Threats, Attacks, and Vulnerabilities (1)

Question 1

You have been contacted by your company’s CEO after she received a personalized but suspicious e-mail message from the company’s bank asking for detailed personal and financial information. After reviewing the message, you determine that it did not originate from the legitimate bank. Which of the following security issues does this scenario describe?

Dumpster diving

Phishing

Whaling

Answer 1

Whaling

Whaling is a type of phishing attack that is targeted at a specific high-level user. The victim is usually a high-profile member of the organization who has much more critical information to lose than the average user. The messages used in the attack are usually crafted and personalized toward the specific victim user

Question 2

During your user awareness training, which of the following actions would you advise users to take as the best security practice to help prevent malware installation from phishing messages?

Forward suspicious messages to other users

Do not click links in suspicious messages

Check e-mail headers

Answer 2

Do not click links in suspicious messages

To help prevent malware from being installed, make your users aware that a best security practice is to never click links in a suspicious message. The link can take the user to a malicious website that could automatically install malware on their computer through their web browser

Question 3

Negative company financial information was carelessly thrown in the trash bin without being shredded, and a malicious insider retrieved it and posted it on the Internet, driving the stock price down. The CEO wants to know what happened—what was the attack?

Smishing

Dumpster diving

Prepending

Answer 3

Dumpster diving

Dumpster diving occurs when discarded documents (not necessarily confidential) that were improperly destroyed (or not destroyed at all) are reconstructed and read (or simply read as is)

Question 4

Max, a security administrator, just received a phone call to change the password for a user in the HR department. The user did not provide verification of their identity and insisted that they needed the password changed immediately to complete a critical task. What principle of effective social engineering is being used?

Consensus

Intimidation

Urgency

Answer 4

Urgency

Max is being subjected to a social engineering attack that relies on the principle of urgency—he is being rushed, with the attacker hoping that the “criticality” of the task forces Max to bypass best security practices

Question 5

Which of the following best describes a birthday attack? (Choose two.)

A password attack that uses precomputed hashes in its word list

Two unique pieces of plaintext can have the same hash value under certain circumstances

In a room with 23 people, the odds of any two having the same birthdate is 50 percent

A password attack that attempts every single possible combination of characters and password lengths to discover a password

Answer 5

Two unique pieces of plaintext can have the same hash value under certain circumstances

In a room with 23 people, the odds of any two having the same birthdate is 50 percent

The birthday attack looks for an input that provides the same hashed value, regardless of what the original input was. Remembering a birthday attack is easy if you understand the underlying principle that in a room with 23 people, the odds of any two having the same birthdate is 50 percent, and the odds increase commensurate with the number of people in a room

Question 6

You suspect that your server has been compromised because it has been running slowly and is unresponsive. Using a network analyzer, you also notice that large amounts of network data are being sent out from the server. Which of the following is the most likely cause?

The server has a rootkit installed.

The server is infected with spyware.

The server is part of a botnet.

Answer 6

The server is part of a botnet.

If your system has been infected with a worm or virus and has become part of a botnet, at certain times, it may take part in distributed denial-of-service attacks on another system on the Internet and may exhibit slow responsiveness and a large amount of network data being sent out of the system

Question 7

Antivirus software may not be able to identify which of the following?

Trojans

Logic bombs

Polymorphic viruses

Answer 7

Logic bombs

Logic bombs are simply scripts that are designed to automatically execute at a particular time or under particular circumstances. While logic bombs typically perform malicious actions, they are not malicious code outright, and often are not detected by antivirus programs, especially if they reside within a trusted application

Question 8

While testing exception handling with a web application, you encounter an error that displays a full URL path to critical data files for the application. Which one of the following types of vulnerabilities would this application be susceptible to?

Buffer overflow

Session hijacking

Directory traversal

Answer 8

Directory traversal

Directory traversal is a vulnerability that allows an attacker who knows the details of an application server’s directory tree to manually traverse the directory using input commands in the URL location bar or input forms in the application. Error messages should never display the full paths of files to prevent hackers from discovering the directory structure

Question 9

Your web application currently checks authentication credentials from a user’s web browser cookies before allowing a transaction to take place. However, you have had several complaints of identity theft and unauthorized purchases from users of your site. Which of the following is the mostly likely cause?

Cross-site scripting

Session hijacking

Header manipulation

Answer 9

Session hijacking

Session hijacking occurs when a malicious hacker is able to access a user’s session cookie and then use the session information to make unauthorized requests as the user

Question 10

During testing of a web application, you discover that due to poor input validation, you can easily crash the server by entering values in the input forms much greater than the system can handle. What type of vulnerability is this?

Session hijacking

Buffer overflow

Privilege escalation

Answer 10

Buffer overflow

Buffer overflows are caused primarily by poor input validation that allows illegal data to be entered into the application, causing processing limits to be exceeded

Question 11

Your web server is being flooded by a denial-of-service attack. Using a network analyzer, you see that IP broadcast replies are being sent back to the address of your server from multiple addresses. Which type of network attack is this?

On-path

Back door

Smurf

Answer 11

Smurf

A smurf attack uses a spoof attack combined with a DDoS attack to exploit the use of IP broadcast addressing and ICMP. By spoofing the address of the web server in an IP broadcast, the attacker causes all the replies from other systems on the network to the broadcast to be sent back to the web server, causing a denial of service

Question 12

During a denial-of-service attack, a network administrator blocks the source IP address with the firewall, but the attack continues. What is the most likely cause of the problem?

The denial-of-service worm has already infected the firewall locally.

The attack is coming from multiple distributed hosts.

A firewall can’t block denial-of-service attacks.

Answer 12

The attack is coming from multiple distributed hosts.

A distributed denial-of-service (DDoS) attack comes from multiple geographically distributed hosts, making it difficult for the network administrator to block it

Question 13

A few systems have been infected with malware; log analysis indicates the users all visited the same legitimate website to order office supplies. What is the most likely attack the users have fallen victim to?

Replay

Watering hole

ARP poisoning

Answer 13

Watering hole

The users most likely fell victim to a watering hole attack. The third-party supplier could be hosting malware with your organization as the target

Question 14

Which of the following types of wireless attacks utilizes a weakness in WEP key generation and encryption to decrypt WEP encrypted data?

IV attack

War driving

PSK attack

Answer 14

IV attack

The IV (initialization vector) attack uses the weakness in the 24-bit generated IV that is paired with the WEP encryption key. The IV can be discovered over time on busy networks that use repeated IV values, which can then be used by the hacker to decrypt the cipher stream without knowing the WEP key

Question 15

Threat actors are generally categorized by which of the following? (Choose all that apply.)

Intent

Resources

Internal/external

Nationality

Answer 15

Intent

Resources

Internal/external

Threat actors are generally categorized using the following attributes: level of sophistication, resources/funding, intent/motivation, and whether they are internal or external in nature

Question 16

A company insider decides to steal data and sell it to a competitor that is offering a large amount of cash. Which of the following terms describes the insider?

Threat

Threat actor

Vulnerability

Answer 16

Threat actor

In this scenario, the employee is a threat actor, because she is initiating a threat against an asset

Question 17

Threat hunting can be partially automated through the use of which tool?

Security information and event manager (SIEM)

Anti-malware scanner

Security orchestration, automation, and response (SOAR)

Answer 17

Security orchestration, automation, and response (SOAR)

A security orchestration, automation, and response (SOAR) platform executes many of the activities that a human would alternatively undertake, such as threat hunting, responding to attacks, and assigning a criticality level to them