Chapter 6: Network Security
Which of the following are the BEST methods for protecting against rogue devices and identifying rogue devices more easily? (Select two.)
- 802.1x network access control - Port-based access control
Which of the scenarios below might justify using a MAC address spoofing tool when connecting to your company's network? (Select two.)
- A new web server that is for internal-only use has a firewall that only allows a list of six devices to access resources. You need to verify all other MAC addresses are blocked. - You want to test the list of banned MAC addresses on your network.
Over time, changes in the way people use networks have complicated protecting a network against security threats. Which of the following trends has increased the need for security? (Select two.)
- Cloud computing - Social networking
An artificial intelligence research corporation has tasked a cybersecurity analyst with preventing malicious or corrupted data from entering into their proprietary ML model through a data poisoning attack. Which of the following actions should the analyst take? (Select three.)
- Data validation - Anomaly detection - Data diversity
A power plant's operational technology specialist routinely inspects all operational controls. Which of the following are examples of operational technologies (OT)? (Select three.)
- ICSs - PLCs - SCADA systems
A company has recently discovered that its network has become slow and unreliable, with frequent outages and disruptions. An IT staff member suspects that rogue devices on the network could be causing these issues. What are the BEST ways to identify rogue devices on a network? (Select three.)
- Install endpoint security software on all devices connected to the network to monitor and control device access. - Conduct network scans using tools like Nmap to identify active devices on the network. - Use intrusion detection systems (IDS) to monitor network traffic and identify devices that do not belong on the network.
While performing a password audit on a Windows machine in your organization with L0phtCrack, you receive the following results. Based on what you see below, which two accounts should worry you the most? (Select two.)
- Mihai - Administrator
A company's security team recently discovered an unknown device connected to their network, and they suspect it could be a rogue device. The team wants to conduct scans and sweeps to locate and remove any unauthorized devices on the network. Which of the following are common types of scans or sweeps the team can use to locate rogue devices in the network? (Select two.)
- Passive scanning - Active scanning
A company's security analyst wants to identify issues such as unauthorized devices and software or misconfigured hosts on the company network. Which of the following are the most commonly used methods for detecting any rogue devices on a network? (Select two.)
- Ping sweeps - Network scans
A cybersecurity analyst for a small company ensures the company's email security by configuring Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). The analyst needs to explain to other employees how SPF and DKIM work together. Which of the following statements correctly explain the role of SPF and DKIM in securing email communications? (Select two.)
- SPF verifies the source IP address of incoming messages while DKIM verifies the message content. - SPF and DKIM together prevent email spoofing and ensure message authenticity.
Which of the following are uses for the sqlmap utility? (Select two.)
- To detect vulnerable web apps - To determine SQL server parameters, including version, usernames, operating systems, etc.
Which of the following statements are true when describing Heuristic analysis? (Select two.)
- Triggers an alert when any activity falls outside a baseline. - Requires little human interaction.
The information below is from Wireshark. Which kind of attack is occurring?
A DDoS attack
A password spraying attack is MOST like which of the following attack types?
A brute force attack
The DKIM tool can provide security for your company's emails because it contains which of the following?
A digital signature
Which of the following BEST describes a rogue access point attack?
A hacker installing an unauthorized access point within a company.
Which of the following describes a credential stuffing attack?
A hacker tries a list of credentials on multiple sites.
Which of the following BEST describes a relational database?
A storage bank for data that is organized in tables linked by keys and which can be searched in multiple ways through those keys.
Which of the following is the term used to describe what happens when an attacker sends falsified messages to link their MAC address with the IP address of a legitimate computer or server on a network?
ARP poisoning
What does a router use to protect a network from attacks and to control which types of communications are allowed on a network?
Access control list
On rare occasions, an individual computer contains information that is highly confidential and must remain separated from both internal and external networks. Which of the following segmentation solutions would BEST achieve this goal?
Air gap
Which of the following BEST describes a DoS fragmentation attack?
An attack in which fake UDP or ICMP packets larger than the MTU are sent to exhaust the processing resources.
Which of the following BEST describes a TCP session hijacking attack?
An attacker sniffs between two machines on a connection-based protocol, monitors the traffic to capture the session ID, terminates the target computer's connection, and injects packets to the server.
You have performed a SQL injection attack against a website using Burp Suite and see the following results. What are you looking for?
Any results that show something unexpected being passed back from the server
Which security control layer involves putting in place policies that comply with industry standards, such as OWASP?
Application
Your Intrusion Detection System (IDS) doesn't seem to be listing any new security attacks on your network. Which of the following DDoS attack methods is MOST likely being used?
Application Layer DDoS
You discover that your web server is receiving a large number of HTTP requests, causing it to repeatedly load a web page. Which of the following DDoS attack methods does this fall under?
Application layer DDoS
Which of the following SQL injection attack types uses true/false questions to perform reconnaissance?
Blind injection attack
A customer logs into their bank account and simultaneously checks their email. They see an email containing a link that, when clicked, initiates a transfer of funds from the user's bank account to an attacker's account. What type of vulnerability does this situation describe?
CSRF
You have just discovered that a hacker is trying to penetrate your network using MAC spoofing. Which of the following BEST describes MAC spoofing?
Changing a hacker's network card to match a legitimate address being used on a network.
A security analyst discovers that an attacker is attempting to launch a distributed denial-of-service (DDoS) attack on the company's network. What action should the security analyst take to prevent the DDoS attack from succeeding?
Configure the router to limit the amount of traffic coming from the attacker's IP address
John creates an account and creates a listing for the sale of his home. He uses HTML tags to bold important words. Kris, an attacker, spots John's listing and notices the bolded words. Kris assumes HTML tags are enabled on the user end and uses this vulnerability to insert her own script, which will send her a copy of the cookie information for any user who looks at the ad. Which type of attack method is Kris MOST likely using?
Cross-site scripting
Which of the following tools can you use to prevent data exfiltration by identifying and blocking the transfer of sensitive information?
DLP
A cybersecurity analyst for a large financial services company reviews the company's email security controls and is concerned about the risk of phishing attacks. The analyst decides to implement Domain-based Message Authentication, Reporting and Conformance (DMARC) to better protect the company's email domain. Which of the following BEST describes the correlation between embedded links and DMARC?
DMARC verifies the authenticity of embedded links by checking the sender's domain against the DMARC record.
A security analyst at a financial institution has discovered that sensitive customer data was transferred outside of the organization's network. Which of the following is the MOST likely explanation for the data transfer?
Data exfiltration
Which security control makes a system more difficult to attack?
Deterrent
Which of the following attacks would use the following syntax? http://www.testout.com.br/../../../../ some_dir/ some_file
Directory traversal
As a security consultant for a conglomerate of healthcare services, you suspect that the email client being used by the hospital staff is allowing hackers to send malicious emails to employees. You have used an analyzing tool and found the following string in a from field in the email header of several suspect emails: Friendly Guy You have also found the following in the same header: [email protected] In which of the following fields in the header have you MOST likely found this information?
Display from
A security analyst is monitoring the network traffic of a large organization. The analyst has noticed an unusual spike in network traffic and needs to determine the cause. What is the MOST likely explanation for the unusual spike in network traffic?
Distributed denial-of-service (DDoS) attack
A security analyst performs incident response activities after a recent security incident. They need to analyze a suspicious email attachment and verify the email's authentication to determine the attack's origin. Which tool should the analyst utilize to accomplish these tasks?
Domain-based Message Authentication, Reporting, and Conformance (DMARC)
A security analyst is investigating a series of phishing emails that bypassed the organization's email filtering system. They need to determine the most likely method the attacker used to ensure the recipients received the phishing emails. Which of the following methods is MOST likely used by the attacker?
DomainKeys Identified Mail (DKIM) exploit
A government agency had a breach at one of its locations that resulted in stolen hard drives. The virtual servers on the stolen hard drives had data for only one virtual appliance replicating to the secondary virtual appliance remotely. A security investigation report showed that the agency did not set up virtual appliances with data-at-rest security features. What must the system administrators do to ensure another breach does not jeopardize the government?
Encrypt the virtual server
Which Wi-Fi attack uses a rogue access point configured with the same SSID as the organization's SSID?
Evil twin
A security analyst is testing to find SQL injection vulnerabilities. She uses automation of a large volume of random data inserted into the web application's input fields in order to check the output. Which type of testing was done?
Fuzz testing
Which of the following ICS components allows an operator in a manufacturing plant to make configuration changes in the ICS system?
HMI
Which of the following can contain a wealth of information that can be used to determine the authenticity of an email?
Header block
You are the security analyst for your organization. During a vulnerability analysis, you have noticed the following: - File attributes being altered - Unknown .ozd files - Files that do not match the existing naming scheme - Changes to the log files Which of the following do these signs indicate has occurred?
Host-based intrusion
Which of the following handles the workflow and automation processes for all sorts of machinery?
ICS
Which of the following is a security service that monitors network traffic in real time or reviews the audit logs on servers looking for security violations?
IDS
After a sniffing attack has been discovered on an organization's large network, Jim, a security analyst, has been asked to take steps to secure the network from future attacks. The organization has multiple buildings and departments. Which of the following is the BEST step Jim could take to make the network more secure?
Implement switched networks.
Your company has had a problem with users getting hacked even though you have established strong password policies. What is the next logical step to increase your company's security?
Implement two or more methods of authentication.
A network reliability engineer for a commercial dairy company receives an alert from the sensor in refrigeration unit 7. It shows the cooler as 15 degrees higher than usual, and the backup refrigeration units are working at max capacity to control the increase in temperature. The engineer alerts the floor manager on shift to distribute inventory to nearby coolers and send a maintenance specialist to resolve the issue. What type of controls saved the company's inventory from a catastrophe?
Industrial control systems (ICSs)
A security administrator is testing their organization's database server, which services a publicly accessible web application server. The security administrator sends unexpected input combined with arbitrary commands to the web application to determine whether the database server is vulnerable. What kind of vulnerability is the security administrator testing?
Injection flaws
An attacker performs a successful SQL injection attack against your employer's web application that they use for daily business. What is the MOST likely reason the web application was vulnerable to attack?
Input fields in the comment forms were not being validated.
There are several types of signature evasion techniques. Which of the following BEST describes the obfuscated code technique?
Is a SQL statement that is hard to read and understand
Which of the following BEST describes the countermeasures you would take against a cross-site request forgery attack?
Log off immediately after using a web application. Clear the history after using a web application, and don't allow your browser to save your login details.
Which of the following is a method of attack that is intended to overload the memory of a network switch, forcing the switch into open-fail mode and thereby causing it to broadcast incoming data to all ports?
MAC flooding
An email's Internet header contains address information for the recipient and sender, plus details of the servers handling the message's transmission, using the fields set out in the Simple Mail Transfer Protocol (SMTP). When an email is created, the mail user agent (MUA) creates an initial header and forwards the message to which of the following?
MDA
Which of the following ICS components is a special network protocol that controller systems use to communicate with each other?
Modbus
Which of the following BEST describes the components of an ICS network?
Operational technology
A company's security team needs to assess the security posture of its Amazon Web Services (AWS) environment, focusing on both the reconnaissance and exploitation phases of a penetration testing engagement. The team requires a tool that can automate various attack scenarios and validate the effectiveness of its cloud security controls. Which of the following tools is best suited for this task?
Pacu
An organization moves computing resources to the cloud. A team of security consultants performs penetration tests on a newly established install of AWS virtual machine instances. Which resource does the team deploy to gain unauthorized access to these cloud resources?
Pacu
A Chief Executive Officer (CEO) receives an email that appears to be from the Chief Operations Officer (COO) discussing quarterly reports. The email includes a link to a nonsuspicious-looking website that allows unauthenticated persons to leave comments at the bottom of the form. One of the comments, in non-visible text, includes a Javascript code snippet and link. What kind of attack is this?
Persistent XSS
Which of the following types of cyberattacks include a legitimate-looking embedded link to a malicious site in an email purporting to be from a legitimate source?
Phishing
Which of the following attacks sends fragmented packets that exceed 65, 535 bytes and cause a buffer overflow and system crash when reassembled?
Ping of death attack
An attacker is disguising a signature by encoding the attack payload and placing a decoder in front of the payload. Every time the payload is sent, the code is rewritten so the signature changes. Which of the following obfuscation techniques is the attacker using?
Polymorphic shellcode
The network IDS has sent alerts regarding malformed messages and sequencing errors. Which of the following IDS detection methods is MOST likely being used?
Protocol
An organization moves computing resources to the cloud. A team of security consultants reviews the new configurations and reports on the details from an external perspective. As part of the investigation, the team takes advantage of regulatory compliance features of what tool?
Prowler
Which of the following describes an attack where injected script is immediately mirrored off a web server when a user inputs data in a form or search field?
Reflected cross-site scripting
A large-scale business needs a system to control field devices with embedded PLCs on multiple sites spread over a large geographical area. What system should an Information Security Program Manager choose to BEST suit the coverage needed for this business?
SCADA
Many industries use automated systems to manage the control of machinery and equipment, which is critical to a company's safety, productivity, and efficiency. What technology governs whole process automation system?
SCADA
What system manages large-scale, multiple-site devices and equipment spread over geographically large areas from a housed server to field devices?
SCADA
Which of the following is used to monitor and control PLC systems?
SCADA
The field in the image below is supposed to return just the username associated with the user ID (a number). The output in the image, however, includes more information, including the username running the database. What is being exploited here?
SQL injection
Which of the following cyberattacks involves an attacker inserting their own code through a data entry point created for regular users in such a way that the server accepts the malicious code as legitimate?
SQL injection
Which of the following types of attacks involves constructing malicious commands with the goal of modifying a database?
SQL injection
A monster truck forum permit users to upload URLs of their favorite monster truck videos for their friends to view. An attacker submits a specially crafted URL that includes a call for the forum's internal network resources, and the web application processes the request without proper validation. The internal network, trusting the forum server, complies with the malicious call, permitting the attacker to steal payment information from the internal database. What vulnerability does this situation describe?
SSRF
A security consultant uses a software tool to perform security tests for an organization's cloud presence. Which tool will the consultant use in an attempt to gain a list of all virtual machine and storage container instances?
Scout Suite
A coworker has run Scout Suite against your Microsoft Azure environment. What were they looking for?
Scout Suite is used to show potential security risks on cloud deployments.
It is important to be prepared for a DoS attack, as these attacks are becoming more common. Which of the following BEST describes the response you should take for a service degradation?
Set services to throttle or shut down.
Which IDS method searches for intrusion or attack attempts by recognizing patterns or identifying entities listed in a database?
Signature-based IDS
An attack targets ICMP protocol vulnerabilities and is conducted by creating ICMP echo request packets using the spoofed IP address of the target machine. It then sends packets to the broadcast address network, which results in numerous devices responding with replies to the target's IP address, disabling it. Which type of attack is this?
Smurf DDoS attack
You configure your switches to shut down a port immediately after it being accessed by an unauthorized user. Which type of attack are you trying to prevent?
Sniffing
DDoS attacks are successful when they use all available bandwidth. What is the method an attacker normally uses to consume all available bandwidth to a targeted server?
Spoofing a target IP address by opening connections with multiple servers, then directing all SYN/ACK responses to the target server.
You are currently attempting to establish a baseline of regular network traffic to detect potential DDoS attacks. At the moment, you are choosing a representative period for data collection. Which step in establishing a baseline are you currently working on?
Step 1
Business email compromise attacks have been increasingly waged against corporations' email systems. Attackers exploit an auto-forwarding email vulnerability to set emails that contain keywords to be redirected to their own inboxes. Which of the following BEST helps protect against this form of attack?
Sync email accounts settings.
An analyst reviews an alert detecting a rogue backend server being deployed behind the company's load balancer. The analyst attempts multiple map scans in hopes of identifying the possible threat but fails to reach the destination. What problem is presented in this instance?
The screened subnet firewall is blocking the scans.
While performing an audit of your company's network, you use Wireshark to sniff the network and then use the tcp contains password command to filter and see the results below. What might you conclude based on these findings?
There is a website that someone on your network logged in to that has no encryption.
Which of the following BEST describes the purpose of the wireless attack type known as wardriving?
To find information that will help breach a victim's wireless network.
Which of the following analysis methods involves looking at data over a period of time and then uses those patterns to make predictions about future events?
Trend
As a security analyst, you want to evade an IDS system while testing for SQL injection vulnerabilities. Which of the following actions will help you avoid detection?
Use in-line comments in strings.
Match each attack on the left to the appropriate defense on the right.
Use rigid specifications to validate all headers, cookie query strings, hidden fields, and form fields. > XSS Attack Perform input validation. Do not permit dangerous characters in the input. > Injection Attack Log off immediately after using a web application. Clear History after using a web application, and don't allow your browser to save your login details. > CSRF Attack Secure remote administration and connectivity testing. Perform extensive input validation. Configure the firewall to deny ICMP traffic. Stop data processed by the attacker from being executed. > DoS Attack Update web servers with security patches on a regular basis. Limit access to the secure areas of the website. > Directory Traversal
A company assigns a security analyst to monitor the network traffic and identify any potential security breaches. The analyst is debating between using Wireshark or tcpdump to analyze the network packets for unusual network activity. Which of the following statements about Wireshark and tcpdump is true?
Wireshark is a graphical user interface tool, while tcpdump is a command line tool.
You are monitoring your network's traffic, looking for signs of strange activity. After looking at the logs, you see that there was a recent spike in database read volume. Could this be a problem and why?
Yes. A spike in database read volume can show that a hacker has downloaded a great deal of information from the database.
You are looking through your network usage logs and notice logins from a variety of geographic locations that are far from where your employees usually log in. Could this be a problem and why?
Yes. Logins from strange geographical locations can show that a hacker is trying to gain access from a remote location.
Which set of tools is often used to intercept the four-way handshake?
aircrack-ng
The IT director has requested that you verify that traffic to a new server from her machine goes only where it is supposed to and can't be redirected to another IP address. You decide to attempt to manipulate traffic on the network to see if things are really secure. You have pulled up Ettercap and plan on using one of the plug-ins for testing. Which of the displayed plug-ins should you use?
dns_spoof
When it comes to obfuscation mechanisms, nmap has the ability to generate decoys, meaning that detection of the actual scanning system becomes much more difficult. Which of the following is the proper nmap command used to generate decoys?
nmap -D RND:10 target_IP_address
There is strong evidence that a machine is compromised on your company network, but you have not determined which computer. You are going to try to pinpoint the host by scanning for any network devices that are in promiscuous mode. Which of the following Nmap scripts would you use?
sniffer-detect
You are reviewing packets captured by a co-worker. The traffic is from a Linux server that hosts private customer data, and your job is to analyze the content for potential security risks. The .pcap file appears to be a bit small for what you wanted. (It contains traffic to and from the target system during a given time period.) Some of that traffic is shown below. You suspect that only SSH traffic is represented in this capture, which was done with tcpdump. What command do you think your co-worker used to capture only SSH traffic?
tcpdump port 22
