day 1 39-75 Flashcards

1
Q

1.39 To infect a machine, a rootkit needs which privilege level?

A. User level privileges

B. Ring 3 Privileges

C. System level privileges

D. Kernel level privileges

A

D

2
Q

1.40 What is the name of the Steganography method that hides data in the “white-space” of files?

A. snow

B. beetle

C. magnet

D. cat

A

A

3
Q

1.41 Besides input validation, what is another countermeasure against an XSS attack such as an attacker entering the following on a web page:

<script>
alert("You big dummy!")
</script>

A. Create an IP access list and restrict connections based on port number

B. Replace "<" and ">" characters with "&lt;" and "&gt;" using server scripts

C. Disable JavaScript in IE and Firefox browsers

D. Connect to the server using HTTPS protocol instead of HTTP

A

B

4
Q

1.42 Which of these web-server maintenance steps would involve a forensic investigator?

A. Configuring, protecting, and analyzing log files

B. Backing up critical information frequently

C. Maintaining a protected authoritative copy of the organization’s Web content

D. Establishing and following procedures for recovering from compromise

E. Testing and applying patches in a timely manner

F. Testing security periodically.

A

D

5
Q

1.43 Which of these are common web vulnerabilities that a web admin should be concerned about

A. Non-validated parameters, broken access control, broken account and session management, cross-site scripting and buffer overflows

B. Visible clear text passwords, anonymous user account set as default, missing latest security patch, no firewall filters set and no SSL configured

C. No SSL configured, anonymous user account set as default, missing latest security patch, no firewall filters set and an inattentive system administrator

D. No IDS configured, anonymous user account set as default, missing latest security patch, no firewall filters set and visible clear text passwords

A

A

6
Q

1.44 Which of these is the most efficient way for an attacker to infect a remote corporate machine with a trojan?

A. Physical access - the attacker can simply copy a Trojan horse to a victim’s hard disk infecting the machine via Firefox add-on extensions

B. Custom packaging - the attacker can create a custom Trojan horse that mimics the appearance of a program that is unique to that particular computer

C. Custom packaging - the attacker can create a custom Trojan horse that mimics the appearance of a program used by the company

D. Downloading software from a website. An attacker can offer free software, such as shareware programs and pirated mp3 files

A

C

7
Q

1.45 More sophisticated IDSs look for common shellcode signatures, but even these systems can be bypassed by using polymorphic shellcode. This is a technique common among virus writers that hides the true nature of the shellcode behind different disguises. How does polymorphic shellcode work?

A. It reverses the working instructions into the opposite order, masking the IDS signatures.

B. It compresses the shellcode into normal instructions, uncompresses the shellcode using loader code, and then executes it.

C. It encrypts the shellcode, uses loader code to decrypt the shellcode, and then executes the decrypted shellcode.

D. It converts the shellcode into Unicode, using a loader to convert it back to machine code before execution.

A

C

8
Q

1.46 Your web-page asks users to enter their mailing address, but you’re worried about possible buffer overflow attacks. Which bit of pseudo-code would correctly limit the Address1 field to 40 characters and avoid a buffer overflow?

A. if (Address1 = 40) {update field} else exit

B. if (Address1 != 40) {update field} else exit

C. if (Address1 >= 40) {update field} else exit

D. if (Address1 <= 40) {update field} else exit

A

D

9
Q

1.47 Which bit of pseudo-code in a programming module would limit input to less than 300 characters, and if there are 300 characters, the module should stop because it can’t hold any more data?

A. If (I > 300) then exit

B. If (I < 300) then exit

C. If (I <= 300) then exit

D. If (I >= 300) then exit

A

D

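Cards 1.46 and 1.47 both reduce to one rule: check the length before the data reaches the buffer, and stop reading once the counter hits the capacity. The example below is added here and is not part of the deck; the field names and limits are assumed. It also shows the check a practitioner actually needs and the pseudo-code hides: a 40-character limit is not a 40-byte limit once the input is non-ASCII, so the byte length of the encoded value must be checked against the size of the buffer it will be stored in.

```python
from typing import Optional, Tuple


def within_limit(value: str, max_chars: int, max_bytes: Optional[int] = None,
                 encoding: str = "utf-8") -> bool:
    """Option D of card 1.46: accept the field only if it fits the limit.

    Characters and bytes are different limits. A 40-character string of
    accented text needs far more than 40 bytes in a UTF-8 back-end buffer,
    so the byte length is checked too when max_bytes is given.
    """
    if len(value) > max_chars:
        return False
    if max_bytes is not None and len(value.encode(encoding)) > max_bytes:
        return False
    return True


def read_bounded(chars, capacity: int) -> Tuple[str, bool]:
    """Option D of card 1.47: stop the moment the counter reaches capacity.

    Returns (accepted_text, truncated). The 'I >= capacity' test runs before
    each append, so at most `capacity` characters are ever stored.
    """
    buf = []
    truncated = False
    for ch in chars:
        if len(buf) >= capacity:      # the "If (I >= 300) then exit" test
            truncated = True
            break
        buf.append(ch)
    return "".join(buf), truncated


if __name__ == "__main__":
    # Constructed inputs: a normal address, an over-long one, and accented text.
    print(within_limit("1 Main St", 40))                        # True
    print(within_limit("x" * 41, 40))                           # False
    print(within_limit("\u00e9" * 40, 40))                      # True: 40 chars
    print(within_limit("\u00e9" * 40, 40, max_bytes=40))        # False: 80 bytes
    print(read_bounded("a" * 500, 300))                         # 300 chars, truncated
```

The second function accepts any iterable of characters (a string here, a socket reader in practice), which is why the test feeds it a plain string.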
10
Q

1.48 What type of attack takes advantage of a flaw in a web page to force other users' browsers to send malicious requests they didn't intend to send?

A. File injection attack

B. Hidden field manipulation attack

C. SQL Injection attack (SQLi)

D. Cross-Site Request Forgery (CSRF)

A

D

11
Q

1.49 An example of a logical or technical control would be?

A. Security tokens

B. Heating and air conditioning

C. Smoke and fire alarms

D. Corporate security policy

A

A

12
Q

1.50 Which famous trojan could command and control a botnet?

A. YouKill DOOM

B. Damen Rock

C. Poison Ivy

D. Matten Kit

A

C

13
Q

1.51 You want to steal a file from work and send it to your home computer. If your company monitors outbound traffic, how can you transfer the file without raising any suspicion?

A. Encrypt Sales.xls using PGP and e-mail it to your personal Gmail account

B. Package Sales.xls using Trojan wrappers and telnet it back to your home computer

C. Conceal the Sales.xls database inside another file such as photo.jpg using steganography techniques, then send it out in an innocent-looking e-mail or file transfer

D. Change the extension of Sales.xls to sales.txt and upload it as an attachment to your Hotmail account

A

C

14
Q

1.52 Which ISO standard should definitely be implemented?

A. ISO/IEC 27001

B. ISO/IEC 27002

C. ISO/IEC 27003

D. ISO/IEC 27004

A

A

15
Q

1.53 A common web site flaw allows users to submit data to a web site, which then displays that content to other users in un-sanitized form. Which attack takes advantage of this?

A. URL Traversal attack

B. SQL Injection

C. Cross-site-scripting attack

D. Buffer Overflow attack

A

C

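Cards 1.41 and 1.53 describe the same bug from two sides: untrusted text is written into a page as markup. The example below is added here and is not code from the deck; the page fragments and the two payloads are constructed. It shows option B of card 1.41 (replacing `<` and `>`) working for the `<script>` payload, and then the caveat a practitioner needs: when the value lands inside an attribute, an attacker needs no angle brackets at all, so `&`, `"` and `'` must be encoded too, which is what `html.escape` does.

```python
import html

# Constructed sample: the payload from card 1.41 exactly as a user would submit it.
PAYLOAD = '<script>alert("You big dummy!")</script>'

# Constructed sample for the attribute context: no "<" or ">" anywhere.
ATTR_PAYLOAD = '" onfocus="alert(1)" autofocus="'


def escape_angle_brackets_only(text: str) -> str:
    """The minimal fix from option B of card 1.41: neutralise tag delimiters."""
    return text.replace("<", "&lt;").replace(">", "&gt;")


def escape_for_html(text: str) -> str:
    """Full entity encoding for text nodes and quoted attribute values.

    html.escape also encodes '&', '"' and "'", which is what stops an attacker
    from closing the attribute and adding an event handler.
    """
    return html.escape(text, quote=True)


def render_comment(untrusted: str, escaper=escape_for_html) -> str:
    """Stored XSS scenario of card 1.53: a comment rendered for other users."""
    return f'<li class="comment">{escaper(untrusted)}</li>'


def render_attribute(untrusted: str, escaper=escape_for_html) -> str:
    """The same value reflected into an attribute, where '"' alone breaks out."""
    return f'<input type="text" name="q" value="{escaper(untrusted)}">'


if __name__ == "__main__":
    print(render_comment(PAYLOAD, escape_angle_brackets_only))   # script neutralised
    print(render_attribute(ATTR_PAYLOAD, escape_angle_brackets_only))  # still injects
    print(render_attribute(ATTR_PAYLOAD))                         # safe
```

Output encoding must match the context the value is written into (HTML text, attribute, JavaScript string, URL); the `html.escape` call covers the first two only.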
16
Q

1.54 What is a covert channel?

A. A server program using a port that is not well known

B. Making use of a protocol in a way it was not intended to be used

C. It is the multiplexing taking place on a communication link

D. It is one of the weak channels used by WEP that makes it insecure

A

B

17
Q

1.55 Your company wants to implement 2-factor authentication, however, smart-cards have been deemed too expensive. Which would be the next best choice?

A. Biometric device

B. OTP

C. Proximity cards

D. Security token

A

D

18
Q

1.56 Which HTTP request includes a SQL injection attack?

A. http://www.corpco.c0m/search.asp?lname=jones%27%3bupdate%20usertable%20set%20passwd%3d%27baseball%27%3b--%00

B. http://www.corpco.c0m/script.php?mydata=%3cscript%20src=%22http%3a%2f%2fwww.acmecorp.c0m%2fbadscript.js%22%3e%3c%2fscript%3e

D. http://www.kleegin.com/ExampleAccountno=67891&credit=999999999

A

A
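Decoding option A makes the attack obvious: `%27` is a quote that closes the string literal, `%3b` separates a second statement, `--` comments out whatever the application appends, and the trailing `%00` is a NUL byte meant to truncate the string in a C-based back end. The example below is added here and is not part of the deck. It parses that URL the way a web framework would, runs the resulting query against an in-memory SQLite table, and contrasts it with a parameterised query. Assumptions: the table layout is constructed, `executescript` stands in for a database driver that allows stacked statements (as the ASP/MS SQL back end implied by the URL does), and the NUL truncation is emulated explicitly because SQLite itself would reject the byte.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# The request from option A of card 1.56 (the host is fictional).
INJECTED_URL = ("http://www.corpco.c0m/search.asp?"
                "lname=jones%27%3bupdate%20usertable%20set%20passwd%3d%27baseball%27%3b--%00")


def lname_from_url(url: str) -> str:
    """Decode the lname parameter as a web framework would."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    value = params["lname"][0]
    # %00 decodes to NUL; a C string ends there, which is the point of sending it.
    # Emulate that truncation so the payload is seen exactly as the attacker intends.
    return value.split("\x00", 1)[0]


def fresh_db() -> sqlite3.Connection:
    """Constructed sample table with two users and their (plaintext) passwords."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE usertable (lname TEXT, passwd TEXT);
        INSERT INTO usertable VALUES ('smith', 'orig-smith'), ('jones', 'orig-jones');
    """)
    return conn


def search_vulnerable(conn: sqlite3.Connection, lname: str) -> str:
    """String concatenation: attacker text becomes SQL code. Returns the SQL built."""
    sql = f"SELECT lname FROM usertable WHERE lname='{lname}'"
    conn.executescript(sql)  # stands in for a driver that runs stacked statements
    return sql


def search_safe(conn: sqlite3.Connection, lname: str) -> list:
    """Parameterised query: the same text is only ever a value, never code."""
    rows = conn.execute("SELECT lname FROM usertable WHERE lname=?", (lname,))
    return [r[0] for r in rows.fetchall()]


def passwords(conn: sqlite3.Connection) -> dict:
    return dict(conn.execute("SELECT lname, passwd FROM usertable"))


if __name__ == "__main__":
    payload = lname_from_url(INJECTED_URL)
    db = fresh_db()
    print(search_vulnerable(db, payload))
    print(passwords(db))          # every passwd is now 'baseball'
    db = fresh_db()
    print(search_safe(db, payload), passwords(db))   # no rows, nothing changed
```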

19
Q

1.57 What does ISO 27002 provide?

A. guidelines and practices for security controls.

B. financial soundness and business viability metrics.

C. standard best practice for configuration management.

D. contract agreement writing standards.

A

A

20
Q

1.58 Which of these can emulate corporate servers to observe logins and the actions taken?

A. Firewall

B. Honeypot

C. Core server

D. Layer 4 switch

A

B

21
Q

1.59 To make itself persistent on a Windows machine, in which TWO Registry locations does a trojan create entries?

A. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

B. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\System32\CurrentVersion\Run

C. HKEY_CURRENT_USER\Software\Microsoft\Windows\System32\CurrentVersion\Run

D. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

A

A and D

22
Q

1.60 When using public computers, what are THREE ways to defeat possible key-loggers?

A. Alternate between typing the login credentials and typing characters somewhere else in the focused window

B. Type a wrong password first, then type the correct password on the login page, defeating the keylogger's recording

C. Type the password beginning with the last letter, then use the mouse to move the cursor before each subsequent letter.

D. The next key typed replaces the selected text. For example, if the password is "secret", type "s", then some dummy keys "asdfsd", select the dummies with the mouse, and type the next password character "e", which replaces the dummies "asdfsd"

A

A, C and D

23
Q

1.61 You have a fake ID badge and company shirt. You wait by an entrance and follow an employee into the office after they swipe their access card to open the door. Which type of social engineering attack is this?

A. You have used a tailgating social engineering attack to gain access to the offices

B. You have used a piggybacking technique to gain unauthorized access

C. This type of social engineering attack is called man trapping

D. You are using the technique of reverse social engineering to gain access to the offices

A

A

24
Q

1.62 Hacker Joe logs into his email account online and gets the following URL: http://www.mail.com/mail.asp?mailbox=Joe&Biggs

Joe is trying to access Bob Jones’ email account, so he changes the URL to: http://www.mail.com/mail.asp?mailbox=Bob&Jones

Which attack is Joe using here to attempt to gain access to Bob’s e-mail?

A. This type of attempt is called URL obfuscation when someone manually changes a URL to try and gain unauthorized access

B. By changing the mailbox's name in the URL, Joe is attempting directory traversal

C. Joe is trying to utilize query string manipulation to gain access to Bob’s email account

D. He is attempting a path-string attack to gain access to Bob’s mailbox

A

C

25
Q

1.63 What can you do if your final security solutions do not eliminate 100% of the risk in a system?

A. Continue to apply controls until there is zero risk.

B. Ignore any remaining risk.

C. If the residual risk is low enough, it can be accepted.

D. Remove current controls since they are not completely effective.

A

C

26
Q

1.64 A polymorphic virus can mutate and change its signature and hide from signature-based antivirus programs. If that’s the case, then can Action Jackson use an antivirus program to detect and eliminate a polymorphic virus?

A. Yes. A.J. can use an antivirus program since it compares the parity bit of executable files to the database of known checksum counts, and it is effective on a polymorphic virus.

B. Yes. A.J. can use an antivirus program since it compares the signatures of executable files to the database of known viral signatures, and it is very effective against a polymorphic virus.

C. No. A.J. can't use an antivirus program since it compares the signatures of executable files to the database of known viral signatures, and in that case polymorphic viruses cannot be detected by a signature-based anti-virus program.

D. No. A.J. can't use an antivirus program since it compares the size of executable files to the database of known viral signatures, and it is effective on a polymorphic virus.

A

C
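Cards 1.45 and 1.64 rest on the same mechanism: the payload is stored and transmitted in encrypted form and only a small decoder stub turns it back into its original bytes at run time, so a signature for the original bytes never matches what is on the wire or on disk. The example below is added here and is not part of the deck. The "shellcode" is a constructed ASCII stand-in, not machine code, and the cipher is repeating-key XOR, the simplest encoder real polymorphic engines use. The caveat for 1.64's "No" is visible in the code too: the decoder stub itself and the recovered payload are constant, which is why mature engines signature the stub or emulate execution rather than rely on plain byte matching.

```python
import os

# Constructed stand-in for a shellcode blob (plain text so the effect is visible).
PAYLOAD = b"STAND-IN-SHELLCODE: spawn /bin/sh"
# The byte pattern a naive IDS or antivirus signature would look for.
SIGNATURE = b"spawn /bin/sh"


def xor_encode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the 'encrypt' step of option C in card 1.45."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_decode(blob: bytes, key: bytes) -> bytes:
    """What the loader (decoder stub) does at run time before jumping to the payload."""
    return xor_encode(blob, key)  # XOR is its own inverse


def random_key(length: int = 4) -> bytes:
    """Fresh key per build; zero bytes are rejected so every payload byte changes."""
    while True:
        key = os.urandom(length)
        if 0 not in key:
            return key


def build_polymorphic(payload: bytes = PAYLOAD) -> tuple:
    """Return (key, encoded_payload); each call yields a different byte pattern."""
    key = random_key()
    return key, xor_encode(payload, key)


def signature_hit(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """Signature-based inspection: a plain substring search over the bytes seen."""
    return signature in data


if __name__ == "__main__":
    key, blob = build_polymorphic()
    print("on the wire:", blob.hex())
    print("signature hit on the wire:", signature_hit(blob))            # False
    decoded = xor_decode(blob, key)
    print("after decoder stub:", decoded)
    print("signature hit after decoding:", signature_hit(decoded))      # True
```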

27
Q

1.65 Which of these methods would NOT be an effective way for your custom-made Trojan to evade corporate anti-virus scanners?

A. Convert the Trojan.exe file extension to Trojan.txt disguising as text file

B. Break the Trojan into multiple smaller files and zip the individual pieces

C. Change the content of the Trojan using hex editor and modify the checksum

D. Encrypt the Trojan using multiple hashing algorithms like MD5 and SHA-1

A

A

28
Q

1.66 Before you turn on auditing on a production server, what should you do first?

A. Perform a vulnerability scan of the system.

B. Determine the impact of enabling the audit feature.

C. Perform a cost/benefit analysis of the audit feature.

D. Allocate funds for staffing of audit log review.

A

B

29
Q

1.67 Which of these often targets Microsoft Office products?

A. Polymorphic virus

B. Multipartite virus

C. Macro virus

D. Stealth virus

A

C

30
Q

1.68 How are user-account passwords typically protected?

A. The operating system performs a one-way hash of the passwords.

B. The operating system stores the passwords in a secret file that users cannot find.

C. The operating system encrypts the passwords, and decrypts them when needed.

D. The operating system stores all passwords in a protected segment of non-volatile memory.

A

A

31
Q

1.69 Which is the most common and efficient method of cracking Windows server AD (Active Directory) passwords?

A. Perform a dictionary attack.

B. Perform a brute force attack.

C. Perform an attack with a rainbow table.

D. Perform a hybrid attack.

A

C

32
Q

1.70 Which password-cracking method takes a dictionary file, then adds numbers and symbols to those words in an attempt to crack the passwords?

A. Dictionary attack

B. Brute forcing attack

C. Hybrid attack

D. Syllable attack

E. Rule-based attack

A

C
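The hybrid attack of card 1.70 is a candidate generator: each dictionary word is mangled (case, leet substitutions) and then extended with digit and symbol suffixes, and every candidate is hashed and compared with the target. The example below is added here and is not part of the deck; the word list, suffix lists and target passwords are constructed, and SHA-256 stands in for whatever unsalted fast hash the stolen file uses.

```python
import hashlib
import itertools

# Constructed sample word list; a real run would read a file such as rockyou.txt.
WORDLIST = ["password", "summer", "dragon", "welcome"]
DIGITS = ["", "1", "12", "123", "2024"]
SYMBOLS = ["", "!", "#", "$"]
LEET = str.maketrans("aeios", "43105")


def sha256_hex(text: str) -> str:
    """Unsalted fast hash, the kind of stored value this attack is aimed at."""
    return hashlib.sha256(text.encode()).hexdigest()


def mangle(word: str):
    """Case and leet variants of one word: the rule part of a hybrid attack."""
    seen = set()
    for variant in (word, word.capitalize(), word.upper(), word.translate(LEET)):
        if variant not in seen:
            seen.add(variant)
            yield variant


def hybrid_candidates(words):
    """Dictionary words with digits and symbols appended (card 1.70)."""
    for word in words:
        for base in mangle(word):
            for digits, symbol in itertools.product(DIGITS, SYMBOLS):
                yield base + digits + symbol


def crack(target_hash: str, words=WORDLIST) -> tuple:
    """Return (candidate, attempts) on success or (None, attempts) if exhausted."""
    attempts = 0
    for cand in hybrid_candidates(words):
        attempts += 1
        if sha256_hex(cand) == target_hash:
            return cand, attempts
    return None, attempts


if __name__ == "__main__":
    for secret in ("Summer2024!", "dr4g0n123#", "Xq7#pL9z"):
        print(secret, "->", crack(sha256_hex(secret)))
```

The candidate space here is 4 variants x 5 digit strings x 4 symbols per word, or 80 guesses per word: tiny next to a brute-force search, which is the whole point of the technique, and also why a randomly generated password (card 1.75) is out of its reach.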

33
Q

1.71 Where are SAM password files stored in Windows?

A. c:\windows\system32\config\SAM

B. c:\winnt\system32\machine\SAM

C. c:\windows\etc\drivers\SAM

D. c:\windows\config\etc\SAM

A

A

34
Q

1.72 If you're using LAN Manager (LANMan) to store passwords, they are truncated (or padded) to 14 bytes, split into two 7-byte halves, and each half is hashed and stored separately. If a user's password is fewer than 8 characters, the second half is empty and its hash value would be:

A. 0xAAD3B435B51404EE

B. 0xAAD3B435B51404AA

C. 0xAAD3B435B51404BB

D. 0xAAD3B435B51404CC

A

A

35
Q

1.73 How long would it take you to crack a 21-character dictionary-word password?

A. 16 million years

B. 5 minutes

C. 23 days

D. 200 years

A

B

36
Q

1.74 As an admin, how can you protect your password files against rainbow tables?

A. Password salting

B. Use of non-dictionary words

C. All uppercase character passwords

D. Lockout accounts under brute force password cracking attempts

A

A
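Cards 1.68, 1.72 and 1.74 fit together: the operating system stores a one-way hash rather than the password, and a rainbow table works only because an unsalted hash (LM and NTLM are both unsalted) maps each password to one fixed value that can be precomputed. The example below is added here and is not part of the deck. It contrasts an unsalted hash with a per-user random salt and a slow key-derivation function, then verifies a login without ever storing the password; the record format and the iteration count are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor for production use


def unsalted_hash(password: str) -> str:
    """What a rainbow table is built against: same password, same hash, every user."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Card 1.74: salt per user, then a slow one-way function (card 1.68).

    The record carries everything needed to verify later, except the password.
    Format (assumed): algorithm$iterations$salt_hex$digest_hex
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Constructed sample: two users who happen to choose the same password.
    pw = "Winter2024!"
    print(unsalted_hash(pw) == unsalted_hash(pw))        # True: one table entry cracks both
    alice, bob = hash_password(pw), hash_password(pw)
    print(alice != bob)                                  # True: salts differ
    print(verify_password(pw, alice), verify_password("winter2024!", alice))  # True False
```

Salting defeats precomputation; the iteration count is what makes each individual guess expensive, which is the defence against the brute-force and hybrid attacks of the surrounding cards.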

37
Q

1.75 You want to crack a company’s password file. Employees use a password generator that creates random, non-dictionary passwords. Which method would crack these passwords in the shortest amount of time?

A. Brute force attack

B. Birthday attack

C. Dictionary attack

D. Brute service attack

A

B

In this scenario a dictionary attack is out because the passwords are randomly generated, and there is no such thing as a brute service attack. A brute-force attack is usually the slowest way to crack password hashes, so the intended answer is the birthday attack: it exploits the birthday paradox to find a collision in the hash function rather than the original password, which reduces the number of attempts compared with an exhaustive search.
