Exam Prep Flashcards by Stacey Paredes

What is the notion among hackers that something is worth doing or is interesting?

A) Zero-Day
B) Doxing
C) Hack Value
D)Exploit

C) Hack Value

How well did you know this?

Not at all

Perfectly

What is an existence of a weakness,design, or implementation error that may lead to compromising the security of the system?

A) Exploit
B) Payload
C) Vulnerability
D) Bot

C) Vulnerability

How well did you know this?

Not at all

Perfectly

What is breach of IT system security through vulnerabilities?

A) Doxing
B) Daisy Chaining
C) Exploit
D) Payload

C) Exploit

How well did you know this?

Not at all

Perfectly

What is a part of an exploit code that performs the malicious action? i.e. destroying, creating, backdoor, hijacking computers

A) Vulnerability
B) Bot
C) Hack Value
D) Payload

D) Payload

How well did you know this?

Not at all

Perfectly

What is an attack that exploits computer application vulnerabilities before a patch was able to be released?

A) Bot
B) Daisy Chaning
C) Zero-Day Attack
D) Hack Value

C) Zero-Day Attack

How well did you know this?

Not at all

Perfectly

What involves gaining access to one network and/or computer to obtain information that will enable them to gain access to multiple other computers and/or networks?

A) Bot
B) Exploit
C) Daisy Chaining
D) Payload

C) Daisy Chaining

How well did you know this?

Not at all

Perfectly

What involves publishing personally identifiable information about an individual that was obtain from public databases and social media?

A) Doxing
B) Zero-Day Attack
C) Vulnerability
D) Daisy Chaining

A) Doxing

How well did you know this?

Not at all

Perfectly

What is a software application that can be remotely controlled to execute/automate predefined tasks?

A) Bot
B) Payload
C) Hack Value
D) Doxing

A) Bot

How well did you know this?

Not at all

Perfectly

What is a state of infrastructure and information well-being to keep the possibility of theft, tampering, disruption of information and services kept tolerable and low?

A) Confidentiality
B) Information Security
C) Authenticity
D) Integrity

B) Information Security

How well did you know this?

Not at all

Perfectly

What is the assurance that information is only accessible to authorized individuals?

A) Authenticity
B) Availability
C) Integrity
D)Confidentiality

D) Confidentiality

How well did you know this?

Not at all

Perfectly

What is the trustworthiness of preventing improper and unauthorized changes of data or resources?

A) Availability
B) Integrity
C) Information Security
D) Non-Repudiation

B) Integrity

How well did you know this?

Not at all

Perfectly

What refers to the assurance that the system which is responsible for the processing, delivering and storing of information is accessible to the authorized users when required?

A) Availability
B) Authenticity
C) Confidentiality
D) Non-Repudiation

A) Availability

How well did you know this?

Not at all

Perfectly

What refers to any data, communication or document characteristics which ensures the quality of being genuine?

A) Availability
B) Authenticity
C) Non-Repudiation
D)Confidentiality

B) Authenticity

How well did you know this?

Not at all

Perfectly

What guarantees that an individual cannot later deny sending a message and the recipient cannot deny receiving a message?

A) Availability
B) Non-Repudiation
C) Authenticity
D) Confidentiality

B) Non-Repudiation

How well did you know this?

Not at all

Perfectly

What three components can any systems level of security be defined by?

A) Authenticity, Confidentiality, Integrity
B) Security, Functionality, Usability
C) Non-Repudiation, Usability, Authenticity
D) Authenticity, Integrity, Security

B) Security, Functionality, Usability

How well did you know this?

Not at all

Perfectly

What three components make up attacks?

A) Attacks = Motive (goal) + Method + Vulnerability
B) Attacks = Security + Method + Confidentiality
C) Attacks = Availability + Vulnerability + Motive
D) Attacks = Security + Integrity + Method

A) Attacks = Motive (goal) + Method + Vulnerability

How well did you know this?

Not at all

Perfectly

What originates out of the awareness that a target system processes or stores valuable data, which may lead towards an attack on the system?

A) Method
B) Vulnerability
C) Attackers
D) Motive

D) Motive

How well did you know this?

Not at all

Perfectly

Who utilizes a variety of different tools and attack techniques to exploit vulnerabilities within a computer system to accomplish their motives?

A) System Analysts
B) Attackers
C) White Hat
D) All of the above

B) Attackers

How well did you know this?

Not at all

Perfectly

What is an on-demand delivery of IT capabilities where an organizations sensitive data and clients are stored?

A) Cloud Computing
B) Botnet
C) Workstation
D) Access Control

A) Cloud Computing

How well did you know this?

Not at all

Perfectly

What attack vector is a flaw in within a client’s application cloud which can enable attackers to access other client’s data?

A) Mobile Threats
B) Ransomware
C) Advanced Persistent Threats
D) Cloud Computing Threats

D) Cloud Computing Threats

How well did you know this?

Not at all

Perfectly

What attack vector focuses on stealing data from a victims machine without their knowledge?

A) Advanced Persistent Threats (APT)
B) Ransomware
C) Mobile Threats
D) Cloud Computing Threats

A) Advanced Persistent Threats (APT)

How well did you know this?

Not at all

Perfectly

What is the most prevalent networking threat that is capable of infecting an entire network within seconds?

A) Mobile Threats
B) Viruses and Worms
C) Advanced Persistent Threats
D) Cloud Computing Threats

B) Viruses and Worms

How well did you know this?

Not at all

Perfectly

What attack restricts access to files and folders within a computer system and demands an online payment to remove the restrictions?

A) Advanced Persistent Threats (APT)
B) Ransomware
C) Mobile Threats
D) Cloud Computing Threats

B) Ransomware

How well did you know this?

Not at all

Perfectly

Why have the focus of attackers shifted towards mobile devices?

A) The increase of mobile device adoption for business and personal purposes, and it also has less security controls.
B) No security controls
C) Individuals do not use mobile devices often
D) All of the above

A) The increase of mobile device adoption for business and personal purposes, and it also has less security controls.

How well did you know this?

Not at all

Perfectly

What is a huge network of compromised systems that are utilized by attackers to perform a variety of different network attacks. A) Insider Attacks B) IoT Threats C) Phishing D) Botnet

D) Botnet

What attack is performed on a network or single computer by an entrusted individual who has authorized access? A) Insider Attacks B) IoT Threats C) Phishing D) Botnet

A) Insider Attacks

What attack send an illegitimate email claiming to be a legitimate site in as an attempt to acquire a users personal /account information? A) Insider Attacks B) IoT Threats C) Phishing D) Botnet

C) Phishing

Which security attack vector threatens the performance of a website and hampers its security to steal user credentials, set up a phishing site or acquire private data by targeting web applications? A) Insider Attacks B) Web Application Threats C) Phishing D) Botnet

B) Web Application Threats

What enables attackers to remotely gain access into an IoT device in order to perform a variety of different attacks? A) Insider Attacks B) IoT Threats C) Phishing D) Botnet

B) IoT Threats

What are the three different Information Security Threat Categories? A) Network Threats, Host Threats, Application Threats B) Host Threats, IoT Threats, Web Application Threats C) Mobile Threats, Network Threats, IoT threats D) Security Threats, Confidentiality Threats, IoT Threats

A) Network Threats, Host Threats, Application Threats

What type of attack does an attacker search for OS vulnerabilities and exploits them to gain access to the system? A) Misconfiguration Attacks B) Operating System Attacks C) Shrink Wrap Code Attacks D) Application Level Attacks

B) Operating System Attacks

What type of attack affects the web servers, application platforms, databases, networks, or frameworks that can lead towards illegal access or even the possibility of owning the system? A) Misconfiguration Attacks B) Operating System Attacks C) Shrink Wrap Code Attacks D) Application Level Attacks

A) Misconfiguration Attacks

What type of attack exploits that vulnerabilities in applications that are running on a company's information system in order to steal or manipulate the data or gain unauthorized access? A) Misconfiguration Attacks B) Operating System Attacks C) Shrink Wrap Code Attacks D) Application Level Attacks

D) Application Level Attacks

What type of attack will exploit default configurations and settings of off- the-shelf libraries and code? A) Misconfiguration Attacks B) Operating System Attacks C) Shrink Wrap Code Attacks D) Application Level Attacks

C) Shrink Wrap Code Attacks

What refers to the utilization of information and communication technologies (ICT) for a competitive advantage over an opponent? A) Information Warfare (InfoWar) B) Vulnerability Warfare C) Attacker Warfare D) Exploit Warfare

A) Information Warfare (InfoWar)

What refers to all of the strategies/actions used to to defend against ICT asset attacks? A) Defensive Information Warfare B) Offensive Information Warfare C) Attacker Warfare

A) Defensive Information Warfare

What refers to information warfare which involves the attacks against the opponents ICT assets? A) Defensive Information Warfare B) Offensive Information Warfare C) Attacker Warfare

B) Offensive Information Warfare

What refers to exploiting system vulnerabilities and compromising security controls to gain unauthorized access to a system? A) Hacking B) Analysis C) Vulnerability D) Authorized User

A) Hacking

Who are people with extraordinary computing skills, resorting to malicious or destructive activities and are also known as crackers? A) Black Hats B) Script Kiddies C) White Hats D) Gray Hats

A) Black Hats

Who are unskilled hackers who compromise systems by running scripts, tools, and software developed by real hackers? A) Black Hats B) Script Kiddies C) White Hats D) Gray Hats

B) Script Kiddies

Who are people who profess hacking skills and utilize them for defensive proposes and are also known as security analysts? A) Black Hats B) Script Kiddies C) White Hats D) Gray Hats

C) White Hats

Who are people that have a wide range of skills, motivated by religious or political beliefs to create fear by large-scale disruption of computer networks? A) Black Hats B) Script Kiddies C) Cyber Terrorists D) Gray Hats

C) Cyber Terrorists

Who are individuals that work both offensively and defensively at various items? A) Gray Hats B) Script Kiddies C) Cyber Terrorists D) Gray Hats

A) Gray Hats

Who are people that are employed by the government to penetrate and gain top - secret information and to damage information systems of the other governments? A) Gray Hats B) Script Kiddies C) State Sponsored Hackers D) Gray Hats

C) State Sponsored Hackers

Who are people who aim to bring down critical infrastructure for a "cause" and are not worried about facing jail time or punishment? A) Gray Hats B) Script Kiddies C) State Sponsored Hackers D) Suicide Hackers

D) Suicide Hackers

Who are individuals who promote a political agenda by hacking especially by defacing or disabling websites? A) Gray Hats B) Hacktivist C) State Sponsored Hackers D) Suicide Hackers

B) Hacktivist

What is the second hacking phase? ``` A) Reconnaissance B) Scanning C) Gaining access D) Maintaining access E) Clearing tracks ```

B) Scanning

What is the third hacking phase? ``` A) Reconnaissance B) Scanning C) Gaining access D) Maintaining access E) Clearing tracks ```

C) Gaining access

What is the fourth hacking phase? ``` A) Reconnaissance B) Scanning C) Gaining access D) Maintaining access E) Clearing tracks ```

D) Maintaining access

What is the last hacking phase? ``` A) Reconnaissance B) Scanning C) Gaining access D) Maintaining access E) Clearing tracks ```

E) Clearing tracks

What is the first hacking phase? ``` A) Reconnaissance B) Scanning C) Gaining access D) Maintaining access E) Clearing tracks ```

A) Reconnaissance

What refers to the preparatory phase where an attacker seeks to gather information about a target prior to launching an attack? ``` A) Scanning B) Reconnaissance C) Gaining Access D) Maintaining Access E) Clearing tracks ```

B) Reconnaissance

What refers to the pre-attack phase when the attacker scans the network for specific information. ``` A) Scanning B) Reconnaissance C) Gaining Access D) Maintaining Access E) Clearing tracks ```

A) Scanning

What refers to the point where the attacker obtains access to the operating system or application? ``` A) Scanning B) Reconnaissance C) Gaining Access D) Maintaining Access E) Clearing tracks ```

C) Gaining Access

What refers to the phase when the attacker tries to retain his or her ownership of the system? ``` A) Scanning B) Reconnaissance C) Gaining Access D) Maintaining Access E) Clearing tracks ```

D) Maintaining Access

What refers to the activities carried out by an attacker to hide malicious acts? ``` A) Scanning B) Reconnaissance C) Gaining Access D) Maintaining Access E) Clearing tracks ```

E) Clearing tracks

What involves the use of hacking tools , tricks, and technical techniques to identify vulnerabilities to ensure system security? A) Ethical Hacking B) Hacking C) Scanning D) Reconnaissance

A) Ethical Hacking

What refers to the assurance that the integrity, availability, confidentiality and authenticity of information and information systems are protected during usage, processing, storage, and transmission of information? A) Information Assurance (AI) B) Hacking C) Ethical Hacking D) Scanning

A) Information Assurance (AI)

What is a well-defined level of information security that includes policies, processes, procedures, standards and guidelines? A) Information Security Management Program B) Enterprise Information Security Architecture (EISA) C) Network Security Zoning D) Defense-In-Depth

A) Information Security Management Program

What is a set of requirements,processes,principles and models that determines the structure and behavior of an organization's information systems? A) Information Security Management Program B) Enterprise Information Security Architecture (EISA) C) Network Security Zoning D) Defense-In-Depth

B) Enterprise Information Security Architecture (EISA)

What mechanism allows an organization to manage a secure network environment by selecting the appropriate security levels for the different zones of internet and intranet networks? A) Information Security Management Program B) Enterprise Information Security Architecture (EISA) C) Network Security Zoning D) Defense-In-Depth

C) Network Security Zoning

What is an uncontrolled zone, as it is outside the boundaries of an organization? ``` A) Internet DMZ B) Internet Zone C) Production Network Zone D) Intranet Zone E) Management Network Zone ```

B) Internet Zone

What is a controlled zone, as it provides a barrier between internal networks and internet? ``` A) Internet DMZ B) Internet Zone C) Production Network Zone D) Intranet Zone E) Management Network Zone ```

A) Internet DMZ

What is a restricted zone, as it strictly controls direct access for uncontrolled networks? ``` A) Internet DMZ B) Internet Zone C) Production Network Zone D) Intranet Zone E) Management Network Zone ```

C) Production Network Zone

What is a controlled zone with no heavy restrictions? ``` A) Internet DMZ B) Internet Zone C) Production Network Zone D) Intranet Zone E) Management Network Zone ```

D) Intranet Zone

What is a secured zone with strict policies? ``` A) Internet DMZ B) Internet Zone C) Production Network Zone D) Intranet Zone E) Management Network Zone ```

E) Management Network Zone

What is a security strategy in which several protection layers are placed throughout an information system? A) Information Security Management Program B) Enterprise Information Security Architecture (EISA) C) Network Security Zoning D) Defense-In-Depth

D) Defense-In-Depth

What are is the foundation of the security infrastructure? A) Security Policies B) Information Security Policies C) Management

A) Security Policies

What defines the basic security requirements and rules to be implemented in order to protect and secure an organization's systems? A) Security Policies B) Information Security Policies C) Management

B) Information Security Policies

What policy has no restrictions on usage of systems resources? A) Promiscuous Policy B) Permissive Policy C) Prudent Policy D) Paranoid Policy

A) Promiscuous Policy

What policy is wide open and only known dangerous services/ attacks or behaviors are blocked? A) Promiscuous Policy B) Permissive Policy C) Prudent Policy D) Paranoid Policy

B) Permissive Policy

What policy provides maximum security by blocking all services, only individually enabling safe/ necessary services and everything is logged? A) Promiscuous Policy B) Permissive Policy C) Prudent Policy D) Paranoid Policy

C) Prudent Policy

What policy forbids everything, no internet connection, or severely limited internet usage? A) Promiscuous Policy B) Permissive Policy C) Prudent Policy D) Paranoid Policy

D) Paranoid Policy

What policy defines the resources being protected and the rules that control access to them? A) Access Control Policy B) Remote-Access Policy C) User- Account Policy D) Email Security Policy

A) Access Control Policy

What policy defines who can have remote access? A) Access Control Policy B) Remote-Access Policy C) User- Account Policy D) Email Security Policy

B) Remote-Access Policy

What policy defines the account creation process, authority, and rights and responsibility of the users accounts? A) Access Control Policy B) Remote-Access Policy C) User- Account Policy D) Email Security Policy

C) User- Account Policy

What policy defines the sensitivity levels of information? A) Information-Protection Policy B) Remote-Access Policy C) User- Account Policy D) Email Security Policy

A) Information-Protection Policy

What defines the access, management, and monitoring and monitoring of firewalls in an organization? A) Information-Protection Policy B) Remote-Access Policy C) Firewall- Management Policy D) Email Security Policy

C) Firewall- Management Policy

What policy defines the terms and conditions of granting special access to system resources? A) Information-Protection Policy B) Special-Access Policy C) Firewall- Management Policy D) Email Security Policy

B) Special-Access Policy

What policy is created to govern the proper usage of corporate email? A) Information-Protection Policy B) Special-Access Policy C) Firewall- Management Policy D) Email Security Policy

D) Email Security Policy

What policy defines the acceptable use of system resources? A) Information-Protection Policy B) Special-Access Policy C) Acceptable-Use Policy D) Email Security Policy

C) Acceptable-Use Policy

What policy provides guidelines for using strong password protection on organizations resources? A) Passwords Policy B) Special-Access Policy C) Acceptable-Use Policy D) Email Security Policy

A) Passwords Policy

What policy defines who can install new resources on the network, approve the installation of new devices, and document network changes? A) Passwords Policy B) Special-Access Policy C) Network-Connection Policy D) Email Security Policy

C) Network-Connection Policy

What refers to a degree of uncertainty or expectation that adverse event may cause damage to the system? A) Risk B) Risk Management C) Incident

A) Risk

What is the process of reducing and maintaining risk at an acceptable level? A) Risk B) Risk Management C) Incident

B) Risk Management

What is a risk assessment approach for analyzing security of an application by capturing, organizing, and analyzing all the information that affects the security of an application? A) Risk B) Risk Management C) Incident D) Threat Modeling

D) Threat Modeling

What is a set of defined processes to identify, analyze, prioritize, and resolve security incidents to restore normal service operations as quickly as possible and prevent future recurrence of the incident? A) Risk B) Risk Management C) Incident Management D) Threat Modeling

C) Incident Management

What does -f switch set? A) Do Not Fragment B) Send buffer size C) Traceroutes

A) Do Not Fragment

What does the -l option mean? A) Do Not Fragment B) Send buffer size C) Traceroutes

B) Send buffer size

What command traceroutes the network configuration information of the target domain? A) Do Not Fragment B) Send buffer size C) tracert

C) tracert

Which of the following can the administrator do to verify that a tape backup can be recovered in its entirety? A) read the first 512 bytes of the tape B) Perform a full restore C) Read the last 512 bytes of the tape D) Restore a random file

B) Perform a full restore

If an attacker uses the SELECT* FROM user WHERE name = 'x' AND userid IS NULL; --; which type of SQL injection is the attacker performing? A) UNION SQL injection B) Tautology C) End of Line Comment D) Illegal / logically incorrect Query

C) End of Line Comment

To determine if a software program properly handles a wide range of invalid input, a form of automated testing can be used to randomly generate invalid input in an attempt to crash the program. What term is commonly utilized when referring to this type of testing? A) Fuzzing B) Bounding C) Mutating D) Randomizing

A) Fuzzing

What is purpose of a demilitarized zone on a network A) To provide a place to put the honeypot B) To only provide direct access to the notes within the DMZ and protect the network behind it C) To scan all traffic coming through the DMZ to the internal network D) To contain the network devices you wish to protect

B) To only provide direct access to the notes within the DMZ and protect the network behind it

Which Nmap option would you use if you were not concerned about being detected and wanted to perform a very fast scan? A) -A B) -T5 C) -O D) -T0

B) -T5

You have compromised a server and successfully gained a root access. You want to pivot and pass traffic undetected over the network and evade any possible intrusion detection system. What is the best approach? A) Install and use Telnet to encrypt all outgoing traffic from this server. B) Use HTTP so that all traffic can be routed via a browser, thus evading the internal intrusion detection systems. C) Install Cryptcat and encrypt outgoing packets from this server. D) Use alternate data streams to hide the outgoing packets from this server.

C) Install Cryptcat and encrypt outgoing packets from this server.

Which of the following antenna commonly used in communications for a frequency band of 10 MHz to VHF and UHF? A) Parabolic grid antenna B) Omnidirectional antenna C) Dipole Antenna D) Yagi antenna

D) Yagi antenna

Which of the following is a design pattern based on distinct pieces of software providing application functionality as service to other applications? A) Object Oriented architecture B) Lean Coding C) Service Oriented Architecture D) Agile Process

C) Service Oriented Architecture

When tuning security alerts, what is the best approach? A) Decrease False Negatives B) Decrease the false positives C) Rise False positives Rise False Negatives D) Tune to avoid False positive and False Negatives

D) Tune to avoid False positive and False Negatives

If you are the network admin and you get a complaint that some of the websites are no longer accessible. You tried to ping the servers, it’s reachable. Then you type the IP address and then try on the browser, even then it accessible. But they are not accessible when you try using the URL. What may be the problem? A) Traffic is Blocked on TCP port 80. B) Traffic is Blocked on UDP port 53. C) Traffic is Blocked on TCP port 54. D) Traffic is blocked on UDP port 80.

B) Traffic is Blocked on UDP port 53.

You are performing a penetration test. You achieve access via a buffer overload exploit and you proceed to find interesting data, such as files with usernames and passwords. You find a hidden folder that has the administrators bank account password and login information for the administrators Bitcoin account. What should you do? A) Do not report it and continue the penetration test. B) Report immediately to the administrator. C) Transfer money from the administrator’s account to another account. D) Do not transfer the money but still the bitcoins.

B) Report immediately to the administrator.

You are a security officer of a company. You had an alert from IDS that indicate one PC on your Internet connected to a blacklisted IP address (C2 Server) on the Internet. The IP address was blacklisted just before the alert. You are starting investigation to know the severity of the situation roughly. Which of the following is appropriate to analyze? A) Event logs on domain controller B) Event logs on the PC C) Internet Firewall / Proxy log D) IDS log

C) Internet Firewall / Proxy log

What network security concept requires multiple layers of security controls to be placed throughout an IT infrastructure, which improves the security posture of an organization to defend against malicious attacks or potential vulnerabilities? A) Network- Based Intrusion Detection System B) Defense in depth C) Security through obscurity D) Host- Based Intrusion Detection System

B) Defense in depth

You need a tool that can perform network intrusion prevention, but also intrusion detection and can function as a network sniffer and records network activity, what tools would you most likely select? A) Cain &Abel B) Nmap C) Snort D) Nessus

C) Snort

In risk management, how is the “likelihood” related to the concept of “threat?” A) Likelihood it’s a possible threat source that may exploit a vulnerability. B) Likelihood is the probability that a threat source will exploit a vulnerability. C) Likelihood is the likely source of a threat that could exploit a vulnerability. D) Likelihood is the probability that vulnerability is the threat source.

B) Likelihood is the probability that a threat source will exploit a vulnerability.

Insecure direct object reference is a type of vulnerability where application doesn’t verify if the user is authorized to access internal object via its name or key. Suppose the malicious user Rob tries to gain access to the account of the benign user Ned. Which of the following requests best illustrates an attempt to exploit an insecure direct object reference vulnerability? A) GET /restricted/\r\n\%00account%00Ned%access HTTP/1.1 Host: westbank.com B) GET/restricted/accounts/?name=Ned HTTP/1.1 Host: westbank.com C) GET/restricted/bank.getaccount(“Ned”) HTTP/1.1 Host: westbank.com D) GET/ restricted/goldtransfer?to=Rob&from=1 or 1 HTTP /1.1 Host: westbank.com

B) GET/restricted/accounts/?name=Ned HTTP/1.1 | Host: westbank.com

In Wireshark, the packet bytes panes shows the data of the current packet in which format? A) Binary B) ASCII only C) Decimal D) Hexadecimal

D) Hexadecimal

During the process of encryption and decryption, what keys are shared? A) Public Keys B) User passwords C) Public and private keys D) Private Keys

A) Public Keys

Firewalls are the software or hardware systems that are able to control and monitor the traffic coming in and out of the target network based on a pre-defined set of rules. Which of the following types of firewalls can protect against SQL injection attacks? A) Data-driven firewall B) Web application firewall C) Stateful firewall D) Packet firewall

B) Web application firewall

Which of the following in incorrect? Standard Range (ft) 802. 11a 150-150 802. 11b 150-150 802. 11g 150-150 802. 16 (WiMax) 30 Miles A) 802.11b B) 802.11g C) 802.11a D) 802.16 (WiMax)

B) 802.11g

WPA2 utilizes AES for wireless data encryption at which of the following encryption levels? A) 128 bit and CCMP B) 128 bit and TKIP C) 128 bit and CRC D) 64 bit and CCMP

A) 128 bit and CCMP

What is the role of test automation in security testing? A) it is an option but it tends to be very expensive B) It can accelerate benchmark tests and repeat them with a consistent test setup. But it cannot replace manual testing completely. C) Test automation is not usable in security due to the complexity of the tests D) It should be utilized exclusively. Manual testing is outdated because of low speed and possible test setup inconsistencies.

B) It can accelerate benchmark tests and repeat them with a consistent test setup. But it cannot replace manual testing completely.

You are attempting to run a Nmap portscan on a web server. Which of the following commands would result in a scan of common ports with the least amount of noise in order to evade an IDS? A) Nmap -sT -O -T0 B) Nmap -sP -p-65535 -T5 C) Nmap -A -Pn D) Nmap -A -host-timeout 99 -T1

A) Nmap -sT -O -T0

Which of the following scanning method splits the TCP header into several packets and makes it difficult for packet filters to detect the purpose of the packet? A) SYN/FIN scanning using IP fragments\ B) ICMP Echo scanning C) ACK flag probe scanning D) IPID scanning

A) SYN/FIN scanning using IP fragments\

Which of the following is a command line packet analyzer similar to GUI -based WireShark? A) Jack the ripper B) Nessus C) tcpdump D) ethereal

C) tcpdump

Which of the following attacks exploits web page vulnerabilities that allow an attacker to force an unsuspecting user;s browser to send malicious requests they did not intend? A) Cross Site Request Forgery ( CSRF) B) File Injection Attack C) Command Injection Attacks D) Hidden Field Manipulation Attack

A) Cross Site Request Forgery ( CSRF)

The "gray box testing" methodology enforces what kind of restriction? A. Only the external operation of a system is accessible to the tester. B. The internal operation of a system is completely known to the tester. C. The internal operation of a system is only partly accessible to the tester. D. Only the internal operation of a system is known to the tester.

C. The internal operation of a system is only partly accessible to the tester.

The "black box testing" methodology enforces which kind of restriction? A. Only the internal operation of a system is known to the tester. B. The internal operation of a system is completely known to the tester. C. Only the external operation of a system is accessible to the tester. D. The internal operation of a system is only partly accessible to the tester.

C. Only the external operation of a system is accessible to the tester.

Under the "Post-attack Phase and Activities," it is the responsibility of the tester to restore the systems to a pretest state. Which of the following activities should not included in this phase? I. Removing all files uploaded on the system II. Cleaning all registry entries III. Mapping of network state IV. Removing all tools and maintaining backdoor for reporting A. III B. IV C. III and IV D. All should be included

C. III and IV

The "white box testing" methodology enforces what kind of restriction? A. The internal operation of a system is only partly accessible to the tester. B. Only the external operation of a system is accessible to the tester. C. Only the internal operation of a system is known to the tester. D. The internal operation of a system is completely known to the tester.

D. The internal operation of a system is completely known to the tester.

A regional bank hires your company to perform a security assessment on their network after a recent data breach. The attacker was able to steal financial data from the bank by compromising only a single server. Based on this information, what should be one of your key recommendations to the bank? A. Place a front-end web server in a demilitarized zone that only handles external web traffic. B. Move the financial data to another server on the same IP subnet C. Require all employees to change their passwords immediately D. Issue new certificates to the web servers from the root certificate authority

A. Place a front-end web server in a demilitarized zone that only handles external web traffic.

What is the process of logging, recording, and resolving events that take place in an organization? A. Incident Management Process B. Metrics C. Internal Procedure D. Security Policy

A. Incident Management Process

Nation-state threat actors often discover vulnerabilities and hold on the them until they want to launch a sophisticated attack. The Sutxnet attack was an unprecedented style of attack because it used four types of vulnerability? What is this style of attack called? A. zero-hour B. no-day C. zero-day D. zero-sum

C. zero-day

What is the benefit of performing an unannounced Penetration Testing? A. It is best to catch critical infrastructure unpatched. B. The tester will have an actual security posture visibility of the target network. C. Network security would be in a "best state" posture. D. The tester could not provide an honest analysis.

B. The tester will have an actual security posture visibility of the target network.

This international organization regulates billions of transactions daily and provides security guidelines to protect personally identifiable information (PII). These security controls provide a baseline and prevent low-level hackers sometimes known as script kiddies from causing a data breach. Which of the following organizations is being described? A. International Security Industry Organization (ISIO) B. Center for Disease Control (CDC) C. Payment Card Industry (PCI) D. Institute of Electrical and Electronics Engineers (IEEE)

C. Payment Card Industry (PCI)

Which of the following incident handling process phases is responsible for defining rules, collaborating human workforce, creating a backup plan, and testing plans for an organization? A. Preparation phase B. Identification phase C. Recovery phase D. Containment phase

A. Preparation phase

It is a regulation that has a set of guidelines, which should be adhered to by anyone who handles and electronic medical data. These guidelines stipulate that all medical practices must ensure that all necessary measures are in place while saving, accessing, and sharing any electronic medical data to keep patient data secure. Which of the following regulations best matches the description? A. HIPAA B. COBIT C. FISMA D. ISO/IEC 27002

A. HIPAA

A security analyst is performing an audit on the network to determine if there are any deviations from the security policies in place. The analyst discovers that a user from the IT department had a dial-out modem installed. Which is security policy it must the security analyst check to see if dial-out modems are allowed? A. Firewall management policy B. Permissive policy C. Remote access policy D. Acceptable use policy

C. Remote access policy

An enterprise recently moved to a new office in the new neighborhood is a little risky. The CEO wants to monitor the physical perimeter and the entrance doors 24 hours. What is the best option to do this job? A. Install a CCTV with cameras pointing to the entrance doors and the street B. Use an IDS in the entrance doors and install some of them near the corners C. Use lights in all the entrance doors and along the company's perimeter D. Use fences in the entrance doors

A. Install a CCTV with cameras pointing to the entrance doors and the street

Which of the following security policies define the use of VPN for gaining access to an internal corporate network? A. Network Security policy B. Access control policy C. Remote access policy D. Information protection policy

C. Remote access policy

A newly discovered flaw in a software application would be considered which kind of security vulnerability? A. Input validation flaw B. 0-day vulnerability C. Time-to-check to time-to-use flaw D. HTTP header injection vulnerability

B. 0-day vulnerability

t has been reported to you that someone has caused an information spillage on their computer. You go to the computer, disconnect it from the network, remove the keyboard and mouse, and power it down. What step in incident handling did you just complete? A. Recovery B. Containment C. Eradication D. Discovery

B. Containment

What network security concept requires multiple layers of security controls to be placed through out an IT infrastructure, which improves the security posture of an organization to defend against malicious attacks or potential vulnerabilities? A. Network-Based Intrusion Detection System B. Defense in depth C. Security through obscurity D. Host-Based Intrusion Detection System

B. Defense in depth

Which type of security feature stops vehicles from crashing through the doors of a building? A. Bollards B. Mantrap C. Receptionist D. Turnstile

A. Bollards

Seth is starting a penetration test from inside the network. He hasn't been given any information about the network. What type of test is he conducting? A. External, Whitebox B. External,Blackbox C. Internal, Whitebox D. Internal, Blackbox

D. Internal, Blackbox

Which protocol and port number might be needed in order to send log messages to a log analysis tool that resides behind a firewall? A. UDP 541 B. UDP 514 C. UDP 123 D. UDP 415

B. UDP 514

An unauthorized individual enters a building following an employee through the employee entrance after the lunch rush. What type of breach has the individual just performed? A. Tailgating B. Reverse Social Engineering C. Piggybacking D. Announced

A. Tailgating

Code injection is a form of attack in which a malicious user: A. Inserts additional code into the JavaScript running in the browser. B. Gains access to the code base on the server and inserts new code. C. Inserts text into a data field that gets interpreted as code. D. Gets the server to execute arbitrary code using a buffer overflow.

C. Inserts text into a data field that gets interpreted as code.

In which of the following cryptography attack methods, attacker makes a series of interactive queries, choosing subsequent plaintexts based on the information from the previous encryptions? A. Chosen-plaintext attack B. Ciphertext-only attack C. Adaptive chosen-plaintext attack D. Known-plaintext attack

C. Adaptive chosen-plaintext attack

When conducting a penetration test it is crucial to use all means to get all available information about the target network. One of the ways to do that is by sniffing the network.Which of the following cannot be performed by the passive network sniffing? A. Collecting unencrypted information about usernames and passwords B. Modifying and replaying captured network traffic C. Capturing a network traffic for further analysis D. Identifying operating systems, services, protocols and devices

B. Modifying and replaying captured network traffic

Bob, a network administrator at BigUniversity, realized that some students are connecting their notebooks in the wired network to have Internet access.In the university campus there are many Ethernet ports available for professors and authorized visitors, but not for students. He identified this when the IDS alerted for malware activities in the network. What Bob should do to avoid this problem? A. Use the 802.1x protocol. B. Disable unused ports in the switches. C. Separate students in a different VLAN. D. Ask students to use the wireless network.

A. Use the 802.1x protocol.

Steve, a scientist which works in a governmental security agency, developed a technological solution to identify people based on walking patterns, and implemented this approach to a physical control access. A camera captures people walking and identifies the individuals using Steve's approach. After that, people must approximate their RFID badges.Both identification are required to open the door. In this case, we can say: A. Although the approach has two phases, it actually implements just one authentication factor B. The solution implements the two authentication factors: physical object and physical characteristic C. Biological motion cannot be used to identify people D. The solution will have a high level of false positives

B. The solution implements the two authentication factors: physical object and physical characteristic

Bob finished a C programming course and created a small C application to monitor the network traffic and to produce alerts when any origin sends "many" IP packets, based on the average number of packets sent by all origins and using some thresholds. In concept, the solution developed by Bob is actually: A. Just a network monitoring tool B. A behavioral IDS C. A signature IDS D. A hybrid IDS

B. A behavioral IDS

Sam is working as a pen-tester in an organization in Houston. He performs penetration testing on IDS in order to find the different ways an attacker uses to evade the IDS. Sam sends large amount of packets to the target IDS that generate alerts which enable Sam to hide the real traffic. What type of method is Sam using to evade IDS? A. Obfuscating B. False Positive Generation C. Insertion Attack D. Denial-of-Service

B. False Positive Generation

Which of the following is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. A. SSL/TLS Renegotiation Vulnerability B. POODLE C. Shellshock D. Heartbleed Bug

D. Heartbleed Bug

Chandler works as a pen-tester in an IT-firm in New York. As a part of detecting viruses in the systems, he uses a detection method where the anti-virus executes the malicious codes on a virtual machine to simulate CPU and memory activities. Which type of virus detection method did Chandler use in this context? A. Code Emulation B. Scanning C. Heuristic Analysis D. Integrity checking

A. Code Emulation

ping -* 6 192.168.0.101 output Pinging 192.168.0.101 with 32 bytes of data: Reply from 192.168.0.101: bytes=32 time<1ms TTL=128 Reply from 192.168.0.101: bytes=32 time<1ms TTL=128 Reply from 192.168.0.101: bytes=32 time<1ms TTL=128 Reply from 192.168.0.101: bytes=32 time<1ms TTL=128 Reply from 192.168.0.101: bytes=32 time<1ms TTL=128 Reply from 192.168.0.101: bytes=32 time<1ms TTL=128 Ping statistics for 192.168.0.101: Packets: Sent = 6, Received = 6, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms What does the option * here ? A. 'a B. 'n C. 's D. 't

B. 'n

The purpose of a __________ is to deny network access to local area networks and other information assets by unauthorized wireless devices. A. Wireless Access Control List B. Wireless Jammer C. Wireless Analyzer D. Wireless Access Point

A. Wireless Access Control List

You have compromised a server and successfully gained a root access. You want to pivot and pass traffic undetected over the network and evade any possible Intrusion Detection System. What is the best approach? A. Install and use Telnet to encrypt all outgoing traffic from this server. B. Use HTTP so that all traffic can be routed via a browser, thus evading the internal Intrusion Detection Systems. C. Install Cryptcat and encrypt outgoing packets from this server. D. Use Alternate Data Streams to hide the outgoing packets from this server.

C. Install Cryptcat and encrypt outgoing packets from this server.

NMAP -sn 192.168.11.200-215 The NMAP command above performs which of the following? A. An operating system detect B. A trace sweep C. A port scan D. A ping scan

D. A ping scan

Initiating an attack against targeted businesses and organizations, threat actors compromise a carefully selected website by inserting an exploit resulting in malware infection. The attackers run exploits on well-known and trusted sites likely to be visited by their targeted victims. Aside from carefully choosing sites to compromise, these attacks are known to incorporate zero-day exploits that target unpatched vulnerabilities. Thus, the targeted entities are left with little or no defense against these exploits. What type of attack is outlined in the scenario? A. Watering Hole Attack B. Shellshock Attack C. Heartbleed Attack D. Spear Phising Attack

A. Watering Hole Attack

Which tool can be used to silently copy files from USB devices? A. USB Sniffer B. USB Snoopy C. USB Grabber D. USB Dumper

D. USB Dumper

A virus that attempts to install itself inside of the file it is infecting is called ? A. Stealth virus B. Tunneling virus C. Polymorphic virus D. Cavity virus

D. Cavity virus

Which of the following scanning method splits the TCP header into several packets and makes it difficult for packet filters to detect the purpose of the packet? A. SYN/FIN scanning using IP fragments\ B. ICMP Echo scanning C. ACK flag probe scanning D. IPID scanning

A. SYN/FIN scanning using IP fragments\

DNS cache snooping is a process of determining if the specified resource address present in the DNS cache records. It may be useful during examination of the network to determine what software update resources are used, thus discovering what software is installed. What command is used to determine if the entry is present in DNS cache? A. nslookup -fullrecursive update.antivirus.com B. nslookup -norecursive update.antivirus.com C. dnsnooping -rt update.antivirus.com D. dns --snoop update.antivirus.com

B. nslookup -norecursive update.antivirus.com

Identify the web application attack where attackers exploit vulnerabilities in dynamically generated web pages to inject client-side script into web pages viewed by other users A. LDAP Injection attack B. Cross-Site Request Forgery (CSRF) C. Cross-Site Scripting (XSS) D. SQL injection attack

C. Cross-Site Scripting (XSS)

During the process of encryption and decryption, what keys are shared? A. Public keys B. User passwords C. Public and private keys D. Private keys

A. Public keys

What type of a vulnerability/attack is it when the malicious person forces the user's browser to send an authenticated request to a server? A. Cross-site request forgery B. Session hijacking C. Cross-site scripting D. Server side request forgery

A. Cross-site request forgery

What is the least important information when you analyse a public IP address in a security alert? A. Whois B. ARP C. DNS D. Geolocation

B. ARP

Which one of the following options represents a conceptual characteristic of an anomaly-based IDS over a signature-based IDS? A. Can identify unknown attacks B. Cannot deal with encrypted network traffic C. Produces less false positives D. Requires vendor updates for new threats

A. Can identify unknown attacks

When does the Payment Card Industry Data Security Standard (PCI-DSS) require organizations to perform external and internal penetration testing? A. At least once every three years and after any significant infrastructure or application upgrade or modification B. At least once a year and after any significant infrastructure or application upgrade or modification C. At least once every two years and after any significant infrastructure or application upgrade or modification D. At least twice a year and after any significant infrastructure or application upgrade or modification

B. At least once a year and after any significant infrastructure or application upgrade or modification

Bob, a system administrator at TPNQM SA, concluded one day that a DMZ is not needed if he configure properly the firewall to allow access just to servers/ports which can have direct internet access, and block the access to workstations. Bob also concluded that DMZ really makes sense just when a stateful firewall is available, which is not the case of TPNQM SA. In this context, what you can say? A. Bob is totally wrong. DMZ is always relevant when the company has internet servers and workstations. B. Bob is partially right. Actually, DMZ doesn't make sense when a stateless firewall is available. C. Bob is partially right. He doesn't need to separate networks if he can create rules by destination IPs, one by one. D. Bob can be right, DMZ doesn't make sense combined with stateless firewalls.

A. Bob is totally wrong. DMZ is always relevant when the company has internet servers and workstations.

You are Monitoring the Network of your Organization. You notice that 1. There is huge Outbound Connections from your Internal Network to External IP’s. 2. On further Investigation you see that the external IP’s are Blacklisted. 3. Some connections are Accepted and some Dropped . 4. You find that it’s a CnC communication. Which of the Following solution will you Suggest ? A. Clean the Malware which are trying to Communicate with the External Blacklist IP’s. B. Update the Latest Signatures on your IDS/IPS. C. Block the Blacklist IP’s @ Firewall. D. Both B and C

D. Both B and C

When you are performing a risk assessment you need to determine the potential impacts if some of the critical business processes of the company interrupt its service. What is the name of the process you need to determine those critical business? A. Disaster Recovery Planning (DRP) B. Emergency Plan Response (EPR) C. Risk Mitigation D. Business Impact Analysis (BIA)

D. Business Impact Analysis (BIA)

Which of the following attacks exploits web page vulnerabilities that allow an attacker to force an unsuspecting user's browser to send malicious requests they did not intend? A. Cross-Site Request Forgery (CSRF) B. File Injection Attack C. Command Injection Attacks D. Hidden Field Manipulation Attack

A. Cross-Site Request Forgery (CSRF)

Firewalls are the software or hardware systems that are able to control and monitor the traffic coming in and out the target network based on pre-defined set of rules. Which of the following types of firewalls can protect against SQL injection attacks? A. Data-driven firewall B. Web application firewall C. Stateful firewall D. Packet firewall

B. Web application firewall

Alice encrypts her data using her public key PK and stores the encrypted data in the cloud. Which of the following attack scenarios will compromise the privacy of her data? A. Hacker Harry breaks into the cloud server and steals the encrypted data. B. Alice also stores her private key in the cloud, and Harry breaks into the cloud server as before C. Agent Andrew subpoenas Alice, forcing her to reveal her private key. However, the cloud server successfully resists Andrew's attempt to access the stored data D. None of these scenarios compromise the privacy of Alice's data

B. Alice also stores her private key in the cloud, and Harry breaks into the cloud server as before

Which of the following provides a security professional with the most information about the system's security posture? A. Wardriving, warchalking, social engineering B. Phishing, spamming, sending trojans C. Social engineering, company site browsing, tailgating D. Port scanning, banner grabbing, service identification

D. Port scanning, banner grabbing, service identification

Which component of IPsec performs protocol-level functions that are required to encrypt and decrypt the packets? A. IPsec driver B. Internet Key Exchange (IKE) C. Oakley D. IPsec Policy Agent

A. IPsec driver

An attacker, using a rogue wireless AP, performed a MITM attack and injected a HTML code to embed a malicious applet in all HTTP connections. When users accessed any page, the applet ran and exploited many machines. Which one of the following tools the hacker probably used to inject HTML code? A. Aircrack-ng B. Tcpdump C. Ettercap D. Wireshark

C. Ettercap

You need to deploy a new web-based software package for your organization. The package requires three separate servers and needs to be available on the Internet. What is the recommended architecture in terms of server placement? A. A web server facing the Internet, an application server on the internal network, a database server on the internal network. B. All three servers need to be placed internally. C. All three servers need to face the Internet, so they can communicate between themselves. D. A web server and the database server facing the Internet, an application server on the internal network.

A. A web server facing the Internet, an application server on the internal network, a database server on the internal network.

You are working as a Security Analyst in a Company XYZ . XYZ owns the whole Subnet range of 23.0.0.0/8 and 192.168.0.0/8. While monitoring the Data you find a high number of outbound connections. You see that IP's Owned by XYZ (Internal) and Private IP's are communicating to a Single Public IP. Therefore the Internal IP's are Sending data to the Public IP. After further analysis you find out that this Public IP is a blacklisted IP and the internal communicating Devices are compromised. What kind of attack does the above scenario depict ? A. Botnet Attack B. Advanced Persistent Threats C. Rootkit Attack D. Spear Phishing Attack

A. Botnet Attack

Which of the following is considered as one of the most reliable forms of TCP scanning? A. Xmas Scan B. TCP Connect / Full Open Scan C. Half-open Scan D. NULL Scan

B. TCP Connect / Full Open Scan

An attacker scans a host with the below command. Which three flags are set? # nmap -sX host.domain.com A. This is Xmas scan. SYN and ACK flags are set B. This is SYN scan. SYN flag is set. C. This is ACK scan. ACK flag is set. D. This is Xmas scan. URG, PUSH and FIN are set.

D. This is Xmas scan. URG, PUSH and FIN are set.

Which of the following Secure Hashing Algorithm (SHA) produces a 160-bit digest from a message with a maximum length of (264 - 1) bits, and resembles the MD5 algorithm? A. SHA-3 B. SHA-1 C. SHA-0 D. SHA-2

B. SHA-1

Which one of the following Google advance search operators allows an attacker to restrict the results to those websites in the given domain? A. [cache:] B. [site:] C. [inurl:] D. [link:]

B. [site:]

Security Policy is a definition of what it means to be secure for a system, organization or other entity. For Information Technologies, there are sub-policies like; Computer Security Policy, Information Protection Policy, Information Security Policy, Network Security Policy, Physical Security Policy, Remote Access Policy, User Account Policy. What is main theme of the sub-policies for Information Technologies? A. Confidentiality, Integrity, Availability B. Availability, Non-repudiation, Confidentiality C. Authenticity, Integrity, Non-repudiation D. Authenticity, Confidentiality, Integrity

A. Confidentiality, Integrity, Availability

Which one of the following approaches are commonly used to automatically detect host intrusions? A. Network traffic analysis B. The host's network interface use C. File checksums D. System CPU utilization

C. File checksums

Which of the following types of jailbreaking allows user-level access but does not allow iboot-level access? A. Sandbox Exploit B. Userland Exploit C. Bootrom Exploi

B. Userland Exploit

You perform a scan of your company's network and discover that TCP port 123 is open. What services by default run on TCP port 123? A. POP3 B. Telnet C. Network Time Protocol D. DNS

C. Network Time Protocol

Which of the following cryptography attack is an understatement for the extraction of cryptographic secrets (e.g. the password to an encrypted file) from a person by coercion or torture? A. Rubber Hose Attack B. Timing Attack C. Chosen-Cipher text Attack D. Ciphertext-only Attack

A. Rubber Hose Attack

TCP

Transmission Control Protocol

SYN

Synchronize segment

SYN/ACK

Synchronize Acknowledgment segment

ACK

Acknowledgment segment

ARP

Address Resolution Protocol

What is the the three-way handshake expressed as?

SYN, SYN/ACK, ACK

PII

Personally Identifiable Information

IRT

Incident Response Team

EISA

Enterprise Information Security Architecture is a collection of requirements and processes that help determine how an organization’s information systems are built and how they work.

What can security controls be categorized by ?

physical, technical, and administrative

Physical controls include things | such as...

guards, lights, and cameras

Technical controls include things such as...

encryption, smartcards, and access control lists

Administrative controls include...

training, awareness, and policy efforts

Preventative Measures

Authentication (preventative), alarm bells for unauthorized access to a physical location, alerts on unauthorized access to resources, audits (detective), and backups and restore options (corrective).

CIA

Confidentiality, Integrity, Availability

Hash

hematical | algorithm (such as MD5 and SHA-1) that generates a specific, fixed-length number which is a hash value.

Hash

mathematical algorithm (such as MD5 and SHA-1) that generates a specific, fixed-length number which is a hash value.

Bit flipping

The attacker isn’t interested in learning the entirety of the plain-text message. Instead, bits are manipulated in the cipher text itself to generate a predictable outcome in the plain text once it is decrypted.

Evaluation Assurance Level (EAL)

Set standard of controls and testing | method

Target of evaluation (TOE)

What is being tested

Security target (ST)

The documentation describing the TOE and security requirements

Protection profile (PP)

A set of security requirements specifically for the type of product being tested

Mandatory access control (MAC)

method of access control where security policy is controlled by a security administrator: users can’t set access controls themselves.

Discretionary access control (DAC)

Allows users to set access controls on the resources they own or controls.

Standards

Mandatory rules used to achieve consistency.

Baselines

Provide the minimum security level necessary

Guidelines

Flexible recommended actions users are to take in the event there is no standard to follow.

Procedures

Detailed step-by-step instructions for accomplishing a task or goal.

Phreaker

Someone who manipulates telecommunications | systems in order to make free calls.

Infowar

The use of offensive and defensive techniques to create advantage over your adversary.

Pen Test Stages

Preparation, Assessment, and Conclusion

Preparation Phase

The preparation phase defines the time period during which the actual contract is hammered out. The scope of the test, the types of attacks allowed, and the individuals assigned to perform the activity are all agreed upon in this phase.

Assessment Phase

The assessment phase (sometimes also known as the security evaluation phase or the conduct phase) is exactly what it sounds like —the actual assaults on the security controls are conducted during this time.

Conclusion Phase

The conclusion (or post-assessment) phase defines the time when final reports are prepared for the customer, detailing the findings of the tests (including the types of tests performed) and many times even providing recommendations to improve security.

Payment Card Industry Data Security Standard (PCI-DSS)

A security standard for organizations handling credit cards, ATM cards, and other point-of sales cards.

Which of the following would be the best example of a deterrent control? A. A log aggregation system B. Hidden cameras onsite C. A guard posted outside the door D. Backup recovery systems

C. If you’re doing something as a deterrent, you’re trying to prevent an attack in the first place. In this physical security deterrent control, a guard visible outside the door could help prevent physical attacks.

Enacted in 2002, this U.S. law requires every Federal agency to implement information security programs, including significant reporting on compliance and accreditation. Which of the following is the best choice for this definition? A. FISMA B. HIPAA C. NIST 800-53 D. OSSTM

A. FISMA has been around since 2002 and was updated in 2014. It gave certain information security responsibilities to NIST, OMB, and other government agencies, and declared the Department of Homeland Security (DHS) as the operational lead for budgets and guidelines on security matters.

Brad has done some research and determined a certain set of systems on his network fail once every ten years. The purchase price for each of these systems is $1200. Additionally, Brad discovers the administrators on staff, who earn $50 an hour, estimate five hours to replace a machine. Five employees, earning $25 an hour, depend on each system and will be completely unproductive while it is down. If you were to ask Brad for an ALE on these devices, what should he answer with? A. $2075 B. $207.50 C. $120 D. $1200

B. ALE = ARO × SLE. To determine ARO, divide the number of occurrences by the number of years (1 occurrence / 10 years = 0.1). To determine SLE, add the purchase cost (1200) plus the amount of time to replace (5 × 50 = 250) plus the amount of lost work (5 hours × 5 employees × 25 = 625). In this case, it all adds up to $2075. ALE = 0.1 × 2075, or $207.50

An ethical hacker is hired to test the security of a business network. The CEH is given no prior knowledge of the network and has a specific framework in which to work, defining boundaries, nondisclosure agreements, and the completion date. Which of the following is a true statement? A. A white hat is attempting a black-box test. B. A white hat is attempting a white-box test. C. A black hat is attempting a black-box test. D. A black hat is attempting a gray-box test.

A. In this example, an ethical hacker was hired under a specific agreement, making him a white hat. The test he was hired to perform is a no-knowledge attack, making it a black-box test.

When an attack by a hacker is politically motivated, the hacker is said to be participating in which of the following? A. Black-hat hacking B. Gray-box attacks C. Gray-hat attacks D. Hactivism

D. Hackers who use their skills and talents to forward a cause or a political agenda are practicing hactivism.

Two hackers attempt to crack a company’s network resource security. One is considered an ethical hacker, whereas the other is not. What distinguishes the ethical hacker from the “cracker”? A. The cracker always attempts white-box testing. B. The ethical hacker always attempts black-box testing. C. The cracker posts results to the Internet. D. The ethical hacker always obtains written permission before testing.

D. The ethical hacker always obtains written permission before testing and never performs a test without it!

In which stage of an ethical hack would the attacker actively apply tools and techniques to gather more in-depth information on the targets? A. Active reconnaissance B. Scanning and enumeration C. Gaining access D. Passive reconnaissance

B. The second of the five phases of an ethical hack attempt, scanning and enumeration, is the step where ethical hackers take the information they gathered in recon and actively apply tools and techniques to gather more in-depth information on the targets.

Which type of attack is generally conducted as an inside attacker with elevated privileges on the resources? A. Gray box B. White box C. Black box D. Active reconnaissance

B. A white-box attack is intended to simulate an internal attacker with elevated privileges, such as a network administrator.

Which of the following Common Criteria processes refers to the system or product being tested? A. ST B. PP C. EAL D. TOE

D. The target of evaluation (TOE) is the system or product being tested.

Your company has a document that spells out exactly what employees are allowed to do on their computer systems. It also defines what is prohibited and what consequences await those who break the rules. A copy of this document is signed by all employees prior to their network access. Which of the following best describes this policy? A. Information Security Policy B. Special Access Policy C. Information Audit Policy D. Network Connection Policy

A. The Information Security Policy defines what is allowed and not allowed, and what the consequences are for misbehavior in regard to resources on the corporate network. Generally this is signed by employees prior to their account creation.

Sally is a member of a pen test team newly hired to test a bank’s security. She begins searching for IP addresses the bank may own by searching public records on the Internet. She also looks up news articles and job postings to discover information that may be valuable. What phase of the pen test is Sally working? A. Preparation B. Assessment C. Conclusion D. Reconnaissance

B. The assessment phase, which EC-Council also likes to interchangeably denote as the “conduct” phase sometimes, is where all the activity takes place—including the passive information gathering performed by Sally in this example

Joe is a security engineer for a firm. His company downsizes, and Joe discovers he will be laid off within a short amount of time. Joe plants viruses and sets about destroying data and settings throughout the network, with no regard to being caught. Which type of hacker is Joe considered to be? A. Hactivist B. Suicide hacker C. Black hat D. Script kiddie

B. A suicide hacker doesn’t care about being caught. Jail time and punishment mean nothing to these guys. While sometimes they are tied to a political or religious group or function, sometimes they’re just angry folks looking to make an entity pay for some perceived wrongdoing.

Elements of security include confidentiality, integrity, and availability. Which technique provides for integrity? A. Encryption B. UPS C. Hashing D. Passwords

C. A hash is a unique numerical string, created by a hashing algorithm on a given piece of data, used to verify data integrity. Generally, hashes are used to verify the integrity of files after download (comparison to the hash value on the site before download) and/or to store password values. Hashes are created by a one-way algorithm.

Which of the following best describes an effort to identify systems that are critical for continuation of operation for the organization? A. BCP B. BIA C. MTD D. DRP

B. The Business Impact Analysis best matches this description. Although maximum tolerable downtime is part of the process, and a continuity plan certainly addresses it, a BIA is the actual process to identify those critical systems.

SRV (Service)

Defines the hostname and port number of servers providing specific services, such as a Directory Services server.

SOA (Start of Authority)

Identifies the primary name server for the zone. The SOA record contains the hostname of the server responsible for all DNS records within the namespace, as well as the basic properties of the domain.

PTR (Pointer)

Maps an IP address to a hostname (providing for reverse DNS lookups).

NS (Name Server)

Defines the name servers within your namespace.

MX (Mail Exchange)

Identifies the e-mail servers within your domain.

CNAME (Canonical Name)

Provides for domain name aliases within your zone.

A (Address)

Maps an IP address to a hostname and is used most often for DNS lookups.

Which of the following would be the best choice for footprinting restricted URLs and OS information from a target? A. www.archive.org B. www.alexa.com C. Netcraft D. Yesware

C. Netcraft is the best choice here. From the site: “Netcraft provides internet security services including anti-fraud and anti-phishing services, application testing and PCI scanning.”

While footprinting a network, you successfully perform a zone transfer. Which DNS record in the zone transfer indicates the company’s e-mail server? A. MX B. EM C. SOA D. PTR

A. MX records define a server as an e-mail server. An associated A record will define the name-to-IP-address translation for the server.

Which of the following best describes the role that the U.S. Computer Security Incident Response Team (CSIRT) provides? A. Vulnerability measurement and assessments for the U.S. Department of Defense B. A reliable and consistent point of contact for all incident response services for associates of the Department of Homeland Security C. Incident response services for all Internet providers D. Pen test registration for public and private sector

B. CSIRT provides incident response services for any user, company, agency, or organization in partnership with the Department of Homeland Security.

A security peer is confused about a recent incident. An attacker successfully accessed a machine in the organization and made off with some sensitive data. A full vulnerability scan was run immediately following the theft, and nothing was discovered. Which of the following best describes what may have happened? A. The attacker took advantage of a zero-day vulnerability on the machine. B. The attacker performed a full rebuild of the machine after he was done. C. The attacker performed a denial-of-service attack. D. Security measures on the device were completely disabled before the attack began

A. A zero-day vulnerability is one that security personnel, vendors, and even vulnerability scanners simply don’t know about yet. It’s more likely the attacker is using an attack vector unknown to the security personnel than he somehow managed to turn off all security measures without alerting anyone.

Which footprinting tool or technique can be used to find the names and addresses of employees or technical points of contact? A. whois B. nslookup C. dig D. traceroute

A. Whois provides information on the domain registration, including technical and business POCs’ addresses and e- mails.

Which Google hack would display all pages that have the words SQL and Version in their titles? A. inurl:SQL inurl:version B. allinurl:SQL version C. intitle:SQL inurl:version D. allintitle:SQL version

D. The Google search operator allintitle allows for the combination of strings in the title. The operator inurl looks only in the URL of the site.

Which of the following is a passive footprinting method? (Choose all that apply.) A. Checking DNS replies for network mapping purposes B. Collecting information through publicly accessible sources C. Performing a ping sweep against the network range D. Sniffing network traffic through a network tap

A, B. Passive footprinting is all about publicly accessible sources.

Which DNS record type maps an IP address to a hostname and is used most often for DNS lookups? A. NS B. MX C. A D. SOA

C. A records provide IP-address-to-name mappings.

You have an FTP service and an HTTP site on a single server. Which DNS record allows you to alias both services to the same record (IP address)? A. NS B. SOA C. CNAME D. PTR

C. CNAME records provide for aliases within the zone.

As a pen test team member, you begin searching for IP ranges owned by the target organization and discover their network range. You also read job postings and news articles and visit the organization’s website. Throughout the first week of the test, you also observe when employees come to and leave work, and you rummage through the trash outside the building for useful information. Which type of footprinting are you accomplishing? A. Active B. Passive C. Reconnaissance D. None of the above

B. All the methods discussed are passive in nature, per EC-Council’s definition.

A member of your team enters the following command: nmap -sV -sC -O –traceroute IPAddress Which of the following nmap commands performs the same task? A. nmap -A IPAddress B. nmap -all IPAddress C. nmap -Os IPAddress D. nmap -aA IPAddress

A. The –A switch turns on OS detection, version detection, script scanning, and traceroute, just as the –O, -sV, -sC, and –traceroute switches do in conjunctions with each other

You want to perform banner grabbing against a machine (168.15.22.4) you suspect as being a web server. Assuming you have the correct tools installed, which of the following command-line entries will successfully perform a banner grab? (Choose all that apply.) A. Telnet 168.15.22.4 80 B. Telnet 80 168.15.22.4 C. nc –v –n 168.15.22.4 80 D. nc –v –n 80 168.15.22.4

A, C. Both Telnet and netcat, among others, can be used for banner grabbing. The correct syntax for both have the port number last.

You’ve decided to begin scanning against a target organization but want to keep your efforts as quiet as possible. Which IDS evasion technique splits the TCP header among multiple packets? A. Fragmenting B. IP spoofing C. Proxy scanning D. Anonymizer

A. Fragmenting packets is a great way to evade an IDS, for any purpose. Sometimes referred to as IP fragments, splitting a TCP header across multiple packets can serve to keep you hidden while scanning.

One of your team members is analyzing TTL fields and TCP window sizes in order to fingerprint the OS of a target. Which of the following is most likely being attempted? A. Online OS fingerprinting B. Passive OS fingerprinting C. Aggressive OS fingerprinting D. Active OS fingerprinting

B. Generally speaking, any activity noted in a question that does not explicitly state you are crafting packets and injecting them toward a system indicates you are passively observing traffic—in this case, most likely with a sniffed traffic log.

What flag or flags are sent in the segment during the second step of the TCP three-way handshake? A. SYN B. ACK C. SYN/ACK D. ACK/FIN

C. A three-way TCP handshake has the originator forward a SYN. The recipient, in step 2, sends a SYN and an ACK. In step 3, the originator responds with an ACK. The steps are referred to as SYN, SYN/ACK, ACK.

You are port scanning a system and begin sending TCP packets with the ACK flag set. Examining the return packets, you see a return packet for one port has the RST flag set and the TTL is less than 64. Which of the following is true? A. The response indicates an open port. B. The response indicates a closed port. C. The response indicates a Windows machine with a non-standard TCP/IP stack. D. ICMP is filtered on the machine.

A. According to ECC, if the TTL of the returned RST packet is less than 64, the port is open.

An ethical hacker is ACK-scanning against a network segment he knows is sitting behind a stateful firewall. If a scan packet receives no response, what does that indicate? A. The port is filtered at the firewall. B. The port is not filtered at the firewall. C. The firewall allows the packet, but the device has the port closed. D. It is impossible to determine any port status from this response.

A. An ACK packet received by a stateful firewall will not be allowed to pass unless it was “sourced” from inside the network. No response indicates the firewall filtered that port packet and did not allow it passage.

Which flag forces a termination of communications in both directions? A. RST B. FIN C. ACK D. PSH

A. The RST flag forces both sides of the communications channel to stop. A FIN flag signifies an ordered close to the communications.

You are examining a host with an IP address of 52.93.24.42/20 and want to determine the broadcast address for the subnet. Which of the following is the correct broadcast address for the subnet? ``` A. 52.93.24.255 B. 52.93.0.255 C. 52.93.32.255 D. 52.93.31.255 E. 52.93.255.255 ```

D. If you look at the address 52.93.24.42 in binary, it looks like this: 00110100.01011101.00011000.00101010. The subnet mask given, /20, tells us only the first 24 bits count as the network ID (which cannot change if we are to stay in the same subnet), and the remaining 12 bits belong to the host. Turning off all the host bits (after the 20th) gives us our network ID: 00110100.01011101.00010000.00000000 (52.93.16.0/20). Turning on all the host bits gives us our broadcast address: 00110100.01011101.00011111.11111111 (52.93.31.255/20).

Which port number is used by default for syslog? A. 21 B. 23 C. 69 D. 514

D. Syslog uses 514 by default. Even if you had no idea, the other answers provided are very well-known default ports (FTP, Telnet, TFTP) that you can use to eliminate them as possible answers.

Which of the following commands would you use to quickly identify live targets on a subnet? (Choose all that apply.) A. nmap –A 172.17.24.17 B. nmap –O 172.17.24.0/24 C. nmap –sn 172.17.24.0/24 D. nmap –PI 172.17.24.0/24

C, D. Both the –sn and –PI switches will accomplish the task quickly and efficiently.

You’re running an IDLE scan and send the first packet to the target machine. Next, the SYN/ACK packet is sent to the zombie. The IPID on the return packet from the zombie is 36754. If the starting IPID was 36753, in what state is the port on the target machine? A. Open B. Closed C. Unknown D. None of the above

B. Since the IPID incremented by only 1, this means the zombie hasn’t sent anything since your original SYN/ACK to figure out the starting IPID. If the IPID had increased by two, then the port would be open because the zombie would have responded to the target machine’s SYN/ACK.

Which ICMP message type/code indicates the packet could not arrive at the recipient due to exceeding its time to live? A. Type 11 B. Type 3, Code 1 C. Type 0 D. Type 8

A. A Type 11 ICMP packet indicates the TTL for the packet has reached 0; therefore, it must take the Carrousel (from the movie Logan’s Run) and disappear to a better place.

An ethical hacker is sending TCP packets to a machine with the SYN flag set. None of the SYN/ACK responses on open ports is being answered. Which type of port scan is this? A. Ping sweep B. XMAS C. Stealth D. Full

C. ECC defines what most of us used to call a half-open scan (although I suppose it would actually make more sense mathematically to call it a two-third scan, since it’s a three-way handshake and only two are used) a stealth scan. This is also known as a SYN scan.

Which of the following statements is true regarding port scanning? A. Port scanning’s primary goal is to identify live targets on a network. B. Port scanning is designed to overload the ports on a target in order to identify which are open and which are closed. C. Port scanning is designed as a method to view all traffic to and from a system. D. Port scanning is used to identify potential vulnerabilities on a target system.

D. Port scanning has a singular purpose—to knock on ports and see if they’re open (listening). Does an open port necessarily mean something is wrong? No, but it does represent a potential vulnerability you can exploit later

Which of the following best describes a honeypot? A. It is used to filter traffic from screened subnets. B. It is used to gather information about potential network attackers. C. It is used to analyze traffic for detection signatures. D. Its primary function involves malware and virus protection.

B. A honeypot is designed to draw attackers in so you can watch what they do, how they do it, and where they do it from.

Which of the following Wireshark filters would display all traffic sent from, or destined to, systems on the 172.17.15.0/24 subnet? (Choose all that apply.) A. ip.addr == 172.17.15.0/24 B. ip.src == 172.17.15.0/24 and ip.dst == 172.17.15.0/24 C. ip.src == 172.17.15.0/24 or ip.dst == 172.17.15.0/24 D. ip.src == 172.17.15.0/24 and ip.dst == 172.17.15.0/24

A, C. In Wireshark filter questions, always pay attention to the operators. While answer A shows any packet with the correct IP in it, anywhere, the or operator in answer C shows packets meeting both options

Which of the following best describes active sniffing? (Choose all that apply.) A. Active sniffing is usually required when hubs are in place. B. Active sniffing is usually required when switches are in place. C. Active sniffing is harder to detect than passive sniffing. D. Active sniffing is easier to detect than passive sniffing.

B, D. If you’re on a hub, why bother with active sniffing techniques? You’re already seeing everything. Also, active sniffing is much more likely to get you caught than simply plugging in a wire and sitting back.

Your client tells you they know beyond a doubt an attacker is sending messages back and forth from their network, yet theIDS doesn’t appear to be alerting on the traffic. Which of the following is most likely true? A. The attacker is sending messages over an SSL tunnel. B. The attacker has corrupted ACLs on every router in the network. C. The attacker has set up port security on network switches. D. The attacker has configured a trunk port on a switch.

A. Encryption is the bane of IDS’s existence. If traffic is encrypted, the IDS is blind as a bat.

Which display filter for Wireshark shows all packets containing the word facebook? A. content==facebook B. tcp contains facebook C. display==facebook D. tcp.all contains ==facebook

B. The appropriate Wireshark display filter is the following: tcp contains search-string.

You are configuring rules for your Snort installation and want to have an alert message of “Attempted FTP” on any FTPpacket coming from an outside address intended for one of your internal hosts. Which of the following rules are correct for this situation? A. alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:″Attempted FTP″) B. alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:″Attempted FTP″) C. alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:″Attempted FTP″) D. alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:″Attempted FTP″).

C. Snort rules follow the same syntax: action protocol src address src port -> dest address port (options).

What occurs when an IDS does not properly identify a malicious packet entering the network? A. False negative B. False positive C. True negative D. True positive

A. When traffic gets to the IDS, is examined, and is still let through even though it’s naughty, a false negative has occurred. And a false negative is really, really bad.

Machine A (with MAC address 00-01-02-AA-BB-CC) and Machine B (00-01-02-BB-CC-DD) are on the same subnet. Machine C, with address 00-01-02-CC-DD-EE, is on a different subnet. While the attacker is sniffing on the fully switched network, Machine B sends a message to Machine C. If an attacker on Machine A wanted to receive a copy of this message, which of the following circumstances would be necessary? A. The ARP cache of the router would need to be poisoned, changing the entry for Machine A to 00-01-02-CC-DD-EE. B. The ARP cache of Machine B would need to be poisoned, changing the entry for the default gateway to 00-01-02- AA-BB-CC. C. The ARP cache of Machine C would need to be poisoned, changing the entry for the default gateway to 00-01-02- AA-BB-CC. D. The ARP cache of Machine A would need to be poisoned, changing the entry for Machine C to 00-01-02-BB-CCDD.

B. ARP poisoning is done on the machine creating the frame—the sender. Changing the default gateway entry on the sending machine results in all frames intended for an IP out of the subnet being delivered to the attacker. Changing the ARP cache on the other machine or the router is pointless.

An IDS installed on the network perimeter sees a spike in traffic during off-duty hours and begins logging and alerting. Which type of IDS is in place? A. Stateful B. Signature based C. Anomaly based D. Packet filtering

C. IDSs can be signature or anomaly based. Anomaly-based systems build a baseline of normal traffic patterns overtime, and anything that appears outside of the baseline is flagged

In what situation would you employ a proxy server? (Choose the best answer.) A. You wish to share files inside the corporate network. B. You want to allow outside customers into a corporate website. C. You want to filter Internet traffic for internal systems. D. You want to provide IP addresses to internal hosts.

C. There are a bunch of reasons for having a proxy. In this case, you’re using it to filter traffic between internal hosts and the rest of the world. Generally speaking, proxies don’t act as file servers, websites, or DHCP servers.

An attacker has successfully connected a laptop to a switch port and turned on a sniffer. The NIC is running in promiscuous mode, and the laptop is left alone for a few hours to capture traffic. Which of the following statements are true? (Choose all that apply.) A. The packet capture will provide the MAC addresses of other machines connected to the switch. B. The packet capture will provide only the MAC addresses of the laptop and the default gateway. C. The packet capture will display all traffic intended for the laptop. D. The packet capture will display all traffic intended for the default gateway

A, C. Switches filter or flood traffic based on the address. Broadcast traffic, such as ARP requests and answers, is flooded to all ports. Unicast traffic, such as traffic intended for the laptop itself or the default gateway, is sent only to the port on which the machine rests.

Which of the following are appropriate active sniffing techniques against a switched network? (Choose all that apply.) ``` A. ARP poisoning B. MAC flooding C. SYN flooding D. Birthday attack E. Firewalking ```

A, B. ARP poisoning can be used to trick a system into sending packets to your machine instead of recipients (including the default gateway). MAC flooding is an older attack used to fill a CAM table and make a switch behave like a hub.

A pen tester is configuring a Windows laptop for a test. In setting up Wireshark, what driver and library are required to allow the NIC to work in promiscuous mode? A. libpcap B. winprom C. winpcap D. promsw

C. WinPcap is the library used for Windows devices. Libpcap is used on Linux devices for the same purpose.

Which of the following works at Layer 5 of the OSI model? A. Stateful firewall B. Packet-filtering firewall C. Circuit-level firewall D. Application-level firewall

C. I admit, this one is tricky. Yes, circuit-level firewalls work at Layer 5. Stateful firewalls can be said to work at Layer 5, but they’re focused on Layers 3 and 4. Application works at Layer 7.

Which of the following best defines steganography? A. Steganography is used to hide information within existing files. B. Steganography is used to create hash values of data files. C. Steganography is used to encrypt data communications, allowing files to be passed unseen. D. Steganography is used to create multimedia communication files

A. Steganography is designed to place information in files where it will lay hidden until needed. Information can be hidden in virtually any file, although image and video files are traditionally associated with steganography.

Which encryption standard is used by LM? ``` A. MD5 B. SHA-1 C. DES D. SHA-2 E. 3DES ```

C. LAN Manager (LM), an old and outdated authentication system, used DES, an old and outdated means for hashing files (in this case, passwords).

Which of the following would be considered a passive online password attack? A. Guessing passwords against an IPC$ share B. Sniffing subnet traffic to intercept a password C. Running John the Ripper on a stolen copy of the SAM D. Sending a specially crafted PDF to a user for that user to open

B. Passive online attacks simply involve stealing passwords passed in clear text or copying the entire password exchange in the hopes of pulling off a reply or man-in-the-middle attack.

A user on Joe’s network does not need to remember a long password. Users on Joe’s network log in using a token and a four-digit PIN. Which authentication measure best describes this? A. Multifactor authentication B. Three-factor authentication C. Two-factor authentication D. Token authentication

C. Because Joe’s users need something they have—a token—and something they know—the PIN—this is considered two-factor authentication.

Which of the following best defines a hybrid attack? A. The attack uses a dictionary list, trying words from random locations in the file until the password is cracked. B. The attack tries random combinations of characters until the password is cracked. C. The attack uses a dictionary list, substituting letters, numbers, and characters in the words until the password is cracked. D. The attack use rainbow tables, randomly attempting hash values throughout the list until the password is cracked.

C. The hybrid attack takes any old dictionary list and juices it up a little. It will substitute numbers for letters, inject a character or two, and run all sorts of hybrid versions of your word list in an attempt to crack passwords.

While pen-testing a client, you discover that LM hashing, with no salting, is still engaged for backward compatibility on most systems. One stolen password hash reads 9FAF6B755DC38E12AAD3B435B51404EE. Is this user following good password procedures? A. Yes, the hash shows a 14-character, complex password. B. No, the hash shows a 14-character password; however, it is not complex. C. No, the hash reveals a seven-character-or-less password has been used. D. It is impossible to determine simply by looking at the hash.

C. LM hashes pad a password with blank spaces to reach 14 characters, split it into two 7-character sections, and then hash both separately. Because the LM hash of seven blank characters is always AAD3B435B51404EE, you can tell from the hash that the user has used only seven or fewer characters in the password. Because CEH has recommended that a password be a minimum of eight characters, be complex, and expire after 30 days, the user is not following good policy

Where is the SAM file stored on a Windows 7 system? A. /etc/ B. C:\Windows\System32\etc\ C. C:\Windows\System32\Config\ D. C:\Windows\System32\Drivers\Config

C. The SAM file is stored in the same folder on most Windows machines: C:\Windows\System32\Config\.

Examining a database server during routine maintenance you discover an hour of time missing from the log file, during what would otherwise be normal operating hours. Further investigation reveals no user complaints on accessibility. Which of the following is the most likely explanation? A. The log file is simply corrupted. B. The server was compromised by an attacker. C. The server was rebooted. D. No activity occurred during the hour time frame

B. It’s a database server during normal business hours and there’s nothing in the log? Forget the fact a reboot would’ve showed up somewhere—none of the users complained about it being down at all. No, we think this one is going to require some forensics work. Call the IR team.

Which of the following can migrate the machine’s actual operating system into a virtual machine? A. Hypervisor-level rootkit B. Kernel-level rootkit C. Virtual rootkit D. Library-level rootkit

A. The hypervisor-level rootkit is defined by ECC as one that basically replaces your physical OS with a virtual one

After gaining access to a Windows machine, you see the last command executed on the box looks like this: net use F: \\MATTBOX\BankFiles /persistent: yes Assuming the user had appropriate credentials, which of the following are true? (Choose all that apply.) A. In Windows Explorer, a folder will appear under the root directory named BankFiles. B. In Windows Explorer, a drive will appear denoted as BankFiles (\\MATTBOX) (F:). C. The mapped drive will remain mapped after a reboot. D. The mapped drive will not remained mapped after a reboot.

B, C. Net use commands were the rage back in the day. This command connects to a shared folder on MATTBOX. The shared folder is named BankFiles, and the mapping will display as a drive (F:) on the local machine. The persistent:yes portion means it will remain mapped forever, until you turn it off.

An attacker has hidden badfile.exe in the readme.txt file. Which of the following is the correct command to execute the file? A. start readme.txt>badfile.exe B. start readme.txt:badfile.exe C. start badfile.exe > readme.txt D. start badfile.exe | readme.txt

B. The command start readme.txt:badfile.exe says “Start the executable badfile.exe that is hidden in the readme.txt file.” In other variants of this question, the bad guy could create a link and execute it simply by typing the link name (for example, mklink innocent.exe readme.txt:badfile.exe would create a link and the bad file could be executed simply by typing innocent).

You see the following command in a Linux history file review: someproc & Which of the following best describe the command result? (Choose two.) A. The process “someproc” will stop when the user logs out. B. The process “someproc” will continue to run when the user logs out. C. The process “someproc” will run as a background task. D. The process “someproc” will prompt the user when logging off.

A, C. The ampersand (&) after the command dictates that the process should run in the background. Without anything indicating a persistent process (that is, adding nohup before the process name), it will die when the user logs out

The accounting department of a business notices several orders that seem to have been made erroneously. In researching the concern, you discover it appears the prices of items on several web orders do not match the listed prices on the public site. You verify the web server and the ordering database do not seem to have been compromised. Additionally, no alerts have displayed in the Snort logs concerning a possible attack on the web application. Which of the following might explain the attack in play? A. The attacker has copied the source code to his machine and altered hidden fields to modify the purchase price of the items. B. The attacker has used SQL injection to update the database to reflect new prices for the items. C. The attacker has taken advantage of a server-side include that altered the price. D. The attacker used Metasploit to take control of the web application.

A. In this case, because the logs and IDSs show no direct attack, it’s most likely the attacker has copied the source code directly to his machine and altered the hidden “price” fields on the order form. All other types of attack would have, in some form or fashion, shown themselves easily.

Which of the following would be the best protection against XSS attacks? A. Invest in top-of-the-line firewalls. B. Perform vulnerability scans against your systems. C. Configure input validation on your systems. D. Have a pen test performed against your systems.

C. “Best” is always a tricky word. In this case, configuring server-side operations to validate what’s being put in the input field is by far the best mitigation. Could vulnerability scans and pen tests tell you something is wrong? Sure, but by themselves they don’t do anything to protect you.

Which of the following is true regarding n-tier architecture? A. Each tier must communicate openly with every other tier. B. N-tier always consists of presentation, logic, and data tiers. C. N-tier is usually implemented on one server. D. N-tier allows each tier to be configured and modified independently.

D. While usually implemented in three tiers, n-tier simply means you have three or more independently monitored, managed, and maintained collection of servers, each providing a specific service or tasking.

Which character is the best choice to start a SQL injection attempt? A. Colon B. Semicolon C. Double quote D. Single quote

D. The single quote should begin SQL injection attempts, even though in many database systems it’s not always an absolute.

Which of the following is a true statement? A. Configuring the web server to send random challenge tokens is the best mitigation for XSS attacks. B. Configuring the web server to send random challenge tokens is the best mitigation for buffer overflow attacks. C. Configuring the web server to send random challenge tokens is the best mitigation for parameter-manipulation attacks. D. Configuring the web server to send random challenge tokens is the best mitigation for CSRF attacks.

D. The requests from the bad guy masquerading with your session ID through your browser can be largely stopped by making sure each request has a challenge token—if the server gets one without a token, it’s naughty and dropped.

Which of the following is a true statement? A. SOAP cannot bypass a firewall. B. SOAP encrypts messages using HTTP methods. C. SOAP is compatible with HTTP and SMTP. D. SOAP messages are usually bidirectional.

C. SOAP is compatible with HTTP and SMTP, and usually the messages are “one way” in nature.

SOAP is used to package and exchange information for web services. What does SOAP use to format this information? A. XML B. HTML C. HTTP D. Unicode

A. SOAP formats its information exchange in XML.

A security administrator monitoring logs comes across a user login attempt that reads UserJoe)(&). What can you infer from this username login attempt? A. The attacker is attempting SQL injection. B. The attacker is attempting LDAP injection. C. The attacker is attempting SOAP injection. D. The attacker is attempting directory traversal.

B. The )(&) indicates an LDAP injection attempt.

A security administrator sets the HttpOnly flag in cookies. Which of the following is he most likely attempting to mitigate ``` against? A. CSRF B. CSSP C. XSS D. Buffer overflow E. SQL injection ```

C. Of the answers provided, XSS is the only one that makes sense. This setting prevents cookies from being accessible by a client-side script.

Which of the following are true statements? (Choose two.) A. WebGoat is maintained by the IETF. B. WebGoat is maintained by OWASP. C. WebGoat can be installed on Windows or Linux. D. WebGoat is designed for Apache systems only.

B, C. WebGoat has 30 or so “lessons” imbedded to display how security vulnerabilities work on a system. It is maintained by OWASP, can be installed on virtually any platform, works well with Java and .NET, and provides the perfect “black box” testing opportunity for new, and seasoned, pen testers to practice on without fear of breaking something.

A WPA2 wireless network is discovered during a pen test. Which of the following methods is the best way to crack the network key? A. Capture the WPA2 authentication traffic and crack the key. B. Capture a large amount of initialization vectors and crack the key inside. C. Use a sniffer to capture the SSID. D. WPA2 cannot be cracked.

A. WPA2 is a strong encryption method, but almost everything can be hacked given time. Capturing the password pairwise master key (PMK) during the handshake is the only way to do it, and even then it’s virtually impossible if it’s a complicated password.

You are discussing wireless security with your client. He tells you he feels safe with his network because he has turned off SSID broadcasting. Which of the following is a true statement regarding his attempt at security? A. Unauthorized users will not be able to associate because they must know the SSID in order to connect. B. Unauthorized users will not be able to connect because DHCP is tied to SSID broadcast. C. Unauthorized users will still be able to connect because nonbroadcast SSID puts the AP in ad hoc mode. D. Unauthorized users will still be able to connect because the SSID is still sent in all packets, and a sniffer can easily discern the string.

D. Turning off the broadcast of an SSID is a good step, but SSIDs do nothing in regard to security. The SSID is included in every packet, regardless of whether it’s broadcast from the AP.

You are discussing wireless security with your client. He tells you he feels safe with his network as he has implemented MAC filtering on all access points, allowing only MAC addresses from clients he personally configures in each list. You explain this step will not prevent a determined attacker from connecting to his network. Which of the following explains why the APs are still vulnerable? A. WEP keys are easier to crack when MAC filtering is in place. B. MAC addresses are dynamic and can be sent via DHCP. C. An attacker could sniff an existing MAC address and spoof it. D. An attacker could send a MAC flood, effectively turning the AP into a hub.

C. MAC filtering is easily hacked by sniffing the network for a valid MAC and then spoofing it, using any number of options available.

What information is required in order to attempt to crack a WEP AP? (Choose two.) A. Network SSID B. MAC address of the AP C. IP address of the AP D. Starting sequence number in the first initialization vector

A, B. The MAC address of the AP and the SSID are required for attempting a WEP crack.

Which of the following protects against man-in-the-middle attacks in WPA? A. MIC B. CCMP C. EAP D. AES

A. MIC provides integrity checking in WPA, verifying frames are authentic and have not been tampered with. Part of how it accomplishes this is a sequence number—if any arrive out of sequence, the whole session is dropped.

Which of the following is the best choice for performing a bluebugging attack? A. PhoneSnoop B. BBProxy C. btCrawler D. Blooover

D. Blooover is designed for bluebugging. BBProxy and PhoneSnoop are both Blackberry tools, and btCrawler is a discovery option.

Operations promotes the use of mobile devices in the enterprise. Security disagrees, noting multiple risks involved in adding mobile devices to the network. Which of the following provides some protections against the risks security is concerned about? A. Implement WPA. B. Add MAC filtering to all WAPs. C. Implement MDM. D. Ensure all WAPs are from a single vendor.

C. Mobile Device Management won’t mitigate all the risks associated with unending use of mobile devices on your network—but at least it’s something.

Which of the following provides for integrity in WPA2? A. AES B. CCMP C. TKIP D. RADIUS

B. Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (say that three times fast) uses Message Integrity Codes (MICs) for integrity purposes.

Which of the following is a true statement? A. Configuring a strong SSID is a vital step in securing your network. B. An SSID should always be more than eight characters in length. C. An SSID should never be a dictionary word or anything easily guessed. D. SSIDs are important for identifying networks but do little to nothing for security

D. An SSID is used for nothing more than identifying the network. It is not designed as a security measure.

Which wireless encryption technology makes use of temporal keys? A. WAP B. WPA C. WEP D. EAP

B. WPA uses temporal keys, making it a much stronger encryption choice than WEP.

Which wireless technology uses RC4 for encryption? ``` A. WAP B. WPA C. WEP D. WPA2 E. All of the above ```

C. WEP uses RC4, which is part of the reason it’s so easily hacked and not considered a secure option.

You wish to gain administrative privileges over your Android device. Which of the following tools is the best option for rooting the device? A. Pangu B. SuperOneClick C. Cydia D. evasi0n7

B. SuperOneClick is designed for rooting Android. The others are jailbreaking iOS options.

Which of the following jailbreaking techniques will leave the phone in a jailbroken state even after a reboot? A. Tethered B. Untethered C. Semi-tethered D. Rooted

B. If untethered jailbreaking has been performed, the device is in a jailbroken state forever, with or without connection to another device.

Implementing cloud computing provides many benefits. Which of the following is the best choice of a security principle applicable to implementing cloud security? A. Need to know B. Least privilege C. Job rotation D. Separation of duties

D. While implementing cloud computing doesn’t fully address separation of duties, of the choices provided it’s the only one that makes sense. The cloud, by its nature, can separate the data owner from the data custodian (the cloud provider assumes the role).

Which of the following best represents SOA? A. File server B. An application containing both the user interface and the code allowing access to the data C. An API that allows different components to communicate D. A single database accessed by multiple sources

C. Service Oriented Architecture (SOA) is all about software components delivering information to one another on a network, and this is the best available answer.

Which cloud computing model is geared toward software development? A. IaaS B. PaaS C. SaaS D. Private

B. PaaS provides a development platform that allows subscribers to develop applications without building the infrastructure it would normally take to develop and launch software.

Amazon’s EC2 provides virtual machines that can be controlled through a service API. Which of the following best defines this service? A. IaaS B. PaaS C. SaaS D. Public

A. Amazon’s EC2 provides resizable compute capacity in the cloud via VMs that can be controlled via an API, thus fitting the definition of IaaS.

Google Docs and Salesforce CRM are two examples of which cloud computing model? A. IaaS B. PaaS C. SaaS D. Public

C. Software as a Service best describes this. SaaS is simply a software distribution model—the provider offers ondemand applications to subscribers over the Internet.

Google Docs and Salesforce CRM are two examples of which cloud computing model? A. IaaS B. PaaS C. SaaS D. Public

A. Session riding is simply CSRF under a different name and deals with cloud services instead of traditional data centers.

Which of the following best describes a wrapping attack? A. CSRF-type attack against cloud computing resources. B. An attack involving leveraging a new or existing VM on a physical device against another VM. C. A SOAP message is intercepted, data in the envelope is changed, and then the data is sent/replayed. D. The virtual machine management system on the physical machine is corrupted or administrative control is gained over it.

C. Wrapping attacks involve messing with SOAP messages and replaying them as legitimate.

In the NIST Cloud Computing Reference Architecture, which of the following has the responsibility of transmitting the data? A. Cloud provider B. Cloud carrier C. Cloud broker D. Cloud consumer

B. Akin to the power distributor for the electric grid, the carrier is the intermediary for connectivity and transport between subscriber and provider.

In the NIST Cloud Computing Reference Architecture, which component acts to manage use, performance, and delivery of cloud services, as well as the relationships between providers and subscribers? A. Cloud provider B. Cloud carrier C. Cloud broker D. Cloud consumer

C. The broker “acts as the intermediate between consumer and provider and will help consumers through the complexity of cloud service offerings and may also create value added cloud services as well.”

In the NIST Cloud Computing Reference Architecture, which component acquires and uses cloud products and services? A. Cloud provider B. Cloud carrier C. Cloud broker D. Cloud consumer

D. The consumer is the subscriber, who engages a provider for services.

Which of the following doesn’t define a method of transmitting data that violates a security policy? A. Backdoor channel B. Session hijacking C. Covert channel D. Overt channel

D. Overt channels are legitimate, and used legitimately. Everything else listed is naughty.

Which virus type is only executed when a specific condition is met? A. Sparse infector B. Multipartite C. Metamorphic D. Cavity

A. Sparse infector viruses only fire when a specific condition is met. For example, maybe the fifth time Calculator is run, whammo—virus execution.

Which of the following propagates without human interaction? A. Trojan B. Worm C. Virus D. MITM

B. Much like Skynet from the Terminator movies, worms do not need us.

Which of the following don’t use ICMP in the attack? (Choose two.) A. SYN flood B. Ping of Death C. Smurf D. Peer to peer

A, D. A SYN flood doesn’t use ICMP at all, nor does a peer-to-peer attack.

Which of the following is not a recommended step in recovering from a malware infection? A. Delete system restore points. B. Back up the hard drive. C. Remove the system from the network. D. Reinstall from original media.

B. Backing up a hard drive that’s already infected makes as much sense as putting ketchup on a doughnut. The malicious files are on the drive, so backing it up does nothing but ensure you’ll reinfect something later on.

Which of the following is a recommendation to protect against session hijacking? (Choose two.) A. Use only nonroutable protocols. B. Use unpredictable sequence numbers. C. Use a file verification application, such as Tripwire. D. Use a good password policy. E. Implement ICMP throughout the environment.

B, E. Unpredictable sequence numbers make session hijacking nearly impossible, and implementing ICMP—which provides encryption and authentication services—is also probably a good idea.

Which of the following attacks an already-authenticated connection? A. Smurf B. Denial of service C. Session hijacking D. Phishing

C. Session hijacking takes advantage of connections already in place and already authenticated.

How does Tripwire (and programs like it) help against Trojan attacks? A. Tripwire is an AV application that quarantines and removes malware immediately. B. Tripwire is an AV application that quarantines and removes malware after a scan. C. Tripwire is a file-integrity-checking application that rejects malware packets intended for the kernel. D. Tripwire is a file-integrity-checking application that notifies you when a system file has been altered, potentially indicating malware.

D. Tripwire is one of the better-known file integrity verifiers, and it can help prevent Trojans by notifying you immediately when an important file is altered.

Which of the following DoS categories consume all available bandwidth for the system or service? A. Fragmentation attacks B. Volumetric attacks C. Application attacks D. TCP state-exhaustion attacks

B. Volumetric attacks consume all available bandwidth for the system or service.

During a TCP data exchange, the client has offered a sequence number of 100, and the server has offered 500. During acknowledgments, the packet shows 101 and 501, respectively, as the agreed-upon sequence numbers. With a window size of 5, which sequence numbers would the server willingly accept as part of this session? A. 102 through 104 B. 102 through 501 C. 102 through 502 D. Anything above 501

A. Starting with the acknowledged sequence number of 101, the server will accept packets between 102 and 106 before sending an acknowledgment.

Which of the following is the proper syntax on Windows systems for spawning a command shell on port 56 using Netcat? A. nc -r 56 -c cmd.exe B. nc -p 56 -o cmd.exe C. nc -L 56 -t -e cmd.exe D. nc -port 56 -s -o cmd.exe

C. This is the correct syntax for using Netcat to leave a command shell open on port 56.

Which of the following best describes a DRDoS? A. Multiple intermediary machines send the attack at the behest of the attacker. B. The attacker sends thousands upon thousands of SYN packets to the machine with a false source IP address. C. The attacker sends thousands of SYN packets to the target but never responds to any of the return SYN/ACK packets. D. The attack involves sending a large number of garbled IP fragments with overlapping, oversized payloads to the target machine.

B. The distributed reflection denial of service (DRDoS) attack is, for all intents and purposes, a botnet. Secondary systems carry out the attacks so the attacker remains hidden

Which of the following best describes a teardrop attack? A. The attacker sends a packet with the same source and destination address. B. The attacker sends several overlapping, extremely large IP fragments. C. The attacker sends UDP Echo packets with a spoofed address. D. The attacker uses ICMP broadcast to DoS targets.

B. In a teardrop attack, the reassembly of fragments takes down the target.

Which of the following attacks acts as a man-in-the-middle, exploiting fallback mechanisms in TLS clients? A. POODLE B. Heartbleed C. FREAK D. DROWN

A. In a POODLE attack, the man-in-the-middle interrupts all handshake attempts by TLS clients, forcing a degradation to a vulnerable SSL version.

RC4 is a simple, fast encryption cipher. Which of the following is not true regarding RC4? A. RC4 can be used for web encryption. B. RC4 uses block encryption. C. RC4 is a symmetric encryption cipher. D. RC4 can be used for file encryption.

B. RC4 is a simple, fast, symmetric stream cipher. It can be used for almost everything you can imagine an encryption cipher could be used for (you can even find it in WEP).

An organization has decided upon AES with a 256-bit key to secure data exchange. What is the primary consideration for this? A. AES is slow. B. The key size makes data exchange bulky and complex. C. It uses a shared key for encryption. D. AES is a weak cypher.

C. AES is a symmetric algorithm, which means that the same key is used for encryption and decryption. The organization will have to find a secured means to transmit the key to both parties before any data exchange

Joe and Bob are both ethical hackers and have gained access to a folder. Joe has several encrypted files from the folder, and Bob has found one of them unencrypted. Which of the following is the best attack vector for them to follow? A. Cipher text only B. Known plain text C. Chosen cipher text D. Replay

B. In a known plain-text attack, the hacker has both plain-text and cipher-text messages; the plain-text copies are scanned for repeatable sequences, which are then compared to the cipher-text versions. Over time, and with effort, this can be used to decipher the key.

You are reviewing security plans and policies, and you wish to provide protection to organization laptops. Which effort listed protects system folders, files, and MBR until valid credentials are provided at pre-boot? A. Cloud computing B. SSL/TLS C. Full disk encryption D. AES

C. FDE is the appropriate control for data-at-rest protection. Pre-boot Authentication provides protection against loss or theft.

Which of the following is used to distribute a public key within the PKI system, verifying the user’s identity to the recipient? A. Digital signature B. Hash value C. Private key D. Digital certificate

D. A digital certificate contains, among other things, the sender’s public key, and it can be used to identify the sender.

A hacker feeds plain-text files into a hash, eventually finding two or more that create the same fixed-value hash result. This anomaly is known as what? A. Collision B. Chosen plain text C. Hash value compromise D. Known plain text

A. When two or more plain-text entries create the same fixed-value hash result, a collision has occurred.

An attacker uses a Metasploit auxiliary exploit to send a series of small messages to a server at regular intervals. The server responds with 64 bytes of data from its memory. Which of the following best describes the attack being used? A. POODLE B. Heartbleed C. FREAK D. DROWN

B. Heartbleed takes advantage of the data-echoing acknowledgement heartbeat in SSL. OpenSSL version 1.0.1 through version 1.0.1f are vulnerable to this attack.

Which of the following statements is true regarding encryption algorithms? A. Symmetric algorithms are slower, are good for bulk encryption, and have no scalability problems. B. Symmetric algorithms are faster, are good for bulk encryption, and have no scalability problems. C. Symmetric algorithms are faster, are good for bulk encryption, but have scalability problems. D. Symmetric algorithms are faster but have scalability problems and are not suited for bulk encryption

C. Symmetric algorithms are fast, are good for bulk encryption, but have scalability problems.

Within a PKI system, Joe encrypts a message for Bob and sends it. Bob receives the message and decrypts the message using what? A. Joe’s public key B. Joe’s private key C. Bob’s public key D. Bob’s private key

D. Bob’s public key is used to encrypt the message. His private key is used to decrypt it.

Which of the following is a symmetric encryption method that transforms a fixed-length amount of plain text into an encrypted version of the same length? A. Stream B. Block C. Bit D. Hash

B. Block encryption takes a fixed-length block of plain text and converts it to an encrypted block of the same length.

Which symmetric algorithm uses variable block sizes (from 32 to 128 bits)? A. DES B. 3DES C. RC D. MD5

C. Rivest Cipher (RC) uses variable block sizes (from 32 to 128 bits).

Which hash algorithm produces a 160-bit output value? A. SHA-1 B. SHA-2 C. Diffie-Hellmann D. MD5

A. SHA-1 produces a 160-bit output value.

Two different organizations have their own public key infrastructure up and running. When the two companies merged, security personnel wanted both PKIs to validate certificates from each other. What must the CAs for both companies establish to accomplish this? A. Key exchange portal B. Key revocation portal C. Cross-site exchange D. Cross-certification

D. When PKIs need to talk to one another and trust certificates from either side, the CAs need to set up a mutual trust known as cross-certification.

Within a PKI, which of the following verifies the applicant? A. Registration authority B. User authority C. Revocation authority D. Primary authority

A. A registration authority (RA) validates an applicant into the system, making sure they are real, valid, and allowed to use the system.

Which of the following is a software application used to asymmetrically encrypt and digitally sign e-mail? A. PGP B. SSL C. PPTP D. HTTPS

A. Pretty Good Privacy (PGP) is used for signing, compression, and encrypting and decrypting e-mails, files, directories, and even whole disk partitions, mainly in an effort to increase the security of e-mail communications.

An attacker creates a fake ID badge and waits next to an entry door to a secured facility. An authorized user swipes a key card and opens the door. Jim follows the user inside. Which social engineering attack is in play here? A. Piggybacking B. Tailgating C. Phishing D. Shoulder surfing

B. In tailgating, the attacker holds a fake entry badge of some sort and follows an authorized user inside.

An attacker has physical access to a building and wants to attain access credentials to the network using nontechnical means. Which of the following social engineering attacks is the best option? A. Tailgating B. Piggybacking C. Shoulder surfing D. Sniffing

C. Because he is already inside (thus rendering tailgating and piggybacking pointless), the attacker could employ shoulder surfing to gain the access credentials of a user.

Bob decides to employ social engineering during part of his pen test. He sends an unsolicited e-mail to several users on the network advising them of potential network problems and provides a phone number to call. Later that day, Bob performs a DoS on a network segment and then receives phone calls from users asking for assistance. Which social engineering practice is in play here? A. Phishing B. Impersonation C. Technical support D. Reverse social engineering

D. Reverse social engineering occurs when the attacker uses marketing, sabotage, and support to gain access credentials and other information

Phishing, pop-ups, and IRC channel use are all examples of which type of social engineering attack? A. Human based B. Computer based C. Technical D. Physical

B. Computer-based social engineering attacks include any measures using computers and technology.

An attacker performs a Who is search against a target organization and discovers the technical point of contact (POC) and site ownership e-mail addresses. He then crafts an e-mail to the owner from the technical POC, with instructions to click a link to see web statistics for the site. Instead, the link goes to a fake site where credentials are stolen. Which attack has taken place? A. Phishing B. Man in the middle C. Spear phishing D. Human based

C. Spear phishing occurs when the e-mail is being sent to a specific audience, even if that audience is one person. In this example, the attacker used recon information to craft an e-mail designed to be more realistic to the intended victim and therefore more successful.

Which of the following is not a method used to control or mitigate against static electricity in a computer room? A. Positive pressure B. Proper electrical grounding C. Anti-static wrist straps D. A humidity control system

A. Positive pressure will do wonderful things to keep dust and other contaminants out of the room, but on its own it does nothing against static electricity.

Phishing e-mail attacks have caused severe harm to a company. The security office decides to provide training to all users in phishing prevention. Which of the following are true statements regarding identification of phishing attempts? (Choose all that apply.) A. Ensure e-mail is from a trusted, legitimate e-mail address source. B. Verify spelling and grammar is correct. C. Verify all links before clicking them. D. Ensure the last line includes a known salutation and copyright entry (if required).

A, B, C. Phishing e-mails can be spotted by who they are from, who they are addressed to, spelling and grammar errors, and unknown or malicious embedded links.

Lighting, locks, fences, and guards are all examples of __________ measures within physical security. A. physical B. technical C. operational D. exterior

A. Physical security controls fall into three categories: physical, technical, and operational. Physical measures include lighting, fences, and guards.

A man receives a text message on his phone purporting to be from Technical Services. The text advises of a security breach and provides a web link and phone number to follow up on. When the man calls the number, he turns over sensitive information. Which social engineering attack was this? A. Phishing B. Vishing C. Smishing D. Man in the middle

C. The term smishing refers to the use of text messages to socially engineer mobile device users. By definition it is a mobile-based social engineering attack. As an aside, it also sounds like something a five-year-old would say about killing a bug.

Background checks on employees, risk assessments on devices, and policies regarding key management and storage are examples of __________ measures within physical security. A. physical B. technical C. operational D. None of the above

C. Operational measures are the policies and procedures you set up to enforce a security-minded operation.

Your organization installs mantraps in the entranceway. Which of the following attacks is it attempting to protect against? A. Shoulder surfing B. Tailgating C. Dumpster diving D. Eavesdropping

B. Mantraps are specifically designed to prevent tailgating.

Which threat presents the highest risk to a target network or resource? A. Script kiddies B. Phishing C. A disgruntled employee D. A white-hat attacker

C. Everyone recognizes insider threats as the worst type of threat, and a disgruntled employee on the inside is the single biggest threat for security professionals to plan for and deal with.

A security staff is preparing for a security audit and wants to know if additional security training for the end user would be beneficial. Which of the following methods would be the best option for testing the effectiveness of user training in the environment? A. Vulnerability scanning B. Application code reviews C. Sniffing D. Social engineering

D. Social engineering is designed to test the human element in the organization. Of the answers provided, it is the only real option.

What marks the major difference between a hacker and an ethical hacker (pen test team member)? A. Nothing. B. Ethical hackers never exploit vulnerabilities; they only point out their existence. C. The tools they use. D. The predefined scope and agreement made with the system owner.

D. Pen tests always begin with an agreement with the customer that identifies the scope and activities. An ethical hacker will never proceed without written authorization.

Which of the following best describes a blue team? A. Security team members defending a network B. Security team members attacking a network C. Security team members with full knowledge of the internal network D. A performance group at Universal Studios in Orlando

A. Blue teams are defense-oriented. They concentrate on preventing and mitigating attacks and efforts of the red team/bad guys.

In which phase of a penetration test is scanning performed? A. Pre-attack B. Attack C. Post-attack D. Reconnaissance

A. All reconnaissance efforts occur in the pre-attack phase.

Which type of security assessment notifies the customer of vulnerabilities but does not actively or intentionally exploit them? A. Vulnerability assessment B. Scanning assessment C. Penetration test D. None of the above

A. Vulnerability assessments (a.k.a. security audits) seek to discover open vulnerabilities on the client’s systems but do not actively or intentionally exploit any of them.

Which of the following would be a good choice for an automated penetration test? (Choose all that apply.) A. nmap B. Netcat C. Core Impact D. CANVAS

C, D. Core Impact and CANVAS are both automated, all-in-one test tool suites capable of performing a test for a client. Other tools may be used in conjunction with them to spot vulnerabilities, including Nessus, Retina, SAINT, and Sara

Which of the following tests is generally faster and costs less but is susceptible to more false reporting and contract violation? A. Internal B. External C. Manual D. Automatic

D. Automatic testing involves the use of a tool suite and generally runs faster than an all-inclusive manual test. However, it is susceptible to false negatives and false positives and can oftentimes overrun the scope boundary.

Joe is part of a penetration test team and is starting a test. The client has provided him a system on one of their subnets but did not provide any authentication information, network diagrams, or other notable data concerning the systems. Which type of test is Joe performing? A. External, white box B. External, black box C. Internal, white box D. Internal, black box

D. Joe is on a system internal to the network and has no knowledge of the target’s network. Therefore, he is performing an internal, black-box test.

In which of the following would you find in a final report from a full penetration test? (Choose all that apply.) A. Executive summary B. A list of findings from the test C. The names of all the participants D. A list of vulnerabilities patched or otherwise mitigated by the team

A, B, C. The final report for a pen test includes an executive summary, a list of the findings (usually in order of highest risk), the names of all participants, a list of all findings (in order of highest risk), analysis of findings, mitigation recommendations, and any logs or other relevant files.

Which security assessment is designed to check policies and procedures within an organization? A. Security audit B. Vulnerability assessment C. Pen test D. None of the above

A. A security audit is used to verify security policies and procedures in place.

Which of the following best describes a red team? A. Security team members defending a network B. Security team members attacking a network C. Security team members with full knowledge of the internal network D. Security team members dedicated to policy audit review

B. Red teams are on offense. They are employed to go on the attack, simulating the bad guys out in the world trying to exploit anything they can find

Attackers search for vulnerabilities in an operating system’s design, installation or configuration and exploit them to gain access to a system.

Operating System Attacks

Security misconfiguration or poorly configured security controls might allow attackers to gain unauthorized access to the system, compromise files, or perform other unintended actions. Misconfiguration vulnerabilities affect web servers, application platforms, databases, networks, or frameworks that may result in illegal access or possible system takeover.

Misconfiguration attack

Attackers exploit the vulnerabilities in applications running on organizations’ information system to gain unauthorized access and steal or manipulate data.

Application-level attack

Software developers often use free libraries and code licensed from other sources in their programs to reduce development time and cost. This means that large portions of many pieces of software will be the same, and if an attacker discovers vulnerabilities in that code, many pieces of software are at risk. Attackers exploit default configuration and settings of the off-the-shelf libraries and code. The problem is that software developers leave the libraries and code unchanged.

Shrink-wrap code attack

Electronic warfare uses radio electronic and cryptographic techniques to degrade communication. Radio electronic techniques attack the physical means of sending information, whereas cryptographic techniques use bits and bytes to disrupt the means of sending information.

Electronic warfare

Intelligence-based warfare is a sensor-based technology that directly corrupts technological systems. Intelligence-based warfare is a warfare that consists of the design, protection, and denial of systems that seek sufficient knowledge to dominate the battlespace.

Intelligence-based warfare

In the computer security industry, C2 warfare refers to the impact an attacker possesses over a compromised system or network that they control.

Command and control warfare (C2 warfare)

Economic information warfare can affect the economy of a business or nation by blocking the flow of information. This could be especially devastating to organizations that do a lot of business in the digital world.

Economic warfare