Practice Exam 13 Flashcards
PE13.1 Incident response (IR) is an important part of organizational security. In what step of the incident-handling process would IR team members disable or delete user accounts and change firewall rules?
A. Detection and analysis
B. Classification and prioritization
C. Containment
D. Forensic investigation
C
C. In a refrain you’ve heard over and over again throughout this book, sometimes real life and EC-Council don’t see eye to eye. However, when it comes to IR, ECC kind of gets it right. Almost. Lots of organizations define the incident-handling response in different ways, with different phases for actions taken. Generally speaking, though, all incident handling falls into four sets of actions: identify, contain, eradicate, and recover. Most organizations will define a preparation phase beforehand and a lessons learned phase at the end for a full incident process. ECC defines eight phases:
• Preparation: Defining rules, processes, and toolsets and then testing them (usually with some regularly scheduled exercises, at a minimum) occur in this phase.
• Detection and analysis: This is where alerting functions (toolsets, IDS, IPS, users notifying of strange events, and so on) and initial research into the event take place.
• Classification and prioritization: Decision making on whether to elevate the event to an incident, and at what level, is made here (ramping up an IR event for a false alarm serves no one). Levels of categorization vary from organization to organization but usually assign response time frames to levels.
• Notification: Alerting appropriate teams and organizations to assist in the event occurs here.
• Containment: Steps to contain the incident occur here. These may include revoking or suspending user accounts and blocking system or even subnet access via a firewall or other method.
• Forensic investigation: In this stage, if possible, live memory and disk captures are pulled for evaluation and analysis. This does not have to wait until the conclusion of the event, but, depending on the assets involved and the nature of the incident, forensics may have to wait.
• Eradication and recovery: This phase encompasses all the steps taken to remove the incident cause (malware, malicious code, backdoors, rootkits, viruses, and so on) and to return the assets involved to baseline standards before putting them back into production.
• Post-incident: This is where reporting, follow-up analysis, and lessons learned are put together. Evaluation from this step is fed into the preparation phase for the next event.
Questions on incident response and incident handling can be pretty vague. For the most part, common sense should guide you on anything truly weird, but most questions will be like this one—fairly easy to figure out on your own. One last note here: the four phases listed at the beginning of this answer description will more than likely be what you’ll see on the exam, so when in doubt, I would stick with them.
B, C, and D are incorrect because the actions listed in the question do not occur in these incident-handling phases.
PE13.2 A software company puts an application through stringent testing and, on the date of release, is confident the software is free of known vulnerabilities. An organization named BigBiz purchases the software at a premium cost, with a guarantee of service, maintenance, and liability. Which risk management method is in use by the BigBiz organization?
A. Accept
B. Transfer
C. Avoid
D. Mitigate
B
B. Depending on who you talk to, there are as many as seven different methods in risk management. Of primary concern for you and EC-Council, however, are these four: accept, avoid, transfer, and mitigate. In this example, the organization has paid a cost to the software developer, trusting them that they’ve tested the software and that they will assume responsibility and liability for it. In effect, the organization has transferred the risk to the software company for this application. Transferring risk is all about finding a different entity to take responsibility for managing the risk, as well as accepting the liability of an exploitation or loss resulting from the risk.
A is incorrect because this does not describe acceptance. Acceptance of a risk means the organization is aware a risk is present but due to a variety of reasons (such as cost of mitigation or the unlikeliness the risk can ever be exploited) decides to do nothing about it. Basically, the owner decides they will just deal with the fallout if the risk is ever realized.
C is incorrect because this does not describe risk avoidance. In risk avoidance, the organization recognizes the risk and eliminates anything and everything that has to do with it. If a particular service, application, or technology is useful to an organization but the cost and effort to deal with the risks involved in its use are too high, the organization can simply choose to not use the service or application altogether.
D is incorrect because this does not describe mitigation. Risk mitigation is exactly what it sounds like: the organization needs the technology or service despite the risk involved, so it takes all steps necessary to lower the chance the risk will ever be exploited. Purchasing and using antivirus and practicing strong patch management are examples.
PE13.3 Which of the following provide automated pen test–like results for an organization? (Choose all that apply.)
A. Metasploit
B. Nessus
C. Core Impact
D. CANVAS
E. SAINT
F. GFI LanGuard
A, C, D
A, C, D. Automated tool suites for pen testing can be viewed as a means to save time and money by the client’s management, but (in my opinion and in the real world, at least) these tools don’t do either. They do not provide the same quality results as a test performed by security professionals, and they are extremely expensive. Automated tools can provide a lot of genuinely good information but are also susceptible to false positives and false negatives and don’t necessarily care what your agreed-upon scope says is your stopping point. Metasploit has a free, open source version and an insanely expensive “Pro” version for developing and executing exploit code against a remote target machine—still worlds cheaper than Core Impact, but expensive nonetheless. Metasploit offers an autopwn module that can automate the exploitation phase of a penetration test. Core Impact is probably the best-known, all-inclusive automated testing framework. Per its website (https://www.coresecurity.com/core-impact), Core Impact “takes security testing to the next level by safely replicating a broad range of threats to the organization’s sensitive data and mission-critical infrastructure—providing extensive visibility into the cause, effect, and prevention of data breaches.” Core Impact tests everything from web applications and individual systems to network devices and wireless.
Per the Immunity Security website (www.immunitysec.com), CANVAS “makes available hundreds of exploits, an automated exploitation system, and a comprehensive, reliable exploit development framework to penetration testers and security professionals.” Additionally, the company claims CANVAS’s Reference Implementation (CRI) is “the industry’s first open platform for IDS and IPS testing.” For you real-world purists out there and for those who don’t have any experience with any of this just quite yet, it’s important to note that no automated testing suite provides anything close to the results you’d gain from a real pen test. Core Impact provides a one-step automated pen test result feature (and probably offers the best result and report features), Metasploit offers autopwn, and CANVAS has a similar “run everything” mode; however, all lack the ability to provide results that a true pen test would provide. In the truest sense of “automated pen testing,” you simply can’t do it in the real world (for your exam, stick with the three listed here).
B, E, and F are incorrect for the same reason: they are all vulnerability assessment tool suites, not automated pen test frameworks. Nessus is probably the most recognizable of the three, but SAINT and GFI LanGuard are both still listed as top vulnerability assessment applications.
PE13.4 Which of the following best describes an assessment against a network segment that tests for existing vulnerabilities but does not attempt to exploit any of them?
A. Penetration test
B. Partial penetration test
C. Vulnerability assessment
D. Security audit
C
C. A vulnerability assessment is exactly what it sounds like: the search for and identification of potentially exploitable vulnerabilities on a system or network. These vulnerabilities can be poor security configurations, missing patches, or any number of other weaknesses a bad guy might exploit. The two keys to a vulnerability assessment are that the vulnerabilities are identified, not exploited, and the report is simply a snapshot in time. The organization will need to determine how often it wants to run a vulnerability assessment. Lastly, it’s important to note that there are some vulnerabilities that simply can’t be confirmed without exploiting them. For example, the act of injecting SQL statements to expose a SQL injection vulnerability may very well constitute an exploit action, but it’s the only way to prove it exists. For your exam, though, stick with no exploitation during this assessment and move on with your life.
A is incorrect because team members on a pen test not only discover vulnerabilities but also actively exploit them (within the scope of their prearranged agreement, of course).
B is incorrect because this is not a valid term associated with assessment types and is included as a distractor.
D is incorrect because a security audit is designed to test the organization’s security policy itself. It should go without saying the organization must have a security policy in place to begin with before a security audit can take place.
PE13.5 You are a member of a pen test team conducting tests. Your team has all necessary scope, terms of engagement, and nondisclosure and service level agreements in place. You gain access to an employee’s system and during further testing discover child pornography on a hidden drive folder. Which of the following is the best course of action for the ethical hacker?
A. Continue testing without notification to anyone, but ensure the information is included in the final out-brief report.
B. Continue testing without interruption, but completely remove all hidden files and the folder containing the pornography.
C. Stop testing and notify law enforcement authorities immediately.
D. Stop testing and remove all evidence of intrusion into the machine.
C
C. If you’ve ever taken any philosophy classes in high school or college, you’ve undoubtedly read some of the ethical dilemmas presented to challenge black-and-white thinking on a matter. For example, theft is undoubtedly bad and is recognized as a crime in virtually every law system on the planet, but what if it’s the only way to save a child’s life? In ethical hacking, there are fine lines on actions to take when you discover something, and sometimes hard edges where there is no choice in the matter. Possession of child porn is a crime, so this case would seem relatively easy to discern. To be fair, and to make the assumption you’ll need to on questions like this on the exam, your course of action is straightforward and simple: notify the authorities and let them handle it. In the real world, things might be a little more difficult. How do you really know what you’re looking at? Are you positive that what you see is illegal in nature (regardless of what it is—pornography, documentation, letters, and so on)? If you’re not and you falsely accuse someone, what kind of liability do you face? What about your team? It’s not an easy question to answer when you’re in the heat of battle, and you’ll have to largely depend on good, solid pen test agreements up front. Let the client know what actions will be taken when suspected illegal material is discovered, and agree upon actions both sides will take. Otherwise you, and your client, could be in for very difficult times.
A is incorrect because the discovery of child porn automatically necessitates ceasing test activities and contacting the authorities. Waiting until the out-brief is not the appropriate course of action and can get you in hot water.
B is incorrect because this is not only unethical behavior and outside the scope and test agreement bounds, but it’s against the law. You’ve tampered with evidence and obstructed justice, at a minimum.
D is incorrect because removing evidence of your actions is not the correct action to take and is unethical in the least (and can actually be considered illegal, depending on the circumstances).
PE13.6 In which phase of a pen test is scanning performed?
A. Pre-attack
B. Attack
C. Post-attack
D. Reconnaissance
A
A. I know you’re sick of CEH definitions, terms, and phases of attacks, but this is another one you’ll just need to commit to memory. Per EC-Council, there are three phases of a pen test: pre-attack, attack, and post-attack. The pre-attack phase is where you’d find scanning and other reconnaissance activities (gathering competitive intelligence, website crawling, and so on).
B is incorrect because scanning is completed in the pre-attack phase. The attack phase holds four areas of work: penetrate the perimeter, acquire targets, execute attack, and escalate privileges.
C is incorrect because scanning is completed long before the post-attack phase. Actions accomplished in post-attack include removing all uploaded files and tools, restoring (if needed) to the original state, analyzing results, and preparing reports for the customer.
D is incorrect because reconnaissance is not a phase of pen testing.
PE13.7 Which of the following describes risk that remains after all security controls have been implemented to the best of one’s ability?
A. Residual
B. Inherent
C. Deferred
D. Remaining
A. Risk management has a lot of terminology to remember, and identifying risk before and after security control implementation is what this question is all about. The inherent risk of the system is that which is in place if you implement no security controls whatsoever: in other words, there are risks inherent to every system, application, technology, and service. After you recognize these inherent risks and implement security controls, you may have some residual risks remaining. In other words, residual risk is what is left in the system after you implement security controls.
B is incorrect because inherent risk is what was on the system before you started implementing security controls.
C and D are incorrect because these terms are included merely as distractors.
PE13.8 Which of the following statements are true regarding OSSTMM? (Choose all that apply.)
A. OSSTMM is a nonprofit, international research initiative dedicated to defining standards in security testing and business integrity testing.
B. OSSTMM recognizes ten types of controls, which are divided into two classes.
C. ISECOM maintains the OSSTMM.
D. OSSTMM defines three types of compliance.
B, C, D. The Open Source Security Testing Methodology Manual (OSSTMM) provides a methodology for a thorough security test (also known as an OSSTMM audit). It’s maintained by ISECOM (Institute for Security and Open Methodologies; www.isecom.org/) and is a peer-reviewed manual of security testing and analysis that results in fact-based actions that can be taken by an organization to improve security. OSSTMM recognizes ten types of controls, split into two different classes:
• Class A (Interactive): Authentication, indemnification, resilience, subjugation, and continuity
• Class B (Process): Nonrepudiation, confidentiality, privacy, integrity, and alarm
An OSSTMM audit tests for three different types of compliance: legislative, contractual, and standards-based compliance.
A is incorrect because this is actually the description of ISECOM—the group responsible for the creation and maintenance of OSSTMM.
PE13.9 Which of the following is an open source project produced by OISSG (Open Information Systems Security Group) intended to provide security testing assistance?
A. OSSTMM
B. OWASP
C. COBIT
D. ISSAF
D. The following is from OISSG’s site: “The Information Systems Security Assessment Framework (ISSAF) is produced by the Open Information Systems Security Group, and is intended to comprehensively report on the implementation of existing controls to support IEC/ISO 27001:2005(BS7799), Sarbanes Oxley SOX404, CoBIT, SAS70 and COSO, thus adding value to the operational aspects of IT related business transformation programmes. It is designed from the ground up to evolve into a comprehensive body of knowledge for organizations seeking independence and neutrality in their security assessment efforts.”
A is incorrect because OSSTMM is a peer-reviewed manual of security testing and analysis maintained by ISECOM that results in fact-based actions that can be taken by an organization to improve security.
B is incorrect because OWASP (Open Web Application Security Project)…
PE13.10 NIST SP 800-30 defines steps for conducting a risk assessment. Which of the following statements is true regarding the process?
A. Threats are identified before vulnerabilities.
B. Determining the magnitude of impact is the first step.
C. Likelihood is determined after the risk assessment is complete.
D. Risk assessment is not a recurring process.
A. NIST SP 800-30: Guide for Conducting Risk Assessments (http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf)
B is incorrect because you can’t possibly determine the magnitude of anything until you define what it is.
C is incorrect because the likelihood of risk exploitation is a key part of the risk assessment effort and equation.
PE13.11 In which phase of a pen test will the team penetrate the perimeter and acquire targets?
A. Pre-attack
B. Attack
C. Post-attack
D. None of the above
B. EC-Council splits a pen test into three phases: pre-attack, attack, and post-attack. In the attack phase, the team will attempt to penetrate the network perimeter, acquire targets, execute attacks, and elevate privileges. Getting past the perimeter might take into account things such as verifying ACLs by crafting packets as well as checking the use of any covert tunnels inside the organization. Attacks such as XSS, buffer overflows, and SQL injections will be used on web-facing applications and sites. After specific targets are acquired, password cracking, privilege escalation, and a host of other attacks will be carried out.
A is incorrect because these actions do not occur in the pre-attack phase. Per EC-Council, pre-attack includes planning, reconnaissance, scanning, and gathering competitive intelligence.
C is incorrect because these actions do not occur in the post-attack phase. Per EC-Council,…
PE13.12 An organization participates in a real-world exercise designed to test all facets of its security systems. An independent group is hired to assist the organization’s security groups, assisting in the defense of assets against the attacks from the attacking group. Which of the following statements is true?
A. The group assisting in the defense of the systems is referred to as a blue team.
B. The group assisting in the defense of the systems is referred to as a red team.
C. The group assisting in the defense of the systems is known as a white-hat group.
D. The team attacking the systems must provide all details of any planned attack with the defense group before launching to ensure security measures are tested appropriately.
A. Many organizations run full “war game” scenarios, which include defense and attack groups, to test security measures. Generally speaking, the group doing the attacking is known as a red team, while the group assisting with the defense is known as a blue team. The red team is the offense-minded group, simulating the bad guys in the world, actively attacking and exploiting everything they can find in the environment. In a traditional war game scenario, the red team is attacking “black-box” style, given little to no information to start things off. A blue team, on the other hand, is defensive in nature. The members of the blue team are not out attacking things; rather, they’re focused on shoring up defenses and making things safe. Unlike red teams, blue teams are responsible for defense against the bad guys, so they usually operate with full knowledge of the internal environment.
Blue teams are almost always independent in terms of the target, but their goal is to assist the defenders and to do so with whatever information is available. The difference between blue and red in this scenario is in the cooperative versus adversarial nature: red is there to be the bad guys, do what they would do, look for the impacts they would want to have, and to test the organization’s defense/response, whereas blue is there to help.
B, C, and D are incorrect because these are not true statements. The attacking group is known as a red team. I suppose an argument could be made that members of the blue team are all, in effect, white hats, but there is no such term as a “white-hat group.” And if you’re really testing the true security of a system, alerting the defensive teams of everything you plan to do and when you plan on doing it makes little sense.
PE13.13 Which of the following best describes the difference between a professional pen test team member and a hacker?
A. Ethical hackers are paid for their time.
B. Ethical hackers never exploit vulnerabilities; they only point out their existence.
C. Ethical hackers do not use the same tools and actions as hackers.
D. Ethical hackers hold a predefined scope and agreement from the system owner.
D. This one is a blast from the book’s past and will pop up a couple of times on your exam. The only true difference between a professional pen test team member (an ethical hacker) and the hackers of the world is the existence of the formally approved, agreed-upon scope and contract before any attacks begin.
A is incorrect because, although professional ethical hackers are paid for their efforts during the pen test, this is not necessarily a delineation between the two (ethical and non-ethical). Some hackers may be paid for a variety of illicit activities. For one example, maybe a company wants to cause harm to a competitor, so it hires a hacker to perform attacks.
B and C are incorrect for the same reason. If a pen test team member never exploited an opportunity and refused to use the same tools and techniques that the hackers of the world have at their collective fingertips, what would be the point of an assessment? A pen test is designed to show true security weaknesses and flaws, and the only way to do that is to attack it just as a hacker would.
PE13.14 Sally is part of a penetration test team and is starting a test. The client has provided a network drop on one of their subnets for Sally to launch her attacks from. However, they did not provide any authentication information, network diagrams, or other notable data concerning the systems. Which type of test is Sally performing?
A. External, white box
B. External, black box
C. Internal, white box
D. Internal, black box
D. Sally was provided a network drop inside the organization’s network, so we know it’s an internal test. Additionally, no information of any sort was provided—from what we can gather, she knows nothing of the inner workings, logins, network design, and so on. Therefore, this is a black-box test—an internal black-box test.
A and B are incorrect because this is an internal test,…
PE13.15 Your pen test team is discussing services with a potential client. The client indicates they do not see the value in penetration testing. Which of the following is the correct response from your team?
A. Run a few tests and display the results to the client to prove the value of penetration testing.
B. Provide detailed results from other customers you’ve tested, displaying the value of planned testing and security deficiency discovery.
C. Provide information and statistics regarding pen testing and security vulnerabilities from reliable sources.
D. Perform the penetration test anyway in case they change their mind.
C. Ethical behavior will definitely find its way to your exam, and this cheesy question is an example. Your potential client may or may not be convinced when presented with the undeniable proof of pen test value from industry leaders (and possibly the U.S. government), but as the saying goes, “You can lead a horse to water, but you can’t make him drink.” An ethical hacker does not proceed without authorization, and doing so not only calls your integrity into question but also makes you a criminal. Documentation for an ethical test team will include scope (of what you can touch, how far you can go with testing, and how much time you’ll spend doing it), terms of engagement, nondisclosure, liability statements, and other specifics.