Threats, Attacks, and Vulnerabilities Flashcards
You have noticed some unusual network traffic outbound from a certain host. The host is communicating with a known malicious server over port 443 using an encrypted TLS tunnel. You ran a full system anti-virus scan of the host with an updated anti-virus signature file, but the anti-virus did not find any infection signs. Which of the following has MOST likely occurred?
A. Session Hijacking
B. Password Spraying
C. Zero Day Attack
D. Directory Traversal
C. Zero Day Attack
Which of the following types of attacks are usually used as part of an on-path attack?
A. Spoofing
B. Tailgating
C. Brute Force
D. DDoS
A. Spoofing
You have just received a phishing email disguised to look like it came from support@diontraining.com asking you to send your username and password because your account has been locked out due to inactivity. Which of the following social engineering principles is being used in this email?
A. Intimidation
B. Trust
C. Urgency
D. Consensus
B. Trust
Several users have contacted the help desk to report that they received an email from a well-known bank stating that their accounts have been compromised and they need to “click here” to reset their banking password. Some of these users are not even customers of this particular bank, though. Which of the following social engineering principles is being utilized as a part of this phishing campaign?
A. Intimidation
B. Familiarity
C. Urgency
D. Consensus
B. Familiarity
The management at Steven’s work is concerned about rogue devices being attached to the network. Which of the following solutions would quickly provide the most accurate information that Steve could use to identify rogue devices on a wired network?
A. A physical Survey
B. Reviewing a central admin tool like an endpoint manager
C. A directory scan using a port scanner
D. Router- and switch-based MAC address reporting
D. Router- and switch-based MAC address reporting
A cybersecurity analyst from BigCorp contacts your company to notify them that several of your computers were seen attempting to create a denial of service condition against their servers. They believe your company has become infected with malware, and those machines were part of a larger botnet. Which of the following BEST describes your company’s infected computers?
A. Monster
B. Bugs
C. Zombie
D. Zero Day
C. Zombie
A penetration tester hired by a bank began searching for the bank’s IP ranges by performing lookups on the bank’s DNS servers, reading news articles online about the bank, monitoring what times the bank’s employees came into and left work, searching job postings (with a special focus on the bank’s information technology jobs), and even searching the dumpster at the bank’s corporate office. Based on this description, what portion of the penetration test is being conducted?
A. Vulnerability Assessment
B. Active Information Gathering
C. Passive Information Gathering
D. Information Reporting
C. Passive Information Gathering
A cybersecurity analyst is reviewing the logs of a Citrix NetScaler Gateway running on a FreeBSD 8.4 server and saw the following output:
A. Password Spraying
B. Directory Traversal
C. SQL Injection
D. XML Injection
B. Directory Traversal
OBJ-1.3: A directory traversal attack aims to access files and directories stored outside the webroot folder. By manipulating variables or URLs that reference files with “dot-dot-slash (../)” sequences and its variations or using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files. The example output provided comes from a remote code execution vulnerability being exploited in which a directory traversal is used to access the files. XML Injection is an attack technique used to manipulate or compromise an XML application or service’s logic. SQL injection is the placement of malicious code in SQL statements via web page input. Password spraying attempts to crack various users’ passwords by attempting a compromised password against multiple user accounts.
A cybersecurity analyst is preparing to run a vulnerability scan on a dedicated Apache server that will be moved into a DMZ. Which of the following vulnerability scans is most likely to provide valuable information to the analyst?
A. Network Vulnerability Scan
B. Web Application Vulnerability Scan
C. Port Scan
D. Database Vulnerability Scan
B. Web Application Vulnerability Scan
(Sample Simulation – On the real exam for this type of question, you would receive 3-5 pictures and be asked to drag and drop them into place next to the correct term.)
A. SYN Flood
B. Ping Flood
C. Smurf Attack
D. DDoS
A. SYN Flood
(Sample Simulation – On the real exam for this type of question, you might receive a list of attack vectors and targets. Based on these, you would select the type of attack that occurred.) (1) An attacker has been collecting credit card details by calling victims and using false pretexts to trick them. (2) An attacker sends out an email to 100,000 random email addresses. In the email the attacker sent, it claims that “Your Bank of America account is locked out. Please click here to reset your password.” What types of attacks have occurred in (1) and (2)?
A. (1) Vishing and (2) Phishing
B. (1) Pharming and (2) Phishing
C. (1) Spearphishing and (2) Pharming
D. (1) Hoax and (2) Spearphishing
A. (1) Vishing and (2) Phishing
Which of the following is exploited by an SQL injection to give the attacker access to a database?
A. Web Application
B. Database Server
C. OS
D. Firewall
A. Web Application
A computer is infected with malware that has infected the Windows kernel to hide. Which type of malware MOST likely infected this computer?
A. Rootkit
B. Botnet
C. Trojan
D. Ransomware
A. Rootkit
You suspect that your server has been the victim of a web-based attack. Which of the following ports would most likely be seen in the logs to indicate the attack’s target?
A. 3389
B. 389
C. 21
D. 443
D. 443
Which of the following best describes the type of attack shown?
A. Smurf
B. Man in the Middle
C. Xmas Tree Attack
D. Ping of Death
A. Smurf
OBJ-1.4: A smurf attack uses a single ping with a spoofed source address sent to the broadcast address of a network. This causes every device within the network to receive a single ping, which appears to come from the device with the spoofed source address. Each network device then responds to the spoofed address, causing the victim (whose address was spoofed) to be overwhelmed with the responses to the initial ping.
What kind of attack is an example of IP spoofing?
A. Cross Site Scripting
B. ARP Poisoning
C. On Path Attack
D. SQL Injection
C. On Path Attack
A salesperson’s laptop has become unresponsive after attempting to open a PDF in their email. A cybersecurity analyst reviews the IDS and anti-virus software for any alerts or unusual behavior but finds nothing suspicious. Which of the following threats would BEST classify this scenario?
A. Zero Day Malware
B. PII Exfiltration
C. RAT
D. Ping of Death
A. Zero Day Malware
An organization is conducting a cybersecurity training exercise. What team is Jason assigned to if he has been asked to monitor and manage the defenders’ and attackers’ technical environment during the exercise?
A. Red Team
B. Purple Team
C. Blue Team
D. White Team
D. White Team
Praveen is currently investigating activity from an attacker who compromised a host on the network. The individual appears to have used credentials belonging to a janitor. After breaching the system, the attacker entered some unrecognized commands with very long text strings and then began using the sudo command to carry out actions. What type of attack has just taken place?
A. Session Hijacking
B. Phishing
C. Privilege Escalation
D. Social Engineering
C. Privilege Escalation
In 2014, Apple’s implementation of SSL had a severe vulnerability that, when exploited, allowed an attacker to gain a privileged network position that would allow them to capture or modify data in an SSL/TLS session. This was caused by poor programming in which a failed check of the connection would exit the function too early. Based on this description, what is this an example of?
A. Insufficient Logging and Monitoring
B. Insecure Object Reference
C. Improper Error Handling
D. Use of Insecure Functions
C. Improper Error Handling
Dion Training is hiring a penetration testing firm to conduct an assessment of its corporate network. As part of the contract, the company has specified that it will not provide any network details to the penetration testing firm. Instead, the company wants to see how much information about the network can be found by the penetration testers using open-source research and scanning the corporate network. What type of assessment is this considered?
A. Known environment testing
B. Semi-trusted environment testing
C. Unknown environment testing
D. Partially Known environment testing
C. Unknown environment testing
You are conducting a code review of a program and observe that the calculation 0xffffffff + 1 was attempted, but the result was returned as 0x0000000. Based on this, what type of exploit could be created against this program?
A. Impersonation
B. SQL Injection
C. Password Spraying
D. Integer Overflow Attack
D. Integer Overflow Attack
You just received a notification that your company’s email servers have been blocklisted due to reports of spam originating from your domain. What information do you need to start investigating the source of the spam emails?
A. Network flows for the DMZ containing the email servers
B. The full email header from one of the spam messages
C. Firewall logs showing the SMTP connection
D. The SMTP audit log from your company’s email server
B. The full email header from one of the spam messages
Your intrusion detection system has produced an alert based on its review of a series of network packets. After analysis, it is determined that the network packets did not contain any malicious activity. How should you classify this alert?
A. True Negative
B. True Positive
C. False Positive
D. False Negative
C. False Positive
Nick is participating in a security exercise as part of the network defense team for his organization. Which team is Nick playing on?
A. White Team
B. Blue Team
C. Red team
D. Yellow Team
B. Blue Team
Which type of system would classify traffic as malicious or benign based on explicitly defined examples of malicious and benign traffic?
A. Deep Learning
B. Generative Adversarial Network
C. Machine Learning
D. AI
C. Machine Learning
What is the utilization of insights gained from threat research and threat modeling to proactively discover evidence of an adversarial TTP within a network or system called?
A. Informative Assurance
B. Penetration Testing
C. Incident Response
D. Threat Hunting
D. Threat Hunting
You are investigating a suspected compromise. You have noticed several files that you don’t recognize. How can you quickly and effectively check if the files have been infected with malware?
A. Submit the files
B. Disassemble the files
C. Run the Strings
D. Scan the files
A. Submit the files
While performing a vulnerability scan, Christina discovered an administrative interface to a storage system is exposed to the internet. She looks through the firewall logs and attempts to determine whether any access attempts have occurred from external sources. Which of the following IP addresses in the firewall logs would indicate a connection attempt from an external source?
A. 172.16.1.100
B. 192.168.1.10
C. 10.15.1.100
D. 192.168.1.100
D. 192.168.1.100
A cybersecurity analyst notices that an attacker is trying to crack the WPS PIN associated with a wireless printer. The device logs show that the attacker tried 00000000, 00000001, 00000002 and continued to increment by 1 each time until they found the correct PIN of 13252342. Which of the following types of password cracking was being performed by the attacker?
A. Hybrid
B. Dictionary
C. Rainbow Table
D. Brute-Force
D. Brute-Force
A security analyst conducted an Nmap scan of a server and found that port 25 is open. What risk might this server be exposed to?
A. Web Portal Data Leak
B. Open file/print sharing
C. Open mail relay
D. Clear text authentication
C. Open mail relay
A user has reported that their workstation is running very slowly. A technician begins to investigate the issue and notices a lot of unknown processes running in the background. The technician determines that the user has recently downloaded a new application from the internet and may have become infected with malware. Which of the following types of infections does the workstation MOST likely have?
A. Trojan
B. Keylogger
C. Rootkit
D. Ransomware
A. Trojan
A security analyst is conducting a log review of the company’s web server and found two suspicious entries. Based on source code analysis, which type of vulnerability is this web server vulnerable to?
A. Directory Traversal
B. LDAP Injection
C. Command Injection
D. SQL Injection
D. SQL Injection
OBJ-1.3: Based on the log entries, it appears the attack was successful in conducting a SQL injection. Notice the escape character (‘) used in the log. A connection to the MySQL database is being used in the script, which could be exploited since no input validation is being performed. Command injection is an attack in which the goal is to execute arbitrary commands on the host operating system via a vulnerable application. SQL injection is a specific type of command injection. LDAP injection is a code injection technique used to exploit web applications that could reveal sensitive user information or modify information represented in the LDAP (Lightweight Directory Access Protocol) data stores. Directory traversal or Path Traversal is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server’s root directory.
A cybersecurity analyst is working at a college that wants to increase its network’s security by implementing vulnerability scans of centrally managed workstations, student laptops, and faculty laptops. Any proposed solution must scale up and down as new students and faculty use the network. Additionally, the analyst wants to minimize the number of false positives to ensure accuracy in their results. The chosen solution must also be centrally managed through an enterprise console. Which of the following scanning topologies would be BEST able to meet these requirements?
A. Combination of Server-based
B. Active Scanning engine
C. Combination of cloud-based
D. Passive scanning engine
B. Active Scanning engine
You have been asked to determine if Dion Training’s web server is vulnerable to a recently discovered attack on an older version of SSH. Which technique should you use to determine the current version of SSH running on their web server?
A. Passive Scan
B. Protocol Analysis
C. Vulnerability Scan
D. Banner Grabbing
D. Banner Grabbing
Which attack method is MOST likely to be used by a malicious employee or insider trying to obtain another user’s passwords?
A. Phishing
B. On Path Attack
C. Shoulder Surfing
D. Tailgating
C. Shoulder Surfing
Lamont is in the process of debugging a software program. As he examines the code, he discovers that it is miswritten. Due to the error, the code does not validate a variable’s size before allowing the information to be written into memory. Based on Lamont’s discovery, what type of attack might occur?
A. SQL Injection
B. Cross Site Scripting
C. Buffer Overflow
D. Malicious Logic
C. Buffer Overflow
Which of the following is a common attack model of an APT attack?
A. Involves a sophisticated DDoS attack
B. Relies on a worm to spread laterally
C. Holds an organization’s data hostage using encryption
D. Quietly gathers information from compromised systems
D. Quietly gathers information from compromised systems
Which of the following is a best practice that should be followed when scheduling vulnerability scans of an organization’s data center?
A. Schedule scans to run during low activity
B. Schedule scans to run during peak time
C. Schedule scans to run at the same time every day
D. Schedule scans to be conducted evenly throughout the day
A. Schedule scans to run during low activity
You are reviewing the IDS logs and notice the following log entry: What type of attack is being performed?
A. Cross-Site Scripting
B. XML Injection
C. SQL Injection
D. Header Manipulation
C. SQL Injection
OBJ-1.3: SQL injection is a code injection technique that is used to attack data-driven applications. SQL injections are conducted by inserting malicious SQL statements into an entry field for execution. For example, an attacker may try to dump the contents of the database by using this technique. A common SQL injection technique is to insert an always true statement, such as 1 == 1, or in this example, 7 == 7. Header manipulation is the insertion of malicious data, which has not been validated, into an HTTP response header. XML Injection is an attack technique used to manipulate or compromise an XML application or service’s logic. The injection of unintended XML content and/or structures into an XML message can alter the application’s intended logic. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser side script, to a different end-user.
After analyzing and correlating activity from the firewall logs, server logs, and the intrusion detection system logs, a cybersecurity analyst has determined that a sophisticated breach of the company’s network security may have occurred from a group of specialized attackers in a foreign country over the past five months. Up until now, these cyberattacks against the company network had gone unnoticed by the company’s information security team. How would you best classify this threat?
A. Insider Threat
B. APT (Advance Persistent Test)
C. Spear Phishing
D. Privilege Escalation
B. APT (Advance Persistent Test)
(Sample Simulation – On the real exam for this type of question, you would receive 3-5 pictures and be asked to drag and drop them into place next to the correct term.) Which of the following types of attacks occurs when an attacker calls up people over the phone and attempts to trick them into providing their credit card information?
A. Spear Phishing
B. Hoax
C. Pharming
D. Phishing
E. Vishing
E. Vishing
A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URL, http://test.diontraining.com/../../../../etc/shadow. What type of attack has likely occurred?
A. Buffer Injection
B. SQL Injection
C. Directory Traversal
D. XML Injection
C. Directory Traversal
You are conducting threat hunting on your organization’s network. Every workstation on the network uses the same configuration baseline and contains a 500 GB HDD, 4 GB of RAM, and the Windows 10 Enterprise operating system. You know from previous experience that most of the workstations only use 40 GB of space on the hard drives since most users save their files on the file server instead of the local workstation. You discovered one workstation that has over 250 GB of data stored on it. Which of the following is a likely hypothesis of what is happening, and how would you verify it?
A. The host might be used as a command
B. The host might be the victim of remote access trojan
C. The host might be used as a staging area for data exfiltration
D. The host might be offline and conducted backup locally.
C. The host might be used as a staging area for data exfiltration
(Sample Simulation – On the real exam for this type of question, you would receive 3-5 pictures and be asked to drag and drop them into place next to the correct term.) Which of the following types of attacks occurs when an attacker sends unsolicited messages over Facebook messenger?
A. Spear Phishing
B. Hoax
C. Pharming
D. Spimming
E. Spamming
D. Spimming