Topic 1.0 Flashcards

1
Q

Define phishing

A

Phishing is a cybercrime in which a target or targets are contacted (typically by email) by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.

2
Q

Define smishing

A

Smishing—or SMS phishing—is a social engineering tactic cyber criminals use to trick people into divulging sensitive information over text messages.

3
Q

Define Social Engineering

A

Social engineering refers to means of either eliciting information from someone or getting them to perform some action for the threat actor.

4
Q

Social Engineering Principles:

Familiarity/Liking

A

Some people have the sort of natural charisma that allows them to persuade others to do as they request. One of the basic tools of a social engineer is simply to be affable and likable, and to present the requests they make as completely reasonable and unobjectionable. This approach is relatively low-risk as even if the request is refused, it is less likely to cause suspicion and the social engineer may be able to move on to a different target without being detected.

5
Q

Social Engineering Principles

Consensus/Social Proof

A

The principle of consensus or social proof refers to the fact that without an explicit instruction to behave in a certain way, many people will act just as they think others would act.

6
Q

The helpdesk takes a call in which the caller states that she cannot connect to the e-commerce website to check order status. She would also like a user name and password. The user gives a valid customer company name but it’s not listed as a contact in the customer database. The user does not know the correct company code or customer ID. Is this likely to be a social engineering attempt or is it a false alarm?

A

This is likely to be a social engineering attempt. The helpdesk should not give out any information for the account without confirming the caller’s identity.

7
Q

The purchasing manager is browsing a list of products on the vendor's website when a window opens, claiming that malware has been detected in several thousand files on his computer that are infected with viruses. Instructions in the official-looking window indicate the user should click a link to install software that will remove these infections. What type of social engineering attempt is this, or is it a false alarm?

A

This is a social engineering attempt, utilizing a watering hole attack and/or malvertising.

8
Q

Your CEO calls to request market research data immediately be forwarded to her personal email address. You recognize her voice, but a proper request form has not been filled out and use of third-party email is prohibited. She states that normally she would fill out the form and should not be an exception, but she urgently needs the data to prepare for a round table at a conference she is attending. What type of social engineering techniques could this use, or is it a false alarm?

A

If social engineering, this is spear phishing (the attack uses specific detail) over a voice channel (vishing). It is possible that it uses deep fake technology for voice mimicry. The use of a sophisticated attack for a relatively low-value data asset seems unlikely, however. A fairly safe approach would be to contact the CEO back on a known mobile number.

9
Q

Your company manages marketing data and private information for many high-profile clients. You are hosting an open day for prospective employees. With the possibility of social engineering attacks in mind, what precautions should employees take when the guests are being shown around the office?

A

Employees should specifically be wary of shoulder surfing attempts to observe passwords and the like.

10
Q

A customer responds to an email advertisement that appears to link to my store.com. The customer logs into the website with their username and password. The website has the same homepage the customer is familiar with, but it is actually a page set up by an attacker to gain credentials. The attacker can then log in to my store.com with the user’s credentials, and shop using the saved credit card on file. Which type of attack has occurred in this scenario?

A. Denial of Service (DoS)
B. DNS client cache poisoning
C. Pharming
D. Pollution

A

C. Pharming

A pharming attack occurs when the attacker compromises the process of Domain Name System (DNS) resolution to replace the valid IP address for a trusted website. The attacker can then receive all of the packets directed to the site, which is designed to fool the user into thinking it is genuine.

11
Q

A system administrator has just entered their credentials to enter a secure server room. As the administrator is entering the door, someone is walking up to the door with their hands full of equipment and appears to be struggling to move items around while searching for their credentials. The system administrator quickly begins to assist by getting the items out of the person’s hands, and they walk into the room together. The person is not an employee, but someone attempting to gain unauthorized access to the server room. What type of social engineering has occurred?

A. Familiarity/liking
B. Consensus/social proof
C. Authority and intimidation
D. Identity fraud

A

B. Consensus/social proof

Consensus/social proof revolves around the belief that without an explicit instruction to behave in a certain way, people will follow social norms. It is typically polite to assist someone with their hands full.

12
Q

An employee is having coffee at an outdoor coffee shop and is not taking precautions against someone watching their screen while working on a company project. A person a few tables over watches the employee enter their credentials and then takes photos of the work they are completing with their smartphone. Which form of social engineering is being used in this situation?

A. Vishing
B. Lunchtime attack
C. Shoulder surfing
D. Man-in-the-middle attack

A

C. Shoulder surfing

Shoulder surfing is obtaining a password by watching the user type it. Although the attacker was not looking over the employee's shoulder, the login credentials were obtained through observation.

13
Q

Which of the following depict ways a malicious attacker can gain access to a target’s network? (Select all that apply.)

A. Ethical hacking
B. Phishing
C. Shoulder surfing
D. Mantrap

A

B and C: Phishing, Shoulder surfing

14
Q

Social Engineering Principles

Authority and Intimidation

A

Many people find it difficult to refuse a request by someone they perceive as superior in rank or expertise. Social engineers can try to exploit this behavior to intimidate their target by pretending to be a senior executive. An attack might be launched by impersonating someone who would often be deferred to, such as a police officer, judge, or doctor. Another technique is to use spurious technical arguments and jargon. Social engineering can exploit the fact that few people are willing to admit ignorance. Compared to using a familiarity/liking sort of approach, this sort of adversarial tactic might be riskier to the attacker as there is a greater chance of arousing suspicion and the target reporting the attack attempt.

15
Q

Social Engineering Principles

Scarcity and Urgency

A

Often also deployed by salespeople, creating a false sense of scarcity or urgency can disturb people’s ordinary decision-making process. The social engineer can try to pressure his or her target by demanding a quick response. For example, the social engineer might try to get the target to sign up for a “limited time” or “invitation-only” trial and request a username and password for the service (hoping that the target will offer up a password he or she has used for other accounts). Fake antivirus products generate a sense of urgency by trying to trick users into thinking that their computer is already infected with malware.

16
Q

Define vishing

A

Vishing is a form of phishing conducted via voice services, typically VoIP.

17
Q

What is spam (not the delicious lunch meat)?

A

Spam is unwanted email.

18
Q

What is Spim?

A

Spim is spam via instant messaging.

19
Q

What is pretexting?

A

Pretexting is a tactic attackers use that involves creating scenarios to increase the chance that a future social engineering attack will be successful.

In many cases, pretexting may involve interacting with people either in person or via a fraudulent email address as they launch the first phase of a future attempt to infiltrate a network or steal data using email.

20
Q

What is prepending?

A

In Cybersecurity, prepending refers to when an attacker prepends, or attaches, a trustworthy value like “RE:” or “MAILSAFE: PASSED” to a message in order to make the message appear more trustworthy.

21
Q

Influence campaign:

Hybrid warfare

A

Hybrid warfare is a type of warfare that uses conventional and unconventional means. To fit into the category of hybrid warfare, a campaign might use tactics like espionage, hacking, and spreading disinformation or fake news.

22
Q

Influence Campaigns

A

In Cybersecurity, an influence campaign refers to a large-scale campaign launched by a threat actor, or group of threat actors, with a lot of power (like a hacktivist group, nation-state actor, or terrorist group) that seeks to shift public opinion.

It can be assumed that this shift is generally in bad faith or might seek to push a false narrative.

23
Q

Social Engineering Principles

A
  • Authority
  • Intimidation
  • Consensus
  • Scarcity
  • Familiarity
  • Trust
  • Urgency
24
Q

While waiting in the lobby of your building for a guest, you notice a man in a red shirt standing close to a locked door with a large box in his hands. He waits for someone else to come along and open the locked door and then proceeds to follow her inside. What type of social engineering attack have you just witnessed?

A. Impersonation
B. Phishing
C. Boxing
D. Tailgating

A

D. Tailgating (or piggybacking) is the simple tactic of following closely behind a person who has just used their own access card, key, or PIN to gain physical access to a room or a building. The large box clearly impedes the person in the red shirt’s ability to open the door, so they let someone else do it for them and follow them in.

25
Q

A colleague asks you for advice on why he can’t log into his gmail account. Looking at his browser, you see he has typed in gmal.com in the address bar. The screen looks very similar to the Gmail login screen. Your colleague has just fallen victim to what type of attack?

A. Jamming
B. Rainbow table
C. Whale phishing
D. Typosquatting

A

D. Typosquatting capitalizes on common typing errors, such as gmal instead of gmail. The attacker registers a domain very similar to the real domain and attempts to collect credentials or other sensitive information from unsuspecting users.

26
Q

A user in your organization contacts you to see if there’s any update to the “account compromise” that happened last week. When you ask him to explain what he means, the user tells you he received a phone call earlier in the week from your department and was asked to verify his user ID and password. The user says he gave the caller his user ID and password. The user has fallen victim to what type of attack?

A. Spear phishing
B. Vishing
C. Phishing
D. Replication

A

B. Vishing is a social engineering attack that uses voice communication technology to obtain information the attacker is seeking. Most often the attacker will call the victim and pretend to be someone else in an attempt to extract information from the victim.

27
Q

Coming into your office, you overhear a conversation between two security guards. One guard is telling the other she caught several people digging through the trash behind the e building early this morning. The security guard says the people claimed to be looking for aluminum cans, but only had a bag of papers—no cans. What type of attack has this security guard witnessed?

A. Spear phishing
B. Pharming
C. Dumpster diving
D. Rolling refuse

A

C. Dumpster diving is the process of going through a target’s trash in the hopes of finding valuable information such as user lists, directories, organizational charts, network maps, passwords, and so on.

28
Q

Which of the following are specifically used to spread influence, alter perceptions, and sway people toward a position favored by those spreading it?

A. Identity fraud, invoice scams, credential harvesting
B. Hoaxes, eliciting information, urgency
C. Influence campaigns, social media, hybrid warfare
D. Authority, intimidation, consensus

A

C. Influence campaigns are used to alter perceptions and change people’s minds on a topic. They are even more powerful when used in conjunction with social media to spread influence through influencer propagation. Nation-states often use hybrid warfare to sway people toward a position favored by those spreading it.

29
Q

Which of the following is a social engineering attack in which an attacker attempts to obtain sensitive information from a user by masquerading as a trusted entity in an email?

A. Phishing
B. Pharming
C. Spam
D. Vishing

A

A. This is the definition of a phishing attack. The key elements of the question are email and the unsolicited nature of its sending (spam).

30
Q

Which of the following is/are psychological tools used by social engineers to create false trust within a target?

A. Impersonation
B. Urgency or scarcity
C. Authority
D. All of the above

A

D. Social engineers use a wide range of psychological tricks to fool users into trusting them, including faking authority, impersonation, creating a sense of scarcity or urgency, and claiming familiarity.

31
Q

Once an organization’s security policies have been established, what is the single most effective method of countering potential social engineering attacks?

A. An active security awareness program
B. A separate physical access control mechanism for each department in the organization
C. Frequent testing of both the organization’s physical security procedures and employee telephone practices
D. Implementing access control cards and wearing of security identification badges

A

A. Because any employee may be the target of a social engineering attack, the best thing you can do to protect your organization from these attacks is to implement an active security awareness program to ensure that all employees are cognizant of the threat and what they can do to address it.

32
Q

You notice a new custodian in the office, working much earlier than normal, emptying trash cans, and moving slowly past people working. You ask him where the normal guy is, and in broken English he says, “Out sick,” indicating a cough. What is happening?

A. Watering hole attack
B. Impersonation
C. Prepending
D. Identity fraud

A

B. This is likely an impersonation attack, using the cover of the janitor. Because of the unusual circumstances, it would be wise to report to a manager for investigation.

33
Q

Your boss thanks you for pictures you sent him from the recent company picnic. You ask him what he is talking about, and he says he got an email from you with pictures from the picnic. Knowing you have not sent him that email, what type of attack do you suspect is happening?

A. Phishing
B. Spear phishing
C. Reconnaissance
D. Impersonation

A

B. This is spear phishing, which is a targeted phishing attack against a specific person.

34
Q

You are a member of the IT team for an online service portal. A security analysis is going to be performed on your web applications and you want to make sure that there are no alerts due to things that can be changed without reconfiguring the web apps themselves. What action has the least risk of breaking any service?

A. Enabling stronger encryption
B. Switching to more secure protocols
C. Closing unused open ports and services
D. Securing root accounts

A

C. Closing unused open ports and services

Closing unused ports and services should not cause any disruption in service workflow. Securing root account passwords may break access or scripts that depend on this account. Changing protocols or encryption types may also break network access depending on the type of client connecting to these services.

35
Q

You are a member of the security team establishing the protocols and policies for a financial institution. You have ensured that employees are using password management software that creates complex passwords and that they are changed on a regular basis. You also ensure that multifactor authentication is in place within your organization using text verification. What type of attack are you still most vulnerable to when it comes to compromised credentials?

A. Spraying
B. Spyware
C. Card cloning
D. Malicious flash drives

A

C. Card cloning

Card cloning of phone SIM cards enables threat actors to receive text verification codes that might be sent when using a secure login over the web or VPN. Flash drives with malicious executables including spyware are not particularly vulnerable in this scenario. Using good password policies helps to defend against password spraying where common passwords are checked against numerous accounts.

36
Q

You are a member of the security team for a mining operation. Your IoT devices monitor and manage automated processes. You are concerned about unauthorized access being used in an effort to create availability loss. What are the two most likely vectors for an advanced persistent threat?

A. Removable media
B. Social media
C. Email
D. Supply chain

A

A and C.

APTs require ongoing access with lateral movement across multiple systems. The vector of initial attack is often based on installing malicious code on a system so that it can be managed remotely. This vector is most often achieved through email or removable media. Social media is used to create influence campaigns against individuals in an organization and the supply chain vector would require corrupting software code anywhere before a customer receives it.

37
Q

You are a member of the security forensics team reviewing an attack on your organization. In the latest attack your storage server stopped responding to requests by a virtualization service to create new containers on the fastest available disk. What type of application attack has your organization most likely suffered?

A. API attack
B. Driver manipulation
C. Request forgery
D. XML injection

A

A. API attack

In this attack the virtualization service makes requests of the storage server using the Application Programming Interface (API). A DDoS attack against this API could overwhelm its resources so that it could not serve its valid client, the virtualization service. No XML content was modified to make this happen, the drivers were not manipulated, and no backend servers were given forged requests.

38
Q

You are a member of the security forensics team reviewing an attack on your organization. In the latest attack users could not log in using their RFID badges at security. There was a huge backlog waiting to get in and security had to check IDs manually. It was determined that a person slipped past security at this time and gained access to an unattended system. What type of network attack has your organization most likely suffered?

A. Wireless DoS
B. Distributed Denial of Service (DDoS)
C. Malicious code execution
D. DNS domain reputation

A

A. Wireless DoS

By jamming the Radio Frequency ID (RFID) badges worn by employees the attacker created an opportunity for physical access that bypassed normal security procedures. The attack was not necessarily distributed to attack from multiple devices, malicious code was not necessarily injected into the RFID reader, and the DNS was not affected.

39
Q

What type of malware usually delivers itself via a Trojan and is used for controlling a system over a network as if it was being controlled locally?

A. Crypto-malware
B. Worm
C. Keylogger
D. RAT

A

D. RAT

A remote access Trojan (RAT) is a type of malware that can control a system over a network connection as if it were being controlled locally. Usually a RAT is deployed on a victim system via a Trojan, as its name suggests. Once the RAT has been deployed, the system is under complete control of the attacker.

A worm is a type of malware that will infect a computer, replicate itself, and spread to other devices on a network. It does this with no human interaction or host program. A keylogger is a type of malware or program that logs a user’s keystrokes. These logs can then be analyzed for important information such as banking or personal details. Crypto-malware is a form of spyware that restricts access to the infected computer and asks for a ransom to be paid by the user to have the restriction removed.

40
Q

You are a member of the security team for a financial institution. You are educating your team on some of the common types of social engineering techniques that might be used by threat actors against the company.

You have educated your company’s users to watch for grammatical mistakes and email addresses coming from domains that are not owned by legitimate companies.

What two types of social engineering will these techniques be most effective against?

A. Prepending
B. Credential harvesting
C. Social media influence campaigns
D. Identity fraud

A

B and D.

Credential harvesting and identity fraud often involve emails sent directly to users from invalid domains and will typically contain grammatical and typographical errors. User training about these issues can head off such challenges before users will begin the process of divulging credentials or personal information. Users encounter social media influence campaigns while in the context of a platform they already trust and so cannot be warded off using the aforementioned techniques. Training users to not download or install programs from untrusted sources helps avoid malware based on prepending malicious execution code at the beginning of known valid programs.

41
Q

You are a member of the security team for a municipal electric utility. You have discovered that false negatives are relatively easy to create in your threat hunting penetration testing.

What actions could you perform in order to best reduce the number of false negatives in your organization?

A. Reconfigure systems to use more web applications rather than local applications
B. Perform a configuration review
C. Require credentialed access
D. Enable non-credentialed access

A

B and C

A false positive is a security alert that does not point to an actual threat, whereas a false negative occurs when an event from a threat actor is not detected or reported. False negatives can occur when anonymous (non-credentialed) access is allowed to resources so that ACL restrictions are not triggered. They may also occur when it has not been discovered that the security posture of systems is not up to date and needs reconfiguration. Web applications are at least as vulnerable to false negatives as local applications.

42
Q

You are on the security team for a large corporation. You are developing a security penetration testing exercise in order to discover weaknesses in your enterprise infrastructure.

You have decided to create a team that will be challenging the plans, policies, and procedures of the company and performing penetration tests, ethical hacking, and social engineering.

What type of security exercise team would best suit your needs?

A. White team
B. Red team
C. Purple team
D. Blue team

A

B. Red team

In security exercises red teams focus on offensive security by scanning, hacking, exploiting, and penetrating a company’s resources without any ultimately negative effect on the company. Blue team exercises focus on defensive security and identifying protections, forensic tools and threat hunters, incident response plans and damage control systems. Purple teams are functional efforts to create synergy between red and blue teams. White teams define rules of engagement and measure metrics for security tests in order to clearly define the post-engagement assessments.

43
Q

You are the member of a security team for a federal government agency. You would like to share cyber threat indicators and defensive measures with others using Automated Indicator Sharing (AIS).

When configuring your software to participate in this sharing you receive an error indicating you cannot perform predictive analysis because the exchange of information is not configured correctly.

What is the most likely source of this error?

A. STIX
B. Your threat maps
C. TAXII
D. Your code repository

A

A. STIX

Structured Threat Information eXpression (STIX) is the standard language of AIS, whereas Trusted Automated eXchange of Indicator Information (TAXII) is the standardized platform for communicating this data. Once this TAXII data is in place, organizations can view threat maps showing where common attacks have occurred and perform predictive analysis on likely future threats. The file/code repository is used to store inert copies of the live files that are used in threat analysis.

44
Q

You are a member of the security forensics team reviewing an attack on your organization.

In the latest attack a threat actor was let into the backend server supporting a public facing web application.

What type of application attack has your organization most likely suffered?

A. SSL stripping
B. Directory Traversal
C. Server side request forgery
D. Resource exhaustion

A

C. Server side request forgery

Server-Side Request Forgeries let an attacker send custom requests from the back-end server of a vulnerable web application. When SSRF vulnerabilities occur the web request can be manipulated directly by an attacker. This does not involve becoming a man in the middle to strip SSL encryption, exhausting resources on the server so new vulnerabilities are exposed, or traversing known directories in a poorly secured server.

45
Q

You are an IT administrator for a large financial institution. You wish to ensure threats are discovered as soon as possible. You install a Security Information and Event Management (SIEM) system to aid in this process.

What aspect of this system will best help you discover theft of data by users illegally copying corporate files?

A. Packet capture
B. Log collectors
C. Sentiment analysis
D. User behavior analysis

A

D. User behavior analysis

SIEM software may perform many functions, including User Behavior Analysis (UBA), which tracks normal behavior to build a baseline and then compares data from various sources such as network packet captures or logs that have been collected from any device on the network. Sentiment analysis is a process used to detect the emotion behind text in order to gauge the positive or negative feelings found in social data such as email or postings online.

46
Q

You are the member of the security forensics team reviewing an attack on your organization.

In the latest attack, software you purchased for asset management has been revealed to be a distribution point for a known command and control software.

What type of attack has your organization likely suffered?

A. Cryptographic
B. Supply-chain
C. Physical
D. Cloud-based

A

B. Supply-chain

This supply chain attack involved infecting the software that was distributed to the company, either directly at the source or through false downloads or vulnerable patching. This attack did not deal with a physical breach of your environment, trying to find a hash collision to subvert cryptographic encryption, or a cloud-based attack.

47
Q

An intruder has accessed a room by following another person who used their PIN to open the door. Which type of attack has occurred?

A. Shoulder surfing
B. Dumpster diving
C. Tailgating
D. Phishing

A

C. Tailgating

Tailgating is a type of social engineering attack performed when someone attempts to access a secure area by following someone who has access to the area.

48
Q

You are a member of the security team for a future online social media platform. You have decided to outsource many elements of the software as much as possible.

Due to the nature of your software what third-party related security risk should be your top priority?

A. Outsourced code development
B. Control and access to stored data
C. Integration with on premise systems
D. Vendor management

A

B. Control and access to stored data

Because social media contains contents associated with a specific person, the access to the stored data should be your paramount concern. The development of the code base for the platform, the vendors used for hardware and software, and the integration between remote or cloud based systems and your own are all important concerns as well.

49
Q

A Department of Defense (DoD) security team identifies a data breach in progress, based on some anomalous log entries, and takes steps to remedy the breach and harden their systems. When they resolve the breach, they want to publish the cyber threat intelligence (CTI) securely, using standardized language for other government agencies to use. The team will transmit the threat data feed via which protocol?

A. Structured Threat Information eXpression (STIX)
B. Automated Indicator Sharing (AIS)
C. Trusted Automated eXchange of Indicator Information (TAXII)
D. A code repository protocol

A

C. TAXII

The TAXII protocol provides a means of transmitting CTI data between servers and clients. Subscribers to the CTI service obtain updates to the data to load into analysis tools over TAXII.

50
Q

What is STIX?

A

Structured Threat Information eXpression.

STIX provides the appropriate syntax for transmission of cyber threat intelligence (CTI) over the Trusted Automated eXchange of Indicator Information (TAXII) protocol.