Essential Knowledge Flashcards
- A security team is implementing various security controls across the organization. After considering several configurations and applications, a final agreed-on set of security controls is put into place; however, not all risks are mitigated by the controls. Of the following, which is the next best step?
A. Continue applying controls until all risk is eliminated.
B. Ignore any remaining risk as “best effort controlled.”
C. Ensure that any remaining risk is residual or low and accept the risk.
D. Remove all controls.
C. Remember at the beginning of this chapter when I said the process of elimination may be your best bet in some cases? Well, even if you aren’t well-versed in risk management and security control efforts, you could narrow this down to the correct answer. It is impossible to remove all risk from any system and still have it usable. I’m certain there are exceptions to this rule (maybe super-secret machines in underground vaults buried deep within the earth, running on geothermal-powered batteries, without any network access at all and controlled by a single operator who hasn’t seen daylight in many years), but in general the goal of security teams has always been to reduce risk to an acceptable level.
A is incorrect because, as I just mentioned, it’s impossible to reduce risk to absolute zero and still have a functional system. CEH Certified Ethical Hacker All-in-One Exam Guide, Fifth Edition, discusses the Security, Functionality, and Usability triangle, where as you move toward more security, you move further away from functionality and usability.
B is incorrect because it’s just silly. If you’re a security professional and your response to a risk—any risk—is to ignore it, I can promise you won’t be employed for long. Sure, you can point out that it’s low or residual and that the chance for actual exploitation is next to nonexistent, but you can’t ignore it. Best effort is for kindergarten trophies and IP packet delivery.
D is incorrect because removing all controls is worse than ignoring the risk. If you remove everything, then all risks remain. Remember, the objective is to balance your security controls to cover as much risk as possible while leaving the system as usable and functional as possible.
- A Certified Ethical Hacker (CEH) follows a specific methodology for testing a system. Which step comes after footprinting in the CEH methodology?
A. Scanning
B. Enumeration
C. Reconnaissance
D. Application attack
A. CEH methodology is laid out this way: reconnaissance (footprinting), scanning and enumeration, gaining access, escalating privileges, maintaining access, and covering tracks. While you may be groaning about scanning and enumeration both appearing as answers, they’re placed here in this way on purpose. This exam is not only testing your rote memorization of the methodology but also how the methodology actually works. Remember, after scoping out the recon on your target, your next step is to scan it. After all, you have to know what targets are there first before enumerating information about them.
B is incorrect because, although it is mentioned as part of step 2, it’s actually secondary to scanning. Enumerating is used to gather more in-depth information about a target you already discovered by scanning. Things you might discover in scanning are IPs that respond to a ping. In enumerating each “live” IP, you might find open shares, user account information, and other goodies.
C is incorrect because reconnaissance and footprinting are interchangeable in CEH parlance. An argument can be made that footprinting is a specific portion of an overall recon effort; however, in all CEH documentation, these terms are used interchangeably.
D is incorrect because it references an attack. As usual, there’s almost always one answer you can throw out right away, and this is a prime example. We’re talking about step 2 in the methodology, where we’re still figuring out what targets are there and what vulnerabilities they may have. Attacking, at this point, is folly.
- Your organization is planning for the future and is identifying the systems and processes critical for their continued operation. Which of the following best describes this effort?
A. BCP
B. BIA
C. DRP
D. ALE
B. A business impact analysis (BIA) best matches this description. In a BIA, the organization looks at all the systems and processes in use and determines which ones are absolutely critical to continued operation. Additionally, the assessor (the person or company conducting the analysis) will look at all the existing security architecture and make an evaluation on the likelihood of any system or resource being compromised. Part of this is assigning values to systems and services, determining the maximum tolerable downtime (MTD) for any, and identifying any overlooked vulnerabilities.
A is incorrect because a business continuity plan (BCP) contains all the procedures that should be followed in the event of an organizational outage—such as a natural disaster or a cyberattack. BCPs include the order in which steps should be taken and which system should be returned to service first. BCPs include DRPs (disaster recovery plans).
C is incorrect because a disaster recovery plan (DRP) contains steps and procedures for restoring a specific resource (service, system, and so on) after an outage. Usually DRPs are part of a larger BCP.
D is incorrect because the annualized loss expectancy (ALE) is a mathematical measurement of what the loss of a specific resource is expected to cost per year, not an inventory of critical systems. ALE is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO). For example, if the total cost of a single loss of a resource is calculated at $1000 and you calculate there is a 10 percent chance it will fail in any given year (ARO = 0.1), your ALE would be $100.
- Which incident response (IR) phase is responsible for setting rules, identifying the workforce and roles, and creating backup and test plans for the organization?
A. Preparation
B. Identification
C. Containment
D. Recovery
A. So even if you weren’t aware of incident response phases, this one should’ve been a rather easy guess. In the preparation phase, your IR (incident response) team should be preparing for an incident. Preparation includes lots of things—some of which are mentioned here. But virtually anything you can think of that does not involve actions taken during the incident belongs here. Training, exercises, and policies are all examples.
As an aside, IR phases can be different depending on whom you ask and what the moon phase is, but generally IR is broken down into six phases: preparation, identification, containment, eradication, recovery, and lessons learned. Preparation we already covered. Identification refers to the steps taken to verify it’s actually an incident, and all the information surrounding that—source, destination(s), exploit used, malware used, and so on. Containment is the step used to cordon off the infected system(s) and prevent any further spread of infection or attack. Eradication refers to steps taken to remove the malware (or other attack-related residuals, such as backdoors). Recovery involves the steps taken to rebuild and restore the system(s) and network to pre-attack status (with better security, I might add). Finally, lessons learned is exactly what it sounds like, and it should feed right back into your organization’s preparation phase.
B is incorrect because the identification phase refers to the steps taken to verify the legitimacy of an active incident and gather information on the details of the attack.
C is incorrect because the containment phase deals with the steps taken to reduce or prevent the spread of the infection or attack inside the network.
D is incorrect because the recovery phase deals with the steps taken to restore and replace any resources damaged or affected by the attack footprint.
- You’ve been hired as part of a pen test team. During the brief, you learn the client wants the pen test attack to simulate a normal user who finds ways to elevate privileges and create attacks. Which test type does the client want?
A. White box
B. Gray box
C. Black box
D. Hybrid
B. A gray-box test is designed to replicate an inside attacker. Otherwise known as the partial knowledge attack (don’t forget this term), the idea is to simulate a user on the inside who might know a little about the network, directory structure, and other resources in your enterprise. You’ll probably find this one to be the most enlightening attack in out-briefing your clients in the real world—it’s amazing what you can get to when you’re a trusted, inside user. As an aside, you’ll often find in the real world that gray-box testing can also refer to a test where any inside information is given to a pen tester—you don’t necessarily need to be a fully knowledgeable inside user. In other words, if you have usable information handed to you about your client, you’re performing gray-box testing.
A is incorrect because the textbook definition of a white-box test is one where all knowledge is provided to the pen tester up front—the test is designed to simulate an admin on your network who, for whatever reason, decides to go on the attack. For most pen testers, this test is really just unfair. It’s tantamount to sending them into the Roman Colosseum armed with a .50-caliber automatic weapon to battle a gladiator who is holding a knife.
C is incorrect because black-box testing indicates no knowledge at all. And if you think about it, the name is easy to correlate and remember: black = no light. Therefore, you can’t “see” anything. This is the test most people think about when it comes to hacking. You know nothing and are (usually) attacking from the outside.
D is incorrect because, as far as I can tell from the EC-Council’s documentation, there is no terminology for a “hybrid-box” test. This is a little tricky because the term hybrid is used elsewhere—for attacks and other things. If you apply a little common sense here, this answer is easy to throw out. If you know everything about the target, it’s white. If you know nothing, it’s black. If you’re in the middle, it’s gray. See?
- Which of the following is defined as ensuring the enforcement of organizational security policy does not rely on voluntary user compliance by assigning sensitivity labels on information and comparing this to the level of security a user is operating at?
A. Mandatory access control
B. Authorized access control
C. Role-based access control
D. Discretionary access control
A. Access control is defined as the selective restraint of access to a resource, and there are several overall mechanisms to accomplish this goal. Mandatory access control (MAC) is one type that constrains the ability of a subject to access or perform an operation on an object by assigning and comparing “sensitivity labels.” Suppose a person (or a process) attempts to access or edit a file. With MAC, a label is placed on the file indicating its security level. If the entity attempting to access it does not have that level, or higher, then access is denied. With mandatory access control, security is centrally controlled by a security policy administrator, and users do not have the ability to override security settings.
This should not be confused with role-based access control (RBAC) systems, which may actually use MAC to get the job done. The difference is in whether the information itself has a labeled description or whether the person accessing it has their own label. For example, in a classified area, the information classified as Top Secret will have a label on it identifying it as such, while you, as an auditor, will have your own clearance and need-to-know label allowing you to access certain information. MAC is a property of an object; RBAC is a property of someone accessing an object.
B is incorrect because while authorized access control may sound great, it’s not a valid term.
C is incorrect because role-based access control can use MAC or discretionary access control to get the job done. With RBAC, the goal is to assign a role, and any entity holding that role can perform the duties associated with it. Users are not assigned permissions directly; they acquire them through their role (or roles). The roles are assigned to the user’s account, and each additional role provides its own unique set of permissions and rights.
D is incorrect because discretionary access control (DAC) allows the data owner, the user, to set security permissions for the object. If you’re on a Windows machine right now, you can create files and folders and then set sharing and permissions on them as you see fit. MAC administrators in the Department of Defense are shuddering at that thought right now.
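An added worked example, not code from the book or from any real MAC implementation: a subject's clearance is compared with each object's sensitivity label, and the decision comes from the policy, not from whoever owns the file. The level names, the compartments (the need-to-know part mentioned above) and the sample files and subjects are constructed for the illustration. It goes one step past the text by also showing the "no write down" rule that keeps a cleared user from copying labeled data into a lower-level file, which is what makes the policy enforceable without voluntary compliance.

```python
"""Mandatory access control check: sensitivity labels compared to a subject's
clearance, enforced by policy rather than by the file's owner.
Added illustration; level names, compartments and sample labels are
constructed for this example and are not taken from any real system."""
from dataclasses import dataclass, field

# Ordered hierarchy; a higher index means more sensitive.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP_SECRET"]


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def rank(self):
        if self.level not in LEVELS:
            raise ValueError(f"unknown level {self.level!r}")
        return LEVELS.index(self.level)

    def dominates(self, other):
        """True if self is at least as sensitive as other AND covers every
        compartment (need-to-know) that other carries."""
        return self.rank() >= other.rank() and other.compartments <= self.compartments


def mac_read_allowed(subject, obj):
    """'No read up': the subject's clearance must dominate the object's label."""
    return subject.dominates(obj)


def mac_write_allowed(subject, obj):
    """'No write down': the object's label must dominate the subject's, so
    labeled data can never flow into a lower-level object."""
    return obj.dominates(subject)


# Constructed sample objects (labels are set by the policy administrator,
# not by the file's creator) and subjects (clearances).
FILES = {
    "budget.xlsx": Label("CONFIDENTIAL"),
    "ops-plan.docx": Label("SECRET", frozenset({"CRYPTO"})),
    "source-list.txt": Label("TOP_SECRET", frozenset({"HUMINT"})),
}
SUBJECTS = {
    "auditor": Label("SECRET", frozenset({"CRYPTO"})),
    "clerk": Label("CONFIDENTIAL"),
}


def readable_by(subject_name):
    """Names of the files a subject may read under MAC, in sorted order."""
    clearance = SUBJECTS[subject_name]
    return sorted(f for f, lab in FILES.items() if mac_read_allowed(clearance, lab))


def dac_read_allowed(acl, user):
    """DAC contrast: whatever the owner put in the ACL goes; the policy has no say."""
    return user in acl.get("read", ())


if __name__ == "__main__":
    print(readable_by("auditor"))  # ['budget.xlsx', 'ops-plan.docx']
    print(readable_by("clerk"))    # ['budget.xlsx']
    # The auditor is cleared to read budget.xlsx but may not write SECRET
    # material down into it.
    print(mac_write_allowed(SUBJECTS["auditor"], FILES["budget.xlsx"]))  # False
```

The auditor's SECRET/CRYPTO clearance dominates the CONFIDENTIAL budget and the SECRET/CRYPTO ops plan but not the TOP SECRET/HUMINT source list, and the clerk sees only the budget. Swap the labels for an ACL dictionary and `dac_read_allowed` and the decision is whatever the owner felt like granting, which is exactly the difference the question is testing.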
- Which of the following statements is true regarding the TCP three-way handshake?
A. The recipient sets the initial sequence number in the second step.
B. The sender sets the initial sequence number in the third step.
C. When accepting the communications request, the recipient responds with an acknowledgement and a randomly generated sequence number in the second step.
D. When accepting the communications request, the recipient responds with an acknowledgement and a randomly generated sequence number in the third step.
C. The three-way handshake will definitely show up on your exam, and in much trickier wording than this. It’s easy enough to memorize “SYN, SYN/ACK, ACK,” but you’ll need more than that for the exam.
In step 1, the host sends a segment to the server, indicating it wants to open a communications session. Inside this segment, the host turns on the SYN flag and sets an initial sequence number (ISN), a 32-bit value that should be unpredictable; predictable ISNs are what make blind TCP spoofing and session hijacking practical. When the recipient gets the segment, it crafts a segment in response to let the host know it's open and ready for the communications session. It does this by turning on the SYN and ACK flags, acknowledging the initial sequence number by incrementing it (the SYN itself consumes one sequence number), and adding its own unique sequence number. Then, when the host gets this response back, it sends one more segment before the comm channel opens. In this segment, it sets the ACK flag and acknowledges the other's sequence number by incrementing it.
For example, suppose Host A is trying to open a channel with Server B. In this example, Host A likes the sequence number 2000, while Server B likes 5000. The first segment would look like this: SYN=1, ACK=0, ISN=2000. The response segment would look like this: SYN=1, ACK=1, ISN=5000, ACK NO=2001. The third and final segment would appear this way: SYN=0, ACK=1, SEQ NO=2001, ACK NO=5001.
A is incorrect because the initial sequence number is set in the first step.
B is incorrect for the same reason—the ISN is set in the first step.
D is incorrect because this activity occurs in the second step.
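An added example, not from the book: the Host A / Server B exchange above simulated end to end in Python, with both sides' segments, the ISN-plus-one bookkeeping, and the checks each side performs before it moves to ESTABLISHED. The `Segment` class, the two state machines and the fixed ISNs (2000 and 5000) are constructed for the illustration; nothing is put on the wire. It also covers two things the prose does not: sequence numbers wrapping at 2^32, and a third segment with the wrong acknowledgement number being refused.

```python
"""TCP three-way handshake simulated: SYN, SYN/ACK, ACK with 32-bit
sequence arithmetic and each side's validation of what it receives.
Added illustration; Segment, Client and Server are constructed for the
example and no packets are sent."""
import os
from dataclasses import dataclass

MASK = 0xFFFFFFFF  # sequence numbers are 32-bit and wrap around


@dataclass
class Segment:
    syn: bool
    ack: bool
    seq: int          # sequence number carried in the header
    ack_no: int = 0   # acknowledgement number; meaningful only when ack is set


def random_isn():
    """Unpredictable 32-bit ISN. A guessable ISN lets an attacker who never
    sees the SYN/ACK forge the third segment (blind spoofing)."""
    return int.from_bytes(os.urandom(4), "big")


class Client:
    def __init__(self, isn):
        self.isn, self.state = isn & MASK, "CLOSED"

    def syn(self):
        self.state = "SYN-SENT"
        return Segment(syn=True, ack=False, seq=self.isn)

    def ack(self, synack):
        # Reply must carry SYN+ACK and acknowledge our ISN+1.
        if not (synack.syn and synack.ack and synack.ack_no == (self.isn + 1) & MASK):
            raise ValueError("unexpected reply; drop or RST")
        self.state = "ESTABLISHED"
        return Segment(syn=False, ack=True, seq=(self.isn + 1) & MASK,
                       ack_no=(synack.seq + 1) & MASK)


class Server:
    def __init__(self, isn):
        self.isn, self.state, self.peer_next = isn & MASK, "LISTEN", None

    def synack(self, syn):
        if not syn.syn or syn.ack:
            raise ValueError("not a connection request")
        self.state = "SYN-RECEIVED"
        self.peer_next = (syn.seq + 1) & MASK      # next byte we expect from the peer
        return Segment(syn=True, ack=True, seq=self.isn, ack_no=self.peer_next)

    def established(self, third):
        # Third segment: ACK only, sent from peer's ISN+1, acknowledging our ISN+1.
        ok = (not third.syn and third.ack
              and third.seq == self.peer_next
              and third.ack_no == (self.isn + 1) & MASK)
        if ok:
            self.state = "ESTABLISHED"
        return ok


def handshake(client_isn=None, server_isn=None):
    """Run the exchange; returns the three segments and both final states.
    Random ISNs are used unless fixed ones are supplied for illustration."""
    c = Client(random_isn() if client_isn is None else client_isn)
    s = Server(random_isn() if server_isn is None else server_isn)
    seg1 = c.syn()
    seg2 = s.synack(seg1)
    seg3 = c.ack(seg2)
    s.established(seg3)
    return seg1, seg2, seg3, c.state, s.state


if __name__ == "__main__":
    for seg in handshake(2000, 5000)[:3]:
        print(seg)
```

Running it with ISNs 2000 and 5000 reproduces the three segments from the explanation exactly (SYN seq=2000; SYN/ACK seq=5000 ack=2001; ACK seq=2001 ack=5001). Handing the server a third segment whose ack number is 5000 instead of 5001 leaves it in SYN-RECEIVED, which is the check that a spoofed completion has to get past.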
- Your network contains certain servers that typically fail once every five years. The total cost of one of these servers is $1000. Server technicians are paid $40 per hour, and a typical replacement requires two hours. Ten employees, earning an average of $20 per hour, rely on these servers, and even one of them going down puts the whole group in a wait state until it’s brought back up. Which of the following represents the ARO for a server?
A. $296
B. $1480
C. $1000
D. 0.20
D. When performing business impact analysis (or any other value analysis for that matter), the annualized loss expectancy (ALE) is an important measurement for every asset. To compute the ALE, multiply the annualized rate of occurrence (ARO) by the single loss expectancy (SLE). The ARO is the frequency at which a failure occurs on an annual basis. In this example, servers fail once every five years, so the ARO would be 1 failure / 5 years = 0.20 (20 percent). Note that the ARO is a rate, not a dollar figure, which is why it is the only answer choice without a dollar sign.
A is incorrect because this value equates to the ALE for the example. ALE = ARO × SLE. In this example, the ARO is 20 percent and the SLE is $1480: cost of a server ($1000) plus the cost of technician work to replace it ($80) plus lost time for workers (10 employees × 2 hours × $20 an hour, which works out to $400). Therefore, ALE = 20 percent × $1480, or $296.
B is incorrect because this value corresponds to the SLE for this scenario. The SLE is the total cost for a single loss, so we need to count the cost of the server, plus the cost of the technician’s hours, plus any downtime measurements for other workers. In this case, SLE = $1000 (cost of server) + $80 (server tech hours) + $400 (10 employees × 2 hours × $20 an hour), or $1480.
C is incorrect because this number doesn’t match the ARO for the example.
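An added worked example covering both the ALE definition given under the BIA question and the server scenario just above; it is not code from the book. The server's figures are the question's own numbers, the `Asset` class is constructed for the illustration, and the support-contract safeguard at the end is a constructed assumption. It goes one step beyond the question by putting a price on a control, which is how the "accept the residual risk" decision from the first flashcard is actually made.

```python
"""Quantitative risk arithmetic: SLE built from its cost components, ARO
from a mean time between failures, ALE, and the annual value of a safeguard.
Added illustration; the Asset class and the safeguard figures are constructed
for the example, the server numbers are the question's."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    replacement_cost: float        # cost of the hardware itself
    repair_hours: float            # technician time per incident
    tech_rate: float               # technician $/hour
    dependent_staff: int           # people idle while it's down
    staff_rate: float              # their average $/hour
    years_between_failures: float  # mean time between failures, in years

    def sle(self):
        """Single loss expectancy: everything one outage costs."""
        labour = self.repair_hours * self.tech_rate
        downtime = self.dependent_staff * self.repair_hours * self.staff_rate
        return self.replacement_cost + labour + downtime

    def aro(self):
        """Annualized rate of occurrence: expected failures per year."""
        return 1 / self.years_between_failures

    def ale(self):
        """Annualized loss expectancy = SLE x ARO, rounded to cents."""
        return round(self.sle() * self.aro(), 2)


def safeguard_value(asset, new_aro, annual_cost):
    """Annual value of a control = ALE before - ALE after - cost of the control.
    Positive means the control pays for itself; negative means you are
    better off accepting the risk (or finding a cheaper control)."""
    ale_after = asset.sle() * new_aro
    return round(asset.ale() - ale_after - annual_cost, 2)


# The question's server: $1000 box, 2 technician hours at $40, 10 staff at $20
# idle for those 2 hours, one failure every five years.
SERVER = Asset("file server", 1000, 2, 40, 10, 20, 5)

if __name__ == "__main__":
    print(SERVER.sle(), SERVER.aro(), SERVER.ale())  # 1480.0 0.2 296.0
    # Constructed assumption: a support contract halves the failure rate
    # (ARO 0.2 -> 0.1). At $150/yr it loses $2; at $100/yr it nets $48.
    print(safeguard_value(SERVER, 0.1, 150))  # -2.0
    print(safeguard_value(SERVER, 0.1, 100))  # 48.0
```

SLE comes out at $1480, ARO at 0.2 and ALE at $296, matching the three answer choices. The safeguard line is the part the exam leaves out: a control that cuts the ALE to $148 but costs $150 a year is a net loss, and accepting that residual risk is the right call.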
- An ethical hacker is given no prior knowledge of the network and has a specific framework in which to work. The agreement specifies boundaries, nondisclosure agreements, and a completion date definition. Which of the following statements is true?
A. A white hat is attempting a black-box test.
B. A white hat is attempting a white-box test.
C. A black hat is attempting a black-box test.
D. A black hat is attempting a gray-box test.
A. I love these types of questions. Not only is this a two-for-one question, but it involves identical but confusing descriptors, causing all sorts of havoc. The answer to attacking such questions—and you will see them, by the way—is to take each section one at a time. Start with what kind of hacker he is. He’s hired under a specific agreement, with full knowledge and consent of the target, thus making him a white hat. That eliminates C and D right off the bat. Second, to address what kind of test he’s performing, simply look at what he knows about the system. In this instance, he has no prior knowledge at all (apart from the agreement), thus making it a black-box test.
B is incorrect because although the attacker is one of the good guys (a white hat, proceeding with permission and an agreement in place), he is not provided with full knowledge of the system. In fact, it’s quite the opposite—according to the question he knows absolutely nothing about the system, making this particular “box” as black as it can be. A white-box target indicates one that the attacker already knows everything about. It’s lit up and wide open.
C is incorrect right off the bat because it references a black hat. Black-hat attackers are the bad guys—the ones proceeding without the target’s knowledge or permission. They usually don’t have inside knowledge of their target, so their attacks often start “black box.”
D is incorrect for the same reason just listed: because this attacker has permission to proceed and is operating under an agreement, he can't be a black-hat attacker. Additionally, this answer went the extra mile to convince you it was wrong—and missed on both swings. Not only is this a white-hat attacker, but the attack itself is black box. A gray-box attack indicates at least some inside knowledge of the target.
- Which of the following is a detective control?
A. Audit trail
B. CONOPS
C. Procedure
D. Smartcard authentication
E. Process
A. A detective control is an effort used to identify problems, errors, or (in the case of post-attack discovery) cause or evidence of an exploited vulnerability—and an audit log or trail is a perfect example. Ideally, detective controls should be in place and working such that errors can be corrected as quickly as possible. Many compliance laws and standards (the Sarbanes-Oxley Act of 2002 is one example) mandate the use of detective controls.
B is incorrect because a concept of operations (CONOPS) isn’t detective in nature. A CONOPS defines what a system is and how it is supposed to be used.
C is incorrect because a procedure is a document that spells out specific step-by-step instructions for a given situation or process.
D is incorrect because smartcard authentication is a preventive control, not a detective one. It’s designed to provide strong authentication, ideally preventing a problem in the first place.
E is incorrect because a process can refer to a lot of different things, depending on your definition and viewpoint, but is not detective in nature as a control. A process, in general, refers to a set of steps or actions directed at accomplishing a goal.
- As part of a pen test on a U.S. government system, you discover files containing Social Security numbers and other sensitive personally identifiable information (PII). You are asked about controls placed on the dissemination of this information. Which of the following acts should you check?
A. FISMA
B. Privacy Act
C. PATRIOT Act
D. Freedom of Information Act
B. The Privacy Act of 1974 protects information of a personal nature, including Social Security numbers. The Privacy Act defines exactly what “personal information” is, and it states that government agencies cannot disclose any personal information about an individual without that person’s consent. It also lists 12 exemptions for the release of this information (for example, information that is part of a law enforcement issue may be released). In other questions you see, keep in mind that the Privacy Act generally will define the information that is not available to you during and after a test. Dissemination and storage of private information needs to be closely controlled to keep you out of hot water. As a side note, how you obtain PII is oftentimes just as important as how you protect it once discovered. In your real-world adventures, keep the Wiretap Act (18 U.S. Code Chapter 119—Wire and Electronic Communications Interception and Interception of Oral Communications) and others like it in mind.
A is incorrect because the Federal Information Security Management Act (FISMA) isn’t designed to control the dissemination of PII or sensitive data. Its primary goal is to ensure the security of government systems by promoting a standardized approach to security controls, implementation, and testing. The act requires government agencies to create a security plan for their systems and to have it “accredited” at least once every three years.
C is incorrect because the PATRIOT Act is not an effort to control personal information. Its purpose is to aid the U.S. government in preventing terrorism by increasing the government’s ability to monitor, intercept, and maintain records on almost every imaginable form of communication. As a side effect, it has also served to increase observation and prevention of hacking attempts on many systems.
D is incorrect because the Freedom of Information Act wasn’t designed to tell you what to do with information. Its goal is to define how you can get information—specifically information regarding how your governments work. It doesn’t necessarily help you in hacking, but it does provide a cover for a lot of information. Anything you uncover that could have been gathered through the Freedom of Information Act is considered legal and should be part of your overall test.
- In which step of the Cyber Kill Chain methodology would an adversary create a deliverable malicious payload?
A. Command and Control (C2)
B. Weaponization
C. Installation
D. Exploitation
B. Originally developed from a military model by Lockheed Martin (https://lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html) seeking to quantify how to identify, prepare to attack, engage, and destroy the cyber enemy target, the Cyber Kill Chain is a methodology for tracing the stages of a cyberattack. Covering everything from early reconnaissance to data exfiltration (or worse), it has evolved to help security professionals better understand and combat adversarial efforts. The methodology includes seven steps—Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control (C2), and Actions on Objectives—detailing an attack from inception to closure. In the Weaponization stage, adversaries create the deliverable malicious payload using an exploit, and in the next stage, Delivery, they send it merrily along the way.
A is incorrect because in the Command and Control (C2) stage, a C2 channel is created to pass data and control information back and forth.
C is incorrect because in the Installation stage, the malware is actually installed on the target.
D is incorrect because in the Exploitation stage, a vulnerability is exploited via executing code on the target system.
- An organization’s leadership is concerned about social engineering and hires a company to provide training for all employees. How is the organization handling the risk associated with social engineering?
A. They are accepting the risk.
B. They are avoiding the risk.
C. They are mitigating the risk.
D. They are transferring the risk.
C. When it comes to risks, there are four different methods of attempting to deal with them. In risk mitigation, steps are taken to reduce the chance that the risk even will occur, and in this example that’s exactly what’s happening. Training on social engineering should help reduce the likelihood an employee will fall victim (real-life concerns on this notwithstanding—we are talking about test questions here).
A is incorrect because the acceptance of risk means the organization understands the risk is there, but they don’t do anything about it. Why would a company take this action? Perhaps the chance a threat agent will (or even can) exploit the risk is so low it makes the effort to mitigate it pointless. Or it could be the cost to mitigate simply is more than any damage or recovery from exploitation in the first place. In any case, if the organization does nothing, they’re accepting risk.
B is incorrect because avoidance of risk means the organization takes steps to eliminate the service, action, or technology altogether. In other words, the risk is deemed so great the company would rather do without the asset or service in the first place. In the case of social engineering, unless the organization can work without employees, avoiding this risk is nearly impossible.
D is incorrect because transferring risk occurs when the organization puts the burden of risk on another party. For example, the company might hire an insurance company to pay off in the event a risk is exploited.
- In which phase of the ethical hacking methodology would a hacker be expected to discover available targets on a network?
A. Reconnaissance
B. Scanning and enumeration
C. Gaining access
D. Maintaining access
E. Covering tracks
B. The scanning and enumeration phase is where you’ll use things such as ping sweeps to discover available targets on the network. This step occurs after reconnaissance. In this step, tools and techniques are actively applied to information gathered during recon to obtain more in-depth information on the targets. For example, reconnaissance may show a network subnet to have 500 or so machines connected inside a single building, whereas scanning and enumeration would discover which ones are Windows machines and which ones are running FTP. As an aside, it’s important to remember these phases and definitions are exactly what you’ll need to pass your exam, but in the real world, actions and findings don’t necessarily fit cleanly into predefined roles and definitions.
A is incorrect because the reconnaissance phase is nothing more than the steps taken to gather evidence and information on the targets you want to attack. Activities that occur in this phase include dumpster diving and social engineering. Another valuable tool in recon is the Internet. Look for any of these items as key words in answers on your exam. Of course, in the real world, you may actually gather so much information in your recon you’ll already be way ahead of the game in identifying targets and whatnot, but when it comes to the exam, stick with the hard-and-fast boundaries they want you to remember and move on.
C is incorrect because the gaining access phase is all about attacking the machines themselves. You’ve already figured out background information on the client and have enumerated the potential vulnerabilities and security flaws on each target. In this phase, you break out the big guns and start firing away. Key words you’re looking for here are the attacks themselves: accessing an open and unsecured wireless access point, manipulating network devices, writing and delivering a buffer overflow, and performing SQL injection against a web application are all examples.
D is incorrect because this phase is all about backdoors and the steps taken to ensure you have a way back in. For the savvy readers out there who noticed I skipped a step here (escalating privileges), well done. Key words you'll look for in this phase (maintaining access) are backdoors, zombies, and rootkits.
E is incorrect because this phase is all about cleaning up when you’re done and making sure no one can see where you’ve been. Clearing tracks involves steps to conceal success and avoid detection by security professionals. Steps taken here consist of removing or altering log files, concealing files via hidden attributes or directories, and even using tunneling protocols to communicate with the system.
- Which of the following was created to protect shareholders and the general public from corporate accounting errors and fraudulent practices as well as to improve the accuracy of corporate disclosures?
A. GLBA
B. HIPAA
C. SOX
D. FITARA
C. The Sarbanes-Oxley Act (SOX; https://www.sec.gov/about/laws.shtml#sox2002) introduced major changes to the regulation of financial practice and corporate governance in 2002 and is arranged into 11 titles. SOX mandated a number of reforms to enhance corporate responsibility, enhance financial disclosures, and combat corporate and accounting fraud, and it created the “Public Company Accounting Oversight Board,” also known as the PCAOB, to oversee the activities of the auditing profession.
A is incorrect because the Gramm-Leach-Bliley Act (GLBA; https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act) requires financial institutions—companies that offer consumers financial products or services such as loans, financial or investment advice, or insurance—to explain their information-sharing practices to their customers and to safeguard sensitive data. Under the Safeguards Rule, financial institutions must protect the consumer information they collect. GLBA protects the confidentiality and integrity of personal information collected by financial institutions.
B is incorrect because the Health Insurance Portability and Accountability Act (HIPAA; www.hhs.gov/hipaa/) was designed to protect the confidentiality of private health information. HIPAA contains privacy and security requirements as well as provides steps and procedures for handling and protecting private health data.
D is incorrect because the Federal Information Technology Acquisition Reform Act (FITARA; https://www.congress.gov/bill/113th-congress/house-bill/1232) didn’t actually pass in full, but did contain sections that were eventually added as part of the National Defense Authorization Act (NDAA) for fiscal year 2015.