Chapter 1 Test
37. One of your users cannot recall the password for their laptop. You want to recover that password for them. You intend to use a tool/technique that is popular with hackers, and it consists of searching tables of precomputed hashes to recover the password. What best describes this? A. Rainbow table B. Backdoor C. Social engineering D. Dictionary attack
A. A rainbow table is a table of precomputed hashes, used to retrieve passwords. Option B is incorrect. A backdoor is used to gain access to a system, not recover passwords. Options C and D are incorrect. While both of these can be used to gain access to passwords, they are not tables of precomputed hashes.
88. Which of the following best describes software that will provide the attacker with remote access to the victim's machine, but that is wrapped with a legitimate program in an attempt to trick the victim into installing it? A. RAT B. Backdoor C. Trojan horse D. Macro virus
A. A remote access Trojan (RAT) is malware that gives the attacker remote access to the victim machine. Option B is incorrect. While a backdoor will give access, it is usually something in the system put there by programmers, not introduced by malware. Option C is incorrect. A RAT is a type of Trojan horse, but Trojan horse is more general than what is described in the scenario. Option D is incorrect. A macro virus is a virus embedded in a document.
28. Your company has hired a penetration testing firm to test the network. For the test, you have given the company details on operating systems you use, applications you run, and network devices. What best describes this type of test? A. White-box test B. External test C. Black-box test D. Threat test
A. A white-box test involves providing extensive information, as described in this scenario. Option B is incorrect. A white-box test could be internal or external. Option C is incorrect. This is the opposite of a black-box test. Option D is incorrect. Threat test is not a term used in penetration testing.
75. You are investigating a recent breach at Acme Company. You discover that the attacker used an old account of someone no longer at the company. The account was still active. Which of the following best describes what caused this vulnerability to exist? A. Improperly configured accounts B. Untrained users C. Using default configuration D. Failure to patch systems
A. Accounts should be configured to expire. If this had occurred, then the account would no longer be active. Option B is incorrect. While properly trained users are important, that is not what caused this issue. Options C and D are incorrect. These are unrelated to an old account still being active.
34. Maria is a salesperson with your company. After a recent sales trip, she discovers that many of her logins have been compromised. You carefully scan her laptop and cannot find any sign of any malware. You do notice that she had recently connected to a public WiFi at a coffee shop, and it is only since that connection that she noticed her logins had been compromised. What would most likely explain what has occurred? A. She connected to a rogue AP. B. She downloaded a Trojan horse. C. She downloaded spyware. D. She is the victim of a buffer overflow attack.
A. Although many things could explain what she is experiencing, the scenario most closely matches connecting to a rogue access point where her login credentials were stolen. Options B and C are incorrect. Both involve malware, and the scenario states no sign of malware was found. Option D is incorrect. This does not match the symptoms of a buffer overflow attack.
47. John is concerned about disgruntled employees stealing company documents and exfiltrating them from the network. He is looking for a solution that will detect likely exfiltration and block it. What type of system is John looking for? A. IPS B. SIEM C. Honeypot D. Firewall
A. Any of these systems could help with detecting malicious activity by an insider, but the intrusion prevention system will block such activity, if detected. Option B is incorrect. SIEMs simply aggregate logs. Option C is incorrect. A honeypot can be useful in trapping a malicious actor but not in stopping data exfiltration. Option D is incorrect. Firewalls can block traffic, but normally data exfiltration looks like normal traffic and is hard for a firewall to block.
38. You have noticed that when in a crowded area, you sometimes get a stream of unwanted text messages. The messages end when you leave the area. What describes this attack? A. Bluejacking B. Bluesnarfing C. Evil twin D. Rogue access point
A. Bluejacking involves sending unsolicited messages to Bluetooth devices when they are in range. Option B is incorrect. Bluesnarfing involves getting data from the Bluetooth device. Options C and D are incorrect. Evil twin uses a rogue access point whose name is similar or identical to that of a legitimate access point.
53. Frank has discovered that someone was able to get information from his smartphone using a Bluetooth connection. The attacker was able to get his contact list and some emails he had received. What is this type of attack called? A. Bluesnarfing B. Session hijacking C. Backdoor attack D. CSRF
A. Bluesnarfing uses Bluetooth to extract data from a Bluetooth device. Option B is incorrect. Session hijacking is taking over an authenticated session. Option C is incorrect. Backdoors are built-in methods to circumvent authentication. Option D is incorrect. Cross-site request forgery sends fake requests to a website that purport to be from a trusted, authenticated user.
16. Jared discovers that attackers have breached his WiFi network. They have gained access via the wireless access point (WAP) administrative panel, and have logged on with the credentials the WAP shipped with. What best describes this issue? A. Default configuration B. Race conditions C. Failure to patch D. Weak encryption
A. Credentials the WAP shipped with are an example of default configuration. Option B is incorrect. Race conditions involve multithreaded applications accessing shared variables. Option C is incorrect. Patches won't change the default password. Option D is incorrect. Encryption does not affect logging into the administrative screen.
19. Coleen is the web security administrator for an online auction website. A small number of users are complaining that when they visit the website and log in, they are told the service is down and to try again later. Coleen checks and she can visit the site without any problem, even from computers outside the network. She also checks the web server log and there is no record of those users ever connecting. Which of the following might best explain this? A. Typosquatting B. SQL injection C. Cross-site scripting D. Cross-site request forgery
A. From the description it appears that they are not logging into the real web server but rather a fake server. That indicates typosquatting: registering a URL named very similarly to that of a real site, so that when users mistype the real site's URL they land on the fake site. Options B, C, and D are all incorrect. These are all methods of attacking a website, but in this case, the actual website was not attacked. Instead, some users are visiting a fake site.
64. Acme Company uses its own internal certificate server for all internal encryption. However, their certificate authority only publishes a CRL once per week. Does this pose a danger, and if so what? A. Yes, this means a revoked certificate could be used for up to seven days. B. No, this is standard for all certificate authorities. C. Yes, this means it would be easy to fake a certificate. D. No, since this is being used only internally.
A. If a certificate is revoked, it can be used until the new certificate revocation list is published. Options B, C, and D are all incorrect. They do not accurately describe the scenario given.
95. Valerie is responsible for security testing applications in her company. She has discovered that a web application, under certain conditions, can generate a memory leak. What type of attack would this leave the application vulnerable to? A. DoS B. Backdoor C. SQL injection D. Buffer overflow
A. If an attacker can induce the web application to generate the memory leak, then eventually the web application will consume all memory on the web server and the web server will freeze up. Option B is incorrect. Backdoors are not caused by memory leaks. Option C is incorrect. SQL injection places malformed SQL into text boxes. Option D is incorrect. A buffer overflow attempts to put more data in a variable than it can hold.
93. An attacker is trying to get malformed queries sent to the backend database to circumvent the web page's security. What type of attack depends on the attacker entering text into text boxes on a web page that is not normal text, but rather odd-looking commands that are designed to be inserted into database queries? A. SQL injection B. Clickjacking C. Cross-site scripting D. Bluejacking
A. SQL injection places malformed SQL into text boxes. Option B is incorrect. Clickjacking attempts to trick the user into clicking on something other than what he or she intended. Option C is incorrect. Cross-site scripting puts scripts into text fields that will be viewed by other users. Option D is incorrect. Bluejacking is a Bluetooth attack.
27. While investigating a malware outbreak on your company network, you discover something very odd. There is a file that has the same name as a Windows system DLL, and even has the same API interface, but handles input very differently, in a manner to help compromise the system, and it appears that applications have been attaching to this file, rather than the real system DLL. What best describes this? A. Shimming B. Trojan horse C. Backdoor D. Refactoring
A. Shimming is when the attacker places some malware between an application and some other file, and intercepts the communication to that file (usually to a library or system API). Option B is incorrect. A Trojan horse might be used to get the shim onto the system, but that is not described in this scenario. Option C is incorrect. A backdoor is a means to circumvent system authorization and get direct access to the system. Option D is incorrect. Refactoring is the process of changing names of variables, functions, etc. in a program.
84. You are investigating a breach of a large technical company. You discover that there have been several different attacks over a period of a year. The attacks were sustained, each lasting several weeks of continuous attack. The attacks were somewhat sophisticated and originated from a variety of IP addresses, but all the IP addresses are within your country. Which threat actor would you most suspect of being involved in this attack? A. Nation-state B. Hacktivist C. Script kiddie D. A lone highly skilled hacker
A. The fact that the IP addresses are within your country might make you discard the nation-state attacker, but it is common for nation-state attackers to use compromised IP addresses in the target country from which to attack. The other symptoms—a sophisticated attack, over time—are hallmarks of nation-state attackers. Option B is incorrect. Nothing in the scenario indicates an ideological motive. Option C is incorrect. In fact, this attack is the antithesis of the simple attack of a script kiddie. Option D is incorrect. A lone attacker, no matter how skilled, would have difficulty maintaining sustained attacks over a year.
61. You are performing a penetration test of your company's network. As part of the test, you will be given a login with minimal access and will attempt to gain administrative access with this account. What is this called? A. Privilege escalation B. Session hijacking C. Root grabbing D. Climbing
A. The term for attempting to gain any privileges beyond what you have is privilege escalation. Option B is incorrect. Session hijacking is taking over an authenticated session. Options C and D are incorrect. These are not terms used in the industry.
83. What type of attack uses a second wireless access point (WAP) that broadcasts the same SSID as a legitimate access point, in an attempt to get users to connect to the attacker's WAP? A. Evil twin B. IP spoofing C. Trojan horse D. MAC spoofing
A. The terms evil twin and rogue access point both refer to fake access points that broadcast what appear to be legitimate SSIDs. Options B, C, and D are incorrect. They do not adequately explain this attack.
41. Louis is investigating a malware incident on one of the computers on his network. He has discovered unknown software that seems to be opening a port, allowing someone to remotely connect to the computer. This software seems to have been installed at the same time as a small shareware application. Which of the following best describes this malware? A. RAT B. Backdoor C. Logic bomb D. Rootkit
A. This is a remote-access Trojan (RAT), malware that opens access for someone to remotely access the system. Option B is incorrect. A backdoor does provide access but it is usually in the system due to programmers putting it there, not due to malware on the system. Option C is incorrect. A logic bomb executes its misdeeds when some logical condition is met. Option D is incorrect. A rootkit provides root or administrative access to the system.
24. What type of attack is based on entering fake entries into a target network's domain name server? A. DNS poisoning B. ARP poisoning C. Bluesnarfing D. Bluejacking
A. This is an exact description of DNS poisoning or domain hijacking. Option B is incorrect. ARP poisoning involves altering the MAC-IP tables in a switch. Options C and D are incorrect. These are both Bluetooth attacks.
55. John has discovered that an attacker is trying to get network passwords by using software that attempts a number of passwords from a list of common passwords. What type of attack is this? A. Dictionary B. Rainbow table C. Brute force D. Session hijacking
A. This is an example of a dictionary attack. The attacker uses a list of words that are believed to be likely passwords. Option B is incorrect. A rainbow table is a precomputed table of hashes. Option C is incorrect. Brute force tries every possible combination. If an attacker has the original plaintext and ciphertext for a message, they can attempt to determine the key through brute-force attempts across the key space. Option D is incorrect. Session hijacking is when the attacker takes over an authenticated session.
50. What type of attack involves users clicking on something different on a website than what they intended to click on? A. Clickjacking B. Bluesnarfing C. Bluejacking D. Evil twin
A. This is the classic description of clickjacking. Options B and C are incorrect. These are Bluetooth attacks. Option D is incorrect. Nothing in this scenario requires or describes an evil twin.
68. Teresa is a security officer at ACME Inc. She has discovered an attack where the attacker sent multiple broadcast messages to the network routers, spoofing an IP address of one of the network servers. This caused the network to send a flood of packets to that server and it is no longer responding. What is this attack called? A. Smurf attack B. DDoS attack C. TCP hijacking attack D. TCP SYN flood attack
A. This is the definition of a Smurf attack. Option B is incorrect. The scenario does not state if this attack is coming from multiple sources, thus being distributed (i.e., distributed denial of service). Option C is incorrect. A hijacking attack attempts to take over an authenticated session. Option D is incorrect. The signature of a SYN flood is multiple half-open connections.
70. Gerald is a network administrator for a small financial services company. Users are reporting odd behavior that appears to be caused by a virus on their machines. After isolating the machines that he believes are infected, Gerald analyzes them. He finds that all the infected machines received an email purporting to be from accounting, with an Excel spreadsheet, and the users opened the spreadsheet. What is the most likely issue on these machines? A. A macro virus B. A boot sector virus C. A Trojan horse D. A RAT
A. This is the definition of a macro virus. Option B is incorrect. A boot sector virus infects the boot sector of the hard drive. Option C is incorrect. A Trojan horse is malware that is tied to a legitimate program. In this scenario, the malware is actually embedded in an Office document. The two are similar, but not the same. Option D is incorrect. A remote access Trojan (RAT) is a Trojan horse that gives the attacker remote access to the machine.
85. Which of the following best describes a zero-day vulnerability? A. A vulnerability that has been known to the vendor for zero days B. A vulnerability that has not yet been breached C. A vulnerability that can be quickly exploited (i.e., in zero days) D. A vulnerability that will give the attacker brief access (i.e., zero days)
A. This is the definition of a zero-day attack. Options B, C, and D are incorrect. These do not adequately describe a zero-day attack.
39. Someone has been rummaging through your company's trash bins seeking to find documents, diagrams, or other sensitive information that has been thrown out. What is this called? A. Dumpster diving B. Trash diving C. Social engineering D. Trash engineering
A. This is the term for rummaging through the waste/trash. Options B and D are incorrect. These terms, though grammatically correct, are simply not the terms used in the industry. Option C is incorrect. Nothing in this scenario describes social engineering.
15. You have been asked to test your company network for security issues. The specific test you are conducting involves primarily using automated and semiautomated tools to look for known vulnerabilities with the various systems on your network. Which of the following best describes this type of test? A. Vulnerability scan B. Penetration test C. Security audit D. Security test
A. A vulnerability scan uses automated tools such as Nessus and Microsoft Baseline Security Analyzer to find known vulnerabilities. Option B is incorrect. Penetration tests seek to actually exploit the vulnerabilities and break into systems. Option C is incorrect. Security audits usually focus on checking policies, incident reports, and other documents. Option D is incorrect. Security test is a generic term for any sort of test.
60. John is running an IDS on his network. Users sometimes report that the IDS flags legitimate traffic as an attack. What describes this? A. False positive B. False negative C. False trigger D. False flag
A. When an IDS or antivirus mistakes legitimate traffic for an attack, this is called a false positive. Option B is incorrect. A false negative is when the IDS mistakes an attack for legitimate traffic. It is the opposite of a false positive. Options C and D are both incorrect. While these may be grammatically correct, these are not the terms used in the industry.
9. A sales manager at your company is complaining about slow performance on his computer. When you thoroughly investigate the issue, you find spyware on his computer. He insists that the only thing he has downloaded recently was a freeware stock trading application. What would best explain this situation? A. Logic bomb B. Trojan horse C. Rootkit D. Macro virus
B. A Trojan horse wraps a malicious program in a legitimate program. When the user downloads and installs the legitimate program, they get the malware. Option A is incorrect. A logic bomb is malware that does its misdeeds when some condition is met. Option C is incorrect. A rootkit is malware that gets administrative, or root, access. Option D is incorrect. A macro virus is a virus that is embedded in a document as a macro.
3. You are a security administrator for a medium-sized bank. You have discovered a piece of software on your bank's database server that is not supposed to be there. It appears that the software will begin deleting database files if a specific employee is terminated. What best describes this? A. Worm B. Logic bomb C. Trojan horse D. Rootkit
B. A logic bomb is malware that performs its malicious activity when some condition is met. Option A is incorrect because a worm is malware that self-propagates. Option C is incorrect because a Trojan horse is malware attached to a legitimate program. Option D is incorrect because a rootkit is malware that gets root or administrative privileges.
40. You have noticed that when in a crowded area, data from your cell phone is stolen. Later investigation shows a Bluetooth connection to your phone, one that you cannot explain. What describes this attack? A. Bluejacking B. Bluesnarfing C. Evil twin D. RAT
B. Bluesnarfing involves accessing data from a Bluetooth device when it is in range. Option A is incorrect. Bluejacking involves sending unsolicited messages to Bluetooth devices when they are in range. Option C is incorrect. Evil twin uses a rogue access point whose name is similar or identical to that of a legitimate access point. Option D is incorrect. A RAT is a remote-access Trojan. Nothing in this scenario points to a RAT being the cause of the stolen data.
51. What type of attack exploits the trust that a website has for an authenticated user to attack that website by spoofing requests from the trusted user? A. Cross-site scripting B. Cross-site request forgery C. Bluejacking D. Evil twin
B. Cross-site request forgery sends fake requests to a website that purport to be from a trusted, authenticated user. Option A is incorrect. Cross-site scripting exploits the trust the user has for the website and embeds scripts into that website. Option C is incorrect. Bluejacking is a Bluetooth attack. Option D is incorrect. Nothing in this scenario requires or describes an evil twin.
89. Which of the following is an attack that seeks to attack a website, based on the website's trust of an authenticated user? A. XSS B. CSRF C. Buffer overflow D. RAT
B. Cross-site request forgery sends forged requests to a website, supposedly from a trusted user. Option A is incorrect. Cross-site scripting is the injection of scripts into a website to exploit the users. Option C is incorrect. A buffer overflow tries to put more data in a variable than the variable can hold. Option D is incorrect. A remote-access Trojan (RAT) is malware that gives the attacker access to the system.
5. Juanita is a network administrator for a small accounting firm. The users on her network are complaining of slow connectivity. When she examines the firewall logs, she observes a large number of half-open connections. What best describes this attack? A. DDoS B. SYN flood C. Buffer overflow D. ARP poisoning
B. Half-open connections are the hallmark of a SYN flood. Option A is incorrect. We know from the question that this is a denial of service, but nothing indicates that it is (or is not) a distributed denial of service. Option C is incorrect. Buffer overflow involves putting too much data into a variable or array. Option D is incorrect. ARP poisoning is altering the ARP table in a switch; it is not related to website hacking.
29. Frank is a network administrator for a small college. He discovers that several machines on his network are infected with malware. That malware is sending a flood of packets to a target external to the network. What best describes this attack? A. SYN flood B. DDoS C. Botnet D. Backdoor
B. His machines are part of a distributed denial-of-service attack. Option A is incorrect. This scenario describes a generic DDoS, not a specific one like SYN flood. Option C is incorrect. These machines could be part of a botnet, or just have a trigger that causes them to launch the attack at a specific time. The real key in this scenario is the DDoS attack. Option D is incorrect. A backdoor gives an attacker access to the target system.
92. You are responsible for technical support at your company. Users are all complaining of very slow Internet connectivity. When you examine the firewall, you find a large number of incoming connections that are not completed, all packets coming from a single IP address. What best describes this attack? A. DDoS B. SYN flood C. Buffer overflow D. ARP poisoning
B. A large number of half-open connections is the hallmark of a SYN flood. Option A is incorrect. These are all coming from a single IP address, so they cannot be a distributed denial-of-service attack. Option C is incorrect. A buffer overflow seeks to put more data in a variable than it is designed to hold. Option D is incorrect. ARP poisoning poisons the address resolution table of a switch.
72. What is the term used to describe a virus that can infect both program files and boot sectors? A. Polymorphic B. Multipartite C. Stealth D. Multiple encrypting
B. Multipartite viruses combine boot sector with file infection. Option A is incorrect. Polymorphic viruses periodically change their signature or even their code. Option C is incorrect. Stealth viruses use one or more techniques to make them harder to find. Option D is incorrect. This is not an industry term for any sort of virus.
97. Acme Company is using smart cards that use near-field communication (NFC) rather than needing to be swiped. This is meant to make physical access to secure areas more secure. What vulnerability might this also create? A. Tailgating B. Eavesdropping C. IP spoofing D. Race conditions
B. Near-field communication (NFC) is susceptible to an attacker eavesdropping on the signal. Option A is incorrect. Tailgating is a physical attack and not affected by NFC technology. Options C and D are incorrect. These are both unrelated to NFC technology.
22. John is conducting a penetration test of a client's network. He is currently gathering information from sources such as archive.org, netcraft.com, social media, and information websites. What best describes this stage? A. Active reconnaissance B. Passive reconnaissance C. Initial exploitation D. Pivot
B. Passive reconnaissance is any reconnaissance that is done without actually connecting to the target. Option A is incorrect. Active reconnaissance involves communicating with the target network, such as doing a port scan. Option C is incorrect. The initial exploitation is not information gathering; it is actually breaking into the target network. Option D is incorrect. A pivot is when you have breached one system and use that to move to another system.
79. Frank has just taken over as CIO of a mid-sized insurance company. One of the first things he does is order a thorough inventory of all network equipment. He discovers two routers that are not documented. He is concerned that if they are not documented, they might not be securely configured, tested, and safe. What best describes this situation? A. Poor user training B. System sprawl C. Failure to patch systems D. Default configuration
B. System sprawl occurs when a system grows and there are devices on the system that are not documented. Options A, C, and D are all incorrect. While these are all serious security issues, they are unrelated to the scenario presented.
98. John is responsible for physical security at a large manufacturing plant. Employees all use a smart card in order to open the front door and enter the facility. Which of the following is a common way attackers would circumvent this system? A. Phishing B. Tailgating C. Spoofing the smart card D. RFID spoofing
B. Tailgating involves simply following a legitimate user through the door once he or she has opened it. Option A is incorrect. This is unrelated to physical security. Option C is incorrect. It is possible to generate a fake smart card, but that is a very uncommon attack. Option D is incorrect. Again, this is possible but is very uncommon.
1. John is analyzing strange behavior on computers in his network. He believes there is malware on the machines. The symptoms include strange behavior that persists, even if he boots the machine to a Linux Live CD. What is the most likely cause? A. Ransomware B. Boot sector virus C. Rootkit D. Key logger
B. The correct answer is a boot sector virus, which is one that will affect the boot sector of the hard drive. Thus, what operating system you boot to is irrelevant. Option A is incorrect. There is no element of ransom in the description of this attack. Option C is incorrect. A rootkit can sometimes also affect the boot sector, but in this case the boot sector virus is the most accurate description. Option D is incorrect. Nothing in this description indicates key logging.
6. Frank is deeply concerned about attacks to his company's e-commerce server. He is particularly worried about cross-site scripting and SQL injection. Which of the following would best defend against these two specific attacks? A. Encrypted web traffic B. Filtering user input C. A firewall D. An IDS
B. The primary and best way to defend against the attacks mentioned is filtering user input. Option A is incorrect. Encrypting the web traffic will not have any effect on these two attacks. Option C is incorrect. A web application firewall (WAF) might mitigate these attacks, but it would be secondary to filtering user input. Option D is incorrect. An IDS will simply detect the attack—it won't stop it.
21. Which of the following best describes a collection of computers that have been compromised and are being controlled from one central point? A. Zombienet B. Botnet C. Nullnet D. Attacknet
B. The term for this is botnet, usually spelled as one word. Options A, C, and D are all incorrect. Although these terms might sound the same, they are simply not the terms used in the industry.
49. Users are complaining that they cannot connect to the wireless network. You discover that the WAPs are being subjected to a wireless attack designed to block their WiFi signals. Which of the following is the best label for this attack? A. IV attack B. Jamming C. WPS attack D. Botnet
B. This is a classic description of jamming. Option A is incorrect. IV attacks are obscure cryptographic attacks on stream ciphers. Option C is incorrect. WiFi Protected Setup (WPS) uses a PIN to connect to the wireless access point (WAP). The WPS attack attempts to intercept that PIN in transmission, connect to the WAP, and then steal the WPA2 password. Option D is incorrect. A botnet is a group of machines that are being used, without their owners' consent, as part of an attack.
63. An attacker is trying to get access to your network. He is sending users on your network a link to a freeware stock-monitoring program. However, that stock-monitoring program has attached to it software that will give the attacker access to any machine that it is installed on. What type of attack is this? A. Rootkit B. Trojan horse C. Spyware D. Boot sector virus
B. This is a classic example of a Trojan horse. Option A is incorrect. A rootkit gives root or administrative access. Option C is incorrect. Spyware is malware that records user activities. Option D is incorrect. A boot sector virus is a virus that infects the boot sector of the hard drive.
54. Juanita is a network administrator for Acme Company. Some users complain that they keep getting dropped from the network. When Juanita checks the logs for the wireless access point (WAP), she finds that a deauthentication packet has been sent to the WAP from the users' IP addresses. What seems to be happening here? A. Problem with users' WiFi configuration B. Disassociation attack C. Session hijacking D. Backdoor attack
B. This is a classic example of a disassociation attack. The attacker tricks users into disassociating from the device. Option A is incorrect. Misconfiguration won't cause authenticated users to de-authenticate. Option C is incorrect. Session hijacking involves taking over an authenticated session. Option D is incorrect. Backdoors are built-in methods to circumvent authentication.
56. You are a network security administrator for a bank. You discover that an attacker has exploited a flaw in OpenSSL and forced some connections to move to a weak cipher suite version of TLS, which the attacker could breach. What type of attack was this? A. Disassociation attack B. Downgrade attack C. Session hijacking D. Brute force
B. This is a classic example of a downgrade attack. Option A is incorrect. In a disassociation attack, the attacker attempts to force the victim into disassociating from a resource. Option C is incorrect. Session hijacking is when the attacker takes over an authenticated session. Option D is incorrect. Brute force attempts every possible random combination to get the password or encryption key.
12. Mike is a network administrator with a small financial services company. He has received a popup window that states his files are now encrypted and he must pay .5 bitcoins to get them decrypted. He tries to check the files in question, but their extensions have changed, and he cannot open them. What best describes this situation? A. Mike's machine has a rootkit. B. Mike's machine has ransomware. C. Mike's machine has a logic bomb. D. Mike's machine has been the target of whaling.
B. This is a classic example of ransomware. Option A is incorrect. A rootkit provides access to administrator/root privileges. Option C is incorrect. A logic bomb executes its malicious activity when some condition is met. Option D is incorrect. This scenario does not describe whaling.
66. Which of the following best describes malware that will execute some malicious activity when a particular condition is met (i.e., if condition is met, then execute)? A. Boot sector virus B. Logic bomb C. Buffer overflow D. Sparse infector virus
B. This is the definition of a logic bomb. Option A is incorrect. A boot sector virus infects the boot sector of the hard drive. Option C is incorrect. A buffer overflow occurs when the attacker attempts to put more data in a variable than it can hold. Option D is incorrect. A sparse infector virus performs its malicious activity intermittently to make it harder to detect.
14. What type of attack is based on sending more data to a target variable than the data can actually hold? A. Bluesnarfing B. Buffer overflow C. Bluejacking D. DDoS
B. This is the description of a buffer overflow. Option A is incorrect. Bluesnarfing is a Bluetooth attack. Option C is incorrect. Bluejacking is a Bluetooth attack. Option D is incorrect. This is not a distributed denial of service.
87. What best describes an attack that attaches some malware to a legitimate program so that when the user installs the legitimate program, they inadvertently install the malware? A. Backdoor B. Trojan horse C. RAT D. Polymorphic virus
B. This is, in fact, the definition of a Trojan horse. Options A, C, and D are incorrect. These are all possible attacks, but do not match what is described in the question scenario.
10. Your company outsourced development of an accounting application to a local programming firm. After three months of using the product, one of your accountants accidentally discovers a way to log in and bypass all security and authentication. What best describes this? A. Logic bomb B. Trojan horse C. Backdoor D. Rootkit
C. A backdoor is a method for bypassing normal security and directly accessing the system. Option A is incorrect. A logic bomb is malware that performs its misdeeds when some condition is met. Option B is incorrect. A Trojan horse attaches a malicious program to a legitimate program. When the user downloads and installs the legitimate program, they get the malware. Option D is incorrect. A rootkit is malware that gets root or administrative privileges.
25. Frank has been asked to conduct a penetration test of a small bookkeeping firm. For the test, he has only been given the company name, the domain name for their website, and the IP address of their gateway router. What best describes this type of test? A. White-box test B. External test C. Black-box test D. Threat test
C. A black-box test involves absolutely minimal information. Option A is incorrect. A white-box test involves very complete information being given to the tester. Option B is incorrect. This scenario is probably done from outside the network, but external test is not the correct terminology. Option D is incorrect. Threat test is not a term used in penetration testing.
65. When a program has variables, especially arrays, and does not check the boundary values before inputting data, what attack is the program vulnerable to? A. XSS B. CSRF C. Buffer overflow D. Logic bomb
C. A buffer overflow is possible when boundaries are not checked and the attacker tries to put in more data than the variable can hold. Option A is incorrect. Cross-site scripting is a web page attack. Option B is incorrect. Cross-site request forgery is a web page attack. Option D is incorrect. A logic bomb is malware that performs its misdeed when some condition is met.
18. You are responsible for incident response at a mid-sized bank. You have discovered that someone was able to successfully breach your network and steal data from your database server. All servers are configured to forward logs to a central logging server. However, when you examine that central log, there are no entries after 2:13 a.m. two days ago. You check the servers, and they are sending logs to the right server, but they are not getting there. Which of the following would be most likely to explain this? A. Your log server has a backdoor. B. Your log server has been hit with a buffer overflow attack. C. Your switches have been hit with ARP poisoning. D. Your IDS is malfunctioning and blocking log transmissions.
C. ARP poisoning alters the ARP tables so that data is routed to a different MAC address, which would explain why there were no entries. Option A is incorrect. A backdoor would not explain that the log entries were sent, but not received. Option B is incorrect. A buffer overflow would not explain that the log entries were sent but not received. Option D is incorrect. An IDS would not stop log entries even if it was malfunctioning.
58. Farès is the network security administrator for a company that creates advanced routers and switches. He has discovered that his company's networks have been subjected to a series of advanced attacks over a period of time. What best describes this attack? A. DDoS B. Brute force C. APT D. Disassociation attack
C. An advanced persistent threat (APT) involves sophisticated (i.e., advanced) attacks over a period of time (i.e., persistent). Option A is incorrect. A distributed denial of service could be a part of an APT, but in and of itself is unlikely to be an APT. Option B is incorrect. Brute force attempts every possible random combination to get the password or encryption key. Option D is incorrect. In a disassociation attack, the attacker attempts to force the victim into disassociating from a resource.
80. What is the primary difference between an intrusive and a nonintrusive vulnerability scan? A. An intrusive scan is a penetration test. B. A nonintrusive scan is just a document check. C. An intrusive scan could potentially disrupt operations. D. A nonintrusive scan won't find most vulnerabilities.
C. An intrusive scan could possibly cause some disruption of operations. For this reason, it should be conducted outside normal business hours. Option A is incorrect. A penetration test actually attempts to breach the network by exploiting vulnerabilities. Option B is incorrect. An audit is primarily a document check. Option D is incorrect. Both intrusive and nonintrusive vulnerability scans can be effective at finding vulnerabilities.
74. Which of the following is commonly used in a distributed denial of service (DDoS) attack? A. Phishing B. Adware C. Botnet D. Trojan
C. Botnets are often used to launch DDoS attacks, with the attack coming from all the computers in the botnet simultaneously. Option A is incorrect. Phishing attacks attempt to get the user to give up information, click on a link, or open an attachment. Option B is incorrect. Adware consists of unwanted pop-up ads. Option D is incorrect. A Trojan horse attaches malware to a legitimate program.
73. Your company has hired an outside security firm to perform various tests of your network. During the vulnerability scan you will provide that company with logins for various systems (i.e., database server, application server, web server, etc.) to aid in their scan. What best describes this? A. A white-box test B. A gray-box test C. A privileged scan D. An authenticated user scan
C. By giving the tester logins, you are allowing him to conduct a privileged scan (i.e., a scan with some privileges). Options A and B are incorrect. These describe the level of knowledge the tester is given of the network. A privileged scan cannot be a black-box test, but it could be either white-box or gray-box. Option D is incorrect. While this is grammatically correct, it is not the term used in the industry.
8. What type of attack depends on the attacker entering JavaScript into a text area that is intended for users to enter text that will be viewed by other users? A. SQL injection B. Clickjacking C. Cross-site scripting D. Bluejacking
C. Cross-site scripting involves entering a script into text areas that other users will view. Option A is incorrect. SQL injection is not about entering scripts, but rather SQL commands. Option B is incorrect. Clickjacking is about tricking users into clicking on the wrong thing. Option D is incorrect. Bluejacking is a Bluetooth attack.
7. You are responsible for network security at Acme Company. Users have been reporting that personal data is being stolen when using the wireless network. They all insist they only connect to the corporate wireless access point (WAP). However, logs for the WAP show that these users have not connected to it. Which of the following could best explain this situation? A. Session hijacking B. Clickjacking C. Rogue access point D. Bluejacking
C. If users have been connecting but the WAP does not show them connecting, then they have been connecting to a rogue access point. This could be the result of an architecture and design weakness such as a network without segmentation and control of devices connecting to the network. Option A is incorrect. Session hijacking involves taking over an already authenticated session. Most session hijacking attacks involve impersonation. The attacker attempts to gain access to another user's session by posing as that user. Option B is incorrect. Clickjacking involves causing visitors to a website to click on the wrong item. Option D is incorrect. Bluejacking is a Bluetooth attack.
46. Your wireless network has been breached. It appears the attacker modified a portion of data used with the stream cipher and utilized this to expose wirelessly encrypted data. What is this attack called? A. Evil twin B. Rogue WAP C. IV attack D. WPS Attack
C. Initialization vectors are used with stream ciphers. An IV attack attempts to exploit a flaw to use the IV to expose encrypted data. Options A and B are incorrect. Nothing in this scenario requires or describes a rogue access point/evil twin. Option D is incorrect. Wi-Fi Protected Setup (WPS) uses a PIN to connect to the wireless access point (WAP). The WPS attack attempts to intercept that PIN in transmission, connect to the WAP, and then steal the WPA2 password.
69. Which type of virus is able to alter its own code to avoid being detected by antivirus software? A. Boot sector B. Hoax C. Polymorphic D. Stealth
C. Polymorphic viruses periodically change their signature or even their code. Option A is incorrect. A boot sector virus infects the boot sector of the hard drive. Option B is incorrect. This is not a hoax—it is an actual virus. Option D is incorrect. The category of stealth virus is very broad and might include polymorphic as well as armored and sparse infectors, but the scenario is more specific, pointing to polymorphic.
33. You work for a large retail company that processes credit card purchases. You have been asked to test your company network for security issues. The specific test you are conducting involves primarily checking policies, documentation, and past incident reports. Which of the following best describes this type of test? A. Vulnerability scan B. Penetration test C. Security audit D. Security test
C. Security audits typically focus on checking policies, documents, and so forth. Option A is incorrect. Vulnerability scans use automated and semiautomated processes to check for known vulnerabilities. Option B is incorrect. Penetration tests attempt to actually exploit vulnerabilities and breach systems. Option D is incorrect. Security test is too general a term.
17. Joanne is concerned about social engineering. She is particularly concerned that this technique could be used by an attacker to obtain information about the network, including possibly even passwords. What countermeasure would be most effective in combating social engineering? A. SPI firewall B. An IPS C. User training D. Strong policies
C. Social engineering can only be countered by user training and education. Options A and B are incorrect. No technology can prevent social engineering. Option D is incorrect. Strong policies can only help if users are well trained in the policies.
23. One of the salespeople in your company reports that his computer is behaving sluggishly. You check but don't see any obvious malware. However, in his temp folder you find JPEGs that look like screenshots of his desktop. Which of the following is the most likely cause? A. He is stealing data from the company. B. There is a backdoor on his computer. C. There is spyware on his computer. D. He needs to update his Windows.
C. Some spyware takes screen captures of the system, and it is common for such spyware to hide them in the temp folder. Option A is incorrect. There is no evidence of any corporate data, just screenshots from the salesperson's own machine. And if he was stealing data, he would not draw attention to his computer by reporting a problem. Option B is incorrect. Nothing in this scenario indicates a backdoor. Option D is incorrect. Updates won't affect this.
90. John is analyzing what he believes is a malware outbreak on his network. Many users report their machines are behaving strangely. The anomalous behavior seems to occur sporadically and John cannot find a pattern. What is the most likely cause? A. APT B. Boot sector virus C. Sparse infector virus D. Key logger
C. Sparse infector viruses perform their malicious activity sporadically. Option A is incorrect. This does not describe an advanced persistent threat. Option B is incorrect. A boot sector virus infects the boot sector of the hard drive. Option D is incorrect. A keylogger is spyware that records keystrokes.
2. Ahmed is a sales manager with a major insurance company. He has received an email that is encouraging him to click on a link and fill out a survey. He is suspicious of the email, but it does mention a major insurance association, and that makes him think it might be legitimate. Which of the following best describes this attack? A. Phishing B. Social engineering C. Spear phishing D. Trojan horse
C. The correct answer is spear phishing. Spear phishing is targeted to a specific group, in this case insurance professionals. Attackers can find individuals from public sources to target. This is known as open source intelligence. Option A is incorrect because that is too broad a category. Option B is incorrect because, though social engineering is a part of every phishing attack, this is more than just social engineering. Option D is incorrect because this is not a Trojan horse. In fact, malware is not even part of the attack.
71. Fred is on the incident response team for a major insurance company. His specialty is malware analysis. He is studying a file that is suspected of being a virus that infected the company network last month. The file seems to intermittently have bursts of malicious activity, interspersed with periods of being dormant. What best describes this malware? A. A macro virus B. A logic bomb C. A sparse infector virus D. A polymorphic virus
C. The intermittent bursts of malicious activity are the definition of a sparse infector virus. Option A is incorrect. A macro virus is embedded in a document as a macro. Option B is incorrect. A logic bomb executes its misdeeds when a specific condition is met. Option D is incorrect. A polymorphic virus changes its signature, or even its code, periodically.
11. Teresa is the security manager for a mid-sized insurance company. She receives a call from law enforcement, telling her that some computers on her network participated in a massive denial-of-service (DoS) attack. Teresa is certain that none of the employees at her company would be involved in a cybercrime. What would best explain this scenario? A. It is a result of social engineering. B. The machines all have backdoors. C. The machines are bots. D. The machines are infected with crypto-viruses.
C. The machines in her network are being used as bots, and the users are not aware that they are part of a DDoS attack. Option A is incorrect. Social engineering is when someone tries to manipulate you into giving information. Techniques involved in social engineering attacks include consensus, scarcity, and familiarity. Option B is incorrect. There is a slight chance that all computers could have a backdoor, but that is very unlikely, and attackers normally don't manually log into each machine to do a distributed denial of service (DDoS)—it would be automated, as through a bot. Option D is incorrect. Crypto-viruses are not related to DDoS attacks.
4. You are responsible for incident response at Acme bank. The Acme bank website has been attacked. The attacker used the login screen, but rather than enter login credentials, he or she entered some odd text: ' or '1' = '1. What is the best description for this attack? A. Cross-site scripting B. Cross-site request forgery C. SQL injection D. ARP poisoning
C. The text shown is the classic example of a basic SQL injection to log in to a site. Option A is incorrect. Cross-site scripting would have JavaScript in the text field. Option B is incorrect. Cross-site request forgery would not involve any text being entered in the web page. Option D is incorrect. ARP poisoning is altering the ARP table in a switch; it is not related to website hacking.
94. Tyrell is responsible for selecting cryptographic products for his company. The company wants to encrypt the drives of all laptops. The product they have selected uses 128-bit AES encryption for full disk encryption, and users select a password to decrypt the drive. What, if any, would be the major weakness in this system? A. None; this is a good system. B. The 128-bit AES key is too short. C. The passwords users select are the weak link. D. The AES algorithm is the problem; they should use DES.
C. The user-selected password is always a weak link in hard drive encryption. Option A is incorrect. Yes, it is a good system, but there is a weakness. Option B is incorrect. 128-bit AES is more than adequate for corporate purposes. Option D is incorrect. DES is outdated, and AES should be used.
62. Mary has discovered that a web application used by her company does not always handle multithreading properly, particularly when multiple threads access the same variable. This could allow an attacker who discovered this vulnerability to exploit it and crash the server. What type of error has Mary discovered? A. Buffer overflow B. Logic bomb C. Race conditions D. Improper error handling
C. This is a classic definition of a race condition: when multiple threads in an application are using the same variable and the situation is not properly handled. Option A is incorrect. A buffer overflow is attempting to put more data in a buffer than it is designed to hold. Option B is incorrect. A logic bomb is malware that performs its misdeed when some logical condition is met. Option D is incorrect. As the name suggests, improper error handling is the lack of adequate or appropriate error handling mechanisms within software.
76. Juan is responsible for incident response at a large financial institution. He discovers that the company WiFi has been breached. The attacker used the same login credentials that ship with the wireless access point (WAP). The attacker was able to use those credentials to access the WAP administrative console and make changes. Which of the following best describes what caused this vulnerability to exist? A. Improperly configured accounts B. Untrained users C. Using default configuration D. Failure to patch systems
C. This is a classic example of the problem with default configurations. Option A is incorrect. Configuring the accounts is not the issue; changing default passwords and settings is. Option B is incorrect. Yes, training users is important, but that's not the issue in this scenario. Option D is incorrect. Patching systems is important, but that won't change default settings.
52. John is a network administrator for Acme Company. He has discovered that someone has registered a domain name that is spelled just one letter different than his company's domain. The website with the misspelled URL is a phishing site. What best describes this attack? A. Session hijacking B. Cross-site request forgery C. Typosquatting D. Clickjacking
C. This is a classic example of typosquatting. The website is off by only one or two letters, hoping that when users of the real website mistype the URL they will go to the fake website. Option A is incorrect. Session hijacking is taking over an authenticated session. Option B is incorrect. Cross-site request forgery sends fake requests to a website that purport to be from a trusted, authenticated user. Option D is incorrect. Clickjacking attempts to trick users into clicking on something other than what they intended.
86. You have discovered that there are entries in your network's domain name server that point legitimate domains to unknown and potentially harmful IP addresses. What best describes this type of attack? A. A backdoor B. An APT C. DNS poisoning D. A Trojan horse
C. This is the definition of DNS poisoning. Option A is incorrect. A backdoor provides access to the system by circumventing normal authentication. Option B is incorrect. An APT is an advanced persistent threat. Option D is incorrect. A Trojan horse ties a malicious program to a legitimate program.
82. When investigating breaches and attempting to attribute them to specific threat actors, which of the following is not one of the indicators of an APT? A. Long-term access to the target B. Sophisticated attacks C. The attack comes from a foreign IP address. D. The attack is sustained over time.
C. While you might suppose that a nation-state attacker (the usual attacker behind an advanced persistent threat) would attack from a foreign IP address, they often use a compromised address in the target country as a base for attacks. Options A, B, and D are all incorrect. These are actually signs of an advanced persistent threat.
32. You are concerned about a wide range of attacks that could affect your company's web server. You have recently read about an attack wherein the attacker sends more data to the target than the target is expecting. If done properly, this could cause the target to crash. What would best prevent this type of attack? A. An SPI firewall B. An active IDS/IPS C. Checking buffer boundaries D. Checking user input
C. You are concerned about buffer overflows, and thus checking buffer boundaries is the best defense. Options A and B are incorrect. While these technological solutions can always be a benefit for security, they are unlikely to address buffer overflow attacks effectively. Option D is incorrect. Checking user input helps defend against SQL injection and cross-site scripting.
57. When an attacker tries to find an input value that will produce the same hash as a password, what type of attack is this? A. Rainbow table B. Brute force C. Session hijacking D. Collision attack
D. A collision is when two different inputs produce the same hash. Option A is incorrect. A rainbow table is a table of precomputed hashes. Option B is incorrect. Brute force attempts every possible random combination to get the password or encryption key. Option C is incorrect. Session hijacking is when the attacker takes over an authenticated session.
26. You work for a security company that performs penetration testing for clients. You are conducting a test of an e-commerce company. You discover that after compromising the web server, you can use the web server to launch a second attack into the company's internal network. What best describes this? A. Internal attack B. White-box testing C. Black-box testing D. A pivot
D. A pivot occurs when you exploit one machine and use that as a basis to attack other systems. Option A is incorrect. Pivots can be done from internal or external tests. Options B and C are incorrect. These describe how much information the tester is given in advance, not how the tester performs the test.
67. Gerald is a network administrator for Acme Company. Users are reporting odd behavior on their computers. He believes this may be due to malware, but the behavior is different on different computers. What might best explain this? A. It is not malware, but hardware failure. B. It is a boot sector virus. C. It is a macro virus. D. It is a polymorphic virus.
D. A polymorphic virus changes from time to time, and that would explain the different behavior on different computers. Option A is incorrect. The scenario is about malware. Option B is incorrect. A boot sector virus infects the boot sector of the hard drive. Option C is incorrect. A macro virus is embedded into a document as a macro.
36. You are a security administrator for a bank. You are very interested in detecting any breaches or even attempted breaches of your network, including those from internal personnel. But you don't want false positives to disrupt work. Which of the following devices would be the best choice in this scenario? A. IPS B. WAF C. SIEM D. IDS
D. An intrusion detection system will simply report issues, and not block the traffic. Option A is incorrect. An intrusion prevention system will stop suspected traffic, and in the event of a false positive, will shut down legitimate traffic. Option B is incorrect. A web application firewall (WAF), as the name suggests, primarily protects a web server against external attacks. Option C is incorrect. SIEMs aggregate logs for analysis.
77. Elizabeth is investigating a network breach at her company. She discovers a program that was able to execute code within the address space of another process by using the target process to load a specific library. What best describes this attack? A. Logic bomb B. Session hijacking C. Buffer overflow D. DLL injection
D. In a DLL injection, the malware forces a target process to load a library of the attacker's choosing, so that the library's code runs inside that process's address space. This is a rather advanced attack. Option A is incorrect. A logic bomb executes its misdeed when some condition is met. Option B is incorrect. Session hijacking is taking over an authenticated session. Option C is incorrect. Buffer overflows are done by sending more data to a variable than it can hold.
30. John is a salesman for an automobile company. He recently downloaded a program from an unknown website, and now his client files have their file extensions changed, and he cannot open them. He has received a popup window that states his files are now encrypted and he must pay .5 bitcoins to get them decrypted. What has happened? A. His machine has a rootkit. B. His machine has a logic bomb. C. His machine has a boot sector virus. D. His machine has ransomware.
D. Ransomware
81. Daryl is investigating a recent breach of his company's web server. The attacker used sophisticated techniques and then defaced the website, leaving messages that were denouncing the company's public policies. He and his team are trying to determine the type of actor who most likely committed the breach. Based on the information provided, who was the most likely threat actor? A. A script B. A nation-state C. Organized crime D. Hacktivists
D. The fact that the website is defaced in a manner related to the company's public policies is the definition of hacktivism. Options A, B, and C are incorrect. None of these account for the statements adverse to the company's policies, which is why hacktivism is the real cause.
13. Terrance is examining logs for the company e-commerce web server. He discovers a number of redirects that cannot be explained. After carefully examining the website, he finds some attacker performed a watering hole attack by placing JavaScript in the website and is redirecting users to a phishing website. Which of the following techniques would be best at preventing this in the future? A. An SPI firewall B. An active IDS/IPS C. Checking buffer boundaries D. Checking user input
D. The primary method for stopping both cross-site scripting and SQL injection is to check or filter user input. Option A is incorrect. A web application firewall might help, but a basic SPI firewall won't prevent this. Option B is incorrect. Most IDSs/IPSs won't detect cross-site scripting, and even if one will, option D is still the best way to prevent cross-site scripting. Option C is incorrect. This is not a buffer overflow, and checking buffer boundaries won't help.
20. Mahmoud is responsible for managing security at a large university. He has just performed a threat analysis for the network, and based on past incidents and studies of similar networks, he has determined that the most prevalent threat to his network is low-skilled attackers who wish to breach the system, simply to prove they can or for some low-level crime, such as changing a grade. Which term best describes this type of attacker? A. Hacktivist B. Amateur C. Insider D. Script kiddie
D. The term for low-skilled hackers is script kiddie. Option A is incorrect. Nothing indicates this is being done for ideological reasons. Option B is incorrect. "Amateur" may be an appropriate description, but the correct term is script kiddie. Option C is incorrect. Nothing in this scenario indicates an insider threat.
42. This is a common security issue that is extremely hard to control in large environments. It occurs when a user has more computer rights, permissions, and privileges than what is required for the tasks the user needs to perform. What best describes this scenario? A. Excessive rights B. Excessive access C. Excessive permissions D. Excessive privileges
D. The term used in the industry is excessive privileges, and it is the opposite of good security practice, which states that each user should have least privileges (i.e., just enough privileges to do his or her job). Options A through C are incorrect. While these are grammatically correct, they are not the terms used in the industry.
48. Some users on your network use Acme Bank for their personal banking. Those users have all recently been the victim of an attack, wherein they visited a fake Acme Bank website and their logins were compromised. They all visited the bank website from your network, and all of them insist they typed in the correct URL. What is the most likely explanation for this situation? A. Trojan horse B. IP spoofing C. Clickjacking D. DNS poisoning
D. This appears to be a situation where your network's DNS server is compromised and sending people to a fake site. Option A is incorrect. A Trojan horse is malware tied to a legitimate program. Option B is incorrect. IP spoofing would be using a fake IP address, but that is not described in this scenario. In fact, the users are not even typing in IP addresses—they are typing in URLs. Option C is incorrect. Clickjacking involves tricking users into clicking something other than what they intended.
35. You are the manager for network operations at your company. One of the accountants sees you in the hall and thanks you for your team keeping his antivirus software up to date. When you ask him what he means, he mentions that one of your staff, named Mike, called him and remotely connected to update the antivirus. You don't have an employee named Mike. What has occurred? A. IP spoofing B. MAC spoofing C. Man-in-the-middle attack D. Social engineering
D. This is a classic example of an attacker using social engineering on the accountant, in order to gain access to his system. Options A and B are incorrect. This scenario does not describe either IP or MAC spoofing. Option C is incorrect. A man-in-the-middle attack would require an attacker to get in between a source and destination for some sort of electronic communication. That is not described in this scenario.
91. Farès is the CISO of a bank. He has received an email that is encouraging him to click on a link and fill out a survey. Being security conscious, he normally does not click on links. However, this email calls him by name and claims to be a follow-up to a recent conference he attended. Which of the following best describes this attack? A. Clickjacking B. Social engineering C. Spear phishing D. Whaling
D. This is a classic example of whaling, phishing that targets a specific individual. Option A is incorrect. Clickjacking is an attack that tries to trick users into clicking on something other than what they believe they are clicking on. Option B is incorrect. While all phishing uses some social engineering, whaling is the most accurate description of this attack. Option C is incorrect. Spear phishing targets a group, not a single individual.
96. When a multithreaded application does not properly handle various threads accessing a common value, what flaw is this? A. Memory leak B. Buffer overflow C. Integer overflow D. Race condition
D. This is the definition of a race condition. Option A is incorrect. Memory leaks occur when memory is allocated but never deallocated. Option B is incorrect. A buffer overflow is when more data is put into a variable than it can hold. Option C is incorrect. An integer overflow occurs when an attempt is made to put an integer that is too large into a variable, such as trying to put a 64-bit integer into a 32-bit variable.
78. Zackary is a malware investigator with a cybersecurity firm. He is investigating malware that is able to compromise a target program by finding null references in the target program and dereferencing them, causing an exception to be generated. What best describes this type of attack? A. DLL injection B. Buffer overflow C. Memory leak D. Pointer dereference
D. This is the definition of pointer dereferencing. It is a somewhat obscure and sophisticated attack on a target program. Option A is incorrect. In a DLL injection, the malware tries to inject code into the memory process space of a library. Option B is incorrect. In a buffer overflow, the attacker sends more data to a variable than it can hold. Option C is incorrect. A memory leak occurs when memory is allocated in some programming function but not deallocated. Each time the function is called, more system memory is used up.
99. Which of the following is the term for an attack wherein malware inserts itself as a library, such as a DLL, between an application and the real system library the application is attempting to communicate with? A. Application spoofing B. Jamming C. Evil twin D. Shimming
D. This is the definition of shimming. Option A is incorrect. Application spoofing is not a term used in the industry. Options B and C are incorrect. These are both wireless attacks.
100. You are responsible for incident response at Acme Corporation. You have discovered that someone has been able to circumvent the Windows authentication process for a specific network application. It appears that the attacker took the stored hash of the password and sent it directly to the backend authentication service, bypassing the application. What type of attack is this? A. Hash spoofing B. Evil twin C. Shimming D. Pass the hash
D. This scenario is the definition of passing the hash. Option A is incorrect. A real hash was provided; it was not spoofed. Option B is incorrect. Evil twin is a wireless attack. Option C is incorrect. Shimming is inserting malicious code between an application and a library.
31. When phishing attacks are so focused that they target a specific individual, they are called what? A. Spear phishing B. Targeted phishing C. Phishing D. Whaling
D. Whaling is targeting a specific individual. Option A is incorrect. Spear phishing targets a small group. Option B is incorrect. Targeted phishing is not a term used in the industry. Option C is incorrect. Phishing is the generic term for a wide range of related attacks.
59. You are responsible for incident response at Acme Company. One of your jobs is to attempt to attribute attacks to a specific type of attacker. Which of the following would not be one of the attributes you consider in attributing the attack? A. Level of sophistication B. Resources/funding C. Intent/motivation D. Amount of data stolen
D. Whether the attacker is an organized criminal, hacktivist, nation-state attacker, or script kiddie, the amount of data stolen could be large or small. Options A, B, and C are all incorrect. These are exactly the attributes of an attack you do examine to determine the most likely attacker.
45. Farès has discovered that attackers have breached his wireless network. They seem to have used a brute-force attack on the Wi-Fi Protected Setup PIN to exploit the WAP and recover the WPA2 password. What is this attack called? A. Evil twin B. Rogue WAP C. IV attack D. WPS attack
D. Wi-Fi Protected Setup (WPS) uses a PIN to connect to the wireless access point (WAP). The WPS attack attempts to intercept that PIN in transmission, connect to the WAP, and then steal the WPA2 password. Options A and B are incorrect. Nothing in this scenario requires or describes a rogue access point/evil twin. Option C is incorrect. An IV attack is an obscure cryptographic attack.
44. There are some computers on your network that use Windows XP. They have to stay on Windows XP due to a specific application they are running. That application won't run on newer operating systems. What security concerns does this situation give you? A. No special concerns; this is normal. B. The machines cannot be patched; XP is no longer supported. C. The machines cannot coordinate with an SIEM since XP won't support that. D. The machines are more vulnerable to DoS attacks.
B. When using products the vendor no longer supports, also known as end-of-life products, one major concern is that there won't be patches available for any issues or vulnerabilities. Option A is incorrect; this is certainly not normal. Option C is incorrect. SIEMs aggregate logs and are operating system agnostic. Option D is incorrect. An older system is not necessarily more susceptible to denial-of-service (DoS) attacks.
43. Jared is responsible for network security at his company. He has discovered behavior on one computer that certainly appears to be a virus. He has even identified a file he thinks might be the virus. However, using three separate antivirus programs, he finds that none can detect the file. Which of the following is most likely to be occurring? A. The computer has a RAT. B. The computer has a zero-day exploit. C. The computer has a logic bomb. D. The computer has a rootkit.
B. Zero-day exploits are new, and they are not in the virus definitions for the antivirus programs. This makes them difficult to detect, except by their behavior. Options A, C, and D are incorrect. These are all forms of malware, but they should be picked up by at least one of the antivirus programs.