Matt Walker - REAL PRE-ASSESSMENT Flashcards
RPRE.1 A vendor is alerted of a newly discovered flaw in its software that presents a major vulnerability to systems. While working to prepare a fix action, the vendor releases a notice alerting the community of the discovered flaw and providing best practices to follow until the patch is available. Which of the following best describes the discovered flaw?
A. Input validation flaw
B. Shrink-wrap vulnerability
C. Insider vulnerability
D. Zero day
D
D. Zero day means there has been no time to work on a solution. The bad news is that the discovery by security personnel of the existing vulnerability doesn’t mean it just magically popped up—it means it has been there without the good guys’ knowledge and could have already been exploited. A, B, and C are incorrect. A is incorrect because input validation refers to verifying that a user’s entry into a form or field contains only what the form or field was designed to accept. B and C are incorrect because the terms shrink-wrap vulnerability and insider vulnerability are not valid so far as your exam is concerned.
RPRE.2 A security professional applies encryption methods to communication channels. Which security control role is she attempting to meet?
A. Preventive
B. Detective
C. Defensive
D. Corrective
A
A. Controls fall into three categories: preventive, detective, and corrective. In this instance, encryption of data is designed to prevent unauthorized eyes from seeing it. Depending on the encryption used, this can provide for confidentiality and nonrepudiation and is most definitely preventive in nature.
B, C, and D are incorrect. B is incorrect because detective controls are designed to watch for security breaches and detect when they occur. C is incorrect because defensive is not a control category. D is incorrect because corrective controls are designed to fix things after an attack has been discovered and stopped.
RPRE.3 Bob is working with senior management to identify the systems and processes that are critical for operations. As part of this business impact assessment, he performs calculations on various systems to place a value on them. On a certain server he discovers the following:
• The server costs $2500 to purchase.
• The server typically fails once every five years.
• The salary for the technician to repair a server failure is $40 an hour, and it typically takes two hours to fully restore the server after a failure.
• The accounting group has five employees paid at $25 an hour who are at a standstill during an outage.
What is the ALE for the server?
A. 20%
B. $2830
C. $566
D. $500
C
C. ALE = ARO × SLE. To find the correct annualized loss expectancy, multiply the percentage of time it is likely to occur annually (annual rate of occurrence—in this case, 0.2 [1 failure / 5 years = 20%]) by the amount of cost incurred from a single failure (single loss expectancy—in this case, $80 [for the repair guy] + $250 [5 employees at $25 an hour for 2 hours] + $2500 (replacement of server) = $2830). ALE = 0.2 × $2830, so the ALE for this case is $566.
A, B, and D are incorrect. A is incorrect because 20% is the ARO for this scenario (1 failure / 5 years). B is incorrect because $2830 is the SLE for this scenario (repair guy cost + lost work from accounting guys + replacement of server, or $80 + $250 + $2500). D is incorrect because $500 would be the ALE if you did not take into account the technician and lost work production.
RPRE.4 You’ve discovered a certain application in your environment that has been proven to contain vulnerabilities. Which of the following actions best describes avoiding the risk?
A. Remove the software from the environment.
B. Install all known security patches for the application.
C. Install brand-new software guaranteed by the publisher to be free of vulnerabilities.
D. Leave the software in place.
A
A. Removing the software or service that contains a vulnerability is described as avoiding the risk—if it’s not there to be exploited, there’s no risk.
B, C, and D are incorrect. B is incorrect because installing patches (or a new version) is an attempt to mitigate risk. C is incorrect because installing different software without vulnerabilities is called transferring risk (however, I don’t care what the software publisher says, the community will determine if there are vulnerabilities). D is incorrect because leaving the software in place is an example of accepting the risk: maybe there are security controls in place to where the chance of the vulnerabilities being exploited is so small you’re willing to just accept that they exist.
RPRE.5 James is a member of a pen test team newly hired to test a bank’s security. He begins searching for IP addresses the bank may own, using public records on the Internet, and he also looks up news articles and job postings to discover information that may be valuable. In what phase of the pen test is James working?
A. Reconnaissance
B. Pre-attack
C. Assessment
D. Attack
E. Scanning
B
B. The pre-attack phase (a.k.a. the preparation phase) is where all this activity takes place—including the passive information gathering performed by James in this example. This would be followed by the attack and post-attack phases.
A, C, D, and E are incorrect.
A and E are incorrect because reconnaissance and scanning are part of the ethical hacking phases (reconnaissance, scanning/enumeration, gaining access, maintaining access, and clearing tracks), not pen test phases.
C is incorrect because assessment is akin to the attack phase.
RPRE.6 Enacted in 2002, this U.S. law requires every federal agency to implement information security programs, including significant reporting on compliance and accreditation. Which of the following is the best choice for this definition?
A. FISMA
B. HIPAA
C. NIST 800-53
D. OSSTMM
A
A. FISMA has been around since 2002 and was updated in 2014. It gave certain information security responsibilities to NIST, OMB, and other government agencies, and declared the Department of Homeland Security (DHS) as the operational lead for budgets and guidelines on security matters.
B, C, and D are incorrect. These do not match the description.
RPRE.7 You are examining a Wireshark capture. Which of the following MAC addresses would indicate a broadcast packet?
A. AA:AA:AA:AA:AA:AA
B. FF:FF:FF:FF:FF:FF
C. 11:11:11:11:11:11
D. 99:99:99:99:99:99
B
B. You’ll see a few base-level network knowledge questions peppered throughout the exam, and this is one example. A NIC seeing a MAC of FF:FF:FF:FF:FF:FF knows the packet is broadcast in nature and passes it up the stack for processing.
A, C, and D are incorrect. These addresses do not match broadcast frames.
RPRE.8 Which Google operator is the best choice in searching for a particular string in the website’s title?
A. intext:
B. inurl:
C. site:
D. intitle:
D
D. Google hacking refers to manipulating a search string with additional specific operators to search for valuable information. The intitle: operator will return websites with a particular string in their title. Website titles can contain legitimate descriptions of the page, author information, or a list of words useful for a search engine.
A, B, and C are incorrect. A is incorrect because the intext: operator looks for pages that contain a specific string in the text of the page body. B is incorrect because the inurl: operator looks for a specific string within the URL. C is incorrect because the site: operator limits the current search to only the specified site (instead of the entire Internet).
RPRE.9 An ethical hacker begins by visiting the target’s website and then peruses social networking sites and job boards looking for information and building a profile on the organization. Which of the following best describes this effort?
A. Active footprinting
B. Passive footprinting
C. Internet footprinting
D. Sniffing
B
B. Footprinting competitive intelligence is a passive effort because competitive intelligence is open and accessible to anyone. Passive footprinting is an effort that doesn’t usually put you at risk of discovery.
A, C, and D are incorrect. A is incorrect because this is not active footprinting: no internal targets have been touched and there is little to no risk of discovery. C is incorrect because Internet footprinting isn’t a legitimate term to commit to memory. D is incorrect because sniffing is irrelevant to this question.
RPRE.10 Internet attackers—state sponsored or otherwise—often discover vulnerabilities in a service or product but keep the information quiet and to themselves, ensuring the vendor is unaware of the vulnerability, until the attackers are ready to launch an exploit. Which of the following best describes this?
A. Zero day
B. Zero hour
C. No day
D. Nada sum
A
A. A zero-day attack is one carried out on a vulnerability the good guys didn’t even know existed. The true horror of this attack is that you do not know about the vulnerability until it’s far too late.
B, C, and D are incorrect. These answers are not legitimate terms.
RPRE.11 The organization has a DNS server out in the DMZ and a second one internal to the network. Which of the following best describes this DNS configuration?
A. Schematic DNS
B. Dynamic DNS
C. DNSSEC
D. Split DNS
D
D. Split DNS is recommended virtually everywhere. Internal hosts may need to see everything internal, but external hosts do not. Keep internal DNS records split away from external ones, as there is no need for anyone outside your organization to see them.
A, B, and C are incorrect. These answers are all distractors.
RPRE.12 Search engines assist users in finding the information they want on the Internet. Which of the following is known as the hacker’s search engine, explicitly allowing you to find specific types of computers (for example, routers or servers) connected to the Internet?
A. Whois
B. Shodan
C. Nslookup
D. Burp Suite
B
B. Shodan allows users to search for very specific types of hosts, which can be very helpful to attackers—ethical or not.
A, C, and D are incorrect.
A is incorrect because whois provides registrar and technical POC information.
C is incorrect because nslookup is a command-line tool for DNS lookups.
D is incorrect because Burp Suite is a website/application hacking tool.
RPRE.13 Which of the following methods correctly performs banner grabbing with telnet on a Windows system?
A. telnet 80
B. telnet 80
C. telnet 80 -u
D. telnet 80 -u
A
A. Telnetting to port 80 will generally pull a banner from a web server. You can telnet to any port you want to check, for that matter, and ideally pull a banner from it; however, port 80 just seems to be the one used on the exam the most.
B, C, and D are incorrect. These are all bad syntax for telnet.
RPRE.14 Which TCP flag instructs the recipient to ignore buffering constraints and immediately send all data?
A. URG
B. PSH
C. RST
D. BUF
B
B. It may look like an urgent request, but don’t fall for it—the URG flag isn’t apropos here; the PSH flag is designed for these scenarios.
A, C, and D are incorrect.
A is incorrect because the URG flag is used to inform the receiving stack that certain data within a segment is urgent and should be prioritized (not used much by modern protocols).
C is incorrect because the RST flag forces a termination of communications (in both directions).
D is incorrect because BUF is not a TCP flag.
RPRE.15 Which of the following correctly describes the TCP three-way handshake?
A. SYN, ACK, SYN/ACK
B. SYN, SYN/ACK, ACK
C. ACK, SYN, ACK/SYN
D. ACK, ACK/SYN, SYN
B
B. This is bedrock knowledge you should already have memorized from Networking 101 classes. TCP starts a communication with a synchronize packet (with the SYN flag set). The recipient acknowledges this by sending both the SYN and ACK flags. Finally, the originator acknowledges communications can begin with an ACK packet.
A, C, and D are incorrect. These answers do not have the correct three-way handshake order.
RPRE.16 You are examining the results of a SYN scan. A port returns a RST/ACK. What does this mean?
A. The port is open.
B. The port is closed.
C. The port is filtered.
D. Information about this port cannot be gathered.
B
B. Think about a TCP handshake—SYN, SYN/ACK, ACK—and then read this question again. Easy, right? In a SYN scan, an open port is going to respond with a SYN/ACK, and a closed one is going to respond with a RST/ACK.
A, C, and D are incorrect. A is incorrect because the return response indicates the port is closed. C is incorrect because a filtered port likely wouldn’t respond at all. D is incorrect because an open port would respond with a SYN/ACK.
RPRE.17 You want to run a reliable scan but remain as stealthy as possible. Which of the following nmap commands best accomplishes your goal?
A. nmap -sN targetIPaddress
B. nmap -sO targetIPaddress
C. nmap -sS targetIPaddress
D. nmap -sT targetIPaddress
C
C. A full-connect scan would probably be best, provided you run it slowly. However, given the choices, a half-open scan, as defined by this nmap command line, is the best remaining option.
A, B, and D are incorrect. A is incorrect because a null (-sN) scan probably won’t provide the reliability asked for because it doesn’t work on Windows hosts at all. B is incorrect because an operating system (-sO) scan would prove too noisy. D is incorrect because a full scan (-sT) would provide reliable results, but without a timing modifier to greatly slow it down, it will definitely be seen.
RPRE.18 You are examining a host with an IP address of 65.93.24.42/20, and you want to determine the broadcast address for the subnet. Which of the following is the correct broadcast address for the subnet?
A. 65.93.24.255
B. 65.93.0.255
C. 65.93.32.255
D. 65.93.31.255
E. 65.93.255.255
D
D. If you view the address 65.93.24.42 in binary, it looks like this: 01000001.01011101.00011000.00101010. The subnet mask given (/20) tells you only the first 20 bits count as the network ID (which cannot change if we are to stay in the same subnet), and the remaining 12 bits belong to the host. Turning off all the host bits (after the 20th bit) gives you your network ID: 01000001.01011101.00010000.00000000 (65.93.16.0/20). Turning on all the host bits gives you your broadcast address: 01000001.01011101.00011111.11111111 (65.93.31.255/20).
A, B, and C are incorrect. These answers do not match the broadcast address for this subnet.
RPRE.19 Angie captures traffic using Wireshark. Which filter should she apply to see only packets sent from 220.99.88.77?
A. ip = 220.99.88.77
B. ip.src == 220.99.88.77
C. ip.equals 220.99.88.77
D. ip.addr == 220.99.88.77
B
B. The ip.src == xxxx filter tells Wireshark to display only those packets with the IP address xxxx in the source field.
A, C, and D are incorrect. These are incorrect Wireshark filters.
RPRE.20 A systems administrator notices log entries from a host named MATTSYS (195.16.88.12) are not showing up on the syslog server (195.16.88.150). Which of the following Wireshark filters would show any attempted syslog communications from the machine to the syslog server?
A. tcp.dstport==514 && ip.dst==195.16.88.150
B. tcp.srcport==514 && ip.src==195.16.88.12
C. tcp.dstport==514 && ip.src==195.16.88.12
D. udp.dstport==514 && ip.src==195.16.88.12
D
D. This Wireshark filter basically says, “Show all packets with a destination port of 514 (generally associated with—and some would say defaulting as—syslog) coming from MATTSYS (whose IP address is 195.16.88.12).”
A, B, and C are incorrect. They do not match the correct syntax.
RPRE.21 Which IoT communication model allows the data from IoT devices to be accessed by a third party?
A. Device-to-Device
B. Device-to-Cloud
C. Device-to-Gateway
D. Back-End Data Sharing
D
D. In the Back-End Data-Sharing model, a third party is allowed access to data from the devices. The IoT devices upload data to the cloud, where the third party can collect and analyze it.
A, B, and C are incorrect. These are all valid IoT communication models; however, they do not match the criteria of data sharing with third parties.
RPRE.22 A pen tester connects a laptop to a switch port and enables promiscuous mode on the NIC. He then turns on Wireshark and leaves for the day, hoping to catch interesting traffic over the next few hours. Which of the following statements is true regarding this scenario? (Choose all that apply.)
A. The packet capture will provide the MAC addresses of other machines connected to the switch.
B. The packet capture will provide only the MAC addresses of the laptop and the default gateway.
C. The packet capture will display all traffic intended for the laptop.
D. The packet capture will display all traffic intended for the default gateway.
A, C
A, C. Switches are designed to filter traffic—that is, they send traffic intended for a destination MAC only to the port that holds that MAC address as an attached host. The exceptions, however, are broadcast and multicast traffic, which get sent out every port. Because ARP is broadcast in nature, all machines’ ARP messages would be viewable.
B and D are incorrect. The switch will filter traffic to the laptop, and MAC addresses will be available from the broadcast ARPs.
RPRE.23 Which of the following statements best describes port security?
A. It stops traffic sent to a specified MAC address from entering a port.
B. It allows traffic sent to a specific MAC address to enter a port.
C. It stops traffic from a specific MAC from entering a port.
D. It allows traffic from a specific MAC address to enter a port.
C
C. In ARP poisoning, the bad guy keeps injecting a bad IP-to-MAC mapping in order to have traffic intended for the target go somewhere else.
A, B, and D are incorrect. None of these answers correctly describes ARP poisoning. Yes, it’s true an attacker may be sending thousands of ARP packets through a switch to the target, but that in and of itself does not ARP poisoning make.