Practice Exam 12 Flashcards
PE12.1 While observing a target organization’s building, you note the lone entrance has a guard posted just inside the door. After entering the external door, you note the lobby of the building is separated from the external door by a small glass-paneled room, with a closed door facing the exterior and a closed door to the interior. There appears to be an RFID scanning device and a small keyboard with video display in the room. Which of the following best defines this physical security control?
A. Guard shack
B. Turnstile
C. Man shack
D. Man trap
D
D. If you took a test on college football history, you know it would contain a question about Alabama. If you took one on trumpet players, there’d be one about Dizzy Gillespie. And if you take a test on physical security measures for Certified Ethical Hacker, you’re going to be asked about the man trap. EC-Council loves it that much. A man trap is nothing more than a locked space you can hold someone in while verifying their right to proceed into the secured area. It’s usually a glass (or clear plastic) walled room that locks the exterior door as soon as the person enters. Then there is some sort of authentication mechanism, such as a smartcard with a PIN or a biometric system. Assuming the authentication is successful, the second door leading to the interior of the building will unlock, and the person is allowed to proceed. If it’s not successful, the doors will remain locked until the guard can check things out. As an aside, in addition to authentication, some man traps add other checks, such as measuring the person’s weight to see if they’ve mysteriously gained or lost 20 pounds since Friday. A few other notes here may be of use to you: First, I’ve seen a man trap defined as either manual or automatic, where manual has a guard locking and unlocking the doors, and automatic has the locks tied to the authentication system, as described previously. Second, a man trap is also referred to in some definitions as an air lock. Should you see that term on the exam, know that it is referring to the man trap. Lastly, man traps in the real world can sometimes come in the form of a rotating door or turnstile, locking partway around if the person doesn’t authenticate properly. And, on some of the really fancy ones, sensors will lock the man trap if two people are trying to get through at the same time.
A is incorrect because this question is not describing a small location at a gate where guards are stationed. Traditionally, guard shacks are positioned at gates to the exterior wall or the gate of the facility, where guards can verify identity before allowing people through to the parking lot.
B is incorrect because a turnstile is not being described here, and, frankly, it does absolutely nothing for physical security. Anyone who has spent any time in subway systems knows this is true: watching people jump the turnstiles is a great spectator sport.
C is incorrect because, so far as I know, man shack is not a physical security term within CEH. It’s maybe the title of a 1970s disco hit, but not a physical security term you’ll need to know for the exam.
PE12.2 In your social engineering efforts, you call the company help desk and pose as a user who has forgotten a password. You ask the technician to help you reset your password, which they happily comply with. Which social engineering attack is in use here?
A. Piggybacking
B. Reverse social engineering
C. Technical support
D. Halo effect
C
C. Although it may seem silly to label social engineering attacks (because many of them contain the same steps and bleed over into one another), you’ll need to memorize them for your exam. A technical support attack is one in which the attacker calls the support desk in an effort to gain a password reset or other useful information. This is a valuable method because if you get the right help desk person (that is, someone susceptible to a smooth-talking social engineer), you can get the keys to the kingdom.
A is incorrect because piggybacking refers to a method to gain entrance to a facility—not to gain passwords or other information. Piggybacking is a tactic whereby the attacker follows authorized users through an open door without any visible authorization badge at all.
B is incorrect because reverse social engineering refers to a method where an attacker convinces a target to call him with information. The method involves marketing services (providing the target with your phone number or e-mail address in the event of a problem), sabotaging the device, and then awaiting a phone call from the user.
D is incorrect because halo effect refers to a psychological principle that states a person’s overall impression (appearance or pleasantness) can impact another person’s judgment of them. For example, a good-looking, pleasant person will be judged as more competent and knowledgeable simply because of their appearance. The lesson here is to look good and act nice while you’re trying to steal all the target’s information.
PE12.3 Which of the following is a true statement regarding biometric systems?
A. The lower the CER, the better the biometric system.
B. The higher the CER, the better the biometric system.
C. The higher the FRR, the better the biometric system.
D. The higher the FAR, the better the biometric system.
A
A. The crossover error rate (CER) is the point on a chart where the false acceptance rate (FAR) and false rejection rate (FRR) meet, and the lower the number, the better the system. It’s a means by which biometric systems are calibrated—getting the FAR and FRR the same. All that said, though, keep in mind that in certain circumstances a client may be more interested in a lower FAR than FRR, or vice versa, and therefore the CER isn’t as much a concern. For example, a bank may be far more interested in preventing false acceptance than it is in preventing false rejection. In other words, so what if a user is upset they can’t log on, so long as their money is safe from a false acceptance?
B is incorrect because this is exactly the opposite of what you want. A high CER indicates a system that more commonly allows unauthorized users through and rejects truly authorized people from access.
C is incorrect because the false rejection rate needs to be as low as possible. The FRR represents the amount of time a true, legitimate user is denied access by the biometric system.
D is incorrect because the false acceptance rate needs to be as low as possible. The FAR represents the amount of time an unauthorized user is allowed access to the system.
PE12.4 A pen tester sends an unsolicited e-mail to several users in the target organization. The e-mail is well crafted and appears to be from the company’s help desk, advising users of potential network problems. The e-mail provides a contact number to call in the event a user is adversely affected. The pen tester then performs a denial of service on several systems and receives phone calls from users asking for assistance. Which social engineering practice is in play here?
A. Technical support
B. Impersonation
C. Phishing
D. Reverse social engineering
D
D. This may turn out to be a somewhat confusing question for some folks, but it’s actually pretty easy. Reverse social engineering involves three steps. First, in the marketing phase, an attacker advertises himself as a technical point of contact for problems that may be occurring soon. Second, in the sabotage phase, the attacker performs a denial of service or other attack on the user. Third, in the tech support phase, the user calls the attacker and freely hands over information, thinking they are being assisted by the company’s technical support team. As an aside, there are two things to remember about employing this social engineering practice in the real world. First, be sure to market to the appropriate audience: attempting this against IT staff probably won’t work as well as against the “average” user and may get you caught. Second, and perhaps more important, you’ll need to remember that the more lies you tell, the more things you have to make true. Complexity is risky, and reverse social engineering involves a lot of complexity. It’s best used in special cases, and then only if you can’t find something else to do.
A is incorrect because a technical support attack involves the attacker calling a technical support help desk, not having the user calling back with information.
B is incorrect because this is not just impersonation—the attack described in the question revolves around the user contacting the attacker, not the other way around. Impersonation can cover anybody, from a “normal” user to a company executive. And impersonating a technical support person can produce excellent results; just remember that if you’re going through steps to have the user call you back, you’ve moved into reverse social engineering.
C is incorrect because a phishing attack is an e-mail crafted to appear legitimate but in fact contains links to fake websites or to download malicious content. In this example, there is no link to click—just a phone number to call in case of trouble. Oddly enough, in my experience, people will question a link in an e-mail far more than just a phone number.
PE12.5 A pen test member has gained access to a building and is observing activity as he wanders around. In one room of the building, he stands just outside a cubicle wall opening and watches the onscreen activity of a user. Which social engineering attack is in use here?
A. Eavesdropping
B. Tailgating
C. Shoulder surfing
D. Piggybacking
C
C. This one is so easy I hope you maintain your composure and stifle the urge to whoop and yell in the test room. Shoulder surfing doesn’t necessarily require you to actually be on the victim’s shoulder—you just have to be able to watch their onscreen activity. I once shoulder surfed in front of someone (a mirror behind her showed her screen clear as day). You don’t even really need to be close to the victim—there are plenty of optics that can zoom in a field of vision from a very long distance away. As an aside, in the real world, if you are close enough to see someone’s screen, you’re probably close enough to listen to them as well. EC-Council puts the emphasis of shoulder surfing on the visual aspect—eavesdropping would be auditory.
A is incorrect because eavesdropping is a social engineering method where the attacker simply remains close enough to targets to overhear conversations. Although it’s doubtful users will stand around shouting passwords at each other, you’d be surprised how much useful information can be gleaned by just listening in on conversations.
B is incorrect because tailgating is a method for gaining entrance to a facility by flashing a fake badge and following an authorized user through an open door.
D is incorrect because piggybacking is another method to gain entrance to a facility. In this effort, though, you don’t have a badge at all; you just follow people through the door.
PE12.6 A recent incident investigated by the local IR team involved a user receiving an e-mail that appeared to be from the U.S. Postal Service, notifying her of a package headed her way and providing a link for tracking the package. The link provided took the user to what appeared to be the USPS site, where she input her user information to learn about the latest shipment headed her way. Which attack did the user fall victim to?
A. Phishing
B. Internet level
C. Reverse social engineering
D. Impersonation
A
A. Phishing is one of the most pervasive and effective social engineering attacks on the planet. It’s successful because crafting a legitimate-looking e-mail that links a user to an illegitimate site or malware package is easy to do. What’s more, the e-mail is easy to spread, and it preys on our human nature to trust. If the source of the e-mail looks legitimate or the layout looks legitimate, most people will click away without even thinking about it. Phishing e-mails can often include pictures lifted directly off the legitimate website and use creative means of spelling that aren’t easy to spot: www.regions.com is a legitimate bank website that could be spelled in a phishing e-mail as www.regi0ns.com. When it comes to real-world use of phishing by ethical hackers and pen testers, there are a couple of items of note: First, phishing has an extreme liability aspect to it when spoofing a legitimate business. If you’re pen testing an organization and phish using a variant of a real business name, you could be opening yourself up to some serious costs: the first time someone calls the real Regions bank to complain is the moment that the attacker just became liable for the costs associated with the attack. Second is the risk involved with people simply forwarding your phishing attempt to recipients you never intended, allowing it to take on a life of its own. In short, the pen tester will certainly limit the bait (malware or website link embedded in the phishing attempt), but they will have no control over what a user decides to do with the e-mail. Suppose the pen tester doesn’t know the exact IP range or makes a simple mistake in the configuration of the malware, and a user sends it home. Or to a banking friend. Or to the FBI. Or to a friend who works on a DoD system. Now you’ve not only hooked the wrong fish, but maybe infected something in the government. That’s nothing to joke about, and it may be a lot worse than a simple mistake.
The bottom line is, in the real world, phishing is dangerous if not planned and implemented almost perfectly, and pen test teams need to use extreme caution in implementing it.
B is incorrect because Internet level is not a recognized form of social engineering attack by this exam. It’s included here as a distractor.
C is incorrect because reverse social engineering is an attack where the attacker cons the target into calling back with useful information.
D is incorrect because this particular description does not cover impersonation. Impersonation is an attack where a social engineer pretends to be an employee, a valid user, or even an executive (or other VIP). Generally speaking, when it comes to the exam, any impersonation question will revolve around an in-person visit or a telephone call.
Walker, Matt. CEH Certified Ethical Hacker Practice Exams, Fourth Edition (pp. 290-291). McGraw-Hill Education. Kindle Edition.
PE12.7 Which type of social engineering attack uses phishing, pop-ups, and IRC channels?
A. Technical
B. Computer based
C. Human based
D. Physical
B. All social engineering attacks fall into one of two categories: human based or computer based. Computer-based attacks are those carried out with the use of a computer or other data-processing device. Some examples are fake pop-up windows, SMS texts, e-mails, and chat rooms or services. Social media sites (such as Facebook and LinkedIn) are consistent examples as well, and spoofing entire websites isn’t out of the realm here either.
A is incorrect because technical is not a social engineering attack type and is included here as a distractor.
C is incorrect because human-based social engineering involves the art of human interaction for information gathering. Human-based social engineering uses interaction in conversation or other circumstances between people to gather useful information.
D is incorrect because physical is not a social engineering attack type and is included here as a distractor.
PE12.8 An attacker identifies a potential target and spends some time profiling her. After gaining some information, the attacker sends a text to the target’s cell phone. The text appears to be from her bank and advises her to call a provided phone number immediately regarding her account information. She dials the number and provides sensitive information to the attacker, who is posing as a bank employee. Which of the following best defines this attack?
A. Vishing
B. Smishing
C. Phishing
D. Tishing
B. Aren’t you excited to have another memorization term added to your CEH vocabulary? In smishing (for SMS text-based phishing), the attacker sends SMS text messages crafted to appear as legitimate security notifications, with a phone number provided. The user unwittingly calls the number and provides sensitive data in response.
A is incorrect because vishing is an attack using a phone call or voice message. In vishing, the attacker calls the target or leaves them a voicemail with instructions to follow.
C is incorrect because phishing makes use of specially crafted e-mails to elicit responses and actions.
D is incorrect because this term does not exist.
PE12.9 Which of the following constitutes the highest risk to the organization?
A. Black-hat hacker
B. White-hat hacker
C. Gray-hat hacker
D. Disgruntled employee
D. When we consider security measures, most of our attention is usually aimed outside the company, because that’s where all the bad guys are, right? Unfortunately, this line of thinking leads to all sorts of exposure, for many reasons, and it’s more common than you might think. A disgruntled employee is still an employee, after all, which leads to the main reason they’re so dangerous: location. They are already inside the network. Inside attacks are generally easier to launch, are more successful, and are harder to prevent. When you add the human element of having an axe to grind, this can boil over quickly—whether or not the employee has the technical knowledge to pull off the attack. The idea that someone wanting to do harm to our organization’s network not only already has the access to do so but has it because we gave it to them and we’re not watching them should be frightening to us all.
A is incorrect because black-hat hackers aren’t necessarily already inside the network. They have a lot of work to do in getting access and a lot of security levels to wade through to do it.
B is incorrect because a white-hat hacker is one of the good guys—an ethical hacker, hired for a specific purpose.…
PE12.10 After observing a target organization for several days, you discover that finance and HR records are bagged up and placed in an outside storage bin for later shredding/recycling. One day you simply walk to the bin and place one of the bags in your vehicle, with plans to rifle through it later. Which social engineering attack was used here?
A. Offline
B. Physical
C. Piggybacking
D. Dumpster diving
D. Dumpster diving doesn’t necessarily mean you’re actually taking a header into a dumpster outside. It could be any waste canister, in any location, and you don’t even have to place any more of your body in the canister than you need to extract the old paperwork with. And you’d be amazed what people just throw away without thinking about it: password lists, network diagrams, employee name and number listings, and financial documents are all examples. Lastly, don’t forget that EC-Council defines this as a passive activity. Sure, in the real world, you run a real risk of discovery and questioning by any number of the organization’s staff, but on your exam it’s considered passive.
A is incorrect because offline is not a social engineering…
PE12.11 An attacker waits outside the entry to a secured facility. After a few minutes an authorized user appears with an entry badge displayed. He swipes a key card and unlocks the door. The attacker, with no display badge, follows him inside. Which social engineering attack just occurred?
A. Tailgating
B. Piggybacking
C. Identity theft
D. Impersonation
B. This is one of those questions that just drives everyone batty—especially people who actually perform pen tests for a living. Does knowing that gaining entry without flashing a fake ID badge of any kind is called piggybacking make it any easier or harder to pull off? I submit having two terms for what is essentially the same attack, separated by one small detail, is a bit unfair, but there’s not a whole lot we can do about it. If it makes it easier to memorize, just keep in mind that pigs wouldn’t wear a badge—they don’t have any clothes to attach it to.
A is incorrect because a tailgating attack requires the attacker to be holding a fake badge of some sort. I know it’s silly, but that’s the only differentiation between these two items: tailgaters have badges, piggybackers do not. If it makes it any easier, just keep in mind a lot of tailgaters at a football game should have a badge on them—to prove they are of legal drinking age.
C is incorrect because this attack has nothing to do with identity theft. Identity theft occurs when an attacker uses personal…
PE12.12 Tim is part of a pen test team and is attempting to gain access to a secured area of the campus. He stands outside a badged entry gate and pretends to be engaged in a contentious cell phone conversation. An organization employee walks past and badges the gate open. Tim asks the employee to hold the gate while flashing a fake ID badge and continuing his phone conversation. He then follows the employee through the gate. Which of the following best defines this effort?
A. Shoulder surfing
B. Piggybacking
C. Tailgating
D. Drafting
C. This type of question is so annoying I added it twice, back to back, in this chapter—almost as if I was nearly certain you’ll see it on your exam. Tailgating involves following someone through an open door or gate just like piggybacking does; however, in tailgating, a fake identification badge of some sort is used. As an aside, if your exam question does not include both terms—tailgating and piggybacking—but the effort is the same (an attacker following a badged employee through a gate or door), you won’t have to choose between them. Usually, in this case, tailgating will be used more frequently than piggybacking.
A is incorrect because shoulder surfing isn’t about following someone anywhere; instead, it’s about positioning…
PE12.13 Which of the following may be effective countermeasures against social engineering? (Choose all that apply.)
A. Security policies
B. Operational guidelines
C. Appropriately configured IDS
D. User education and training
E. Strong firewall configuration
A, B, D. ECC identifies several countermeasures against social engineering, but in the real world none of them, by themselves or grouped, is really the key. The problem with most countermeasures against social engineering is they’re almost totally out of your control. Sure, you can draft strong policy requiring users to comply with security measures, implement guidelines on everything imaginable to reduce risks and streamline efficiency, and hold educational briefings and training sessions for each and every user in your organization, but when it comes down to it, it’s the user who has to do the right thing. All countermeasures for social engineering have…
PE12.14 Which of the following are indicators of a phishing e-mail? (Choose all that apply.)
A. It does not reference you by name.
B. It contains misspelled words or grammatical errors.
C. It contains spoofed links.
D. It comes from an unverified source.
A, B, C, D. One of the objectives EC-Council has kept around in its many CEH versions is, and I quote, to “understand phishing attacks.” Part of the official curriculum to study for the exam covers detecting phishing e-mail in depth, and all of these answers are indicators an e-mail might not be legitimate. First, most companies now sending e-mail to customers will reference you by name and sometimes by account number. An e-mail starting with “Dear Customer” or something to that effect may be an indicator something is amiss. Misspellings and grammatical errors from a business are usually dead giveaways because companies do their best to proofread items before they are released. There are, occasionally, some slipups (Internet search some of these; they’re truly funny), but those are definitely the exception and not the rule. Spoofed links can be found by hovering a mouse over them (or by looking at their properties). The link text may read www.yourbank.com, but the hyperlink properties will be sending you to some IP address you don’t want to go to.
As an aside, while these are all great answers to a question on an exam, don’t let them dictate your day-to-day Internet life outside of your exam. A perfectly written, grammatically correct e-mail containing real links and originating from someone you trust could still be part of a phishing campaign. Never click a link in an e-mail without knowing exactly what it is and where it’s taking you—no matter who you think the message is…
PE12.15 You are discussing physical security measures and are covering background checks on employees and policies regarding key management and storage. Which type of physical security measures are being discussed?
A. Physical
B. Technical
C. Operational
D. Practical
C. Physical security has three major facets: physical measures, technical measures, and operational measures. Operational measures (sometimes referred to as procedural controls) are the policies and procedures you put into place to assist with security. Background checks on employees and any kind of written policy for operational behaviors are prime examples.
A is incorrect because physical measures can be seen or touched. Examples include guards (although you’d probably want to be careful touching one of them), fences, and locked doors.
B is incorrect because technical measures include authentication systems (biometrics anyone…