Exam Prep Flashcards

Question 1

Q

What is the notion among hackers that something is worth doing or is interesting?

A) Zero-Day
B) Doxing
C) Hack Value
D)Exploit

Answer

A

C) Hack Value

Question 2

Q

What is an existence of a weakness,design, or implementation error that may lead to compromising the security of the system?

A) Exploit
B) Payload
C) Vulnerability
D) Bot

Answer

A

C) Vulnerability

Question 3

Q

What is breach of IT system security through vulnerabilities?

A) Doxing
B) Daisy Chaining
C) Exploit
D) Payload

Answer

A

C) Exploit

Question 4

Q

What is a part of an exploit code that performs the malicious action? i.e. destroying, creating, backdoor, hijacking computers

A) Vulnerability
B) Bot
C) Hack Value
D) Payload

Answer

A

D) Payload

Question 5

Q

What is an attack that exploits computer application vulnerabilities before a patch was able to be released?

A) Bot
B) Daisy Chaning
C) Zero-Day Attack
D) Hack Value

Answer

A

C) Zero-Day Attack

Question 6

Q

What involves gaining access to one network and/or computer to obtain information that will enable them to gain access to multiple other computers and/or networks?

A) Bot
B) Exploit
C) Daisy Chaining
D) Payload

Answer

A

C) Daisy Chaining

Question 7

Q

What involves publishing personally identifiable information about an individual that was obtain from public databases and social media?

A) Doxing
B) Zero-Day Attack
C) Vulnerability
D) Daisy Chaining

Answer

A

A) Doxing

Question 8

Q

What is a software application that can be remotely controlled to execute/automate predefined tasks?

A) Bot
B) Payload
C) Hack Value
D) Doxing

Question 9

Q

What is a state of infrastructure and information well-being to keep the possibility of theft, tampering, disruption of information and services kept tolerable and low?

A) Confidentiality
B) Information Security
C) Authenticity
D) Integrity

Answer

A

B) Information Security

Question 10

Q

What is the assurance that information is only accessible to authorized individuals?

A) Authenticity
B) Availability
C) Integrity
D)Confidentiality

Answer

A

D) Confidentiality

Question 11

Q

What is the trustworthiness of preventing improper and unauthorized changes of data or resources?

A) Availability
B) Integrity
C) Information Security
D) Non-Repudiation

Answer

A

B) Integrity

Question 12

Q

What refers to the assurance that the system which is responsible for the processing, delivering and storing of information is accessible to the authorized users when required?

A) Availability
B) Authenticity
C) Confidentiality
D) Non-Repudiation

Answer

A

A) Availability

Question 13

Q

What refers to any data, communication or document characteristics which ensures the quality of being genuine?

A) Availability
B) Authenticity
C) Non-Repudiation
D)Confidentiality

Answer

A

B) Authenticity

Question 14

Q

What guarantees that an individual cannot later deny sending a message and the recipient cannot deny receiving a message?

A) Availability
B) Non-Repudiation
C) Authenticity
D) Confidentiality

Answer

A

B) Non-Repudiation

Question 15

Q

What three components can any systems level of security be defined by?

A) Authenticity, Confidentiality, Integrity
B) Security, Functionality, Usability
C) Non-Repudiation, Usability, Authenticity
D) Authenticity, Integrity, Security

Answer

A

B) Security, Functionality, Usability

Question 16

Q

What three components make up attacks?

A) Attacks = Motive (goal) + Method + Vulnerability
B) Attacks = Security + Method + Confidentiality
C) Attacks = Availability + Vulnerability + Motive
D) Attacks = Security + Integrity + Method

Answer

A

A) Attacks = Motive (goal) + Method + Vulnerability

Question 17

Q

What originates out of the awareness that a target system processes or stores valuable data, which may lead towards an attack on the system?

A) Method
B) Vulnerability
C) Attackers
D) Motive

Answer

A

D) Motive

Question 18

Q

Who utilizes a variety of different tools and attack techniques to exploit vulnerabilities within a computer system to accomplish their motives?

A) System Analysts
B) Attackers
C) White Hat
D) All of the above

Answer

A

B) Attackers

Question 19

Q

What is an on-demand delivery of IT capabilities where an organizations sensitive data and clients are stored?

A) Cloud Computing
B) Botnet
C) Workstation
D) Access Control

Answer

A

A) Cloud Computing

Question 20

Q

What attack vector is a flaw in within a client’s application cloud which can enable attackers to access other client’s data?

A) Mobile Threats
B) Ransomware
C) Advanced Persistent Threats
D) Cloud Computing Threats

Answer

A

D) Cloud Computing Threats

Question 21

Q

What attack vector focuses on stealing data from a victims machine without their knowledge?

A) Advanced Persistent Threats (APT)
B) Ransomware
C) Mobile Threats
D) Cloud Computing Threats

Answer

A

A) Advanced Persistent Threats (APT)

Question 22

Q

What is the most prevalent networking threat that is capable of infecting an entire network within seconds?

A) Mobile Threats
B) Viruses and Worms
C) Advanced Persistent Threats
D) Cloud Computing Threats

Answer

A

B) Viruses and Worms

Question 23

Q

What attack restricts access to files and folders within a computer system and demands an online payment to remove the restrictions?

A) Advanced Persistent Threats (APT)
B) Ransomware
C) Mobile Threats
D) Cloud Computing Threats

Answer

A

B) Ransomware

Question 24

Q

Why have the focus of attackers shifted towards mobile devices?

A) The increase of mobile device adoption for business and personal purposes, and it also has less security controls.
B) No security controls
C) Individuals do not use mobile devices often
D) All of the above

Answer

A

A) The increase of mobile device adoption for business and personal purposes, and it also has less security controls.

Question 25

Q

What is a huge network of compromised systems that are utilized by attackers to perform a variety of different network attacks.

A) Insider Attacks
B) IoT Threats
C) Phishing
D) Botnet

Answer

A

D) Botnet

Question 26

Q

What attack is performed on a network or single computer by an entrusted individual who has authorized access?

A) Insider Attacks
B) IoT Threats
C) Phishing
D) Botnet

Answer

A

A) Insider Attacks

Question 27

Q

What attack send an illegitimate email claiming to be a legitimate site in as an attempt to acquire a users personal /account information?

A) Insider Attacks
B) IoT Threats
C) Phishing
D) Botnet

Answer

A

C) Phishing

Question 28

Q

Which security attack vector threatens the performance of a website and hampers its security to steal user credentials, set up a phishing site or acquire private data by targeting web applications?

A) Insider Attacks
B) Web Application Threats
C) Phishing
D) Botnet

Answer

A

B) Web Application Threats

Question 29

Q

What enables attackers to remotely gain access into an IoT device in order to perform a variety of different attacks?

A) Insider Attacks
B) IoT Threats
C) Phishing
D) Botnet

Answer

A

B) IoT Threats

Question 30

Q

What are the three different Information Security Threat Categories?

A) Network Threats, Host Threats, Application Threats
B) Host Threats, IoT Threats, Web Application Threats
C) Mobile Threats, Network Threats, IoT threats
D) Security Threats, Confidentiality Threats, IoT Threats

Answer

A

A) Network Threats, Host Threats, Application Threats

Question 31

Q

What type of attack does an attacker search for OS vulnerabilities and exploits them to gain access to the system?

A) Misconfiguration Attacks
B) Operating System Attacks
C) Shrink Wrap Code Attacks
D) Application Level Attacks

Answer

A

B) Operating System Attacks

Question 32

Q

What type of attack affects the web servers, application platforms, databases, networks, or frameworks that can lead towards illegal access or even the possibility of owning the system?

A) Misconfiguration Attacks
B) Operating System Attacks
C) Shrink Wrap Code Attacks
D) Application Level Attacks

Answer

A

A) Misconfiguration Attacks

Question 33

Q

What type of attack exploits that vulnerabilities in applications that are running on a company’s information system in order to steal or manipulate the data or gain unauthorized access?

A) Misconfiguration Attacks
B) Operating System Attacks
C) Shrink Wrap Code Attacks
D) Application Level Attacks

Answer

A

D) Application Level Attacks

Question 34

Q

What type of attack will exploit default configurations and settings of off- the-shelf libraries and code?

A) Misconfiguration Attacks
B) Operating System Attacks
C) Shrink Wrap Code Attacks
D) Application Level Attacks

Answer

A

C) Shrink Wrap Code Attacks

Question 35

Q

What refers to the utilization of information and communication technologies (ICT) for a competitive advantage over an opponent?

A) Information Warfare (InfoWar)
B) Vulnerability Warfare
C) Attacker Warfare
D) Exploit Warfare

Answer

A

A) Information Warfare (InfoWar)

Question 36

Q

What refers to all of the strategies/actions used to to defend against ICT asset attacks?

A) Defensive Information Warfare
B) Offensive Information Warfare
C) Attacker Warfare

Answer

A

A) Defensive Information Warfare

Question 37

Q

What refers to information warfare which involves the attacks against the opponents ICT assets?

A) Defensive Information Warfare
B) Offensive Information Warfare
C) Attacker Warfare

Answer

A

B) Offensive Information Warfare

Question 38

Q

What refers to exploiting system vulnerabilities and compromising security controls to gain unauthorized access to a system?

A) Hacking
B) Analysis
C) Vulnerability
D) Authorized User

Answer

A

A) Hacking

Question 39

Q

Who are people with extraordinary computing skills, resorting to malicious or destructive activities and are also known as crackers?

A) Black Hats
B) Script Kiddies
C) White Hats
D) Gray Hats

Answer

A

A) Black Hats

Question 40

Q

Who are unskilled hackers who compromise systems by running scripts, tools, and software developed by real hackers?

A) Black Hats
B) Script Kiddies
C) White Hats
D) Gray Hats

Answer

A

B) Script Kiddies

Question 41

Q

Who are people who profess hacking skills and utilize them for defensive proposes and are also known as security analysts?

A) Black Hats
B) Script Kiddies
C) White Hats
D) Gray Hats

Answer

A

C) White Hats

Question 42

Q

Who are people that have a wide range of skills, motivated by religious or political beliefs to create fear by large-scale disruption of computer networks?

A) Black Hats
B) Script Kiddies
C) Cyber Terrorists
D) Gray Hats

Answer

A

C) Cyber Terrorists

Question 43

Q

Who are individuals that work both offensively and defensively at various items?

A) Gray Hats
B) Script Kiddies
C) Cyber Terrorists
D) Gray Hats

Answer

A

A) Gray Hats

Question 44

Q

Who are people that are employed by the government to penetrate and gain top - secret information and to damage information systems of the other governments?

A) Gray Hats
B) Script Kiddies
C) State Sponsored Hackers
D) Gray Hats

Answer

A

C) State Sponsored Hackers

Question 45

Q

Who are people who aim to bring down critical infrastructure for a “cause” and are not worried about facing jail time or punishment?

A) Gray Hats
B) Script Kiddies
C) State Sponsored Hackers
D) Suicide Hackers

Answer

A

D) Suicide Hackers

Question 46

Q

Who are individuals who promote a political agenda by hacking especially by defacing or disabling websites?

A) Gray Hats
B) Hacktivist
C) State Sponsored Hackers
D) Suicide Hackers

Answer

A

B) Hacktivist

Question 47

Q

What is the second hacking phase?

A) Reconnaissance
B) Scanning
C) Gaining access
D) Maintaining access
E) Clearing tracks

Answer

A

B) Scanning

Question 48

Q

What is the third hacking phase?

A) Reconnaissance
B) Scanning
C) Gaining access
D) Maintaining access
E) Clearing tracks

Answer

A

C) Gaining access

Question 49

Q

What is the fourth hacking phase?

A) Reconnaissance
B) Scanning
C) Gaining access
D) Maintaining access
E) Clearing tracks

Answer

A

D) Maintaining access

Question 50

Q

What is the last hacking phase?

A) Reconnaissance
B) Scanning
C) Gaining access
D) Maintaining access
E) Clearing tracks

Answer

A

E) Clearing tracks

Question 51

Q

What is the first hacking phase?

A) Reconnaissance
B) Scanning
C) Gaining access
D) Maintaining access
E) Clearing tracks

Answer

A

A) Reconnaissance

Question 52

Q

What refers to the preparatory phase where an attacker seeks to gather information about a target prior to launching an attack?

A) Scanning 
B) Reconnaissance
C) Gaining Access
D) Maintaining Access
E) Clearing tracks

Answer

A

B) Reconnaissance

Question 53

Q

What refers to the pre-attack phase when the attacker scans the network for specific information.

A) Scanning 
B) Reconnaissance
C) Gaining Access
D) Maintaining Access
E) Clearing tracks

Answer

A

A) Scanning

Question 54

Q

What refers to the point where the attacker obtains access to the operating system or application?

A) Scanning 
B) Reconnaissance
C) Gaining Access
D) Maintaining Access
E) Clearing tracks

Answer

A

C) Gaining Access

Question 55

Q

What refers to the phase when the attacker tries to retain his or her ownership of the system?

A) Scanning 
B) Reconnaissance
C) Gaining Access
D) Maintaining Access
E) Clearing tracks

Answer

A

D) Maintaining Access

Question 56

Q

What refers to the activities carried out by an attacker to hide malicious acts?

A) Scanning 
B) Reconnaissance
C) Gaining Access
D) Maintaining Access
E) Clearing tracks

Answer

A

E) Clearing tracks

Question 57

Q

What involves the use of hacking tools , tricks, and technical techniques to identify vulnerabilities to ensure system security?

A) Ethical Hacking
B) Hacking
C) Scanning
D) Reconnaissance

Answer

A

A) Ethical Hacking

Question 58

Q

What refers to the assurance that the integrity, availability, confidentiality and authenticity of information and information systems are protected during usage, processing, storage, and transmission of information?

A) Information Assurance (AI)
B) Hacking
C) Ethical Hacking
D) Scanning

Answer

A

A) Information Assurance (AI)

Question 59

Q

What is a well-defined level of information security that includes policies, processes, procedures, standards and guidelines?

A) Information Security Management Program
B) Enterprise Information Security Architecture (EISA)
C) Network Security Zoning
D) Defense-In-Depth

Answer

A

A) Information Security Management Program

Question 60

Q

What is a set of requirements,processes,principles and models that determines the structure and behavior of an organization’s information systems?

A) Information Security Management Program
B) Enterprise Information Security Architecture (EISA)
C) Network Security Zoning
D) Defense-In-Depth

Answer

A

B) Enterprise Information Security Architecture (EISA)

Question 61

Q

What mechanism allows an organization to manage a secure network environment by selecting the appropriate security levels for the different zones of internet and intranet networks?

A) Information Security Management Program
B) Enterprise Information Security Architecture (EISA)
C) Network Security Zoning
D) Defense-In-Depth

Answer

A

C) Network Security Zoning

Question 62

Q

What is an uncontrolled zone, as it is outside the boundaries of an organization?

A) Internet DMZ
B) Internet Zone
C) Production Network Zone 
D) Intranet Zone
E) Management Network Zone

Answer

A

B) Internet Zone

Question 63

Q

What is a controlled zone, as it provides a barrier between internal networks and internet?

A) Internet DMZ
B) Internet Zone
C) Production Network Zone 
D) Intranet Zone
E) Management Network Zone

Answer

A

A) Internet DMZ

Question 64

Q

What is a restricted zone, as it strictly controls direct access for uncontrolled networks?

A) Internet DMZ
B) Internet Zone
C) Production Network Zone 
D) Intranet Zone
E) Management Network Zone

Answer

A

C) Production Network Zone

Answer 64

A

D) Intranet Zone

Answer 65

A

E) Management Network Zone

Answer 66

A

D) Defense-In-Depth

Answer 67

A

A) Security Policies

Answer 68

A

B) Information Security Policies

Answer 69

A

A) Promiscuous Policy

Answer 70

A

B) Permissive Policy

Answer 71

A

C) Prudent Policy

Answer 72

A

D) Paranoid Policy

Answer 73

A

A) Access Control Policy

Answer 74

A

B) Remote-Access Policy

Answer 75

A

C) User- Account Policy

Answer 76

A

A) Information-Protection Policy

Answer 77

A

C) Firewall- Management Policy

Answer 78

A

B) Special-Access Policy

Answer 79

A

D) Email Security Policy

Answer 80

A

C) Acceptable-Use Policy

Answer 81

A

A) Passwords Policy

Answer 82

A

C) Network-Connection Policy

Answer 83

A

B) Risk Management

Answer 84

A

D) Threat Modeling

Answer 85

A

C) Incident Management

Answer 86

A

A) Do Not Fragment

Answer 87

A

B) Send buffer size

Answer 88

A

C) tracert

Answer 89

A

B) Perform a full restore

Answer 90

A

C) End of Line Comment

Answer 91

A

A) Fuzzing

Answer 92

A

B) To only provide direct access to the notes within the DMZ and protect the network behind it

Answer 93

A

C) Install Cryptcat and encrypt outgoing packets from this server.

Answer 94

A

D) Yagi antenna

Answer 95

A

C) Service Oriented Architecture

Answer 96

A

D) Tune to avoid False positive and False Negatives

Answer 97

A

B) Traffic is Blocked on UDP port 53.

Answer 98

A

B) Report immediately to the administrator.

Answer 99

A

C) Internet Firewall / Proxy log

Answer 100

A

B) Defense in depth

Answer 101

A

B) Likelihood is the probability that a threat source will exploit a vulnerability.

Answer 102

A

B) GET/restricted/accounts/?name=Ned HTTP/1.1

Host: westbank.com

Answer 103

A

D) Hexadecimal

Answer 104

A

A) Public Keys

Answer 105

A

B) Web application firewall

Answer 106

A

B) 802.11g

Answer 107

A

A) 128 bit and CCMP

Answer 108

A

B) It can accelerate benchmark tests and repeat them with a consistent test setup. But it cannot replace manual testing completely.

Answer 109

A

A) Nmap -sT -O -T0

Answer 110

A

A) SYN/FIN scanning using IP fragments\

Answer 111

A

C) tcpdump

Answer 112

A

A) Cross Site Request Forgery ( CSRF)

Answer 113

A

C. The internal operation of a system is only partly accessible to the tester.

Answer 114

A

C. Only the external operation of a system is accessible to the tester.

Answer 115

A

C. III and IV

Answer 116

A

D. The internal operation of a system is completely known to the tester.

Answer 117

A

A. Place a front-end web server in a demilitarized zone that only handles external web traffic.

Answer 118

A

A. Incident Management Process

Answer 119

A

C. zero-day

Answer 120

A

B. The tester will have an actual security posture visibility of the target network.

Answer 121

A

C. Payment Card Industry (PCI)

Answer 122

A

A. Preparation phase

Answer 123

A

C. Remote access policy

Answer 124

A

A. Install a CCTV with cameras pointing to the entrance doors and the street

Answer 125

A

C. Remote access policy

Answer 126

A

B. 0-day vulnerability

Answer 127

A

B. Containment

Answer 128

A

B. Defense in depth

Answer 129

A

A. Bollards

Answer 130

A

D. Internal, Blackbox

Answer 131

A

B. UDP 514

Answer 132

A

A. Tailgating

Answer 133

A

C. Inserts text into a data field that gets interpreted as code.

Answer 134

A

C. Adaptive chosen-plaintext attack

Answer 135

A

B. Modifying and replaying captured network traffic

Answer 136

A

A. Use the 802.1x protocol.

Answer 137

A

B. The solution implements the two authentication factors: physical object and physical characteristic

Answer 138

A

B. A behavioral IDS

Answer 139

A

B. False Positive Generation

Answer 140

A

D. Heartbleed Bug

Answer 141

A

A. Code Emulation

Answer 142

A

A. Wireless Access Control List

Answer 143

A

C. Install Cryptcat and encrypt outgoing packets from this server.

Answer 144

A

D. A ping scan

Answer 145

A

A. Watering Hole Attack

Answer 146

A

D. USB Dumper

Answer 147

A

D. Cavity virus

Answer 148

A

A. SYN/FIN scanning using IP fragments\

Answer 149

A

B. nslookup -norecursive update.antivirus.com

Answer 150

A

C. Cross-Site Scripting (XSS)

Answer 151

A

A. Public keys

Answer 152

A

A. Cross-site request forgery

Answer 153

A

A. Can identify unknown attacks

Answer 154

A

B. At least once a year and after any significant infrastructure or application upgrade or modification

Answer 155

A

A. Bob is totally wrong. DMZ is always relevant when the company has internet servers and workstations.

Answer 156

A

D. Both B and C

Answer 157

A

D. Business Impact Analysis (BIA)

Answer 158

A

A. Cross-Site Request Forgery (CSRF)

Answer 159

A

B. Web application firewall

Answer 160

A

B. Alice also stores her private key in the cloud, and Harry breaks into the cloud server as before

Answer 161

A

D. Port scanning, banner grabbing, service identification

Answer 162

A

A. IPsec driver

Answer 163

A

C. Ettercap

Answer 164

A

A. A web server facing the Internet, an application server on the internal network, a database server on the internal network.

Answer 165

A

A. Botnet Attack

Answer 166

A

B. TCP Connect / Full Open Scan

Answer 167

A

D. This is Xmas scan. URG, PUSH and FIN are set.

Answer 168

A

B. [site:]

Answer 169

A

A. Confidentiality, Integrity, Availability

Answer 170

A

C. File checksums

Answer 171

A

B. Userland Exploit

Answer 172

A

C. Network Time Protocol

Answer 173

A

A. Rubber Hose Attack

Answer 174

A

Transmission Control Protocol

Answer 175

A

Synchronize segment

Answer 176

A

Synchronize Acknowledgment segment

Answer 177

A

Acknowledgment segment

Answer 178

A

Address Resolution Protocol

Answer 179

A

SYN, SYN/ACK, ACK

Answer 180

A

Personally Identifiable Information

Answer 181

A

Incident Response Team

Answer 182

A

Enterprise Information Security Architecture is a
collection of requirements and processes that help determine how an organization’s information systems are built and how they
work.

Answer 183

A

physical, technical, and administrative

Answer 184

A

guards, lights, and cameras

Answer 185

A

encryption, smartcards, and access control lists

Answer 186

A

training, awareness, and policy efforts

Answer 187

A

Authentication (preventative), alarm bells for unauthorized access to a physical location, alerts on unauthorized access to resources, audits (detective), and backups and restore options (corrective).

Answer 188

A

Confidentiality, Integrity, Availability

Answer 189

A

hematical

algorithm (such as MD5 and SHA-1) that generates a specific, fixed-length number which is a hash value.

Answer 190

A

mathematical algorithm (such as MD5 and SHA-1) that generates a specific, fixed-length number which is a hash value.

Answer 191

A

The attacker isn’t interested in learning the entirety of the plain-text message. Instead, bits are manipulated in the cipher text itself to generate a predictable outcome in the plain text once it is decrypted.

Answer 192

A

Set standard of controls and testing

method

Answer 193

A

What is being tested

Answer 194

A

The documentation describing the TOE and security requirements

Answer 195

A

A set of security requirements specifically for the type of product being tested

Answer 196

A

method of access control where security policy is controlled by a
security administrator: users can’t set access controls themselves.

Answer 197

A

Allows users to set access controls on the resources they own or controls.

Answer 198

A

Mandatory rules used to achieve consistency.

Answer 199

A

Provide the minimum security level necessary

Answer 200

A

Flexible recommended actions users are to take in the event there is no standard to follow.

Answer 201

A

Detailed step-by-step instructions for accomplishing a task or goal.

Answer 202

A

Someone who manipulates telecommunications

systems in order to make free calls.

Answer 203

A

The use of offensive and defensive techniques to create advantage over your adversary.

Answer 204

A

Preparation, Assessment, and Conclusion

Answer 205

A

The preparation phase defines the time period during which the actual contract is hammered out. The scope of the test, the types of attacks allowed, and the individuals assigned to perform the activity are all agreed upon in this phase.

Answer 206

A

The assessment phase (sometimes also known as the security evaluation phase or the conduct phase) is exactly what it sounds like —the actual assaults on the security controls are conducted during this time.

Answer 207

A

The conclusion (or post-assessment) phase defines the time when final reports are prepared for the customer, detailing the findings of the tests (including the types of tests performed) and many times even providing recommendations to improve security.

Answer 208

A

A security standard for organizations handling credit cards, ATM cards, and other point-of sales cards.

Answer 209

A

C. If you’re doing something as a deterrent, you’re trying to prevent an attack in the first place. In this physical security deterrent control, a guard visible outside the door could help prevent physical attacks.

Answer 210

A

A. FISMA has been around since 2002 and was updated in 2014. It gave certain information security responsibilities to NIST, OMB, and other government agencies, and declared the Department of Homeland Security (DHS) as the operational lead for budgets and guidelines on security matters.

Answer 211

A

B. ALE = ARO × SLE. To determine ARO, divide the number of occurrences by the number of years (1 occurrence / 10
years = 0.1). To determine SLE, add the purchase cost (1200) plus the amount of time to replace (5 × 50 = 250) plus the
amount of lost work (5 hours × 5 employees × 25 = 625). In this case, it all adds up to $2075. ALE = 0.1 × 2075, or
$207.50

Answer 212

A

A. In this example, an ethical hacker was hired under a specific agreement, making him a white hat. The test he was hired to perform is a no-knowledge attack, making it a black-box test.

Answer 213

A

D. Hackers who use their skills and talents to forward a cause or a political agenda are practicing hactivism.

Answer 214

A

D. The ethical hacker always obtains written permission before testing and never performs a test without it!

Answer 215

A

B. The second of the five phases of an ethical hack attempt, scanning and enumeration, is the step where ethical hackers take the information they gathered in recon and actively apply tools and techniques to gather more in-depth information on the targets.

Answer 216

A

B. A white-box attack is intended to simulate an internal attacker with elevated privileges, such as a network
administrator.

Answer 217

A

D. The target of evaluation (TOE) is the system or product being tested.

Answer 218

A

A. The Information Security Policy defines what is allowed and not allowed, and what the consequences are for misbehavior in regard to resources on the corporate network. Generally this is signed by employees prior to their account creation.

Answer 219

A

B. The assessment phase, which EC-Council also likes to interchangeably denote as the “conduct” phase sometimes, is where all the activity takes place—including the passive information gathering performed by Sally in this example

Answer 220

A

B. A suicide hacker doesn’t care about being caught. Jail time and punishment mean nothing to these guys. While
sometimes they are tied to a political or religious group or function, sometimes they’re just angry folks looking to make an entity pay for some perceived wrongdoing.

Answer 221

A

C. A hash is a unique numerical string, created by a hashing algorithm on a given piece of data, used to verify data integrity. Generally, hashes are used to verify the integrity of files after download (comparison to the hash value on the site before download) and/or to store password values. Hashes are created by a one-way algorithm.

Answer 222

A

B. The Business Impact Analysis best matches this description. Although maximum tolerable downtime is part of the process, and a continuity plan certainly addresses it, a BIA is the actual process to identify those critical systems.

Answer 223

A

Defines the hostname and port number of servers providing specific services, such as a Directory
Services server.

Answer 224

A

Identifies the primary name server for the zone. The SOA record contains the hostname of
the server responsible for all DNS records within the namespace, as well as the basic properties of the domain.

Answer 225

A

Maps an IP address to a hostname (providing for reverse DNS lookups).

Answer 226

A

Defines the name servers within your namespace.

Answer 227

A

Identifies the e-mail servers within your domain.

Answer 228

A

Provides for domain name aliases within your zone.

Answer 229

A

Maps an IP address to a hostname and is used most often for DNS lookups.

Answer 230

A

C. Netcraft is the best choice here. From the site: “Netcraft provides internet security services including anti-fraud and
anti-phishing services, application testing and PCI scanning.”

Answer 231

A

A. MX records define a server as an e-mail server. An associated A record will define the name-to-IP-address
translation for the server.

Answer 232

A

B. CSIRT provides incident response services for any user, company, agency, or organization in partnership with the Department of Homeland Security.

Answer 233

A

A. A zero-day vulnerability is one that security personnel, vendors, and even vulnerability scanners simply don’t know about yet. It’s more likely the attacker is using an attack vector unknown to the security personnel than he somehow managed to turn off all security measures without alerting anyone.

Answer 234

A

A. Whois provides information on the domain registration, including technical and business POCs’ addresses and e-
mails.

Answer 235

A

D. The Google search operator allintitle allows for the combination of strings in the title. The operator inurl looks only
in the URL of the site.

Answer 236

A

A, B. Passive footprinting is all about publicly accessible sources.

Answer 237

A

C. A records provide IP-address-to-name mappings.

Answer 238

A

C. CNAME records provide for aliases within the zone.

Answer 239

A

B. All the methods discussed are passive in nature, per EC-Council’s definition.

Answer 240

A

A. The –A switch turns on OS detection, version detection, script scanning, and traceroute, just as the –O, -sV, -sC, and –traceroute switches do in conjunctions with each other

Answer 241

A

A, C. Both Telnet and netcat, among others, can be used for banner grabbing. The correct syntax for both have the port
number last.

Answer 242

A

A. Fragmenting packets is a great way to evade an IDS, for any purpose. Sometimes referred to as IP fragments, splitting a TCP header across multiple packets can serve to keep you hidden while scanning.

Answer 243

A

B. Generally speaking, any activity noted in a question that does not explicitly state you are crafting packets and injecting them toward a system indicates you are passively observing traffic—in this case, most likely with a sniffed traffic log.

Answer 244

A

C. A three-way TCP handshake has the originator forward a SYN. The recipient, in step 2, sends a SYN and an ACK. In step 3, the originator responds with an ACK. The steps are referred to as SYN, SYN/ACK, ACK.

Answer 245

A

A. According to ECC, if the TTL of the returned RST packet is less than 64, the port is open.

Answer 246

A

A. An ACK packet received by a stateful firewall will not be allowed to pass unless it was “sourced” from inside the network. No response indicates the firewall filtered that port packet and did not allow it passage.

Answer 247

A

A. The RST flag forces both sides of the communications channel to stop. A FIN flag signifies an ordered close to the communications.

Answer 248

A

D. If you look at the address 52.93.24.42 in binary, it looks like this: 00110100.01011101.00011000.00101010. The
subnet mask given, /20, tells us only the first 24 bits count as the network ID (which cannot change if we are to stay in the same subnet), and the remaining 12 bits belong to the host. Turning off all the host bits (after the 20th) gives us our network ID: 00110100.01011101.00010000.00000000 (52.93.16.0/20). Turning on all the host bits gives us our broadcast address: 00110100.01011101.00011111.11111111 (52.93.31.255/20).

Answer 249

A

D. Syslog uses 514 by default. Even if you had no idea, the other answers provided are very well-known default ports (FTP, Telnet, TFTP) that you can use to eliminate them as possible answers.

Answer 250

A

C, D. Both the –sn and –PI switches will accomplish the task quickly and efficiently.

Answer 251

A

B. Since the IPID incremented by only 1, this means the zombie hasn’t sent anything since your original SYN/ACK to figure out the starting IPID. If the IPID had increased by two, then the port would be open because the zombie would have responded to the target machine’s SYN/ACK.

Answer 252

A

A. A Type 11 ICMP packet indicates the TTL for the packet has reached 0; therefore, it must take the Carrousel (from the movie Logan’s Run) and disappear to a better place.

Answer 253

A

C. ECC defines what most of us used to call a half-open scan (although I suppose it would actually make more sense mathematically to call it a two-third scan, since it’s a three-way handshake and only two are used) a stealth scan. This is also known as a SYN scan.

Answer 254

A

D. Port scanning has a singular purpose—to knock on ports and see if they’re open (listening). Does an open port necessarily mean something is wrong? No, but it does represent a potential vulnerability you can exploit later

Answer 255

A

B. A honeypot is designed to draw attackers in so you can watch what they do, how they do it, and where they do it from.

Answer 256

A

A, C. In Wireshark filter questions, always pay attention to the operators. While answer A shows any packet with the correct IP in it, anywhere, the or operator in answer C shows packets meeting both options

Answer 257

A

B, D. If you’re on a hub, why bother with active sniffing techniques? You’re already seeing everything. Also, active sniffing is much more likely to get you caught than simply plugging in a wire and sitting back.

Answer 258

A

A. Encryption is the bane of IDS’s existence. If traffic is encrypted, the IDS is blind as a bat.

Answer 259

A

B. The appropriate Wireshark display filter is the following: tcp contains search-string.

Answer 260

A

C. Snort rules follow the same syntax: action protocol src address src port -> dest address port (options).

Answer 261

A

A. When traffic gets to the IDS, is examined, and is still let through even though it’s naughty, a false negative has
occurred. And a false negative is really, really bad.

Answer 262

A

B. ARP poisoning is done on the machine creating the frame—the sender. Changing the default gateway entry on the
sending machine results in all frames intended for an IP out of the subnet being delivered to the attacker. Changing the
ARP cache on the other machine or the router is pointless.

Answer 263

A

C. IDSs can be signature or anomaly based. Anomaly-based systems build a baseline of normal traffic patterns overtime, and anything that appears outside of the baseline is flagged

Answer 264

A

C. There are a bunch of reasons for having a proxy. In this case, you’re using it to filter traffic between internal hosts and the rest of the world. Generally speaking, proxies don’t act as file servers, websites, or DHCP servers.

Answer 265

A

A, C. Switches filter or flood traffic based on the address. Broadcast traffic, such as ARP requests and answers, is
flooded to all ports. Unicast traffic, such as traffic intended for the laptop itself or the default gateway, is sent only to the port on which the machine rests.

Answer 266

A

A, B. ARP poisoning can be used to trick a system into sending packets to your machine instead of recipients (including the default gateway). MAC flooding is an older attack used to fill a CAM table and make a switch behave like a hub.

Answer 267

A

C. WinPcap is the library used for Windows devices. Libpcap is used on Linux devices for the same purpose.

Answer 268

A

C. I admit, this one is tricky. Yes, circuit-level firewalls work at Layer 5. Stateful firewalls can be said to work at Layer 5, but they’re focused on Layers 3 and 4. Application works at Layer 7.

Answer 269

A

A. Steganography is designed to place information in files where it will lay hidden until needed. Information can be hidden in virtually any file, although image and video files are traditionally associated with steganography.

Answer 270

A

C. LAN Manager (LM), an old and outdated authentication system, used DES, an old and outdated means for hashing files (in this case, passwords).

Answer 271

A

B. Passive online attacks simply involve stealing passwords passed in clear text or copying the entire password exchange in the hopes of pulling off a reply or man-in-the-middle attack.

Answer 272

A

C. Because Joe’s users need something they have—a token—and something they know—the PIN—this is considered two-factor authentication.

Answer 273

A

C. The hybrid attack takes any old dictionary list and juices it up a little. It will substitute numbers for letters, inject a character or two, and run all sorts of hybrid versions of your word list in an attempt to crack passwords.

Answer 274

A

C. LM hashes pad a password with blank spaces to reach 14 characters, split it into two 7-character sections, and then hash both separately. Because the LM hash of seven blank characters is always AAD3B435B51404EE, you can tell from the hash that the user has used only seven or fewer characters in the password. Because CEH has recommended that a password be a minimum of eight characters, be complex, and expire after 30 days, the user is not following good policy

Answer 275

A

C. The SAM file is stored in the same folder on most Windows machines: C:\Windows\System32\Config.

Answer 276

A

B. It’s a database server during normal business hours and there’s nothing in the log? Forget the fact a reboot would’ve showed up somewhere—none of the users complained about it being down at all. No, we think this one is going to require some forensics work. Call the IR team.

Answer 277

A

A. The hypervisor-level rootkit is defined by ECC as one that basically replaces your physical OS with a virtual one

Answer 278

A

B, C. Net use commands were the rage back in the day. This command connects to a shared folder on MATTBOX. The shared folder is named BankFiles, and the mapping will display as a drive (F:) on the local machine. The persistent:yes portion means it will remain mapped forever, until you turn it off.

Answer 279

A

B. The command start readme.txt:badfile.exe says “Start the executable badfile.exe that is hidden in the readme.txt file.” In other variants of this question, the bad guy could create a link and execute it simply by typing the link name (for example, mklink innocent.exe readme.txt:badfile.exe would create a link and the bad file could be executed simply by typing innocent).

Answer 280

A

A, C. The ampersand (&) after the command dictates that the process should run in the background. Without anything indicating a persistent process (that is, adding nohup before the process name), it will die when the user logs out

Answer 281

A

A. In this case, because the logs and IDSs show no direct attack, it’s most likely the attacker has copied the source code directly to his machine and altered the hidden “price” fields on the order form. All other types of attack would have, in some form or fashion, shown themselves easily.

Answer 282

A

C. “Best” is always a tricky word. In this case, configuring server-side operations to validate what’s being put in the input field is by far the best mitigation. Could vulnerability scans and pen tests tell you something is wrong? Sure, but by
themselves they don’t do anything to protect you.

Answer 283

A

D. While usually implemented in three tiers, n-tier simply means you have three or more independently monitored, managed, and maintained collection of servers, each providing a specific service or tasking.

Answer 284

A

D. The single quote should begin SQL injection attempts, even though in many database systems it’s not always an absolute.

Answer 285

A

D. The requests from the bad guy masquerading with your session ID through your browser can be largely stopped by making sure each request has a challenge token—if the server gets one without a token, it’s naughty and dropped.

Answer 286

A

C. SOAP is compatible with HTTP and SMTP, and usually the messages are “one way” in nature.

Answer 287

A

A. SOAP formats its information exchange in XML.

Answer 288

A

B. The )(&) indicates an LDAP injection attempt.

Answer 289

A

C. Of the answers provided, XSS is the only one that makes sense. This setting prevents cookies from being accessible by a client-side script.

Answer 290

A

B, C. WebGoat has 30 or so “lessons” imbedded to display how security vulnerabilities work on a system. It is maintained by OWASP, can be installed on virtually any platform, works well with Java and .NET, and provides the perfect “black box” testing opportunity for new, and seasoned, pen testers to practice on without fear of breaking
something.

Answer 291

A

A. WPA2 is a strong encryption method, but almost everything can be hacked given time. Capturing the password pairwise master key (PMK) during the handshake is the only way to do it, and even then it’s virtually impossible if it’s a complicated password.

Answer 292

A

D. Turning off the broadcast of an SSID is a good step, but SSIDs do nothing in regard to security. The SSID is included in every packet, regardless of whether it’s broadcast from the AP.

Answer 293

A

C. MAC filtering is easily hacked by sniffing the network for a valid MAC and then spoofing it, using any number of options available.

Answer 294

A

A, B. The MAC address of the AP and the SSID are required for attempting a WEP crack.

Answer 295

A

A. MIC provides integrity checking in WPA, verifying frames are authentic and have not been tampered with. Part of how it accomplishes this is a sequence number—if any arrive out of sequence, the whole session is dropped.

Answer 296

A

D. Blooover is designed for bluebugging. BBProxy and PhoneSnoop are both Blackberry tools, and btCrawler is a discovery option.

Answer 297

A

C. Mobile Device Management won’t mitigate all the risks associated with unending use of mobile devices on your
network—but at least it’s something.

Answer 298

A

B. Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (say that three times fast) uses Message Integrity Codes (MICs) for integrity purposes.

Answer 299

A

D. An SSID is used for nothing more than identifying the network. It is not designed as a security measure.

Answer 300

A

B. WPA uses temporal keys, making it a much stronger encryption choice than WEP.

Answer 301

A

C. WEP uses RC4, which is part of the reason it’s so easily hacked and not considered a secure option.

Answer 302

A

B. SuperOneClick is designed for rooting Android. The others are jailbreaking iOS options.

Answer 303

A

B. If untethered jailbreaking has been performed, the device is in a jailbroken state forever, with or without connection to another device.

Answer 304

A

D. While implementing cloud computing doesn’t fully address separation of duties, of the choices provided it’s the only one that makes sense. The cloud, by its nature, can separate the data owner from the data custodian (the cloud provider assumes the role).

Answer 305

A

C. Service Oriented Architecture (SOA) is all about software components delivering information to one another on a network, and this is the best available answer.

Answer 306

A

B. PaaS provides a development platform that allows subscribers to develop applications without building the
infrastructure it would normally take to develop and launch software.

Answer 307

A

A. Amazon’s EC2 provides resizable compute capacity in the cloud via VMs that can be controlled via an API, thus
fitting the definition of IaaS.

Answer 308

A

C. Software as a Service best describes this. SaaS is simply a software distribution model—the provider offers ondemand applications to subscribers over the Internet.

Answer 309

A

A. Session riding is simply CSRF under a different name and deals with cloud services instead of traditional data
centers.

Answer 310

A

C. Wrapping attacks involve messing with SOAP messages and replaying them as legitimate.

Answer 311

A

B. Akin to the power distributor for the electric grid, the carrier is the intermediary for connectivity and transport
between subscriber and provider.

Answer 312

A

C. The broker “acts as the intermediate between consumer and provider and will help consumers through the complexity of cloud service offerings and may also create value added cloud services as well.”

Answer 313

A

D. The consumer is the subscriber, who engages a provider for services.

Answer 314

A

D. Overt channels are legitimate, and used legitimately. Everything else listed is naughty.

Answer 315

A

A. Sparse infector viruses only fire when a specific condition is met. For example, maybe the fifth time Calculator is run, whammo—virus execution.

Answer 316

A

B. Much like Skynet from the Terminator movies, worms do not need us.

Answer 317

A

A, D. A SYN flood doesn’t use ICMP at all, nor does a peer-to-peer attack.

Answer 318

A

B. Backing up a hard drive that’s already infected makes as much sense as putting ketchup on a doughnut. The malicious files are on the drive, so backing it up does nothing but ensure you’ll reinfect something later on.

Answer 319

A

B, E. Unpredictable sequence numbers make session hijacking nearly impossible, and implementing ICMP—which provides encryption and authentication services—is also probably a good idea.

Answer 320

A

C. Session hijacking takes advantage of connections already in place and already authenticated.

Answer 321

A

D. Tripwire is one of the better-known file integrity verifiers, and it can help prevent Trojans by notifying you
immediately when an important file is altered.

Answer 322

A

B. Volumetric attacks consume all available bandwidth for the system or service.

Answer 323

A

A. Starting with the acknowledged sequence number of 101, the server will accept packets between 102 and 106 before sending an acknowledgment.

Answer 324

A

C. This is the correct syntax for using Netcat to leave a command shell open on port 56.

Answer 325

A

B. The distributed reflection denial of service (DRDoS) attack is, for all intents and purposes, a botnet. Secondary systems carry out the attacks so the attacker remains hidden

Answer 326

A

B. In a teardrop attack, the reassembly of fragments takes down the target.

Answer 327

A

A. In a POODLE attack, the man-in-the-middle interrupts all handshake attempts by TLS clients, forcing a degradation to a vulnerable SSL version.

Answer 328

A

B. RC4 is a simple, fast, symmetric stream cipher. It can be used for almost everything you can imagine an encryption cipher could be used for (you can even find it in WEP).

Answer 329

A

C. AES is a symmetric algorithm, which means that the same key is used for encryption and decryption. The organization will have to find a secured means to transmit the key to both parties before any data exchange

Answer 330

A

B. In a known plain-text attack, the hacker has both plain-text and cipher-text messages; the plain-text copies are scanned for repeatable sequences, which are then compared to the cipher-text versions. Over time, and with effort, this can be used to decipher the key.

Answer 331

A

C. FDE is the appropriate control for data-at-rest protection. Pre-boot Authentication provides protection against loss or theft.

Answer 332

A

D. A digital certificate contains, among other things, the sender’s public key, and it can be used to identify the sender.

Answer 333

A

A. When two or more plain-text entries create the same fixed-value hash result, a collision has occurred.

Answer 334

A

B. Heartbleed takes advantage of the data-echoing acknowledgement heartbeat in SSL. OpenSSL version 1.0.1 through version 1.0.1f are vulnerable to this attack.

Answer 335

A

C. Symmetric algorithms are fast, are good for bulk encryption, but have scalability problems.

Answer 336

A

D. Bob’s public key is used to encrypt the message. His private key is used to decrypt it.

Answer 337

A

B. Block encryption takes a fixed-length block of plain text and converts it to an encrypted block of the same length.

Answer 338

A

C. Rivest Cipher (RC) uses variable block sizes (from 32 to 128 bits).

Answer 339

A

A. SHA-1 produces a 160-bit output value.

Answer 340

A

D. When PKIs need to talk to one another and trust certificates from either side, the CAs need to set up a mutual trust known as cross-certification.

Answer 341

A

A. A registration authority (RA) validates an applicant into the system, making sure they are real, valid, and allowed to use the system.

Answer 342

A

A. Pretty Good Privacy (PGP) is used for signing, compression, and encrypting and decrypting e-mails, files, directories, and even whole disk partitions, mainly in an effort to increase the security of e-mail communications.

Answer 343

A

B. In tailgating, the attacker holds a fake entry badge of some sort and follows an authorized user inside.

Answer 344

A

C. Because he is already inside (thus rendering tailgating and piggybacking pointless), the attacker could employ
shoulder surfing to gain the access credentials of a user.

Answer 345

A

D. Reverse social engineering occurs when the attacker uses marketing, sabotage, and support to gain access credentials and other information

Answer 346

A

B. Computer-based social engineering attacks include any measures using computers and technology.

Answer 347

A

C. Spear phishing occurs when the e-mail is being sent to a specific audience, even if that audience is one person. In this example, the attacker used recon information to craft an e-mail designed to be more realistic to the intended victim and therefore more successful.

Answer 348

A

A. Positive pressure will do wonderful things to keep dust and other contaminants out of the room, but on its own it does nothing against static electricity.

Answer 349

A

A, B, C. Phishing e-mails can be spotted by who they are from, who they are addressed to, spelling and grammar errors, and unknown or malicious embedded links.

Answer 350

A

A. Physical security controls fall into three categories: physical, technical, and operational. Physical measures include lighting, fences, and guards.

Answer 351

A

C. The term smishing refers to the use of text messages to socially engineer mobile device users. By definition it is a mobile-based social engineering attack. As an aside, it also sounds like something a five-year-old would say about killing a bug.

Answer 352

A

C. Operational measures are the policies and procedures you set up to enforce a security-minded operation.

Answer 353

A

B. Mantraps are specifically designed to prevent tailgating.

Answer 354

A

C. Everyone recognizes insider threats as the worst type of threat, and a disgruntled employee on the inside is the single biggest threat for security professionals to plan for and deal with.

Answer 355

A

D. Social engineering is designed to test the human element in the organization. Of the answers provided, it is the only real option.

Answer 356

A

D. Pen tests always begin with an agreement with the customer that identifies the scope and activities. An ethical hacker will never proceed without written authorization.

Answer 357

A

A. Blue teams are defense-oriented. They concentrate on preventing and mitigating attacks and efforts of the red team/bad guys.

Answer 358

A

A. All reconnaissance efforts occur in the pre-attack phase.

Answer 359

A

A. Vulnerability assessments (a.k.a. security audits) seek to discover open vulnerabilities on the client’s systems but do not actively or intentionally exploit any of them.

Answer 360

A

C, D. Core Impact and CANVAS are both automated, all-in-one test tool suites capable of performing a test for a client. Other tools may be used in conjunction with them to spot vulnerabilities, including Nessus, Retina, SAINT, and Sara

Answer 361

A

D. Automatic testing involves the use of a tool suite and generally runs faster than an all-inclusive manual test. However, it is susceptible to false negatives and false positives and can oftentimes overrun the scope boundary.

Answer 362

A

D. Joe is on a system internal to the network and has no knowledge of the target’s network. Therefore, he is performing an internal, black-box test.

Answer 363

A

A, B, C. The final report for a pen test includes an executive summary, a list of the findings (usually in order of highest risk), the names of all participants, a list of all findings (in order of highest risk), analysis of findings, mitigation recommendations, and any logs or other relevant files.

Answer 364

A

A. A security audit is used to verify security policies and procedures in place.

Answer 365

A

B. Red teams are on offense. They are employed to go on the attack, simulating the bad guys out in the world trying to exploit anything they can find

Answer 366

A

Operating System Attacks

Answer 367

A

Misconfiguration attack

Answer 368

A

Application-level attack

Answer 369

A

Shrink-wrap code attack

Answer 370

A

Electronic warfare

Answer 371

A

Intelligence-based warfare

Answer 372

A

Command and control warfare (C2 warfare)

Answer 373

A

Economic warfare

Brainscape's Knowledge GenomeTM

Exam Prep Flashcards

Brainscape's Knowledge Genome^TM