Matt Walker - Pre Assessment Test

Question 1

Pre.1 A vendor is alerted of a newly discovered flaw in its software that presents a major vulnerability to systems. While working to prepare a fix action, the vendor releases a notice alerting the community of the discovered flaw and providing best practices to follow until the patch is available. Which of the following best describes the discovered flaw? 
A.   Input validation flaw 
B.   Shrink-wrap vulnerability 
C.   Insider vulnerability 
D.   Zero day

Answer 1

C

Question 2

Pre.2 A security professional applies encryption methods to communication channels. Which security control role is she attempting to meet? 
A.   Preventive 
B.   Detective 
C.   Defensive 
D.   Corrective

Answer 2

A

Question 3

Pre.3 Bob is working with senior management to identify the systems and processes that are critical for operations. As part of this business impact assessment, he performs calculations on various systems to place a value on them. On a certain server he discovers the following:
• The server costs $2500 to purchase.
•The server typically fails once every five years.
•The salary for the technician to repair a server failure is $40 an hour, and it typically takes two hours to fully restore the server after a failure.
•The accounting group has five employees paid at $25 an hour who are at a standstill during an outage.

What is the ALE for the server? 
A.   20% 
B.   $2830
C.   $566
D.   $500

Answer 3

B

Question 4

Pre.4 You’ve discovered a certain application in your environment that has been proven to contain vulnerabilities. Which of the following actions best describes avoiding the risk?
A. Remove the software from the environment.
B.Install all known security patches for the application.
C.Install brand-new software guaranteed by the publisher to be free of vulnerabilities.
D. Leave the software in place.

Answer 4

A

Question 5

Pre.5 James is a member of a pen test team newly hired to test a bank’s security. He begins searching for IP addresses the bank may own, using public records on the Internet, and he also looks up news articles and job postings to discover information that may be valuable. In what phase of the pen test is James working? 
A.   Reconnaissance 
B.   Pre-attack 
C.   Assessment 
D.   Attack 
E.   Scanning

Answer 5

B

Question 6

Pre.6 Enacted in 2002, this U.S. law requires every federal agency to implement information security programs, including significant reporting on compliance and accreditation. Which of the following is the best choice for this definition? 
A.   FISMA 
B.   HIPAA 
C.   NIST 800-53 
D.   OSSTMM

Answer 6

A

Question 7

Pre.7 You are examining a Wireshark capture. Which of the following MAC addresses would indicate a broadcast packet? 
A.   AA:AA:AA:AA:AA:AA 
B.   FF:FF:FF:FF:FF:FF 
C.   11:11: 11:11: 11:11 
D.   99:99: 99:99: 99:99

Answer 7

C

Question 8

Pre.8 Which Google operator is the best choice in searching for a particular string in the website’s title? 
A.   intext: 
B.   inurl: 
C.   site: 
D.   intitle:

Answer 8

D

Question 9

Pre.9 An ethical hacker begins by visiting the target’s website and then peruses social networking sites and job boards looking for information and building a profile on the organization. Which of the following best describes this effort? 
A.   Active footprinting 
B.   Passive footprinting 
C.   Internet footprinting 
D.   Sniffing

Answer 9

A

Question 10

Pre.10 Internet attackers—state sponsored or otherwise—often discover vulnerabilities in a service or product but keep the information quiet and to themselves, ensuring the vendor is unaware of the vulnerability, until the attackers are ready to launch an exploit. Which of the following best describes this? 
A.   Zero day 
B.   Zero hour 
C.   No day 
D.   Nada sum

Answer 10

A

Question 11

Pre.11 The organization has a DNS server out in the DMZ and a second one internal to the network. Which of the following best describes this DNC configuration? 
A.   Schematic 
DNS 
B.   Dynamic DNS 
C.   DNSSEC 
D.   Split DNS

Answer 11

B

Question 12

Pre.12 Search engines assist users in finding the information they want on the Internet. Which of the following is known as the hacker’s search engine, explicitly allowing you to find specific types of computers (for example, routers or servers) connected to the Internet?
A.   Whois 
B.   Shodan 
C.   Nslookup 
D.   Burp Suite

Answer 12

D

Question 13

Pre.13 An organization’s leadership is concerned about social engineering and hires a company to provide training for all employees. How is the organization handling the risk associated with social engineering? 
A.   They are accepting the risk. 
B.   They are avoiding the risk. 
C.   They are mitigating the risk.
D.   They are transferring the risk.

Answer 13

C
C. When it comes to risks, there are four different methods of attempting to deal with them. In risk mitigation, steps are taken to reduce the chance that the risk even will occur, and in this example that’s exactly what’s happening. Training on social engineering should help reduce the likelihood an employee will fall victim (real-life concerns on this notwithstanding—we are talking about test questions here).

A is incorrect because the acceptance of risk means the organization understands the risk is there, but they don’t do anything about it. Why would a company take this action? Perhaps the chance a threat agent will (or even can) exploit the risk is so low it makes the effort to mitigate it pointless. Or it could be the cost to mitigate simply costs more than any damage or recovery from exploitation in the first place. In any case, if the organization does nothing, they’re accepting risk.

B is incorrect because avoidance of risk means the organization takes steps to eliminate the service, action, or technology altogether. In other words, the risk is deemed so great the company would rather do without the asset or service in the first place. In the case of social engineering, unless the organization can work without employees, avoiding this risk is nearly impossible.

D is incorrect because transferring risk occurs when the organization puts the burden of risk on another party. For example, the company might hire an insurance company to pay off in the event a risk is exploited.

Question 14

Pre.14 In which phase of the ethical hacking methodology would a hacker be expected to discover available targets on a network? 
A.   Reconnaissance 
B.   Scanning and enumeration 
C.   Gaining access 
D.   Maintaining access 
E.   Covering tracks

Answer 14

B
B. The scanning and enumeration phase is where you’ll use things such as ping sweeps to discover available targets on the network. This step occurs after reconnaissance. In this step, tools and techniques are actively applied to information gathered during recon to obtain more in-depth information on the targets. For example, reconnaissance may show a network subnet to have 500 or so machines connected inside a single building, whereas scanning and enumeration would discover which ones are Windows machines and which ones are running FTP.

A is incorrect because the reconnaissance phase is nothing more than the steps taken to gather evidence and information on the targets you want to attack. Activities that occur in this phase include dumpster diving and social engineering. Another valuable tool in recon is the Internet. Look for any of these items as key words in answers on your exam. Of course, in the real world you may actually gather so much information in your recon you’ll already be way ahead of the game in identifying targets and whatnot, but when it comes to the exam, stick with the hard-and-fast boundaries they want you to remember and move on.

C is incorrect because the gaining access phase is all about attacking the machines themselves. You’ve already figured out background information on the client and have enumerated the potential vulnerabilities and security flaws on each target. In this phase, you break out the big guns and start firing away. Key words you’re looking for here are the attacks themselves: accessing an open and unsecured wireless access point, manipulating network devices, writing and delivering a buffer overflow, and performing SQL injection against a web application are all examples.

D is incorrect because this phase is all about backdoors and the steps taken to ensure you have a way back in. For the savvy readers out there who noticed I skipped a step here (escalating privileges), well done. Key words you’ll look for on this phase (maintaining access) are backdoors, zombies, and rootkits.

E is incorrect because this phase is all about cleaning up when you’re done and making sure no one can see where you’ve been. Clearing tracks involves steps to conceal success and avoid detection

Question 15

Pre.15 Which of the following was created to protect shareholders and the general public from corporate accounting errors and fraudulent practices, and to improve the accuracy of corporate disclosures? 
A.   GLBA 
B.   HIPAA 
C.   SOX 
D.   FITARA

Answer 15

C
C. The Sarbanes-Oxley Act (SOX; https://www.sec.gov/about/laws.shtml#sox2002) introduced major changes to the regulation of financial practice and corporate governance in 2002 and is arranged into 11 titles. SOX mandated a number of reforms to enhance corporate responsibility, enhance financial disclosures, and combat corporate and accounting fraud, and it created the “Public Company Accounting Oversight Board,” also known as the PCAOB, to oversee the activities of the auditing profession.

A is incorrect because the Gramm-Leach-Bliley Act (GLBA; https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act) requires financial institutions—companies that offer consumers financial products or services such as loans, financial or investment advice, or insurance—to explain their information-sharing practices to their customers and to safeguard sensitive data. Under the Safeguards Rule, financial institutions must protect the consumer information they collect. GLBA protects the confidentiality and integrity of personal information collected by financial institutions.

B is incorrect because the Health Insurance Portability and Accountability Act (HIPAA; www.hhs.gov/hipaa/) was designed to protect the confidentiality of private health information. HIPAA contains privacy and security requirements, and provides steps and procedures for handling and protecting private health data.

D is incorrect because the Federal Information Technology Acquisition Reform Act (FITARA; https://www.congress.gov/bill/113th-congress/house-bill/1232) didn’t actually pass in full, but did contain sections that were eventually added as part of the National Defense Authorization Act (NDAA) for fiscal year 2015.

Question 16

Pre.16 Which of the following best defines a logical or technical control? 
A.   Air conditioning 
B.   Security tokens 
C.   Fire alarms 
D.   Security policy

Answer 16

B
B. A logical (or technical) control is one used for identification, authentication, and authorization. It can be embedded inside an operating system, application, or database management system. A security token (such as RSA’s SecureID) can provide a number that changes on a recurring basis that a user must provide during authentication, or it may provide a built-in number on a USB device that must be attached during authentication. A physical control is something, well, physical in nature, such as a lock or key or maybe a guard.

A and C are incorrect because air conditioning and fire alarms both fall into the category of physical control.

D is incorrect because a security policy isn’t a logical or technical control.

Question 17

Pre.17 Which of the following was created to protect credit card data at rest and in transit in an effort to reduce fraud? 
A.   TCSEC 
B.   Common Criteria 
C.   ISO 27002 
D.   PCI-DSS

Answer 17

D
D. The Payment Card Industry Data Security Standard (PCI-DSS) is a security standard for organizations that handle credit cards. A council including American Express, JCB, Discover, MasterCard, and Visa developed standards for the protection and transmission of card data to reduce credit card fraud. It’s administered by the Payment Card Industry Security Standards Council. Validation of compliance is performed annually. The standard is composed of 12 requirements: •Requirement 1: Install and maintain firewall configuration to protect data.
•Requirement 2: Remove vendor-supplied default passwords and other default security features.
• Requirement 3: Protect stored data.
• Requirement 4: Encrypt transmission of cardholder data.
•Requirement 5: Install, use, and update AV (antivirus).
• Requirement 6: Develop secure systems and applications.
•Requirement 7: Use “need to know” as a guideline to restrict access to data.
•Requirement 8: Assign a unique ID to each stakeholder in the process (with computer access).
•Requirement 9: Restrict any physical access to the data.
•Requirement 10: Monitor all access to data and network resources holding, transmitting, or protecting it.
•Requirement 11: Test security procedures and systems regularly.
•Requirement 12: Create and maintain an information security policy.

A is incorrect because the Trusted Computer System Evaluation Criteria (TCSEC), also known as the Orange Book, was created by the Department of Defense (DoD) and defines and provides guidance on evaluating access controls within a system. TCSEC defines four levels of validation: verified protection, mandatory protection, discretionary protection, and minimal protection.

B is incorrect because Common Criteria (www.commoncriteriaportal.org/) is an international standard to test and evaluate IT products. Per the website, CC is a “framework in which computer system users can specify their security requirements through the use of Protection Profiles (PPs), vendors can then implement and/or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine if they actually meet the claims. In other words, Common Criteria provides assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous and standard and repeatable manner at a level that is commensurate with the target environment for use.”

C is incorrect because ISO 27002 (www.iso27001security.com/html/27002.html) is an “information security standard published by ISO and the International Electrotechnical Commission (IEC) that recommends security controls based on industry best practices.” This standard includes 13 objectives, ranging from structure, risk assessment, and policy to access controls, human resources security, and compliance.

Question 18

Pre.18 As part of the preparation phase for a pen test you are participating in, the client relays their intent to discover security flaws and possible remediation. They seem particularly concerned about internal threats from the user base. Which of the following best describes the test type the client is looking for? 
A.   Gray box 
B.   Black box 
C.   White hat 
D.   Black hat

Answer 18

A
A. Once again, this is a play on words the exam will throw at you. Note the question is asking about a test type, not the attacker. Reviewing CEH documentation, you’ll see there are three types of tests—white, black, and gray—with each designed to test a specific threat. White tests the internal threat of a knowledgeable systems administrator or an otherwise elevated privilege level user. Black tests external threats with no knowledge of the target. Gray tests the average internal user threat to expose potential security problems inside the network.

B is incorrect because black-box testing is designed to simulate the external threat. Black-box testing takes the most amount of time to complete because it means a thorough romp through the five stages of an attack (and removes any preconceived notions of what to look for) and is usually the most expensive option. Another drawback to this type of test is that it focuses solely on the threat outside the organization and does not take into account any trusted users on the inside.

C is incorrect because a hat color refers to the attacker himself. True, the client is hiring a white hat in this instance to perform the test; however, the hat does not equate to the test. White hats are the “good guys”—ethical hackers hired by a customer for the specific goal of testing and improving security. White hats don’t use their knowledge and skills without prior consent.

D is incorrect because this question refers to the test itself, not the type of attacker. Black hats are the “bad guys” and are otherwise known as crackers. They illegally use their skills either for personal gain or for malicious intent, seeking to steal or destroy data or to deny access to resources and systems. Black hats do not ask for permission or consent.

Question 19

Pre.19 In which phase of the attack would a hacker set up and configure “zombie” machines? 
A.   Reconnaissance 
B.   Covering tracks 
C.   Gaining access 
D.   Maintaining access

Answer 19

D
D. Zombies are basically machines the hacker has commandeered to do his work for him. If the attacker is really good, the owners of the zombie machines don’t even know their machines have been drafted into the war. There are a bajillion methods for maintaining access on a machine you’ve already compromised, and maintaining that access does not necessarily mean the system will be used as a zombie—you could, for example, simply want to check in from time to time to see what new juicy information the user has decided to leave in a file or folder for you, or to check on new logins, credentials, and so on. However, configuring zombie systems definitely belongs in this phase.

A is incorrect because the reconnaissance phase is all about gaining knowledge and information on a target. In reconnaissance, you’re learning about the target itself—for example, what system types they may have in use, what their operating hours are, whether they use a shredder, and what personal information about their employees is available. Think of reconnaissance as the background information on a good character in a novel; it may not be completely necessary to know before you read the action scenes, but it sure makes it easier to understand why the character behaves in a certain manner during the conflict phase of the book. Setting up zombie systems goes far beyond the boundaries of gathering information.

B is incorrect because this phase is where attackers attempt to conceal their success and avoid detection by security professionals. This can involve removing or altering log files, concealing files with via hidden attributes or directories, and using tunneling protocols to communicate with the system.

C is incorrect because in this phase attacks are leveled against the targets identified during the scanning and enumeration phase. Key words to look for in identifying this phase are the attacks themselves (such as buffer overflow and SQL injection). Finally, be careful about questions relating to elevating privileges. Sometimes this is counted as its own phase, so pay close attention to the question’s wording in choosing your answer.

Question 20

Pre.20 Which of the following should not be included in a security policy?
A. Policy exceptions
B. Details on noncompliance disciplinary actions
C. Technical details and procedures
D. Supporting document references

Answer 20

C
C. The whole policy/standard/procedure/guideline thing can get confusing sometimes. Policy is a high-level document that doesn’t get down and dirty into technical details/specifications and is intended to improve awareness. Policies are mandatory, generally short, and easy to understand, providing everyone with the rules of the road. Standards are mandatory rules designed to support a policy, and they must include one or more specifications for hardware, software, or behavior. Procedures are step-by-step instructions for completing a task. Guidelines are not mandatory, but rather are recommendations for accomplishing a goal or on how to act in a given situation.

A, B, and D are incorrect because all these are perfectly acceptable security policy entries. Exceptions to the policy and what happens to you should you decide not to follow the policy are expected entries. And supporting documents—such as various procedures, standards, and guidelines—are always referenced in the policy.

Question 21

Pre.21 Which of the following is best defined as a set of processes used to identify, analyze, prioritize, and resolve security incidents? 
A.   Incident management 
B.   Vulnerability management 
C.   Change management 
D.   Patch management

Answer 21

A
A. Admittedly, this one is fairly easy—or at least it should be. Incident management is the process of dealing with incidents and generally always has the same features/steps—identify the problem or root cause, analyze and research the issue, contain the malicious effort, eradicate the effort, and resolve any damage caused. ECC defines the process as having eight steps: 1. Preparation, 2. Detection and Analysis, 3. Classification/Prioritization, 4. Notification, 5. Containment, 6. Forensic Investigation, 7. Eradication and Recovery, and 8. Post-incident Activities. The incident response team (IRT) is charged with handling this process.

B is incorrect because vulnerability management isn’t about responding to incidents; it’s about identifying and eradicating vulnerabilities before an incident can occur.

C is incorrect because change management involves implementing procedures or technologies to identify and implement required changes within a computer system.

D is incorrect because patch management is designed to manage the identification, installations, and tracking of security patches necessary within the environment.

Question 22

Pre.22 During an assessment, your pen test team discovers child porn on a system. Which of the following is the appropriate response?
A.Continue testing and report findings at the out-brief.
B.Continue testing but report findings to the business owners.
C.Cease testing immediately and refuse to continue work for the client.
D. Cease testing immediately and contact authorities.

Answer 22

D
D. I hesitated to add this question, for reasons that are obvious and some that aren’t, but in the interest of covering everything, I felt I must. First and foremost, in the real world, discovery of something that you think might be illegal activity puts you and your team in a very, very tricky spot. Should you accuse fill-in-the-blank of a crime and involve the authorities, you could be setting yourself up for lawsuits and all sorts of trouble. On the other hand, if you ignore it, you might be found complicit, or at the very least negligent. In the real world, the answer is to make sure your scope agreement advises you and the client of your duty regarding potential criminal activity found during the scope of your investigation. No guessing is allowed—it better be iron-clad evidence, obvious to all, or you’re in a world of hurt. Lastly, what potentially illegal activity you discover may determine your response regardless of ROE (Rules of Engagement). If you discover child porn, you could be guilty of a crime for not reporting it, which isn’t necessarily true for many other crimes. For example, if you witness someone breaking into a house across your street, or were performing a pen test and reasonably suspected someone had already compromised the network, you are not compelled by law, in most states, to notify authorities. However, if you witness bodily harm, you likely would be compelled by law in most states. Speaking purely academically, it’s fairly clear cut and will be so on your exam. In the real world the true answer is to know the laws regarding your testing very well, and make sure your team has a good lawyer. In this example, however, the choices present make this relatively easy. ECC wants ethical hackers to report any illegal activity they find. Period. Possession of child porn is a crime no matter what, so again in this particular case, stop your testing and report it to the authorities.

A and B are incorrect because regardless of reporting, you should immediately stop
D. I hesitated to add this question, for reasons that are obvious and some that aren’t, but in the interest of covering everything, I felt I must. First and foremost, in the real world, discovery of something that you think might be illegal activity puts you and your team in a very, very tricky spot. Should you accuse fill-in-the-blank of a crime and involve the authorities, you could be setting yourself up for lawsuits and all sorts of trouble. On the other hand, if you ignore it, you might be found complicit, or at the very least negligent. In the real world, the answer is to make sure your scope agreement advises you and the client of your duty regarding potential criminal activity found during the scope of your investigation. No guessing is allowed—it better be iron-clad evidence, obvious to all, or you’re in a world of hurt. Lastly, what potentially illegal activity you discover may determine your response regardless of ROE (Rules of Engagement). If you discover child porn, you could be guilty of a crime for not reporting it, which isn’t necessarily true for many other crimes. For example, if you witness someone breaking into a house across your street, or were performing a pen test and reasonably suspected someone had already compromised the network, you are not compelled by law, in most states, to notify authorities. However, if you witness bodily harm, you likely would be compelled by law in most states. Speaking purely academically, it’s fairly clear cut and will be so on your exam. In the real world the true answer is to know the laws regarding your testing very well, and make sure your team has a good lawyer. In this example, however, the choices present make this relatively easy. ECC wants ethical hackers to report any illegal activity they find. Period. Possession of child porn is a crime no matter what, so again in this particular case, stop your testing and report it to the authorities. A and B are incorrect because regardless of reporting, you should immediately stop testing. Anything you do after discovery not only could destroy evidence but actually put you at risk. Who’s to say you didn’t put the item in question on the system, or by your action cause it to be there? Rest assured the defense attorney will posit that argument, should it come to that.

C is incorrect because you’ve already agreed to perform this work, and refusing to speak with the client isn’t helping anything at all. Again, this needs to be addressed in the scope agreement up front, so there should be no surprises. It may well be that Employee Joe has illegal stuff on his system, but that doesn’t necessarily mean the organization is complicit.

Question 23

Pre.23 Which of the following best describes an intranet zone?
A. It has few heavy security restrictions.
B.A highly secured zone, usually employing VLANs and encrypted communication channels.
C.A controlled buffer network between public and private networks.
D. A very restricted zone with no users.

Answer 23

A
A. An intranet can be thought of, for testing purposes, as your own happy little networking safe space. It’s protected from outside attacks and interference by the DMZ and all the layers of security on the outside. Internally, you don’t assign loads of heavy security restrictions, because, as explained in the security versus usability discussion in the CEH All-in-One Exam Guide, Fourth Edition, as security increases, usability and functionality decrease. If your organization’s users are on the intranet, you want them as productive as possible, right?

B is incorrect because this describes the management network zone. This zone is usually cordoned off specifically for infrastructure and management traffic. For obvious reasons, it’s highly secured. Look for “VLAN” and “IPSec” as keywords for this zone.

C is incorrect because this describes the DMZ. The demilitarized zone in military parlance refers to a section of land between two adversarial parties where there are no weapons and no fighting. The idea is you could see an adversary coming across and have time to work up a defense. In networking, the idea is the same: it’s a controlled, buffer network between you and the uncontrolled chaos of the Internet. And keep in mind DMZs aren’t just between the Internet and a network; they can be anywhere an organization decides they want or need a buffer—inside or outside various inter and intra nets. DMZ networks provide great opportunity for good security measures, but can also sometimes become an Achilles’ heel when too much trust is put into their creation and maintenance.

D is incorrect because this describes the production network zone (PNZ). The PNZ is a very restricted zone that strictly controls direct access from uncontrolled zones. The PNZ supports functions and actions that must have strict access control. As an aside, the PNZ is not designed to hold users.

Question 24

Pre.1.2 A security team is implementing various security controls across the organization. After several configurations and applications, a final agreed-on set of security controls is put into place; however, not all risks are mitigated by the controls. Of the following, which is the next best step?
A.Continue applying controls until all risk is eliminated.
B.Ignore any remaining risk as “best effort controlled.”
C.Ensure that any remaining risk is residual or low and accept the risk.
D. Remove all controls.

Answer 24

C
C. Remember at the beginning of this chapter when I said the process of elimination may be your best bet in some cases? Well, even if you aren’t well-versed in risk management and security control efforts, you could narrow this down to the correct answer. It is impossible to remove all risk from any system and still have it usable. I’m certain there are exceptions to this rule (maybe super-secret machines in underground vaults buried deep within the earth, running on geothermal-powered batteries, without any network access at all and controlled by a single operator who hasn’t seen daylight in many years), but in general the goal of security teams has always been to reduce risk to an acceptable level.

A is incorrect because, as I just mentioned, it’s impossible to reduce risk to absolute zero and still have a functional system. CEH Certified Ethical Hacker All-in-One Exam Guide, Fourth Edition, discusses the Security, Functionality, and Usability triangle, where as you move toward more security, you move further away from functionality and usability.

B is incorrect because it’s just silly. If you’re a security professional and your response to a risk—any risk—is to ignore it, I can promise you won’t be employed for long. Sure, you can point out that it’s low or residual and that the chance for actual exploitation is next to nonexistent, but you can’t ignore it. Best effort is for kindergarten trophies and IP packet delivery.

D is incorrect because removing all controls is worse than ignoring the risk. If you remove everything, then all risks remain. Remember, the objective is to balance your security controls to cover as much risk as possible while leaving the system as usable and functional as possible.

Question 25

Pre.2.2 A Certified Ethical Hacker (CEH) follows a specific methodology for testing a system. Which step comes after footprinting in the CEH methodology? 
A.   Scanning 
B.   Enumeration 
C.   Reconnaissance 
D.   Application attack

Answer 25

A
A. CEH methodology is laid out this way: reconnaissance (footprinting), scanning and enumeration, gaining access, escalating privileges, maintaining access, and covering tracks. While you may be groaning about scanning and enumeration both appearing as answers, they’re placed here in this way on purpose. This exam is not only testing your rote memorization of the methodology but also how the methodology actually works. Remember, after scoping out the recon on your target, your next step is to scan it. After all, you have to know what targets are there first before enumerating information about them.

B is incorrect because, although it is mentioned as part of step 2, it’s actually secondary to scanning. Enumerating is used to gather more in-depth information about a target you already discovered by scanning. Things you might discover in scanning are IPs that respond to a ping. In enumerating each “live” IP, you might find open shares, user account information, and other goodies.

C is incorrect because reconnaissance and footprinting are interchangeable in CEH parlance. An argument can be made that footprinting is a specific portion of an overall recon effort; however, in all CEH documentation, these terms are used interchangeably.

D is incorrect because it references an attack. As usual, there’s almost always one answer you can throw out right away, and this is a prime example. We’re talking about step 2 in the methodology, where we’re still figuring out what

Question 26

Pre.3.2 
Your organization is planning for the future and is identifying the systems and processes critical for their continued operation. Which of the following best describes this effort? 
A.   BCP 
B.   BIA 
C.   DRP 
D.   ALE

Answer 26

B. A business impact analysis (BIA) best matches this description. In a BIA, the organization looks at all the systems and processes in use and determines which ones are absolutely critical to continued operation. Additionally, the assessor (the person or company conducting the analysis) will look at all the existing security architecture and make an evaluation on the likelihood of any system or resource being compromised. Part of this is assigning values to systems and services, determining the maximum tolerable downtime (MTD) for any, and identifying any overlooked vulnerabilities.

A is incorrect because a business continuity plan (BCP) contains all the procedures that should be followed in the event of an organizational outage—such as a natural disaster or a cyberattack. BCPs include the order in which steps should be taken and which system should be returned to service first. BCPs include DRPs (disaster recovery plans).

C is incorrect because a disaster recovery plan (DRP) contains steps and procedures for restoring a specific resource (service, system, and so on) after an outage. Usually DRPs are part of a larger BCP.

D is incorrect because the annualized loss expectancy (ALE) is a mathematical measurement of the cost of replacing or repairing a specific resource. ALE is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO). For example, if the total cost of a single loss of a resource is calculated at $1000 and you calculate there is a 10 percent chance it will fail in any given year, your ALE would be $100.

Question 27

Pre.4.2 Which incident response (IR) phase is responsible for setting rules, identifying the workforce and roles, and creating backup and test plans for the organization? 
A.   Preparation 
B.   Identification 
C.   Containment 
D.   Recovery

Answer 27

A. So even if you weren’t aware of incident response phases, this one should’ve been a rather easy guess. In the preparation phase, your IR (incident response) team should be preparing for an incident. Preparation includes lots of things—some of which are mentioned here. But virtually anything you can think of that does not involve actions taken during the incident belongs here. Training, exercises, and policies are all examples. As an aside, IR phases can be different depending on whom you ask and what the moon phase is, but generally IR is broken down into six phases: preparation, identification, containment, eradication, recovery, and lessons learned. Preparation we already covered. Identification refers to the steps taken to verify it’s actually an incident, and all the information surrounding that—source, destination(s), exploit used, malware used, and so on. Containment is the step used to cordon off the infected system(s) and to prevent any further spread of infection or attack. Eradication refers to steps taken to remove the malware (or other attack-related residuals, such as backdoors). Recovery involves the steps taken to rebuild and restore the system(s) and network to pre-attack status (with better security, I might add). Finally, lessons learned is exactly what it sounds like, and should feed right back into your organization’s preparation phase.

B is incorrect because the identification phase refers to the steps taken to verify the legitimacy of an active incident, as well as to gather information on the details of the attack.

C is incorrect because the containment phase deals with steps taken to reduce or prevent the spread of the infection or attack inside the network.

D is incorrect because the recovery phase deals with steps taken to restore and replace any resources damaged or affected by the attack footprint.

Question 28

Pre5.2 You’ve been hired as part of a pen test team. During the brief, you learn the client wants the pen test attack to simulate a normal user who finds ways to elevate privileges and create attacks. Which test type does the client want? 
A.   White box 
B.   Gray box 
C.   Black box 
D.   Hybrid

Answer 28

B. A gray-box test is designed to replicate an inside attacker. Otherwise known as the partial knowledge attack (don’t forget this term), the idea is to simulate a user on the inside who might know a little about the network, directory structure, and other resources in your enterprise. You’ll probably find this one to be the most enlightening attack in out-briefing your clients in the real world—it’s amazing what you can get to when you’re a trusted, inside user. As an aside, you’ll often find in the real world that gray-box testing can also refer to a test where any inside information is given to a pen tester—you don’t necessarily need to be a fully knowledgeable inside user. In other words, if you have usable information handed to you about your client, you’re performing gray-box testing.

A is incorrect because a white-box test provides all knowledge to the pen tester up front and is designed to simulate an admin on your network who, for whatever reason, decides to go on the attack. For most pen testers, this test is really just unfair. It’s tantamount to sending him into the Roman Colosseum armed with a .50-caliber automatic weapon to battle a gladiator who is holding a knife.

C is incorrect because black-box testing indicates no knowledge at all. And if you think about it, the name is easy to correlate and remember: black = no light. Therefore, you can’t “see” anything. This is the test most people think about when it comes to hacking. You know nothing and are (usually) attacking from the outside.

D is incorrect because, as far as I can tell from the EC-Council’s documentation, there is no terminology for a “hybrid-box” test. This is a little tricky because the term hybrid is used elsewhere—for attacks and other things. If you apply a little common sense here, this answer is easy to throw out. If you know everything about the target, it’s white. If you know nothing, it’s black. If you’re in the middle, it’s gray. See?

Question 29

Which of the following is defined as ensuring that the enforcement of organizational security policy does not rely on voluntary user compliance by assigning sensitivity labels on information and comparing this to the level of security a user is operating at? 
A.   Mandatory access control 
B.   Authorized access control 
C.   Role-based access control 
D.   Discretionary access control

Answer 29

A. Access control is defined as the selective restraint of access to a resource, and there are several overall mechanisms to accomplish this goal. Mandatory access control (MAC) is one type that constrains the ability of a subject to access or perform an operation on an object by assigning and comparing “sensitivity labels.” Suppose a person (or a process) attempts to access or edit a file. With MAC, a label is placed on the file indicating its security level. If the entity attempting to access it does not have that level, or higher, then access is denied. With mandatory access control, security is centrally controlled by a security policy administrator, and users do not have the ability to override security settings. This should not be confused with role-based access control (RBAC) systems, which may actually use MAC to get the job done. The difference is in whether the information itself has a labeled description or whether the person accessing it has their own label. For example, in a classified area, the information classified as Top Secret will have a label on it identifying it as such, while you, as an auditor, will have your own clearance and need-to-know label allowing you to access certain information. MAC is a property of an object; RBAC is a property of someone accessing an object.

B is incorrect because while authorized access control may sound great, it’s not a valid term.

C is incorrect because role-based access control can use MAC or discretionary access control to get the job done. With RBAC, the goal is to assign a role, and any entity holding that role can perform the duties associated with it. Users are not assigned permissions directly; they acquire them through their role (or roles). The roles are assigned to the user’s account, and each additional role provides its own unique set of permissions and rights.

D is incorrect because discretionary access control (DAC) allows the data owner, the user, to set security permissions for the object. If you’re on a Windows machine right now, you can create files and folders and then set sharing and permissions on them as you see fit. MAC administrators in the Department of Defense are shuddering at that thought right now.

Question 30

Pre.7.2 Which of the following statements is true regarding the TCP three-way handshake?
A.The recipient sets the initial sequence number in the second step.
B.The sender sets the initial sequence number in the third step.
C.When accepting the communications request, the recipient responds with an acknowledgement and a randomly generated sequence number in the second step.
D.When accepting the communications request, the recipient responds with an acknowledgement and a randomly generated sequence number in the third step.

Answer 30

C. The three-way handshake will definitely show up on your exam, and in much trickier wording than this. It’s easy enough to memorize “SYN, SYN/ACK, ACK,” but you’ll need more than that for the exam. In step 1, the host sends a segment to the server, indicating it wants to open a communications session. Inside this segment, the host turns on the SYN flag and sets an initial sequence number (any random 32-bit number). When the recipient gets the segment, it crafts a segment in response to let the host know it’s open and ready for the communications session. It does this by turning on the SYN and ACK flags, acknowledging the initial sequence number by incrementing it, and adding its own unique sequence number. Lastly, when the host gets this response back, it sends one more segment before the comm channel opens. In this segment, it sets the ACK flag and acknowledges the other’s sequence number by incrementing it. For example, suppose Host A is trying to open a channel with Server B. In this example, Host A likes the sequence number 2000, while Server B likes 5000. The first segment would look like this: SYN=1, ACK=0, ISN=2000. The response segment would look like this: SYN=1, ACK=1, ISN=5000, ACK NO=2001. The third and final segment would appear this way: SYN=0, ACK=1, SEQ NO=2001, ACK NO=5001.

A is incorrect because the initial sequence number is set in the first step.

B is incorrect for the same reason—the ISN is set in the first step.

D is incorrect because this activity occurs in the second step.

Question 31

Pre.8.2 Your network contains certain servers that typically fail once every five years. The total cost of one of these servers is $1000. Server technicians are paid $40 per hour, and a typical replacement requires two hours. Ten employees, earning an average of $20 per hour, rely on these servers, and even one of them going down puts the whole group in a wait state until it’s brought back up. Which of the following represents the ARO for a server? 
A.   $296 
B.   $1480 
C.   $1000 
D.   0.20

Answer 31

B. When performing business impact analysis (or any other value analysis for that matter), the annualized loss expectancy (ALE) is an important measurement for every asset. To compute the ALE, multiply the annualized rate of occurrence (ARO) by the single loss expectancy (SLE). The ARO is the frequency at which a failure occurs on an annual basis. In this example, servers fail once every five years, so the ARO would be 1 failure / 5 years = 20 percent.

A is incorrect because this value equates to the ALE for the example. ALE = ARO × SLE. In this example, the ARO is 20 percent and the SLE is $1480: cost of a server ($1000) plus the cost of technician work to replace it ($80) plus lost time for workers (10 employees × 2 hours × $20 an hour, which works out to $400). Therefore, ALE = 20 percent × $1480, or $296.

B is incorrect because this value corresponds to the SLE for this scenario. The SLE is the total cost for a single loss, so we need to count the cost of the server, plus the cost of the technician’s hours, plus any downtime measurements for other workers. In this case, SLE = $1000 (cost of server) + $80 (server tech hours) + $400 (10 employees × 2 hours × $20 an hour), or $1480.

C is incorrect because this number doesn’t match the ARO for the example.

Question 32

Pre.9.2 An ethical hacker is given no prior knowledge of the network and has a specific framework in which to work. The agreement specifies boundaries, nondisclosure agreements, and a completion date definition. Which of the following statements is true?
A.A white hat is attempting a black-box test.
B.A white hat is attempting a white-box test.
C.A black hat is attempting a black-box test.
D.A black hat is attempting a gray-box test.

Answer 32

A
A. I love these types of questions. Not only is this a two-for-one question, but it involves identical but confusing descriptors, causing all sorts of havoc. The answer to attacking such questions—and you will see them, by the way—is to take each section one at a time. Start with what kind of hacker he is. He’s hired under a specific agreement, with full knowledge and consent of the target, thus making him a white hat. That eliminates C and D right off the bat. Second, to address what kind of test he’s performing, simply look at what he knows about the system. In this instance, he has no prior knowledge at all (apart from the agreement), thus making it a black-box test.

B is incorrect because although the attacker is one of the good guys (a white hat, proceeding with permission and an agreement in place), he is not provided with full knowledge of the system. In fact, it’s quite the opposite—according to the question he knows absolutely nothing about the system, making this particular “box” as black as it can be. A white-box target indicates one that the attacker already knows everything about. It’s lit up and wide open.

C is incorrect right off the bat because it references a black hat. Black-hat attackers are the bad guys—the ones proceeding without the target’s knowledge or permission. They usually don’t have inside knowledge of their target, so their attacks often start “black box.”

D is incorrect for the same reason just listed: because this attacker has permission to proceed and is operating under an agreement, he can’t be a black-box attacker. Additionally, this answer went the extra mile to convince you it was wrong—and missed on both swings. Not only is this a white-hat

Question 33

Pre.10.2 Which of the following is a detective control? 
A.   Audit trail 
B.   CONOPS 
C.   Procedure 
D.   Smartcard authentication 
E.   Process

Answer 33

A
A. A detective control is an effort used to identify problems, errors, or (in the case of post-attack discovery) cause or evidence of an exploited vulnerability—and an audit log or trail is a perfect example. Ideally, detective controls should be in place and working such that errors can be corrected as quickly as possible. Many compliance laws and standards (the Sarbanes-Oxley Act of 2002 is one example) mandate the use of detective controls.

B is incorrect because a concept of operations (CONOPS) isn’t detective in nature. A CONOPS defines what a system is and how it is supposed to be used.

C is incorrect because a procedure is a document the spells out specific step-by-step instructions for a given situation or process.

D is incorrect because smartcard authentication is a preventive control, not a detective one. It’s designed to provide strong authentication, ideally preventing a problem in the first place.

E is incorrect because a process can refer to a lot of different things, depending on your definition and viewpoint, but is not detective in nature as a control. A process, in general, refers to a set of steps or actions directed at accomplishing a goal.

Question 34

Pre11.2 As part of a pen test on a U.S. government system, you discover files containing Social Security numbers and other sensitive personally identifiable information (PII). You are asked about controls placed on the dissemination of this information. Which of the following acts should you check? 
A.   FISMA 
B.   Privacy Act 
C.   PATRIOT Act 
D.   Freedom of Information Act

Answer 34

B
B. The Privacy Act of 1974 protects information of a personal nature, including Social Security numbers. The Privacy Act defines exactly what “personal information” is, and it states that government agencies cannot disclose any personal information about an individual without that person’s consent. It also lists 12 exemptions for the release of this information (for example, information that is part of a law enforcement issue may be released). In other questions you see, keep in mind that the Privacy Act generally will define the information that is not available to you in and after a test. Dissemination and storage of privacy information needs to be closely controlled to keep you out of hot water. As a side note, how you obtain PII is oftentimes just as important as how you protect it once discovered. In your real-world adventures, keep the Wiretap Act (18 U.S. Code Chapter 119—Wire and Electronic Communications Interception and Interception of Oral Communications) and others like it in mind.

A is incorrect because the Federal Information Security Management Act (FISMA) isn’t designed to control the dissemination of PII or sensitive data. Its primary goal is to ensure the security of government systems by promoting a standardized approach to security controls, implementation, and testing. The act requires government agencies to create a security plan for their systems and to have it “accredited” at least once every three years.

C is incorrect because the PATRIOT Act is not an effort to control personal information. Its purpose is to aid the U.S. government in preventing terrorism by increasing the government’s ability to monitor, intercept, and maintain records on almost every imaginable form of communication. As a side effect, it has also served to increase observation and prevention of hacking attempts on many systems.

D is incorrect because the Freedom of Information Act wasn’t designed to tell you what to do with information. Its goal is to define how you can get information—specifically information regarding how your governments work. It doesn’t necessarily help you in hacking, but it does provide a cover for a lot of information. Anything you uncover that could have been gathered through the Freedom of Information Act is considered legal and should be part of your overall test.

Question 35

Pre.12.2 Four terms make up the Common Criteria process. Which of the following contains seven levels used to rate the target? 
A.   TOE 
B.   ST 
C.   PP 
D.   EAL

Answer 35

D
D. Common Criteria is an international standard of evaluation of Information Technology (IT) products. Per the website (https://www.commoncriteriaportal.org/), Common Criteria ensures evaluations and ratings “are performed to high and consistent standards and are seen to contribute significantly to confidence in the security of those products and profiles.” Four terms within Common Criteria make up the process. The EAL (Evaluation Assurance Level) is made up of seven levels, which are used to rate a product after it has been tested. The current EAL levels are as follows: • EAL1: Functionally tested • EAL2: Structurally tested • EAL3: Methodically tested and checked • EAL4: Methodically designed, tested, and reviewed • EAL5: Semi-formally designed and tested • EAL6: Semi-formally verified, designed, and tested • EAL7: Formally verified, designed, and tested

A is incorrect because TOE is the target of evaluation—the system or product actually being tested.

B is incorrect because ST is the security target—the documentation describing the target of evaluation and any security requirements.

C is incorrect because PP is the protection profile—a set of security requirements for the product type being tested.

Question 36

Pre.24 A machine in your environment uses an open X-server to allow remote access. The X-server access control is disabled, allowing connections from almost anywhere and with little to no authentication measures. Which of the following are true statements regarding this situation? (Choose all that apply.)

A.An external vulnerability can take advantage of the misconfigured X-server threat.
B.An external threat can take advantage of the misconfigured X-server vulnerability.
C.An internal vulnerability can take advantage of the misconfigured X-server threat.
D.An internal threat can take advantage of the misconfigured X-server vulnerability.

Answer 36

B, D
B, D. This is an easy one because all you have to understand are the definitions of threat and vulnerability. A threat is any agent, circumstance, or situation that could potentiality cause harm or loss to an IT asset. In this case, the implication is the threat is an individual (hacker) either inside or outside the network. A vulnerability is any weakness, such as a software flaw or logic design, that could be exploited by a threat to cause damage to an asset. In both these answers, the vulnerability—the access controls on the X-server are not in place—can be exploited by the threat, whether internal or external.

A and C are both incorrect because they list the terms backward. Threats take advantage of vulnerabilities and exploit them, not the other way around.

Question 37

Pre.25 While performing a pen test, you find success in exploiting a machine. Your attack vector took advantage of a common mistake—the Windows 7 installer script used to load the machine left the administrative account with a default password. Which attack did you successfully execute? 
A.   Application level 
B.   Operating system 
C.   Shrink wrap 
D.   Social engineering 
E.   Misconfiguration

Answer 37

B
B. Operating system (OS) attacks target common mistakes many people make when installing operating systems (for instance, accepting and leaving all the defaults). Examples usually include things such as administrator accounts with no passwords, ports left open, and guest accounts left behind. Another OS attack you may be asked about deals with versioning. Operating systems are never released fully secure and are consistently upgraded with hotfixes, security patches, and full releases. The potential for an old vulnerability within the enterprise is always high.

A is incorrect because application-level attacks are centered on the actual programming code of an application. These attacks are usually successful in an overall pen test because many people simply discount the applications running on their OS and network, preferring to spend their time hardening the OSs and network devices. Many applications on a network aren’t tested for vulnerabilities as part of their creation and, therefore, have many vulnerabilities built in.

C is incorrect because shrink-wrap attacks take advantage of the built-in code and scripts most off-the-shelf applications come with. These attacks allow hackers to take advantage of the very things designed to make installation and administration administration easier. These shrink-wrapped snippets make life easier for installation and administration, but they also make it easier for attackers to get in.

D is incorrect because social engineering isn’t relevant at all in this question. There is no human element here, so this one can be thrown out.

E is incorrect because misconfiguration attacks take advantage of systems that are, on purpose or by accident, not configured appropriately for security. For example, suppose an administrator wants to make things as easy as possible for the users and, in keeping with security and usability being on opposite ends of the spectrum, leaves security settings at the lowest possible level, enabling services, opening firewall ports, and providing administrative privileges to all users. It’s easier for the users but creates a target-rich environment for the hacker.