Domain 1 Flashcards

1
Q

SPIM

A

SPIM is spam (or mass unsolicited messages) but over instant messaging or Internet messaging services, such as WhatsApp, Facebook Messenger, Skype, or Telegram.

2
Q

Spam

A

Spam or bulk unsolicited messages, usually sent in the form of email advertisements or other appealing material, may deliver malware or lure a user to another form of attack.

3
Q

Spear phishing

A

Spear phishing is a phishing scam where the attacker has some information that makes an individual target more likely to be fooled by the attack.

4
Q

Whaling

A

Whaling is a spear phishing attack directed specifically against upper levels of management in the organization (CEOs and other “big fish”).

5
Q

Pharming

A

Pharming is a passive means of redirecting users from a legitimate website to a malicious one by corrupting the way the victim’s computer performs Internet name resolution.

6
Q

Credential Harvesting

A

Credential harvesting is a campaign specifically designed to steal account credentials. The attacker has more interest in selling the database of captured logins than trying to exploit them directly.

7
Q

Watering Hole

A

A watering hole attack relies on the circumstance that users may use an unsecure third-party website, like a local pizza firm, which the attacker has compromised.

8
Q

Typosquatting

A

Typosquatting occurs when a threat actor registers a domain name that is similar to a real one and tricks users into thinking they are going to a legitimate website even when they misspell the name a little.

9
Q

Domain hijacking

A

Domain hijacking is a type of hijacking attack where the attacker steals a domain name by altering its registration information and then transferring the domain name to another entity. Brandjacking is another term for domain hijacking.

10
Q

Kiting

A

Kiting is the act of continually registering, deleting, and reregistering a name within the five-day grace period without having to pay for it.

11
Q

Tasting

A

Tasting is a Domain Name Server (DNS) exploit that involves registering a domain temporarily to see how many hits it generates within the five-day grace period.

12
Q

Hoax attack

A

In a hoax attack, an email alert or web pop-up will claim to have identified some sort of security problem, such as a virus infection, and offer a tool to fix the problem. The tool, of course, will be some sort of Trojan application.

13
Q

Spyware

A

Spyware is a program that monitors user activity and sends the information to someone else. This can occur with or without the user’s knowledge.

14
Q

Rogueware

A

Rogueware is a fake antivirus web pop-up that claims to have detected viruses on the computer and prompts the user to initiate a full scan, which installs the attacker’s Trojan.

15
Q

Trust

A

To be convincing (or to establish trust) usually depends on the attacker obtaining privileged information. An impersonation attack is much more effective if the attacker knows information about the employee.

16
Q

Shoulder surfing

A

Shoulder surfing refers to stealing a password or PIN (or other secure information) by watching the user type it, either in close proximity or remotely.

17
Q

Lunchtime attack

A

If a user leaves a workstation unattended while logged on, an attacker can physically gain access to the system (often described as a lunchtime attack).

18
Q

Tailgating

A

Tailgating is a means of entering a secure area without authorization by following close behind a person who has been allowed to open the door or checkpoint.

19
Q

Adware

A

Adware is software that records information about a PC and its user, and usually displays pop-ups of commercial offers and deals.

20
Q

Trojan

A

A Trojan is a malicious program hidden within an innocuous-seeming piece of software. Usually, the Trojan tries to compromise the security of the target computer.

21
Q

Crypto-malware

A

Crypto-malware is a class of ransomware that attempts to encrypt data files. If the attack is successful, the user will be unable to access the files without obtaining the private encryption key, which is held by the attacker.

22
Q

Keylogger

A

A keylogger actively attempts to steal confidential information by recording keystrokes. The attacker will usually hope to discover passwords or credit card data.

23
Q

What does fileless malware use?

A

Fileless malware uses “live off the land” techniques rather than compiled executables to evade detection. This means that the malware code uses legitimate scripting tools like Windows PowerShell. It uses lightweight shellcode to achieve a backdoor mechanism on the host, and can be classified as using low observable characteristics (LOC) attacks, which can make it less intrusive than other malware.

24
Q

If a user’s computer becomes infected with a botnet, which of the following can this compromise allow the attacker to do?

A

RAT backdoor applications can allow the attacker to use the computer in a botnet to launch Distributed Denial of Service (DDoS) attacks or mass-mail spam attacks. A RAT must establish a connection from the compromised host to a Command and Control (C2 or C&C) host or network operated by the attacker.

25
Q

What does a worm do?

A

A worm is a memory-resident virus that replicates over network resources. The primary effect of a worm infestation is to rapidly consume network bandwidth as the worm replicates. A worm may also be able to perform a Denial of Service attack by crashing operating systems and servers.

26
Q

What does a program virus do?

A

In a program virus, sequences of code insert themselves into another executable program. When the application executes, the virus code becomes active.

27
Q

What is a multipartite virus?

A

A multipartite virus uses both boot sector and executable file infection methods of propagation.

28
Q

What is a macro virus?

A

A macro virus uses the programming features available in Microsoft Office files.

29
Q

Password spraying

A

Password spraying is a horizontal brute-force online attack. This means that the attacker chooses one or more common passwords and tries to use them in conjunction with multiple usernames.

30
Q

Online password attack

A

An online password attack is one where the hacker interacts directly with the authentication service and submits multiple passwords (and variations) to gain access with a single account (e.g., root).

31
Q

Offline password attack

A

An offline password attack may involve using a captured database of known passwords or password hashes, or even credentials stored in memory.

32
Q

Dictionary attack

A

A dictionary attack occurs when there is a good chance of guessing the likely value of the plaintext or non-complex password with a common word in a dictionary.

33
Q

What are potentially unwanted programs (PUPs) or potentially unwanted applications (PUAs)?

A

Software installed alongside a package or from a computer store that the user did not request.

34
Q

What is an adware browser plug-in?

A

An adware browser plug-in displays commercial offers and deals. Some adware may exhibit spyware-like behavior, for instance by tracking the websites a user visits and displaying targeted ads.

35
Q

Rootkit

A

A rootkit is backdoor malware that changes core system files and programming interfaces so that local shell processes no longer reveal its presence.

36
Q

Which of the following attacks do security professionals expose themselves to, if they do not salt passwords with a random value?

A

Passwords not “salted” with a random value make the ciphertext vulnerable to rainbow table attacks. A rainbow table attack is a password attack that allows an attacker to use a set of plaintext passwords and their hashes to crack passwords.

37
Q

What is refactoring?

A

Refactoring means the code performs the same function by using different methods. Refactoring means that the antivirus software may no longer identify the malware by its signature.

38
Q

What is improper input handling?

A

Improper input handling exposes software to input validation attacks. When an attacker exploits improper input handling, it crashes the process hosting the code, performs Denial of Service (DoS), obtains elevated privileges, or facilitates data exfiltration.

39
Q

What is Shimming?

A

Shimming is the process of developing and implementing additional code between an application and the operating system to enable functionality that would otherwise be unavailable.

40
Q

DLL injection

A

DLL injection is not a vulnerability of an application, but of the way the operating system allows one process to attach to another, and then forces it to load a malicious link library.

41
Q

What is SQL Injection?

A

SQL injection is an attack that injects a database query into the input data directed at a server by accessing the client side of the application.

42
Q

Directory traversal

A

Directory traversal is an application attack that allows access to commands, files, and directories that may or may not be connected to the web document root directory.

43
Q

XML injection

A

XML injection is fundamentally the same as SQL injection but targeted against web servers using XML applications rather than SQL.

44
Q

What can happen if program developers do not use logic statement tests before trying to use the software?

A

A malicious process can alter the execution environment to create a null pointer and crash the program. If the pointer is set to a null value by a malicious process, this creates a null pointer exception, and the process will crash. Programmers can use logic statements to test that a pointer is not null before trying to use it.

45
Q

What is a buffer overflow?

A

To exploit a buffer overflow vulnerability, the attacker passes data that deliberately overfills the buffer (an area of memory) that the application reserves to store the expected data.

46
Q

Command injection attack

A

A command injection attack runs OS shell commands from the browser and allows commands to operate outside of the server’s directory root, forcing commands to run as the web “guest” user.

47
Q

Transitive access

A

Transitive access describes the problem of authorizing a request for a service that depends on an intermediate service.

48
Q

Server-side request forgery

A

Server-side request forgery abuses the functionality and services of backend servers to read and update internal resources. This can expose, for example, database information, even without an authenticated session.

49
Q

Client-side (or cross-site) request forgery

A

A client-side (or cross-site) request forgery is an attack that forces a user to execute unwanted actions on a web server to which the user is currently authenticated.

50
Q

Cross-site scripting (XSS) attack

A

A cross-site scripting (XSS) attack exploits the fact that the browser is likely to trust scripts that appear to come from a site the user has chosen to visit.

51
Q

Resource exhaustion attack

A

A resource exhaustion attack overloads resources like CPU time, memory, or disk capacity using distributed denial of service (DDoS) requests.

52
Q

LDAP injection

A

A Lightweight Directory Access Protocol (LDAP) injection occurs when an attacker exploits a client’s unauthenticated access to submit LDAP queries that could create or delete accounts, or even change authorizations and privileges. LDAP uses port 389.

53
Q

API keys

A

API calls use keys, made up of alphanumeric characters, to authorize requests to the web application. If these keys are exposed over an unsecure connection such as HTTP, an attacker can use the key to perform other API calls.

54
Q

Improper error handling

A

Default application settings may expose more information than necessary when errors occur. Exposing such information over an HTTP connection may give the attacker insight into the environment.

55
Q

Privilege escalation

A

An attacker with system access is able to obtain keys from system memory or pagefiles/scratch disks. Privilege escalation is the practice of exploiting flaws in an operating system or other application to gain a greater level of access than intended for the user or application.

56
Q

Reflected Cross-site scripting (XSS)

A

A reflected XSS attack occurs when a web application echoes user-supplied data without proper sanitization. In this case, the attacker’s email links to a malicious website. Once clicked, it injects malicious code into the victim’s browser, which executes and changes the password on a legitimate website. This aligns with the behavior of a reflected XSS attack.

57
Q

Cross-Site Request Forgery (XSRF)

A

XSRF is an attack that exploits a user’s active session with a web application. It tricks the victim into executing an unwanted action, typically by clicking on a malicious link. However, in this scenario, there is no mention of a previously established session that the attacker is trying to exploit.

58
Q

Stored Cross-Site Scripting (XSS)

A

Stored XSS attacks involve an attacker injecting a malicious script directly into a website that is stored and served to users. In this scenario, the malicious payload is delivered via a link in an email, not stored on the website itself.

59
Q

Document Object Model (DOM)-based Stored Cross-Site Scripting (XSS)

A

DOM-based XSS attacks involve an attacker manipulating the structure of an HTML page using client-side scripting. The malicious payload is typically embedded within the page itself. However, in this scenario, the malicious payload is delivered via a link in an email, not embedded within a page.

60
Q

Memory Leaks

A

Memory leaks in the OS kernel are extremely serious. A memory leak may itself be a sign of a malicious or corrupted process.

61
Q

Pointer that references an object

A

If a pointer that references an object at a memory location is set to a null value by a malicious process, this can create a null pointer exception, causing instability and crashes.

62
Q

Race conditions

A

Race conditions occur when the outcome of executing processes depends on the order and timing of certain events, and those events fail to execute in the order and timing intended.

63
Q

Near Field communication (NFC)

A

NFC has no encryption, so eavesdropping and man-in-the-middle attacks are possible if the attacker can find some way of intercepting the communication and other software services are not encrypting the data.

64
Q

Domain Name System (DNS) server cache poisoning

A

DNS Server Cache poisoning is a redirection attack that aims to corrupt the records held by the DNS server itself. The intention is to redirect traffic for a legitimate domain to a malicious IP address.

65
Q

A low level distributed denial of service (DDoS) attack that involves SYN or SYN/ACK flooding describes what type of attack?

A

A network attack aims at consuming network bandwidth and denying it to legitimate hosts. For example, a SYN flood attack works by withholding the client’s ACK packet during TCP’s three-way handshake.

66
Q

A malicious actor is preparing a script to run with an Excel spreadsheet as soon as the target opens the file. The script includes a few macros designed to secretly gather and send information to a remote server. How is the malicious actor accomplishing this task?

A

Visual Basic for Applications (VBA) is a scripting language for Microsoft Office that uses macros to perform a sequence of actions in the context of a word processor, spreadsheet, or presentation file.

67
Q

PowerShell

A

PowerShell is the preferred method of performing Windows administration tasks. Common PowerShell cmdlets include Invoke-Expression, Invoke-Command, Invoke-WMIMethod, New-Service, etc.

68
Q

Bash or Bourne again shell

A

Bash (Bourne again shell) is a command-line terminal for a Linux environment. Malicious shellcode commands targeting a Linux operating system are indicative of a bash scripting attack.

69
Q

Python

A

Python is a popular language for development projects. Code with multiple logic and looping statements found in a .py file can indicate a Python scripting attempt.

70
Q

Bluesnarfing

A

Bluesnarfing refers to using an exploit in Bluetooth to steal information from someone else’s phone. The exploit (now patched) allows attackers to circumvent the authentication mechanism.

71
Q

Bluejacking

A

A Bluetooth-discoverable device is vulnerable to bluejacking, similar to spam, where someone sends an unsolicited text (or picture/video) message or vCard (contact details). This can be a vector for Trojan malware.

72
Q

WiPhishing

A

An evil twin (or sometimes called WiPhishing) is a rogue AP masquerading as a legitimate one.

73
Q

IV attacks

A

An Initialization Vector attack modifies the IV of an encrypted wireless packet during transmission to compute the RC4 keystream to decrypt all other wireless traffic. This attack becomes useless when WPA or WPA2 wireless protection is enabled.

74
Q

Application attack

A

An application attack targets vulnerabilities in the headers and payloads of specific application protocols. For example, one type of amplification attack targets DNS services with bogus queries.

75
Q

DNS harvesting

A

DNS harvesting uses Open Source Intelligence (OSINT) to gather information about a domain (subdomains, hosting provider, administrative contacts, and so on).

76
Q

Host discovery

A

When performing host discovery on an internetwork (a network of routed IP subnets), the attacker will want to discover how the routers connect the subnets, and whether any misconfigured gateways between subnets exist.

77
Q

Data exfiltration

A

Data exfiltration is an unauthorized copying or retrieval of data from a system. Data exfiltration attacks are one of the primary means for attackers to retrieve valuable data, such as Personally Identifiable Information (PII) or payment information, often destined for later sale on the black market.

78
Q

Log aggregation

A

Log aggregation refers to normalizing data from different sources so that it is consistent and searchable. This makes it easier to integrate with dynamic reporting engines.

79
Q

Syslog

A

Syslog is a collector tool that allows for centralized collection of events from multiple sources. It is an open format for event logging messages.

80
Q

Security orchestration, automation, response (SOAR)

A

SOAR is a solution to the volume of alerts overwhelming an analyst’s ability to respond. It analyzes an organization’s store of security intelligence and uses deep learning techniques to automate and provide data enrichment to improve incident response and threat hunting workflows.

81
Q

Sensors

A

Sensors, like an Intrusion Detection System (IDS) sensor, are an example of data input. More sensors mean more data inputs.

82
Q

Which of the following will most likely cause false positives?

A

Port scanning is less likely to detect a wide range of vulnerabilities in host systems and can result in false positives.
Passive scanning, a scanning technique to passively test security controls, such as detecting which service ports a system uses, can also result in false positives.

83
Q

Windows 10 hosts

A

Windows 10 hosts can filter, aggregate, and normalize system logs to capture and analyze health and security on a SIEM system.

84
Q

Data loss prevention (DLP)

A

DLP systems can log policy violations, like the use of a USB thumb drive from a client computer. The DLP system can forward that data to a SIEM for further analysis and reporting.

85
Q

Vulnerability scanners

A

Vulnerability scanners gather security readings from various systems, including client computers, to ensure they are secure. Vulnerability scanners can send data to a SIEM system for analysis and reporting.

86
Q

The security content automation protocol (SCAP) allows compatible scanners to determine whether a computer meets a security baseline when performing which of the following?

A

Security content automation protocol (SCAP) determines whether a computer meets a configuration baseline. Perform configuration reviews to ensure the system is secure and ready for production.

87
Q

Common Vulnerabilities and Exposures (CVE)

A

Databases store lists of vulnerabilities, such as Common Vulnerabilities and Exposures (CVE). These are coded as a signature used in scanners.

88
Q

Common Vulnerability Scoring System (CVSS)

A

CVSS is a metric score between 0 and 10 based on the characteristics of the vulnerability, such as whether it can be triggered remotely or whether it requires user intervention.

89
Q

Analysts can develop queries and filters to correlate threat data against on-premises data from network traffic and logs when applying which type of threat hunting technique?

A

Intelligence fusion. An organization can apply intelligence fusion techniques with security information and event management (SIEM) and threat analytics platforms. Analysts can develop queries and filters to correlate threat data from these systems.

90
Q

During which type of penetration test does the tester skip the reconnaissance phase of the test?

A

During a white box pen test, the consultant has complete access to information about the network. Sometimes the consultant will conduct this type of test, as a follow-up to a black box test, to fully evaluate flaws discovered during the black box test.

91
Q

Black box pen tester

A

During a black box pen test, the consultant has no privileged information about the network, its security systems, and its configuration. Black box tests are useful for simulating the behavior of an external threat.

92
Q

Gray box pen test

A

During a gray box pen test, the consultant has some information, which resembles the knowledge of junior or non-IT staff, to model types of insider threats.

93
Q

Which of the following penetration steps should a tester perform before internal reconnaissance?

A

Persistence, followed by further reconnaissance, occurs when the pen tester attempts to map out the internal network and discover the services running on it and accounts configured to access it.