Threats, Attacks, and Vulnerabilities (2) Flashcards

1
Q

When phishing attacks are so focused that they target a specific individual, they are called what?

Spear phishing

Phishing

Whaling

A

Whaling

Whaling is phishing that targets a specific individual.

2
Q

You are concerned about a wide range of attacks that could affect your company’s web server. You have recently read about an attack wherein the attacker sends more data to the target than the target is expecting. If done properly, this could cause the target to crash. What would best prevent this type of attack?

An SPI firewall

An active IDS/IPS

Checking buffer boundaries

A

Checking buffer boundaries

The attack described is a buffer overflow, so checking buffer boundaries is the best defense.

3
Q

You work for a large retail company that processes credit card purchases. You have been asked to test your company network for security issues. The specific test you are conducting involves primarily checking policies, documentation, and past incident reports. Which of the following best describes this type of test?

Vulnerability scan

Penetration test

Security audit

A

Security audit

Security audits typically focus on reviewing policies, documentation, and similar records.

4
Q

Maria is a salesperson with your company. After a recent sales trip, she discovers that many of her logins have been compromised. You carefully scan her laptop and cannot find any sign of any malware. You do notice that she had recently connected to a public WiFi at a coffee shop, and it is only since that connection that she noticed her logins had been compromised. What would most likely explain what has occurred?

She connected to a rogue AP.

She downloaded spyware.

She is the victim of a buffer overflow attack.

A

She connected to a rogue AP.

Although many things could explain what she is experiencing, the scenario most closely matches connecting to a rogue access point, where her login credentials were stolen.

5
Q

You are the manager for network operations at your company. One of the accountants sees you in the hall and thanks you for your team keeping his antivirus software up to date. When you ask him what he means, he mentions that one of your staff, named Mike, called him and remotely connected to update the antivirus. You don’t have an employee named Mike. What has occurred?

IP spoofing

Man-in-the-middle attack

Social engineering

A

Social engineering

This is a classic example of an attacker using social engineering on the accountant in order to gain access to his system.

6
Q

You are a security administrator for a bank. You are very interested in detecting any breaches or even attempted breaches of your network, including those from internal personnel. But you don’t want false positives to disrupt work. Which of the following devices would be the best choice in this scenario?

IPS

WAF

IDS

A

IDS

An intrusion detection system simply reports issues; it does not block the traffic.

7
Q

One of your users cannot recall the password for their laptop. You want to recover that password for them. You intend to use a tool/technique that is popular with hackers, and it consists of searching tables of precomputed hashes to recover the password. What best describes this?

Rainbow table

Backdoor

Social engineering

A

Rainbow table

A rainbow table is a table of precomputed hashes used to retrieve passwords.

8
Q

You have noticed that when in a crowded area, you sometimes get a stream of unwanted text messages. The messages end when you leave the area. What describes this attack?

Bluejacking

Bluesnarfing

Evil twin

A

Bluejacking

Bluejacking involves sending unsolicited messages to Bluetooth devices while they are in range.

9
Q

Someone has been rummaging through your company’s trash bins seeking to find documents, diagrams, or other sensitive information that has been thrown out. What is this called?

Dumpster diving

Trash diving

Social engineering

A

Dumpster diving

This is the term for rummaging through waste or trash.

10
Q

You have noticed that when in a crowded area, data from your cell phone is stolen. Later investigation shows a Bluetooth connection to your phone, one that you cannot explain. What describes this attack?

Bluejacking

Bluesnarfing

Evil twin

A

Bluesnarfing

Bluesnarfing involves accessing data on a Bluetooth device while it is in range.

11
Q

Louis is investigating a malware incident on one of the computers on his network. He has discovered unknown software that seems to be opening a port, allowing someone to remotely connect to the computer. This software seems to have been installed at the same time as a small shareware application. Which of the following best describes this malware?

RAT

Backdoor

Logic bomb

A

RAT

This is a remote-access Trojan (RAT): malware that opens access so that someone can remotely control the system.

12
Q

This is a common security issue that is extremely hard to control in large environments. It occurs when a user has more computer rights, permissions, and privileges than what is required for the tasks the user needs to perform. What best describes this scenario?

Excessive rights

Excessive permissions

Excessive privileges

A

Excessive privileges

The term used in the industry is excessive privileges. It is the opposite of good security practice, which states that each user should have least privilege (i.e., just enough privileges to do his or her job).

13
Q

Jared is responsible for network security at his company. He has discovered behavior on one computer that certainly appears to be a virus. He has even identified a file he thinks might be the virus. However, using three separate antivirus programs, he finds that none can detect the file. Which of the following is most likely to be occurring?

The computer has a RAT.

The computer has a zero-day exploit.

The computer has a logic bomb.

A

The computer has a zero-day exploit.

Zero-day exploits are new, so they are not in the virus definitions of the antivirus programs. This makes them difficult to detect, except by their behavior.

14
Q

There are some computers on your network that use Windows XP. They have to stay on Windows XP due to a specific application they are running. That application won’t run on newer operating systems. What security concerns does this situation give you?

No special concerns; this is normal.

The machines cannot be patched; XP is no longer supported.

The machines cannot coordinate with an SIEM since XP won’t support that.

A

The machines cannot be patched; XP is no longer supported.

When using products the vendor no longer supports (end-of-life products), one major concern is that no patches will be available for any issues or vulnerabilities.

15
Q

Farès has discovered that attackers have breached his wireless network. They seem to have used a brute-force attack on the WiFi Protected Setup PIN to exploit the WAP and recover the WPA2 password. What is this attack called?

Evil twin

Rogue WAP

WPS Attack

A

WPS Attack

WiFi Protected Setup (WPS) uses a PIN to connect to the wireless access point (WAP). The WPS attack attempts to intercept that PIN in transmission, connect to the WAP, and then steal the WPA2 password.

16
Q

Your wireless network has been breached. It appears the attacker modified a portion of data used with the stream cipher and utilized this to expose wirelessly encrypted data. What is this attack called?

Evil twin

Rogue WAP

IV attack

A

IV attack

Initialization vectors (IVs) are used with stream ciphers. An IV attack exploits a flaw in how the IV is used in order to expose encrypted data.

17
Q

John is concerned about disgruntled employees stealing company documents and exfiltrating them from the network. He is looking for a solution that will detect likely exfiltration and block it. What type of system is John looking for?

IPS

SIEM

Honeypot

A

IPS

Any of these systems could help detect malicious activity by an insider, but the intrusion prevention system will also block such activity once it is detected.

18
Q

Some users on your network use Acme Bank for their personal banking. Those users have all recently been the victim of an attack, wherein they visited a fake Acme Bank website and their logins were compromised. They all visited the bank website from your network, and all of them insist they typed in the correct URL. What is the most likely explanation for this situation?

Trojan horse

Clickjacking

DNS poisoning

A

DNS poisoning

This appears to be a situation where your network's DNS server has been compromised and is sending users to a fake site.

19
Q

Users are complaining that they cannot connect to the wireless network. You discover that the WAPs are being subjected to a wireless attack designed to block their WiFi signals. Which of the following is the best label for this attack?

IV attack

Jamming

Botnet

A

Jamming

This is a classic description of jamming.

20
Q

What type of attack involves users clicking on something different on a website than what they intended to click on?

Clickjacking

Bluejacking

Evil twin

A

Clickjacking

This is the classic description of clickjacking.

21
Q

What type of attack exploits the trust that a website has for an authenticated user to attack that website by spoofing requests from the trusted user?

Cross-site scripting

Cross-site request forgery

Bluejacking

A

Cross-site request forgery

Cross-site request forgery sends fake requests to a website that purport to come from a trusted, authenticated user.

22
Q

John is a network administrator for Acme Company. He has discovered that someone has registered a domain name that is spelled just one letter different than his company’s domain. The website with the misspelled URL is a phishing site. What best describes this attack?

Session hijacking

Cross-site request forgery

Typosquatting

A

Typosquatting

This is a classic example of typosquatting. The registered name is off by only one or two letters, in the hope that users who mistype the URL of the real website will land on the fake one.

23
Q

Frank has discovered that someone was able to get information from his smartphone using a Bluetooth connection. The attacker was able to get his contact list and some emails he had received. What is this type of attack called?

Bluesnarfing

Session hijacking

Backdoor attack

A

Bluesnarfing

Bluesnarfing uses a Bluetooth connection to extract data from a Bluetooth device.

24
Q

Juanita is a network administrator for Acme Company. Some users complain that they keep getting dropped from the network. When Juanita checks the logs for the wireless access point (WAP), she finds that a deauthentication packet has been sent to the WAP from the users’ IP addresses. What seems to be happening here?

Problem with users’ WiFi configuration

Disassociation attack

Session hijacking

A

Disassociation attack

This is a classic example of a disassociation attack. The attacker tricks users' devices into disassociating from the WAP.

25
Q

John has discovered that an attacker is trying to get network passwords by using software that attempts a number of passwords from a list of common passwords. What type of attack is this?

Dictionary

Rainbow table

Brute force

A

Dictionary

This is an example of a dictionary attack. The attacker uses a list of words that are believed to be likely passwords.

26
Q

You are a network security administrator for a bank. You discover that an attacker has exploited a flaw in OpenSSL and forced some connections to move to a weak cipher suite version of TLS, which the attacker could breach. What type of attack was this?

Disassociation attack

Downgrade attack

Session hijacking

A

Downgrade attack

This is a classic example of a downgrade attack.

27
Q

When an attacker tries to find an input value that will produce the same hash as a password, what type of attack is this?

Rainbow table

Brute force

Collision attack

A

Collision attack

A collision occurs when two different inputs produce the same hash.

28
Q

Farès is the network security administrator for a company that creates advanced routers and switches. He has discovered that his company’s networks have been subjected to a series of advanced attacks over a period of time. What best describes this attack?

DDoS

Brute force

APT

A

APT

An advanced persistent threat (APT) involves sophisticated (i.e., advanced) attacks carried out over a period of time (i.e., persistent).

29
Q

You are responsible for incident response at Acme Company. One of your jobs is to attempt to attribute attacks to a specific type of attacker. Which of the following would not be one of the attributes you consider in attributing the attack?

Resources/funding

Intent/motivation

Amount of data stolen

A

Amount of data stolen

Whether the attacker is an organized criminal, a hacktivist, a nation-state attacker, or a script kiddie, the amount of data stolen could be large or small, so it does not help attribute the attack.

30
Q

John is running an IDS on his network. Users sometimes report that the IDS flags legitimate traffic as an attack. What describes this?

False positive

False negative

False trigger

A

False positive

When an IDS or antivirus product mistakes legitimate traffic for an attack, this is called a false positive.