Threats, Attacks, and Vulnerabilities (3) Flashcards

1
Q

You are performing a penetration test of your company’s network. As part of the test, you will be given a login with minimal access and will attempt to gain administrative access with this account. What is this called?

Privilege escalation

Session hijacking

Root grabbing

A

Privilege escalation

The term for attempting to gain any privileges beyond what you have is privilege escalation

2
Q

Mary has discovered that a web application used by her company does not always handle multithreading properly, particularly when multiple threads access the same variable. This could allow an attacker who discovered this vulnerability to exploit it and crash the server. What type of error has Mary discovered?

Buffer overflow

Logic bomb

Race conditions

A

Race conditions

This is a classic definition of a race condition: when multiple threads in an application are using the same variable and the situation is not properly handled

3
Q

An attacker is trying to get access to your network. He is sending users on your network a link to a freeware stock-monitoring program. However, that stock-monitoring program has attached to it software that will give the attacker access to any machine that it is installed on. What type of attack is this?

Rootkit

Trojan horse

Spyware

A

Trojan horse

This is a classic example of a Trojan horse

4
Q

Acme Company uses its own internal certificate server for all internal encryption. However, their certificate authority only publishes a CRL once per week. Does this pose a danger, and if so what?

Yes, this means a revoked certificate could be used for up to seven days.

No, this is standard for all certificate authorities.

Yes, this means it would be easy to fake a certificate.

A

Yes, this means a revoked certificate could be used for up to seven days.

If a certificate is revoked, it can be used until the new certificate revocation list is published

5
Q

When a program has variables, especially arrays, and does not check the boundary values before inputting data, what attack is the program vulnerable to?

XSS

CSRF

Buffer overflow

A

Buffer overflow

A buffer overflow is possible when boundaries are not checked and the attacker tries to put in more data than the variable can hold

6
Q

Which of the following best describes malware that will execute some malicious activity when a particular condition is met (i.e., if condition is met, then execute)?

Boot sector virus

Logic bomb

Buffer overflow

A

Logic bomb

This is the definition of a logic bomb

7
Q

Gerald is a network administrator for Acme Company. Users are reporting odd behavior on their computers. He believes this may be due to malware, but the behavior is different on different computers. What might best explain this?

It is a boot sector virus.

It is a macro virus.

It is a polymorphic virus.

A

It is a polymorphic virus.

A polymorphic virus changes from time to time, and that would explain the different behavior on different computers

8
Q

Teresa is a security officer at ACME Inc. She has discovered an attack where the attacker sent multiple broadcast messages to the network routers, spoofing an IP address of one of the network servers. This caused the network to send a flood of packets to that server and it is no longer responding. What is this attack called?

Smurf attack

DDoS attack

TCP hijacking attack

A

Smurf attack

This is the definition of a Smurf attack

9
Q

Which type of virus is able to alter its own code to avoid being detected by antivirus software?

Boot sector

Hoax

Polymorphic

A

Polymorphic

Polymorphic viruses periodically change their signature or even their code

10
Q

Gerald is a network administrator for a small financial services company. Users are reporting odd behavior that appears to be caused by a virus on their machines. After isolating the machines that he believes are infected, Gerald analyzes them. He finds that all the infected machines received an email purporting to be from accounting, with an Excel spreadsheet, and the users opened the spreadsheet. What is the most likely issue on these machines?

A macro virus

A boot sector virus

A Trojan horse

A

A macro virus

This is the definition of a macro virus

11
Q

Fred is on the incident response team for a major insurance company. His specialty is malware analysis. He is studying a file that is suspected of being a virus that infected the company network last month. The file seems to intermittently have bursts of malicious activity, interspersed with periods of being dormant. What best describes this malware?

A macro virus

A logic bomb

A sparse infector virus

A

A sparse infector virus

The intermittent burst of malicious activity is the definition of a sparse infector virus

12
Q

What is the term used to describe a virus that can infect both program files and boot sectors?

Polymorphic

Multipartite

Stealth

A

Multipartite

Multipartite viruses combine boot sector with file infection

13
Q

Your company has hired an outside security firm to perform various tests of your network. During the vulnerability scan you will provide that company with logins for various systems (i.e., database server, application server, web server, etc.) to aid in their scan. What best describes this?

A white-box test

A privileged scan

An authenticated user scan

A

A privileged scan

By giving the tester logins, you are allowing him to conduct a privileged scan (i.e., a scan with some privileges)

14
Q

Which of the following is commonly used in a distributed denial of service (DDoS) attack?

Phishing

Adware

Botnet

A

Botnet

Botnets are often used to launch DDoS attacks, with the attack coming from all the computers in the botnet simultaneously

15
Q

You are investigating a recent breach at Acme Company. You discover that the attacker used an old account of someone no longer at the company. The account was still active. Which of the following best describes what caused this vulnerability to exist?

Improperly configured accounts

Untrained users

Using default configuration

A

Improperly configured accounts

Accounts should be configured to expire. If this had occurred, then the account would no longer be active

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Juan is responsible for incident response at a large financial institution. He discovers that the company WiFi has been breached. The attacker used the same login credentials that ship with the wireless access point (WAP). The attacker was able to use those credentials to access the WAP administrative console and make changes. Which of the following best describes what caused this vulnerability to exist?

Improperly configured accounts

Untrained users

Using default configuration

A

Using default configuration

This is a classic example of the problem with default configurations.

17
Q

Elizabeth is investigating a network breach at her company. She discovers a program that was able to execute code within the address space of another process by using the target process to load a specific library. What best describes this attack?

Logic bomb

Buffer overflow

DLL injection

A

DLL injection

In a DLL injection, the malware attempts to inject code into the process of some library. This is a rather advanced attack

18
Q

Zackary is a malware investigator with a cybersecurity firm. He is investigating malware that is able to compromise a target program by finding null references in the target program and dereferencing them, causing an exception to be generated. What best describes this type of attack?

Buffer overflow

Memory leak

Pointer dereference

A

Pointer dereference

This is the definition of pointer dereferencing. It is a somewhat obscure and sophisticated attack on a target program

19
Q

Frank has just taken over as CIO of a mid-sized insurance company. One of the first things he does is order a thorough inventory of all network equipment. He discovers two routers that are not documented. He is concerned that if they are not documented, they might not be securely configured, tested, and safe. What best describes this situation?

Poor user training

System sprawl

Failure to patch systems

A

System sprawl

System sprawl occurs when a system grows and there are devices on the system that are not documented

20
Q

What is the primary difference between an intrusive and a nonintrusive vulnerability scan?

An intrusive scan is a penetration test.

A nonintrusive scan is just a document check.

An intrusive scan could potentially disrupt operations.

A

An intrusive scan could potentially disrupt operations.

An intrusive scan could possibly cause some disruption of operations. For this reason, it should be conducted outside normal business hours

21
Q

Daryl is investigating a recent breach of his company’s web server. The attacker used sophisticated techniques and then defaced the website, leaving messages that were denouncing the company’s public policies. He and his team are trying to determine the type of actor who most likely committed the breach. Based on the information provided, who was the most likely threat actor?

A nation-state

Organized crime

Hacktivists

A

Hacktivists

The fact that the website is defaced in a manner related to the company’s public policies is the definition of hacktivism

22
Q

When investigating breaches and attempting to attribute them to specific threat actors, which of the following is not one of the indicators of an APT?

Long-term access to the target

Sophisticated attacks

The attack comes from a foreign IP address.

A

The attack comes from a foreign IP address.

While you might suppose that a nation-state attacker (the usual attacker behind an advanced persistent threat) would attack from a foreign IP address, they often use a compromised address in the target country as a base for attacks

23
Q

What type of attack uses a second wireless access point (WAP) that broadcasts the same SSID as a legitimate access point, in an attempt to get users to connect to the attacker’s WAP?

Evil twin

IP spoofing

Trojan horse

A

Evil twin

The terms evil twin and rogue access point both refer to fake access points that broadcast what appear to be legitimate SSIDs

24
Q

You are investigating a breach of a large technical company. You discover that there have been several different attacks over a period of a year. The attacks were sustained, each lasting several weeks of continuous attack. The attacks were somewhat sophisticated and originated from a variety of IP addresses, but all the IP addresses are within your country. Which threat actor would you most suspect of being involved in this attack?

Nation-state

Hacktivist

Script kiddie

A

Nation-state

The fact that the IP addresses are within your country might make you discard the nation-state attacker, but it is common for nation-state attackers to use compromised IP addresses in the target country from which to attack. The other symptoms—a sophisticated attack, over time—are hallmarks of nation-state attackers

25
Q

Which of the following best describes a zero-day vulnerability?

A vulnerability that has been known to the vendor for zero days

A vulnerability that has not yet been breached

A vulnerability that can be quickly exploited (i.e., in zero days)

A

A vulnerability that has been known to the vendor for zero days

This is the definition of a zero-day attack

26
Q

You have discovered that there are entries in your network’s domain name server that point legitimate domains to unknown and potentially harmful IP addresses. What best describes this type of attack?

A backdoor

An APT

DNS poisoning

A

DNS poisoning

This is the definition of DNS poisoning

27
Q

What best describes an attack that attaches some malware to a legitimate program so that when the user installs the legitimate program, they inadvertently install the malware?

Backdoor

Trojan horse

RAT

A

Trojan horse

This is, in fact, the definition of a Trojan horse

28
Q

Which of the following best describes software that will provide the attacker with remote access to the victim’s machine, but that is wrapped with a legitimate program in an attempt to trick the victim into installing it?

RAT

Backdoor

Trojan horse

A

RAT

A remote access Trojan (RAT) is malware that gives the attacker remote access to the victim machine

29
Q

Which of the following is an attack that seeks to attack a website, based on the website’s trust of an authenticated user?

XSS

CSRF

Buffer overflow

A

CSRF

Cross-site request forgery sends forged requests to a website, supposedly from a trusted user

30
Q

John is analyzing what he believes is a malware outbreak on his network. Many users report their machines are behaving strangely. The anomalous behavior seems to occur sporadically and John cannot find a pattern. What is the most likely cause?

APT

Boot sector virus

Sparse infector virus

A

Sparse infector virus

Sparse infector viruses perform their malicious activity sporadically