Mock Exam 1 Flashcards
You are the Chief Information Security Officer (CISO), and have been invited to meet with the board of directors at their monthly meeting. In that meeting, the CEO states that someone called Joe Hopkins from the help desk has been calling him and some of the board members to help reset their passwords as the old passwords were too insecure. The financial director found this very strange as this Joe Hopkins is not on the payroll. Which of the following is the BEST answer for what has been discovered?
A. Social engineering.
B. Spear phishing.
C. Vishing attack.
D. Password cracking.
E. Phishing.
F. Replay.
A. Social engineering.
Concept: This is a social engineering impersonation attack in which Joe pretends to be from the help desk. The financial director confirms it by noting that no such person is on the payroll.
You are the cybersecurity administrator for a large company that has offices in Stuttgart. The SIEM system alerts you that files are being deleted on file server FS001. The cyber administrator cannot find any remote connection to the file server. He then quarantines the file server from the network. The deletion of the files is still in progress. The forensics team discovers that a script was placed there by Dave Lloyd, who had left the company exactly four weeks ago. Which of the following BEST describes the actions of Dave Lloyd?
a. Dave Lloyd installed a RAT into the file server and is actively removing files.
b. Dave Lloyd placed a logic bomb on the file server to delete the files once he had gone so that he was not a suspect.
c. Dave Lloyd installed ransomware to encrypt the customers’ critical files.
d. Dave Lloyd connected through a VPN connection and remotely deleted files.
B
Dave Lloyd left exactly four weeks ago, and logic bombs fire on a trigger; here, the trigger was the four-week delay.
Following an annual penetration test, the chief information security officer notices in the final report that all of the company’s domain controllers are vulnerable to a pass‐the‐hash attack. Which of the following actions should the company take to mitigate the risk (choose TWO)?
a. Enable CHAP.
b. Disable CHAP.
c. Disable NTLM.
d. Disable MD5.
e. Enable Kerberos.
f. Disable PAP.
c, e
A pass-the-hash attack relies on NTLM authentication; therefore, disabling NTLM or using Kerberos authentication will each prevent the attack.
The new interns in the IT team are having a heated discussion on the differences between cross-site scripting and cross-site request forgery vulnerabilities. They have four different scenarios and want you, as the chief information security officer, to provide a solution. Which of the following will you select?
a. Cross-site request forgery does not need the victim to be authenticated by a domain controller.
b. Cross-site scripting needs the attacker to be authenticated by the domain controller.
c. Cross-site scripting does not need the victim to be authenticated by the trusted server.
d. Cross-site request forgery needs the victim to be authenticated by the trusted server.
c.
Cross-site scripting (XSS) can normally be identified by its use of HTML tags and JavaScript. The target of the attack does not need any type of authentication. Cross-site request forgery (XSRF or CSRF) needs the victim to be authenticated to the web server, not to the trusted server.
A well-known hacker called Mark Birch has been detained by the local police. When they searched his home, they found various pieces of information about your company on a large whiteboard. The information had been obtained from social media websites such as Facebook and LinkedIn. It has details about the company's hierarchy, the executives, administrators, and help-desk staff. Which of the following BEST describes the type of attack he has carried out?
a. White-box testing.
b. Passive reconnaissance.
c. Black-box testing.
d. Initial exploitation.
e. Gray-box testing.
f. Intrusive scanning.
b
Passive reconnaissance is where information is gathered about the company, but no real action has been taken.
You are a cybersecurity analyst working for the local police department because of an increase in crime that exploits vulnerabilities in IoT devices. You are running a one-hour session to advise homeowners on the following:
- The attack vector of MFDs used at home
- Control of passwords with IoT devices
- How to ensure that no attacks can be carried out through IoT devices
Which of the following BEST meets the preceding objectives (choose THREE)?
a. Prevent IoT devices connecting directly to the internet.
b. Ensure that you have faster bandwidth to enable the smooth running of IoT devices.
c. MFD devices are attacked via their spooler.
d. MFD devices are attacked via their network interface.
e. Change the default username and password one day after device activation, as it takes that long to be established.
f. Change the default username and password immediately.
a, d, f
Most IoT devices are used at home, where the user is typically unaware of any vulnerabilities. Preventing them from connecting directly to the internet and changing the default settings, including the password, makes them safer, because the default passwords are freely available on the internet. You must not assume that all IoT devices have printing capabilities just because the question uses the phrase printers and MFD devices. They connect to the internet via their network interface, whether wireless or cabled.
You are the chief information security officer for a large multinational corporation that has offices in Hong Kong, London, Paris, and New York. The New York office has 100 employees, the Hong Kong office has five employees, Paris has four employees, and London has the most, with 10,000 employees. You have purchased a small company based in Alaska that has four people. They have been using weak passwords. Which of the following is a compensating control that could be adopted to BEST mitigate the risk of using weak passwords?
a. Use a password history with a value of 3.
b. Implement time‐based one-time passwords.
c. Increase the password history to a value of 20.
d. Set the account lockout to a value of 1.
e. Set the password expiry to three days.
e
We should never use weak passwords; however, if the exam says they are in use, we have to accept that. The only way to mitigate the risk is to use a very short password expiry time.
What type of attack is a Padding Oracle On Downgraded Legacy Encryption (POODLE) attack (choose TWO)?
a. IV attack.
b. Replay attack.
c. Man‐in‐the-middle attack.
d. TLS 1.0 with electronic codebook.
e. SSL 3.0 with cipher-block chaining.
c, e
A POODLE attack is a man-in-the-middle attack that exploits a browser downgraded to SSL 3.0 with CBC.
The cybersecurity team have set up a honeypot to track the attack vector of a newly released malware. As they review the virus, they notice that the hash value of the malware changes from host to host. Which of the following types of malware has been detected?
a. Virus.
b. RAT.
c. Worm.
d. Logic bomb.
e. Polymorphic virus.
e
A polymorphic virus mutates as it replicates; that is why the hash is changing.
The cybersecurity team have looked at the latest trends and have identified that there has been an increase in brute-force attacks. Which of the following is a random value that can be appended to the stored password to make it more difficult for a brute-force password attack to be carried out (choose TWO)?
a. Obfuscation.
b. Nonce.
c. Key stretching.
d. Salting.
c, d
Both salting and key stretching increase the password length by appending random characters to the end of the password.
There has been a spate of DNS-poisoning attacks and your company wants to make itself resilient against these attacks. Your company wants to encrypt the DNS traffic by using DNSSEC. Once you have signed the zone, what record is created for each host?
a. CNAME.
b. SPF.
c. RRSIG.
d. MX.
e. PTR.
c
DNSSEC encrypts DNS traffic, preventing DNS poisoning, and produces RRSIG records.
A security administrator discovers that an attacker used a compromised host as a platform for launching attacks deeper into a company’s network. What terminology BEST describes the use of the compromised host?
a. Brute force.
b. Active reconnaissance.
c. Pivoting.
d. Passing point.
c
Pivoting is where an attacker enters your network via a vulnerable host and then attacks a secondary host from it.
At what stage of the SDLC are computer systems no longer supported by the original vendor?
a. Sandboxing.
b. End‐of‐life systems.
c. Resource exhaustion.
d. System sprawl.
b
End‐of‐life systems are no longer supported, updated, or patched by the vendor, making them vulnerable to attack.
Company A has just developed a bespoke system for booking airline tickets. What is it called if a freelance coding specialist tests it for security flaws?
a. Code review.
b. Static-code review.
c. Regression testing.
d. Dynamic-code review.
c
Regression testing is where a coding expert checks your code.
You are the security administrator for an airline company that suffered a loss of availability of its systems last month. Which of the following attacks would MOST LIKELY affect the availability of your IT systems?
a. Spear phishing.
b. Replay.
c. Man‐in‐the‐middle.
d. DoS.
d
Loss of availability means the system is down; DoS is where one host takes down another and is the most likely answer.
You are a lecturer in a college and you need to deliver a session on salting passwords. What are the two main reasons you would salt passwords?
a. To slow down brute-force attacks.
b. To make access to the password slower.
c. To prevent duplicate passwords from being stored.
d. To stop simple passwords from being used.
a, c
Salting appends random characters to a password; therefore, it makes the password longer and more difficult to crack. If two people use the same password, the random characters appended to them make them unique.
An auditor is carrying out an annual inspection of a SCADA network and finds that the programmable logic controllers (PLCs) have not been updated since last year. Upon further investigation, it is discovered that the company manufacturing these PLCs has gone into liquidation, making these controllers end-of-life systems. The manufacturer is currently looking for another company to make an upgraded PLC. Which of the following recommendations should the auditor make to the management team to mitigate the risk in the short term?
a. Remove the PLCs from the manufacturing infrastructure.
b. Produce their own updated PLCs for the firmware.
c. Set up a SIEM system for real-time monitoring of the SCADA system.
d. Place the PLCs in a VLAN.
d
If a system or a printer is vulnerable and it cannot be replaced, we can segment it from the rest of the network by placing it in a VLAN.
The security administrator has identified an unknown vulnerability on an application that is used infrequently. They have isolated the application and gathered information to send to the vendor so that a patch can be produced. Once the company receives a patch for the application, what is the best way for the company to test the application before rolling it out into production?
a. Obfuscation.
b. VLAN.
c. Regression testing.
d. Sandboxing.
d
Sandboxing can be used to isolate an application for testing or patching or because it is dangerous. The Linux version is called chroot jail.
What is it called when a user has exploited an IT system so that he has obtained access to all files on the file server?
a. Remote exploit.
b. Zero‐day exploit.
c. Privilege escalation.
d. Pivoting.
c
It takes someone with admin rights to access all files; therefore, the user would need to have carried out privilege escalation to do so.
Which of the following is an email‐based attack on all members of the sales team?
a. Phishing.
b. Vishing.
c. Spear phishing.
d. Pharming.
c
An email attack on a group of users is called spear phishing. Watch out in the exam for plural words. Phishing is attacking one person by email.