Threats,Attacks, and Vulnerabilities Flashcards
1
Q
You have noticed some unusual network traffic outbound from a certain host. The host is communicating with a known malicious server over port 443 using an encrypted TLS tunnel. You ran a full system anti-virus scan of the host with an updated anti-virus signature file, but the anti-virus did not find any infection signs. Which of the following has MOST likely occurred?
A. Session Hijacking
B. Password Spraying
C. Zero Day Attack
D. Directory Traversal
A
C. Zero Day Attack
2
Q
Which of the following types of attacks are usually used as part of an on-path attack?
A. Spoofing
B. Tailgating
C. Brute Force
D. DDOS
A
Spoofing
3
Q
You have just received a phishing email disguised to look like it came from support@diontraining.com asking you to send your username and password because your account has been locked out due to inactivity. Which of the following social engineering principles is being used in this email?
A. Intimidation
B. Trust
C. Urgency
D. Consensus
A
B. Trust
4
Q
Several users have contacted the help desk to report that they received an email from a well-known bank stating that their accounts have been compromised and they need to “click here” to reset their banking password. Some of these users are not even customers of this particular bank, though. Which of the following social engineering principles is being utilized as a part of this phishing campaign?
A. Intimidation
B. Familiarity
C. Urgency
D. Consensus
A
B. Familiarity
5
Q
The management at Steven’s work is concerned about rogue devices being attached to the network. Which of the following solutions would quickly provide the most accurate information that Steve could use to identify rogue devices on a wired network?
A. A physical Survey
B. Reviewing central admin tool like an endpoint manager
C. A directory scan using port scanner
D. Router and switch based MAC address reporting
A
D. Router and switch based MAC address reporting
6
Q
A cybersecurity analyst from BigCorp contacts your company to notify them that several of your computers were seen attempting to create a denial of service condition against their servers. They believe your company has become infected with malware, and those machines were part of a larger botnet. Which of the following BEST describes your company’s infected computers?
A. Monster
B. Bugs
C. Zombie
D. Zero Day
A
C.Zombie
7
Q
A penetration tester hired by a bank began searching for the bank’s IP ranges by performing lookups on the bank’s DNS servers, reading news articles online about the bank, monitoring what times the bank’s employees came into and left work, searching job postings (with a special focus on the bank’s information technology jobs), and even searching the corporate office of the bank’s dumpster. Based on this description, what portion of the penetration test is being conducted?
A. Vulnerability Assessment
B. Active Information Gathering
C. Passive Information Gathering
D. Information Reporting
A
C. Passive Information Gathering
8
Q
A cybersecurity analyst is reviewing the logs of a Citrix NetScaler Gateway running on a FreeBSD 8.4 server and saw the following output:
A. Password Spraying
B. Directory Traversal
C. SQL Injection
D. XML Injection
A
B. Directory Traversal
OBJ-1.3: A directory traversal attack aims to access files and directories stored outside the webroot folder. By manipulating variables or URLs that reference files with “dot-dot-slash (../)” sequences and its variations or using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files. The example output provided comes from a remote code execution vulnerability being exploited in which a directory traversal is used to access the files. XML Injection is an attack technique used to manipulate or compromise an XML application or service’s logic. SQL injection is the placement of malicious code in SQL statements via web page input. Password spraying attempts to crack various users’ passwords by attempting a compromised password against multiple user accounts.
9
Q
A cybersecurity analyst is preparing to run a vulnerability scan on a dedicated Apache server that will be moved into a DMZ. Which of the following vulnerability scans is most likely to provide valuable information to the analyst?
A. Network Vulnerability Scan
B. Web Application Vulnerability Scan
C. Port Scan
D. Database Vulnerability Scan
A
B. Web Application Vulnerability Scan
10
Q
(Sample Simulation – On the real exam for this type of question, you would receive 3-5 pictures and be asked to drag and drop them into place next to the correct term.)
A. SYN Flood
B. Ping Flood
C. Smurf Attack
D. DDoS
A
A.Syn Flood
11
Q
(Sample Simulation – On the real exam for this type of question, you might receive a list of attack vectors and targets. Based on these, you would select the type of attack that occurred.) (1) An attacker has been collecting credit card details by calling victims and using false pretexts to trick them. (2) An attacker sends out to 100,000 random email addresses. In the email the attacker sent, it claims that “Your Bank of America account is locked out. Please click here to reset your password.” What types of attacks have occurred in (1) and (2)?
A. (1)Vishing and (2)Phishing
B. (1)Pharming and (2)Phishing
C. (1)Spearphishing and (2)Pharming
D. (1)Hoax and (2)Spearphishing
A
A. (1)Vishing and (2)Phishing
12
Q
Which of the following is exploited by an SQL injection to give the attacker access to a database?
A. Web Application
B. Database Server
C. OS
D. Firewall
A
A. Web Application
13
Q
A computer is infected with malware that has infected the Windows kernel to hide. Which type of malware MOST likely infected this computer?
A. Rootkit
B. Botnet
C. Trojan
D. Ransomeware
A
A.Rootkit
14
Q
You suspect that your server has been the victim of a web-based attack. Which of the following ports would most likely be seen in the logs to indicate the attack’s target?
A.3389
B.389
C.21
D.443
A
D.443
15
Q
Which of the following best describes the type of attack shown?
A. Smurf
B. Man in the Middle
C. Xmas Tree Attack
D. Ping of Death
A
A. Smurf
OBJ-1.4: A smurf attack uses a single ping with a spoofed source address sent to the broadcast address of a network. This causes every device within the network to receive a single ping, which appears to come from the device with the spoofed source address. Each network device then responds to the spoofed address, causing the victim (whose address was spoofed) to be overwhelmed with the responses to the initial ping.
16
Q
What kind of attack is an example of IP spoofing?
A. Cross Site Scripting
B. ARP Poisoning
C. On Path Attack
D. SQL Injection
A
C. On Path Attack
17
Q
A salesperson’s laptop has become unresponsive after attempting to open a PDF in their email. A cybersecurity analyst reviews the IDS and anti-virus software for any alerts or unusual behavior but finds nothing suspicious. Which of the following threats would BEST classify this scenario?
A. Zero Day Malware
B. PII Exfiltration
C. RAT
D. Ping of Death
A
A. Zero Day Malware
18
Q
An organization is conducting a cybersecurity training exercise. What team is Jason assigned to if he has been asked to monitor and manage the defenders’ and attackers’ technical environment during the exercise?
A. Red Team
B. Purple Team
C. Blue Team
D. White Team
A
D. White Team
19
Q
Praveen is currently investigating activity from an attacker who compromised a host on the network. The individual appears to have used credentials belonging to a janitor. After breaching the system, the attacker entered some unrecognized commands with very long text strings and then began using the sudo command to carry out actions. What type of attack has just taken place?
A. Session Hijacking
B. Phishing
C. Privilege Escalation
D. Social Engineering
A
C. Privilege Escalation
20
Q
In 2014, Apple’s implementation of SSL had a severe vulnerability that, when exploited, allowed an attacker to gain a privileged network position that would allow them to capture or modify data in an SSL/TLS session. This was caused by poor programming in which a failed check of the connection would exit the function too early. Based on this description, what is this an example of?
A. Insufficient Logging and Monitoring
B. Insecure Object Reference
C. Improper Error Handling
D. Use of Insecure Functions
A
C. Improper Error Handling
21
Q
Dion Training is hiring a penetration testing firm to conduct an assessment of its corporate network. As part of the contract, the company has specified that it will not provide any network details to the penetration testing firm. Instead, the company wants to see how much information about the network can be found by the penetration testers using open-source research and scanning the corporate network. What type of assessment is this considered?
A. Known environment testing
B. Semi trusted environment testing
C. Unknown environment testing
D. Partially Known environment testing
A
C. Unknown environment testing
22
Q
You are conducting a code review of a program and observe the following calculation of 0xffffffff + 1 was attempted, but the result was returned as 0x0000000. Based on this, what type of exploit could be created against this program?
A. Impersonation
B. SQL Injection
C. Password Spraying
D. Integer Overflow Attack
A
D. Integer Overflow Attack
23
Q
You just received a notification that your company’s email servers have been blocklisted due to reports of spam originating from your domain. What information do you need to start investigating the source of the spam emails?
A. Network flows for the DMZ containing the email servers
B. The full email header from one of the spam messages
C. Firewall logs showing the SMTP connection
D. The SMTP audit log from his company’s email server
A
B. The full email header from one of the spam messages
24
Q
Your intrusion detection system has produced an alert based on its review of a series of network packets. After analysis, it is determined that the network packets did not contain any malicious activity. How should you classify this alert?
A. True Negative
B. True Positive
C. False Positive
D. False Negative
A
C. False Positive
25
Nick is participating in a security exercise as part of the network defense team for his organization. Which team is Nick playing on?
A. White Team
B. Blue Team
C. Red team
D. Yellow Team
B. Blue Team
26
Which type of system would classify traffic as malicious or benign based on explicitly defined examples of malicious and benign traffic?
A. Deep Learning
B. Generative Adversiarial Network
C. Machine Learning
D. AI
C. Machine Learning
27
What is the utilization of insights gained from threat research and threat modeling to proactively discover evidence of an adversarial TTP within a network or system called?
A. Informative Assurance
B. Penetration Testing
C. Incident Response
D. Threat Hunting
D. Threat Hunting
28
You are investigating a suspected compromise. You have noticed several files that you don't recognize. How can you quickly and effectively check if the files have been infected with malware?
A. Submit the files
B. Dissemble the files
C. Run the Strings
D. Scan the files
A. Submit the files
29
While performing a vulnerability scan, Christina discovered an administrative interface to a storage system is exposed to the internet. She looks through the firewall logs and attempts to determine whether any access attempts have occurred from external sources. Which of the following IP addresses in the firewall logs would indicate a connection attempt from an external source?
A. 172.16.1.100
B. 192.168.1.10
C. 10.15.1.100
D. 192.168.1.100
D. 192.168.1.100
30
A cybersecurity analyst notices that an attacker is trying to crack the WPS pin associated with a wireless printer. The device logs show that the attacker tried 00000000, 00000001, 00000002 and continued to increment by 1 number each time until they found the correct PIN of 13252342. Which of the following type of password cracking was being performed by the attacker?
A. Hybrid
B. Dictionary
C. Rainbow Table
D. Brute-Force
D. Brute-Force
31
A security analyst conducts a Nmap scan of a server and found that port 25 is open. What risk might this server be exposed to?
A. Web Portal Data Leak
B. Open file/print sharing
C. Open mail relay
D. Clear text authentication
C. Open mail relay
32
A user has reported that their workstation is running very slowly. A technician begins to investigate the issue and notices a lot of unknown processes running in the background. The technician determines that the user has recently downloaded a new application from the internet and may have become infected with malware. Which of the following types of infections does the workstation MOST likely have?
A. Trojan
B. Keyloggar
C. Rootkit
D. Ransomware
A. Trojan
33
A security analyst is conducting a log review of the company's web server and found two suspicious entries. Based on source code analysis, which type of vulnerability is this web server vulnerable to?
A. Directory Traversal
B. LDAP Injection
C. Command Injection
D. SQL Injection
D. SQL Injection
OBJ-1.3: Based on the log entries, it appears the attack was successful in conducting a SQL injection. Notice the escape character (') used in the log. A connection to the MySQL database is being used in the script, which could be exploited since no input validation is being performed. Command injection is an attack in which the goal is to execute arbitrary commands on the host operating system via a vulnerable application. SQL injection is a specific type of command injection. LDAP injection is a code injection technique used to exploit web applications that could reveal sensitive user information or modify information represented in the LDAP (Lightweight Directory Access Protocol) data stores. Directory traversal or Path Traversal is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server's root directory.
34
A cybersecurity analyst is working at a college that wants to increase its network's security by implementing vulnerability scans of centrally managed workstations, student laptops, and faculty laptops. Any proposed solution must scale up and down as new students and faculty use the network. Additionally, the analyst wants to minimize the number of false positives to ensure accuracy in their results. The chosen solution must also be centrally managed through an enterprise console. Which of the following scanning topologies would be BEST able to meet these requirements?
A. Combination of Server-based
B. Active Scanning engine
C. Combination of cloud-based
D. Passive scanning engine
B. Active Scanning engine
35
You have been asked to determine if Dion Training’s web server is vulnerable to a recently discovered attack on an older version of SSH. Which technique should you use to determine the current version of SSH running on their web server?
A. Passive Scan
B. Protocol Analysis
C. Vulnerability Scan
D. Banner Grabbing
D. Banner Grabbing
36
Which attack method is MOST likely to be used by a malicious employee or insider trying to obtain another user's passwords?
A. Phishing
B. On Path Attack
C. Shoulder Surfing
D. Tailgating
C. Shoulder Surfing
37
Lamont is in the process of debugging a software program. As he examines the code, he discovers that it is miswritten. Due to the error, the code does not validate a variable's size before allowing the information to be written into memory. Based on Lamont’s discovery, what type of attack might occur?
A. SQL Injection
B. Cross Site Scripting
C. Buffer Overflow
D. Malicious Logic
C. Buffer Overflow
38
Which of the following is a common attack model of an APT attack?
A. Involves sophisticated DDoS Attack
B. Relies on worm to spread laterally
C. Hold an organization data hostage using encryption
D. Quietly gathers information from compromised systems
D. Quietly gathers information from compromised systems
39
Which of the following is a best practice that should be followed when scheduling vulnerability scans of an organization's data center?
A. Schedule Scans to run during low activity
B. Schedule Scans to run during peak time
C. Schedule Scans to run same time everyday
D. Schedule Scans to be conducted evenly throughout the day
A. Schedule Scans to run during low activity
40
You are reviewing the IDS logs and notice the following log entry: What type of attack is being performed?
A Cross-Site Scripting
B. XML Injection
C. SQL Injection
D. Header Manipulation
C. SQL Injection
OBJ-1.3: SQL injection is a code injection technique that is used to attack data-driven applications. SQL injections are conducted by inserting malicious SQL statements into an entry field for execution. For example, an attacker may try to dump the contents of the database by using this technique. A common SQL injection technique is to insert an always true statement, such as 1 == 1, or in this example, 7 == 7. Header manipulation is the insertion of malicious data, which has not been validated, into an HTTP response header. XML Injection is an attack technique used to manipulate or compromise an XML application or service's logic. The injection of unintended XML content and/or structures into an XML message can alter the application's intended logic. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser side script, to a different end-user.
41
After analyzing and correlating activity from the firewall logs, server logs, and the intrusion detection system logs, a cybersecurity analyst has determined that a sophisticated breach of the company’s network security may have occurred from a group of specialized attackers in a foreign country over the past five months. Up until now, these cyberattacks against the company network had gone unnoticed by the company’s information security team. How would you best classify this threat?
A. Insider Threat
B. APT(Advance Persistent Test)
C. Spear Phishing
D. Privilege Escalation
B. APT(Advance Persistent Test)
42
(Sample Simulation – On the real exam for this type of question, you would receive 3-5 pictures and be asked to drag and drop them into place next to the correct term.)Which of the following types of attacks occurs when an attacker calls up people over the phone and attempts to trick them into providing their credit card information?
A. Spear Phishing
B. Hoax
C. Pharming
D. Phishing
E. Vhishing
E. Vhishing
43
A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URL, http://test.diontraining.com/../../../../etc/shadow. What type of attack has likely occurred?
A. Buffer Injection
B. SQL Injection
C. Directory Traversal
D. XML Injection
C. Directory Traversal
44
You are conducting threat hunting on your organization's network. Every workstation on the network uses the same configuration baseline and contains a 500 GB HDD, 4 GB of RAM, and the Windows 10 Enterprise operating system. You know from previous experience that most of the workstations only use 40 GB of space on the hard drives since most users save their files on the file server instead of the local workstation. You discovered one workstation that has over 250 GB of data stored on it. Which of the following is a likely hypothesis of what is happening, and how would you verify it?
A. The host might be used as a command
B. The host might be the victim of remote access trojan
C. The host might use a staging area for data exfiltration
D. The host might be offline and conducted backup locally.
C. The host might use a staging area for data exfiltration
45
(Sample Simulation – On the real exam for this type of question, you would receive 3-5 pictures and be asked to drag and drop them into place next to the correct term.) Which of the following types of attacks occurs when an attacker sends unsolicited messages over Facebook messenger?
A. Spear Phishing
B. Hoax
C. Pharming
D. Spimming
E. Spamming
D. Spimming
46
What type of malware changes its binary pattern in its code on specific dates or times to avoid detection by antimalware software?
A. Polymorphic Virus
B. Trojan
C. Logic Bomb
D. Ransomware
A. Polymorphic Virus
47
You are working as a penetration tester and have discovered a new method of exploiting a vulnerability within the Windows 10 operating system. You conduct some research online and discover that a security patch against this particular vulnerability doesn't exist yet. Which type of threat would this BEST be categorized as?
A. Zero Day
B. Spoofing
C. Brute Force
D. DDoS
A. Zero Day
48
An ethical hacker has been hired to conduct a physical penetration test of a company. During the first day of the test, the ethical hacker dresses up like a plumber and waits in the building's main lobby until an employee goes through the main turnstile. As soon as the employee enters his access number and proceeds to go through the turnstile, the ethical hacker follows them through the access gate. What type of attack did the ethical hacker utilize to access the restricted area of the building?
A. Tailgating
B. Shoulder Surfing
C. Social Engineering
D. Spoofing
A. Tailgating
49
As a cybersecurity analyst conducting vulnerability scans, you have just completed your first scan of an enterprise network comprising over 10,000 workstations. As you examine your findings, you note that you have less than 1 critical finding per 100 workstations. Which of the following statement does BEST explain these results?
A. The scanner was not compatible with devices on network
B. The scanner has an exceptionally strong security posture
C. The scanner failed to connect
D. An uncredited scan of the network was performed
D. An uncredited scan of the network was performed
50
You are conducting threat hunting for an online retailer. Upon analyzing their web server, you identified that a single HTML response returned as 45 MB in size, but an average response is normally only 275 KB. Which of the following categories of potential indicators of compromise would you classify this as?
A. Beaconing
B. Introduction of new accounts
C. Data Exfiltration
D. Unauthorized Privilege
C. Data Exfiltration
51
A cybersecurity analyst is reviewing the logs of an authentication server and saw the following output: What type of attack was most likely being attempted by the attacker?
A. Impersonation
B. Credential Harvesting
C. Password Spraying
D. Brute Force
D. Brute Force
OBJ-1.2: This is an example of a brute force attack. Unlike password spraying that focuses on attempting only one or two passwords per user, a brute force attack focuses on trying multiple passwords for a single user. The goal of this attack is to crack the user's password and gain access to their account. Password spraying, instead, refers to the attack method that takes a large number of usernames and loops them with a single password. We can use multiple iterations using several different passwords, but the number of passwords attempted is usually low compared to the number of users attempted. This method avoids password lockouts, and it is often more effective at uncovering weak passwords than targeting specific users. In the scenario provided, only one or two attempts are being made to each username listed. This is indicative of a password spraying attack instead of a brute force attempt against a single user. Impersonation is the act of pretending to be another person for fraudulent purposes. Credential stuffing is the automated injection of breached username/password pairs to gain user accounts access fraudulently. This is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are potentially matched to an existing account. The attacker can then hijack the account for their purposes.
52
A macOS user is browsing the internet in Google Chrome when they see a notification that says, "Windows Enterprise Defender: Your computer is infected with a virus, please click here to remove it!" What type of threat is this user experiencing?
A. Worm
B. Rouge Anti Virus
C. Pharming
D. Phishing
B. Rouge Anti Virus
53
A customer brought in a computer that has been infected with a virus. Since the infection, the computer began redirecting all three of the system's web browsers to a series of malicious websites whenever a valid website is requested. You quarantined the system, disabled the system restore, and then perform the remediation to remove the malware. You have scanned the machine with several anti-virus and anti-malware programs and determined it is now cleaned of all malware. You attempt to test the web browsers again, but a small number of valid websites are still being redirected to a malicious website. Luckily, the updated anti-virus you installed blocked any new malware from infecting the system. Which of the following actions should you perform NEXT to fix the redirection issue with the browsers?
A. Reformate the system and reinstall the OS
B. Install a secondary anti malware solution on the system
C. Verify the host file has not been maliciously modified
D. Perform a system Restore to an earlier date before the infection
C. Verify the host file has not been maliciously modified
54
In which type of attack does the attacker begin with a normal user account and then seek additional access rights?
A. Remote Code Exploitation
B. Privilege Escalation
C. Cross Site Scripting
D. Spear Phishing
B. Privilege Escalation
55
(Sample Simulation – On the real exam for this type of question, you would receive 3-5 pictures and be asked to drag and drop them into place next to the correct term.) Which of the following types of attacks occurs when an attacker attempts to obtain personal or private information through domain spoofing or poisoning a DNS server?
A. Vishing
B. Phishing
C. Spear Phishing
D. Pharming
E. Hoax
D. Pharming
56
Which of the following would NOT be useful in defending against a zero-day threat?
A. Segmentation
B. Threat Intelligence
C. Allow Listing
D. Patching
D. Patching
57
While investigating a data breach, you discover that the account credentials used belonged to an employee who was fired several months ago for misusing company IT systems. The IT department never deactivated the employee's account upon their termination. Which of the following categories would this breach be classified as?
A. Insider Threat
B. Advanced Persistence Threat
C. Zero Day
D. Known Threat
A. Insider Threat
58
(Sample Simulation – On the real exam for this type of question, you would receive 3-5 pictures and be asked to drag and drop them into place next to the correct term.)Which of the following types of attacks occurs when an attacker specifically targets the CEO, CFO, CIO, and other board members during their attack?
A. Vishing
B. Smishing
C. Whaling
D. Spear Phishing
E. Phishing
C. Whaling
59
Fail to Pass Systems has just become the latest victim in a large-scale data breach by an APT. Your initial investigation confirms a massive exfiltration of customer data has occurred. Which of the following actions do you recommend to the CEO of Fail to Pass Systems in handling this data breach?
A. Conduct notification to all affected customers within 72 hours of the discovery of the breach
B. Provide a statement to the press that minimize the scope of the breach
C. Conduct "hack-back" of the attacker to retrieve the stolen information
D. Purchse cyber insurance
A. Conduct notification to all affected customers within 72 hours of the discovery of the breach
60
An analyst reviews the logs from the network and notices that there have been multiple attempts from the open wireless network to access the networked HVAC control system. The open wireless network must remain openly available so that visitors can access the internet. How can this type of attack be prevented from occurring in the future?
A. Enable WPA2 security
B. Implement a VLAN to separate the HVAC control system from the open wireless network
C. Install a IDS to protect the HVAC System
D. Enable NAC on the open wireless network
B. Implement a VLAN to separate the HVAC control system from the open wireless network
61
Jason has created a new password cracking tool using some Python code. When he runs the program, the following output is displayed:Based on the output, what type of password cracking method does Jason’s new tool utilize?
A. Hybrid Attack
B. Brute Force Attack
C. Rainbow Attack
D. Dictionary Attack
Hybrid Attack
OBJ-1.2: Based on the passwords found in the example, Jason’s new password cracker is most likely using a hybrid approach. All of the passwords found are dictionary words with some additional characters added to the end. For example, Jason’s password of rover123 is made up of the dictionary word “rover” and the number 123. The cracker likely attempted to use a dictionary word (like rover) and the attempted variations on it using brute force (such as adding 000, 001, 002, …122, 123) to the end of the password until found. Combining the dictionary and brute force methods into a single tool is known as a hybrid password cracking approach.
62
You are trying to find a rogue device on your wired network. Which of the following options would NOT help find the device?
A. Port Scanning
B. MAC Validation
C. Site Survey
D. War Walking
D. War Walking
63
Barbara received a phone call from a colleague asking why she sent him an email with lewd and unusual content. Barbara doesn't remember sending the email to the colleague. What is Barbara MOST likely the victim of?
A. Phishing
B. Spear Phishing
C. Hijacked Email
D. Ransomeware
C. Hijacked Email
64
Which of the following must be combined with a threat to create risk?
A. Exploit
B. Vulnerability
C. Malicious Actor
D. Mitigation
B. Vulnerability
65
An employee contacts the service desk because they cannot open an attachment they receive in their email. The service desk agent conducts a screen-sharing session with the user and investigates the issue. The agent notices that the attached file is named Invoice1043.pdf, and a black pop-up window appears and then disappears quickly when the attachment was double-clicked. Which of the following is most likely causing this issue?
A. The file contains an embedded link to malicious website
B. The attachment is using a double file extension to mask its identity
C. The email is a form a spam and should be deleted
D. The user doesn't have a PDF reader installed on their computer
B. The attachment is using a double file extension to mask its identity
66
Which type of threat actor can accidentally or inadvertently cause a security incident in your organization?
A. Organized Crime
B. APT
C. Hacktivist
D. Insider Threat
D. Insider Threat
67
What role does the red team perform during a tabletop exercise (TTX)?
A. System Admin
B. Network Defender
C. Cybersecurity Analyst
D. Adversary
D. Adversary
68
During your annual cybersecurity awareness training in your company, the instructor states that employees should be careful about what information they post on social media. According to the instructor, if you post too much personal information on social media, such as your name, birthday, hometown, and other personal details, it is much easier for an attacker to conduct which type of attack to break your passwords?
A. Brute Force Attack
B. Birthday Attack
C. Cognitive Password Attack
D. Rainbow Table Attack
C. Cognitive Password Attack
69
A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URLs:
What type of vulnerability does this website have?
A. Insecure direct object reference
B. Race Condition
C. Weak or Default configuration
D. Improper Error Handling
A. Insecure direct object reference
OBJ-1.3: Insecure direct object references (IDOR) are a cybersecurity issue that occurs when a web application developer uses an identifier for direct access to an internal implementation object but provides no additional access control and/or authorization checks. An attacker could change the userid number and directly access any user's profile page in this scenario. A race condition is a software vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events. Those events fail to execute in the order and timing intended by the developer. Weak or default configurations are commonly a result of incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin resource sharing (CORS), and verbose error messages containing sensitive information. Improper handling of errors can reveal implementation details that should never be revealed, such as detailed information that can provide hackers important clues on the system's potential flaws.
70
An attacker recently compromised an e-commerce website for a clothing store. Which of the following methods did the attacker use to harvest an account's cached credentials when the user logged into an SSO system?
A. Lateral Movement
B. Pivoting
C. Pass the Hash
D. Golden Ticket
C. Pass the Hash
71
Samantha works in the human resource department in an open floorplan office. She is concerned about the possibility of someone conducting shoulder surfing to read sensitive information from employee files while accessing them on her computer. Which of the following physical security measures should she implement to protect against this threat?
A. Biometric Lock
B. Badge Reader
C. Privacy Screen
D. Hardware token
C. Privacy Screen
72
Dion Training has applied a new Group Policy to all student accounts that will lock out any account in which the student enters their password incorrectly 3 times in a row. Once the account is locked out, the student must wait 15 minutes before they can attempt to log in again. What type of attack is this mitigation strategy trying to prevent?
A. Spoofing
B. Brute Force Attack
C. Privilege Escalation
D. On Path Attack
B. Brute Force Attack
73
A popular game allows for in-app purchases to acquire extra lives in the game. When a player purchases the extra lives, the number of lives is written to a configuration file on the gamer's phone. A hacker loves the game but hates having to buy lives all the time, so they developed an exploit that allows a player to purchase 1 life for $0.99 and then modifies the content of the configuration file to claim 100 lives were purchased before the application reading the number of lives purchased from the file. Which of the following type of vulnerabilities did the hacker exploit?
A. Dereferencing
B. Sensitive Data Exposure
C. Race Condition
D. Broken Authentication
C. Race Condition
74
Alexa is an analyst for a large bank that has offices in multiple states. She wants to create an alert to detect if an employee from one bank office logs into a workstation located at an office in another state. What type of detection and analysis is Alexa configuring?
A. Trend
B. Heuristic
C. Behavior
D. Anomaly
C. Behavior
75
(Sample Simulation – On the real exam for this type of question, you would receive 3-5 pictures and be asked to drag and drop them into place next to the correct term.)Which of the following types of attacks occurs when an attacker attempts to gain confidential information or login credentials by sending targeted emails to a specific set of recipients within an organization?
A. Vishing
B. Phishing
C. Hoax
D. Pharming
E. Spear Phishing
Spear Phising
76
Which of the following vulnerability scans would provide the best results if you want to determine if the target's configuration settings are correct?
A. Credential Scan
B. Non Credential Scan
C. Internal Scan
D. External Scan
A. Credential Scan
77
You are performing a web application security test, notice that the site is dynamic, and must be using a back-end database. You decide you want to determine if the site is susceptible to an SQL injection. What is the first character that you should attempt to use in breaking a valid SQL request?
A. Single Quote
B. Double Quote
C. Semicolon
D. Data Mark
A. Single Quote
78
While conducting a penetration test of an organization's web applications, you attempt to insert the following script into the search form on the company's website: Then, you clicked the search button, and a pop-up box appears on your screen showing the following text, "This site is vulnerable to an attack!" Based on this response, what vulnerability have you uncovered in the web application?
A. Cross Site Forgery
B. Cross Site Scripting
C. Distributed DoS
D. Buffer Overflow
B. Cross Site Scripting
OBJ-1.3: This is a form of Cross-Site Scripting (XSS). Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. Attackers may use a cross-site scripting vulnerability to bypass access controls such as the same-origin policy. Cross-site request forgery (CSRF or XSRF) is a malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. There are many ways in which a malicious website can transmit commands, such as specially-crafted image tags, hidden forms, and JavaScript XMLHttpRequests can all work without the user's interaction or even knowledge. A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. A buffer overflow is an anomaly that occurs when a program overruns the buffer's boundary and overwrites adjacent memory locations while writing data to a buffer.
79
Tierra works as a cybersecurity analyst for a large multi-national oil and gas company. She responds to an incident at her company in which their public-facing web server has been defaced with the words, “Killers of the Arctic.” She believes this was done in response to her company’s latest oil drilling project in the Arctic Circle. Which threat actor is most likely to blame for the website defacement?
A. Script Kiddie
B. Hacktivist
C. Organized Crime
D. APT
B. Hacktivist
80
Your company's Security Operations Center (SOC) is currently detecting an ongoing DDoS attack against your network's file server. A cybersecurity analyst has identified forty internal workstations on the network conducting the attack against your network's file server. The cybersecurity analyst believes these internal workstations are infected with malware and places them into a quarantined network area. The analyst then submits a service desk ticket to have the workstations scanned and cleaned of the infection. What type of malware was the workstation likely a victim of based on the scenario provided?
A. Spyware
B. Ransomware
C. Botnet
D. Rootkit
C. Botnet
81
You are creating a script to filter some logs so that you can detect any suspected malware beaconing. Which of the following is NOT a typical means of identifying a malware beacon’s behavior on the network?
A. The beacon persistence
B. The beacon interval
C. Removal of known Traffic
D. The Beacon Protocol
D. The Beacon Protocol
82
A vulnerability scanner has reported that a vulnerability exists in the system. Upon validating the report, the analyst determines that this reported vulnerability does not exist on the system. What is the proper term for this situation?
A. True Positive
B. True Negative
C. False Negative
D. False Positive
D. False Positive
83
Ted, a file server administrator at Dion Training, has noticed that many sensitive files have been transferred from a corporate workstation to an IP address outside of the local area network. Ted looks up the IP address and determines that it is located in a foreign country. Ted contacts his company’s security analyst, verifying that the workstation’s anti-malware solution is up-to-date and the network’s firewall is properly configured. What type of attack most likely occurred to allow the exfiltration of the files from the workstation?
A. Zero Day
B. Session hijacking
C. Impersonation
D. Mac Spoofing
A. Zero Day
84
A penetration tester is using a known vulnerability to compromise an Apache webserver. After they gain access to the webserver, what is their next step to pivot to a protected system outside of the screened subnet?
A. Privilege Escalation
B. Installing Addition Tools
C. Vulnerability Scanning
D. Patching
A. Privilege Escalation
85
A cybersecurity analyst has received an alert that sensors continuously observe well-known call home messages at their network boundary. Still, the organization's proxy firewall is properly configured to successfully drop the messages before leaving the network. Which of the following is MOST likely the cause of the call home messages being sent?
A. Malware is running on a company workstation or server
B. A malicious insider is trying to exfiltration information to a remote network
C. An infected workstation is attempting to reach a command and control server
D. An attacker is performing reconnaissance of the organization workstation
C. An infected workstation is attempting to reach a command and control server
86
What type of malware is designed to be difficult for malware analysts to reverse engineer?
A. Rootkit
B. Trojan
C. Logic Bomb
D. Armored Virus
D. Armored Virus
87
The Security Operations Center Director for Dion Training received a pop-up message on his workstation that said, “You will regret firing me; just wait until Christmas!” He suspects the message came from a disgruntled former employee who may have set up a piece of software to create this pop-up on his machine. The director is now concerned that other code might be lurking within the network that could negatively affect Christmas. He directs his team of cybersecurity analysts to begin searching the network for this suspicious code. What type of malware should they be searching for?
A. Adwere
B. Worm
C. Trojan
D. Logic Bomb
D. Logic Bomb
88
During a penetration test, you find a hash value related to malware associated with an APT. What best describes what you have found?
A. Indicator of Compromise
B. SQL Injection
C. Botnet
D. XSRF
A. Indicator of Compromise
89
An insurance company has developed a new web application to allow its customers to choose and apply for an insurance plan. You have been asked to help perform a security review of the new web application. You have discovered that the application was developed in ASP and used MSSQL for its backend database. You have been able to locate an application's search form and introduced the following code in the search input field: When you click submit on the search form, your web browser returns a pop-up window that displays Vulnerable_to_Attack. Which of the following vulnerabilities did you discover in the web application?
A. Command Injection
B. Cross Site Scripting
C. SQL Injection
D. Cross Site request Forgery
B. Cross Site Scripting
OBJ-1.3: This is a form of Cross-Site Scripting (XSS). Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. Attackers may use a cross-site scripting vulnerability to bypass access controls such as the same-origin policy. Cross-site request forgery (CSRF or XSRF) is a malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. There are many ways in which a malicious website can transmit commands, such as specially-crafted image tags, hidden forms, and JavaScript XMLHttpRequests can all work without the user's interaction or even knowledge. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. Command injection is an attack in which the goal is to execute arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell.
90
Which of the following types of attackers are sophisticated and highly organized people or teams typically sponsored by a nation-state?
A. Hacktivist
B. Advanced Persistence Threat
C. Ethical Hacker
D. Script kiddie
B. Advanced Persistence Threat
91
Recently, you discovered an unauthorized device during a search of your corporate network. The device provides nearby wireless hosts to access the corporate network's resources. What type of attack is being utilized?
A. Rouge Access point
B. IV Attack
C. Bluejacking
D. Bluesnarfing
A. Rouge Access point
92
On your lunch break, you walked down to the coffee shop on the corner. You open your laptop and connect to their wireless network. After a few minutes of surfing the Internet, a pop-up is displayed on your screen. You close the pop-up, finish your lunch break, shut down the laptop, and put it back into your backpack. When you get back to the office, you take out the laptop and turn it on, but instead of your normal desktop background, you are greeted by a full-screen image with a padlock and a message stating you have to pay 0.1 BTC to regain access to your personal files. What type of malware has infected your laptop?
A. Trojan
B. Rootkit
C. Ransomware
D. Spyware
C. Ransomware
93
You have just received an email that claims to be from the Federal Bureau of Investigation (FBI). The email claims that your computer was identified as part of a botnet being used to distribute pirated copies of a new movie. The email states that you must click the link below and pay a fine of $1000 within 24 hours, or federal agents will be sent to your home to arrest you for copyright infringement. What social engineering principle is this email relying on using?
A. Consensus
B. Intimidation
C. Familiarly
D. Trust
B. Intimidation
94
A new alert has been distributed throughout the information security community regarding a critical Apache vulnerability. What action could you take to ONLY identify the known vulnerability?
A. Perform a scan for the specific vulnerably
B. Perform a unauthenticated vulnerability scan
C. Perform a web vulnerability scan
D. Perform authenticated scan
A. Perform a scan for the specific vulnerably
95
A recent vulnerability scan found several vulnerabilities on an organization’s public-facing IP addresses. To reduce the risk of a breach, which of the following vulnerabilities should be prioritized for remediation?
A. A website utilizing a self signed SSL certificate
B. A cryptographically weak encryption
C. A buffer overflow that is known to allow remote code execution
D. An HTTP response that reveals an internet IP address
C. A buffer overflow that is known to allow remote code execution
96
Which type of method is used to collect information during the passive reconnaissance?
A. Social Engineering
B. Reviewing Public Repository
C. Network Traffic sniffing
D. API request and response
B. Reviewing Public Repository
97
Your smartphone begins to receive unsolicited messages while eating lunch at the restaurant across the street from your office. What might cause this to occur?
A. Bluejacking
B. Bluesnarfing
C. Packet Sniffing
D. Geotagging
A. Bluejacking
98
What technique is an attacker using if they review data and publicly available information to gather intelligence about the target organization without scanning or other technical information-gathering activities?
A. Patch Management
B. Passive Reconnaissance
C. Active Scanning
D. Vulnerability Scanning
B. Passive Reconnaissance
99
What type of malicious application does not require user intervention or another application to act as a host to replicate?
A. Trojan
B. Virus
C. Macro
D. Worm
D. Worm
100
A cybersecurity analyst just finished conducting an initial vulnerability scan and is reviewing their results. To avoid wasting time on results that are not related to actual vulnerabilities, the analyst wants to remove any false positives before remediating the findings. Which of the following is an indicator that something in their results would be a false positive?
A. A HTTPS entry
B. A scan result
C. Items Classified by the system
D. A finding that shows the scanners compliance
C. Items Classified by the system
101
You have just finished running a vulnerability scan of the network and are reviewing the results. The first result in the report shows the following vulnerability: You log into the MySQL server and verify that you are currently running version 3.5.3. Based on the item shown on the image, what best describes how you should categorize this finding?
A. True Positive
B. True Negative
C. False Positive
D. False Negative
C. False Positive
OBJ-1.7: You should categorize the results as a false positive. Based on the scenario and output, your server is not vulnerable to a remote code execution for the identified vulnerability. You are already running MySQL v3.5.3 that is greater than v3.3.x or above. This indicates that the vulnerability scanner falsely identified your MySQL version as an earlier and more vulnerable version. The system incorrectly identified a vulnerability, but the vulnerability doesn’t exist on your system. Therefore this is a false positive.
102
(Sample Simulation – On the real exam for this type of question, you would receive 3-5 pictures and be asked to drag and drop them into place next to the correct term.) Based on the image provided, what type of attack is occurring?
A. Ping Flood
B. SYN Flood
C. DDoS
D. Smurf Attack
A. Ping Flood
103
You are analyzing the following network utilization report because you suspect one of the servers has been compromised. Based on the report above, which of the following servers do you suspect has been compromised and should be investigated further?
A. web01
B. webdev02
C. marketing01
D. dnsvr01
D. dnsvr01
OBJ-1.6: Due to the considerable increase in network utilization on dbsvr01, it should be suspected of compromise and further investigated. The server has a historical average utilization of only 3.15 GB per month, but this month there has been an increase to 24.6 GB of usage. This increase is nearly 8x more than the previous month when all of the other servers stayed relatively constant. This indicates a possible compromise of the database server (dbsvr01) and a data breach or data exfiltration.
104
You are analyzing the SIEM for your company's e-commerce server when you notice the following URL in the logs of your SIEM:
A. XML Injection
B. Session hijacking
C. Buffer Overflow
D. SQL Injection
Based on this line, what type of attack do you expect has been attempted?
A. XML Injection
OBJ-1.3: This is an example of an XML injection. XML injection manipulates or compromises the logic of an XML application or service. The injection of unintended XML content and/or structures into an XML message can alter an application's intended logic. XML Injection can cause the insertion of malicious content into resulting messages/documents. In this case, the URL is attempting to modify the server's XML structure. The original XML structure would be: . By using the URL above, this would be modified to the following: . The result would be that a new line was added in the XML document that could be processed by the server. This line would allow 10 of the product at $0.00 to be added to the shopping cart, while 0 of the product at $50.00 is added to the cart. This defeats the integrity of the e-commerce store's add to cart functionality through this XML injection. A SQL injection occurs when data input by a user is interpreted as a SQL command rather than as normal data by the backend database. A buffer overflow is an exploit that attempts to write data to a buffer and exceed that buffer's boundary to overwrite an adjacent memory location. A session hijacking attack consists of exploiting the web session control mechanism, normally managed for a session token. The real key to answering this question is identifying the XML structured code being entered as part of the URL, shown by the bracketed data.
105
You are working as part of a penetration testing team during an assessment of Dion Training's headquarters. Your boss has requested that you search the company's recycling bins for any information that might be valuable during the reconnaissance phase of your attack. What type of social engineering method are you performing?
A. Impersonation
B. Whaling
C. Dumpster Diving
D. Phishing
C. Dumpster Diving
106
During a vulnerability scan of your network, you identified a vulnerability on an appliance installed by a vendor on your network under an ongoing service contract. You do not have access to the appliance's operating system as the device was installed under a support agreement with the vendor. What is your best course of action to remediate or mitigate this vulnerability?
A. Wait 30 days
B. Try to gain access
C. Mark the known vulnerabilities
D. Contact the vendor to provide an update or to remediate the vulnerability
D. Contact the vendor to provide an update or to remediate the vulnerability
107
Which of the following attacks would most likely be used to create an inadvertent disclosure of information from an organization's database?
A. Buffer Overflow
B. SQL Injection
C. DoS
D. Cross Site Scripting
B. SQL Injection
108
Based on some old SIEM alerts, you have been asked to perform a forensic analysis on a given host. You have noticed that some SSL network connections are occurring over ports other than port 443. The SIEM alerts indicate that copies of svchost.exe and cmd.exe have been found in the host's %TEMP% folder. The logs indicate that RDP connections have previously connected with an IP address that is external to the corporate intranet, as well. What threat might you have uncovered during your analysis?
A. APT
B. DDoS
C. Software vulnerabilities
D. Ransomware
A. APT
109
A cybersecurity analyst at a mid-sized retail chain has been asked to determine how much information can be gathered from the store’s public webserver. The analyst opens up the terminal on his Kali Linux workstation and uses netcat to gather some information.
What type of action did the analyst perform, based on the command and response above?
A. Querying the whois database
B. SQL Injection
C. Banner Grabbing
D. Cross Site Scripting
C. Banner Grabbing
110
(This is a simulated performance-based question.)
You have been asked to help conduct a known environment penetration test. As part of your preparations, you have been given the source code for the organization’s custom web application.
Which type of vulnerability might be able to exploit the code shown in this image?
A. JavaScript Injection
B. SQL Injection
C. Remote Code Execution
D. Buffer Overflow
D. Buffer Overflow
OBJ-1.2: The function DionCode may be subject to a buffer overflow as the user enters something over 20 characters as their input. In defining the char (character) type array, the programmer only allocated 20 characters worth of memory storage. To solve this problem, the programmer should create proper input validation to ensure that the input is less than 20 characters before passing the user_input variable to the strcpy (string copy) function.
111
Jennifer decided that the licensing cost for a piece of video editing software was too expensive. Instead, she decided to download a keygen program to generate a license key and install a pirated version of the editing software. After she runs the keygen, a license key is created, but her system performance becomes very sluggish, and her antimalware suite begins to display numerous alerts. Which type of malware might her computer be infected with?
A. Trojan
B. Worm
C. Adware
D. Logic Bomb
A. Trojan
112
A cybersecurity analyst is reviewing the logs of an authentication server and saw the following output:
What type of attack was most likely being attempted by the attacker?
A. Impersonation
B. Session Hijacking
C. Password Spraying
D. Credential Stuffing
C. Password Spraying
OBJ-1.2: Password spraying refers to the attack method that takes many usernames and loops them with a single password. We can use multiple iterations using many different passwords, but the number of passwords attempted is usually low compared to the number of users attempted. This method avoids password lockouts, and it is often more effective at uncovering weak passwords than targeting specific users. In the scenario provided, only one or two attempts are being made to each username listed. This is indicative of a password spraying attack instead of a brute force attempt against a single user. Impersonation is the act of pretending to be another person for fraud. Credential stuffing is the automated injection of breached username/password pairs to gain user accounts access fraudulently. This is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are potentially matched to an existing account. The attacker can then hijack the account for their purposes. Session hijacking exploits a valid computer session to gain unauthorized access to information or services in a computer system.
113
Raj is working to deploy a new vulnerability scanner for an organization. He wants to verify the information he gets is the most accurate view of the configurations on the organization's traveling salespeople's laptops to determine if any configuration issues could lead to new vulnerabilities. Which of the following technologies would work BEST to collect the configuration information in this situation?
A. Server-Based Scanning
B. Agent-Based Scanning
C. Passive Network Monitoring
D. Non-Credential Scanning
B. Agent-Based Scanning
114
(This is a simulated performance-based question.)
You are working as a help desk technician and received a call from a user who complains about their computer’s performance has slowed down over the last week since they installed a new free video game on the computer. As part of your troubleshooting efforts, you enter the command prompt in Windows and run the following command:
Based on the output provided, what type of malware may have been installed on this user’s computer?
A. Rat
B. Spam
C. Worm
D. Keyloggar
A. Rat
OBJ-1.2: Based on the scenario and the output provided, the best choice is a RAT. A RAT is a Remote Access Trojan, and it is usually installed accidentally by a user when they install free software on their machine that has a RAT embedded into it. The first two output lines show that ports 135 and 445 are open and listening for an inbound connection (typical of a RAT). This is not an example of a worm because the user admitted to installing a free program, and worms can install themselves and continue to send data outbound across the network to continue to spread. There is no indication in the scenario that a keylogger is being used, nor that spam (unsolicited emails) has been received.
