Domain 1 Flashcards

1
Q

A social engineer used vishing and polite behavior to persuade a target to visit a fake website with fake reviews. The attacker then persuaded the victim to enter personally identifiable information (PII) in a web form. Which of the following did the attacker use to make the site appear more legitimate? (Select all that apply.)

A

Consensus/social proof and Familiarity/liking

With consensus/social proof impersonation, an attacker fools users into believing that a malicious website is legitimate by posting fake reviews. The victims believe the reviews and place their trust in the website.

One of the tools of social engineers is to be likable, and to present the requests they make as completely reasonable.

2
Q

A social engineer intercepted an end-user’s phone call to an internet service provider (ISP) about a home internet outage. Pretending to be the caller reporting the outage, the attacker immediately contacted the ISP to cancel the service call, dressed up as an internet tech, and then proceeded to enter the end-user’s home with permission. What type of social engineering attack did the ISP and end-user fall victim to?

A

Impersonation

Impersonation is a social engineering attack in which the attacker pretends to be someone else.

3
Q

Which of the following situations describes identity fraud? (Select all that apply.)

A

Using a stolen credit card & Using another person's name

4
Q

A hacker is using a password spraying attack to gain access to a remote computer connected to the company network. Which of the following attack characteristics describes the actions of the hacker in this case?

A

Using multiple usernames and passwords

Password spraying is a horizontal brute-force online attack. This means that the attacker chooses one or more common passwords and tries to use them in conjunction with multiple usernames.

5
Q

What can an attacker do to acquire a duplicate of another user’s smart card?

A

Clone it.

Card cloning refers to making one or more copies of an existing card. An attacker can physically duplicate a lost or stolen card that has no cryptographic protections.

Wrong answer: Skimming refers to using a counterfeit card reader to capture card details, which the attacker then uses to program a duplicate.

6
Q

A few end-users contacted the cybersecurity department about browser pop-ups on their computer and explained that some websites they visit redirect them to other sites they did not intend to navigate. The security team confirmed the pop-ups and noted modified DNS (Domain Name System) queries that go to nefarious websites hosting malware. What most likely happened to the users’ computers?

A

Spyware infected the computers.

One spyware technique is to spawn browser pop-up windows, as well as modify DNS queries attempting to direct the user to other websites, often of dubious provenance.

7
Q

An attacker can exploit a weakness in a password protocol to calculate the hash of a password. Which of the following can the attacker match the hash to, as a means to obtain the password? (Select all that apply.)

A

Dictionary word and a rainbow table

Password crackers can exploit weaknesses in a protocol to calculate the hash and match it to a dictionary word or brute force it.

Rainbow tables are associated with attacks where an attacker uses a set of related plaintext passwords and their hashes to crack passwords.

8
Q

Which of the following conditions correlate with the process of a SYN (synchronize) flood attack? (Select all that apply.)

A

Denial of Service, Amplification, and Resource exhaustion

SYN attacks cause resource exhaustion on the host processing the requests, consuming CPU cycles and memory. This delays the processing of legitimate traffic and could potentially crash the host system completely.

A DoS attack causes a service at a given host to fail or to become unavailable to legitimate users. DoS attacks focus on overloading a service by using up CPU, system RAM, disk space, or network bandwidth (resource exhaustion).

A more powerful TCP SYN flood attack is a DRDoS or amplification attack, where the adversary spoofs the victim’s IP address and attempts to open connections with multiple servers.

9
Q

By compromising a Windows XP application that ran on a Windows 10 machine, an attacker installed persistent malware on a victim computer with local administrator privileges. What should the attacker add to the registry, along with its files added to the system folder, to execute this malware?

A

A shim

A shim is a code library that intercepts and redirects calls to enable legacy mode on a system. The shim database represents a way that malware with local administrator privileges can run on reboot (persistence).

10
Q

A security engineer implemented once-only tokens and timestamping sessions. What type of attacks can this type of security prevent? (Select all that apply.)

A

A replay attack and a pass-the-hash attack

Pass-the-hash occurs when the attacker steals hashed credentials and uses them to authenticate to the network. Using once-only session tokens or timestamping sessions prevents this type of attack.

A replay attack consists of intercepting a key or password hash, then reusing it to gain access to a resource. Using once-only session tokens or timestamping sessions prevents this type of attack.

11
Q

An attacker discovered an input validation vulnerability on a website, crafted a URL that performed code injection against it, and then emailed the link to the victim. Once the user clicked the link, the web site returned the page containing the malicious code. What type of attack does this describe?

A

Cross-site scripting (XSS)

Cross-site scripting (XSS) is a malicious script hosted on the attacker’s site or coded in a link injected onto a trusted site designed to compromise clients browsing the trusted site.

12
Q

An attacker sent a victim an email with a link to a malicious website. The victim then clicked the link, which opened a malicious payload in the browser, and changed the user’s password to a legitimate website. The legitimate site is vulnerable to what type of attack?

A

Cross-site Request Forgery (XSRF)

A Cross-site Request Forgery (XSRF) is a malicious script hosted on the attacker’s site that can exploit a session started on another site in the same browser. This is successful if the server does not check if the user actually made the request.

13
Q

The latest web application, using default settings, is currently accepting application programming interface (API) calls over HyperText Transfer Protocol (HTTP). The environment has a moderate key management system. Even with basic server security, the API connection is vulnerable to which of the following? (Select all that apply.)

A

Key discovery and improper error handling

API calls use keys, made up of alphanumeric characters, to authorize requests to the web application. These keys are exposed when sent over an insecure connection such as HTTP. An attacker who captures the key can use it to perform other API calls.

Default application settings may expose more information than necessary when errors occur. Exposing such information over an HTTP connection may give the attacker insight into the environment.

14
Q

Which of the following is a sign of a malicious or corrupted process, and is particularly serious within service applications and in the operating system kernel?

A

memory leak

Memory leaks in the OS kernel are extremely serious. A memory leak may itself be a sign of a malicious or corrupted process.

15
Q

An attacker hosted an exploit script on a malicious website and injected it into a trusted website. The attacker then sent the link to the victim and used open source information gathering (OSINT) and social engineering tactics, such as spear phishing, to convince the victim to click the link, which compromised the user browsing to the site. Which of the following best describes this type of attack?

A

cross-site scripting

Cross-site scripting (XSS) is a malicious script hosted on the attacker’s site or coded in a link injected onto a trusted site designed to compromise clients browsing the trusted site.

16
Q

Which of the following does NOT provide encryption and is, therefore, vulnerable to eavesdropping and Man-in-the-Middle attacks?

A

NFC

NFC (Near Field Communication) does not provide encryption, so eavesdropping and Man-in-the-Middle attacks are possible if the attacker can find some way of intercepting the communication and other software services are not encrypting the data.

17
Q

External hackers have some access to a company’s website and made some changes. Customers have submitted multiple complaints via email for wrong orders and inappropriate images on the website. The Chief Information Officer (CIO) is now worried about the distribution of malware. The company should prepare for which of the following other issues or concerns? (Select all that apply.)

A

URL redirection and domain reputation

Domain reputation refers to the beliefs or opinions of the public. If the company does not quickly resolve their website issues, they may lose their current and even future customers, destroying the website’s credibility.

URL redirection refers to redirecting users to other web pages. This is true for links on the website that the attacker may modify, which point to fake or malicious web pages.

18
Q

Which of the following can perform a Denial of Service (DoS) attack against a wireless network? (Select all that apply.)

A

deauthentication and disassociation attack

A disassociation attack uses disassociation packets to remove a known wireless access point (WAP) from a client’s list of available networks. This is a type of DoS on wireless networks.

A deauthentication attack sends a stream of spoofed frames to cause a client to deauthenticate. This is a type of DoS attack on wireless networks.

19
Q

A Linux systems admin reported a suspicious .py file that ran on a daily schedule after business hours. The file included shellcode that would automate Application Programming Interface (API) calls to a web application to get information. What type of script is this shellcode most likely running?

A

Python script

Python is a popular language for development projects. Code with multiple logic and looping statements found in a .py file can indicate a Python scripting attempt.

20
Q

By modifying query traffic, an attacker compromised a legitimate site’s web server via a Denial of Service (DoS) attack and redirected traffic intended for the legitimate domain to the attacker’s malicious IP address instead. What type of attack did the hacker perform?

A

Domain Name System server cache poisoning

DNS server cache poisoning is a redirection attack that aims to corrupt the records held by the DNS server itself. The intention is to redirect traffic for a legitimate domain to a malicious IP address.

21
Q

A hacker corrupted the name:IP records held on the HOSTS file on a server, to divert traffic for a legitimate domain to a malicious IP address. What type of attack did the hacker perform?

A

ARP poisoning

22
Q

Which of the following defeats a jamming attack and prevents disruption of a wireless network when a hacker uses an illegal access point (AP) with a very strong signal in close proximity? (Select all that apply.)

A

Boost the signal of the legitimate device and locate the offending radio source and disable it.

Interference can disrupt a wireless network from other radio sources. One way to defeat a jamming attack is to locate the offending radio source and disable it.

Interference can disrupt a wireless network from other radio sources. One way to defeat a jamming attack is to boost the signal of the legitimate equipment.

23
Q

Which of the following attacks do security professionals expose themselves to if they turn the power output down on a wireless access point (AP)?

A

Evil Twin attacks

Security professionals expose themselves to “evil twin” attacks, as users may expect to find the network at a given location and assume that the rogue AP is legitimate.

24
Q

A group of people lost their jobs after their company filed for bankruptcy. These employees formed a closed hacktivist group to fashion a zero-day exploit that will target specific Windows operating systems (OS) on the company network. They will use internal influences to get the exploit onto the network. Which of the following factors will greatly influence the success of this attack? (Select all that apply.)

A

Former colleague assistance and Revenge for hardship

Performing an act of revenge for personal hardship after being fired is a great motivation for carrying out an attack and seeing it through to the end. Revenge is a common motivator for insider threats.

Former colleagues, who are still working for the company, are a good resource to influence and insert a zero-day exploit onto the network. These colleagues (or insider threats) may want to help because they are sympathetic towards those employees who lost their jobs.

25
Q

An attacker used Open Source Intelligence (OSINT) to gather information about a target’s Internet Protocol (IP) address registration records for the victim’s servers. What type of technique did the attacker use?

A

DNS harvesting

DNS harvesting uses Open Source Intelligence (OSINT) to gather information about a domain (subdomains, hosting provider, administrative contacts, and so on).

26
Q

A retail company outsourced its online business to a company that uses a cloud service provider to store e-commerce applications and all business data, including customer information. The business that manages the e-commerce system and the company that provides cloud services are two different entities. What are the risks involved when working with these companies? (Select all that apply.)

A

Compliance impacts storing customer data in the cloud and Lack of vendor support when incident occurs.

An external company that manages an external system may not be able to provide adequate support for full integration with internal custom applications. This may slow down or hinder business growth.

Companies using cloud service providers (CSPs) must evaluate compliance impacts from storing personal data on a third-party system, such as a cloud provider or backup/archive management service. Non-compliance could expose customers’ private data.

27
Q

An assistant network administrator wants to increase wireless network coverage in a building and purchased new Wi-Fi Access Points (APs) at a discounted price to replace the old ones. Unfortunately, the network admin did not consult the security team before the purchase, and after the install, the admin discovers a serious known backdoor firmware vulnerability built into the APs. The admin contacts the vendor, but the vendor refuses to fix the known issue, even though the product remains on sale. Which of the following best describes the type of vulnerability management challenge this problem proposes?

A

There is a lack of vendor support for the Wi-Fi access points (APs).

Lack of vendor support is a situation where the vendor refuses to fix known issues even though the product might remain on sale or where a product is no longer supported when the original vendor or developer is no longer available.

28
Q

Analysts can develop queries and filters to correlate threat data against on-premises data from network traffic and logs when applying which type of threat hunting technique?

A

Intelligence fusion

An organization can apply intelligence fusion techniques with security information and event management (SIEM) and threat analytics platforms. Analysts can develop queries and filters to correlate threat data from these systems.

29
Q

A security information and event management (SIEM) system can manage logs from various data inputs for analysis and reporting. Which of the following would be appropriate data inputs to determine the health and/or security of individual client computers? (Select all that apply.)

A

Windows hosts, vulnerability scanners, DLP systems

Agents on Windows 10 hosts can filter, aggregate, and normalize system logs to capture and analyze health and security on a SIEM system.

Data loss prevention (DLP) systems can log policy violations, like the use of a USB thumb drive from a client computer. The DLP system can forward that data to a SIEM for further analysis and reporting.

Vulnerability scanners gather security readings from various systems, including client computers, to ensure they are secure. Vulnerability scanners can send data to a SIEM system for analysis and reporting.

30
Q

Which of the following will most likely cause false positives? (Select all that apply.)

A

port scanning and passive scanning

Passive scanning is less likely to detect a wide range of vulnerabilities in host systems and can result in false positives.

A scanning technique to passively test security controls, such as detecting which service ports a system uses, can result in false positives.

31
Q

On the first day of the job, the Chief Information Officer (CIO) works with security engineers to evaluate the security of all information systems to determine how to improve them. The company uses a security information and event management (SIEM) system to collect all applicable data. What is the CIO’s main concern in relation to SIEM?

A

Reviewing the analysis report

The chief information officer (CIO) should be concerned with reviewing the overall analysis report, which may showcase a number of incidents in the past week, or how many systems are currently on an old version of Windows.

32
Q

A company migrated their security information and event management (SIEM) system to the cloud to address the overwhelming amount of data. The company wants to take advantage of consistent searchable data that can be integrated with a dynamic reporting engine. Which of the following would help security engineers achieve this?

A

Log aggregation

Log aggregation refers to normalizing data from different sources so that it is consistent and searchable. This makes it easier to integrate with dynamic reporting engines.

33
Q

Which of the following penetration steps should a tester perform before internal reconnaissance?

A

Persistence

Persistence, followed by further reconnaissance, occurs when the pen tester attempts to map out the internal network and discover the services running on it and the accounts configured to access it.

34
Q

Which of the following penetration steps should a tester perform after obtaining a persistent foothold on the network and internal reconnaissance?

A

Obtain a pivot point

Having obtained a persistent foothold on the network and performed internal reconnaissance, the next likely objective is to obtain a pivot point and compromise other network systems (lateral spread).