CompTIA Security+, CIS3500, Test 1, Chapters 1-10
Typo squatting (also called URL hijacking)
A colleague asks you for advice on why he can't log in to his Gmail account. Looking at his browser, you see he has typed www.gmal.com in the address bar. The screen looks very familiar to the Gmail login screen. Your colleague has just fallen victim to what type of attack?
Crypto-malware
A colleague can't open any Word document he has stored on his local system. When you force open one of the documents to analyze it, you will see nothing but seemingly random characters. There's no visible sign the file is still a Word document. Your colleague was most likely a victim of what type of malware?
A Trojan
A colleague has been urging you to download a new animated screensaver he has been using for several weeks. While he is showing you the program, the cursor on his screen moves on its own and a command prompt window opens and quickly closes. Based on what you have seen, you suspect the animated screensaver is really what type of malware?
What is the main difference between a credentialed and non-credentialed vulnerability scan?
A credentialed scan is performed with a valid userid/password
Firmware rootkit
A desktop system on your network has been compromised. Despite loading different operating systems using different media on the same desktop, attackers appear to have access to that system every time it is powered up and placed on the network. This could be an example of what type of rootkit?
Logic Bomb
A disgruntled administrator is fired for negligence at your organization. Thirty days later, your organization's internal file server and backup server crash at exactly the same time. Examining the servers, it appears that critical operating system files were deleted from both systems. If the disgruntled administrator was responsible for administering those servers during her employment, this is most likely an example of what kind of malware?
Open Source Intelligence
A method of gathering data using public sources, such as social media sites and news outlets.
Worm
A piece of malware is infecting the desktops in your organization. Every hour more systems are infected. The infections are happening in different departments and in cases where the users don't share any files, programs, or even e-mails. What type of malware can cause this type of infection?
You're working with a group testing a new application. You've noticed that when three or more of you click Submit on a specific form at the same time, the application crashes every time. This is most likely an example of which of the following?
A race condition
Buffer Overflow Attack
A user calls to report a problem with an application you support. She says when she accidentally pasted an entire paragraph into an input field, the application crashed. You are able to consistently reproduce the results using the same method. What vulnerability might that user have accidentally discovered in the application?
Vishing
A user in your organization contacts you to see if there's any update to the "account compromise" that happened last week. When you ask him to explain what he means, the user tells you he received a phone call earlier in the week from your department and was asked to verify his userid and password. The user has fallen victim to what specific type of attack?
Adware
A user in your organization is having issues with her laptop. Every time she opens a web browser, she sees different pop-ups every few minutes. It doesn't seem to matter which websites are being visited--the pop-ups still appear. What type of malware does this sound like?
Man-in-the-Middle
A user reports seeing "odd certificate warnings" on her web browser this morning whenever she visits Google. Looking at her browser, you see certificate warnings. Looking at the network traffic, you see all HTTP and HTTPS requests from that system are being routed to the same IP regardless of destination. Which of the following attack types are you seeing in this case?
ARP Poisoning Attack
A user wants to know if the network is down, because she is unable to connect to anything. While troubleshooting, you notice the MAC address for her default gateway doesn't match the MAC address of your organization's router. What type of attack has been used against this user?
Why should you never use a network scanner on a network you are not authorized to scan?
A. A network scanner or port scanner is the same tool that an attacker would use.
What kind of device provides tamper protection for encryption keys?
A. HSM
Why is Internet Key Exchange preferred in enterprise VPN deployments?
A. IKE automates key management by authenticating each peer to exchange session keys.
Why should you compare hashes of the files you downloaded from the internet to a library of known hash values?
A. It prevents the spread of malware by checking a file's integrity
Your organization is having issues with a custom web application. The application seems to run fine for a while but starts to lock up or crash after 7 to 10 days of continuous use. Examining the server, you notice that memory usage seems to climb every day until the server runs out of memory. The application is most likely suffering from which of the following?
A. Memory leak
Why are false negatives more critical than false positives in NIDS/NIPS solutions?
A. A false negative is a missed attack, whereas a false positive is just extra noise.
Your network traffic logs show a large spike in traffic to your DNS server. Looking at the logs, you see a large number of TCP connection attempts from a single IP address. The destination port of the TCP connections seems to increment by one with each new connection attempt.
Active reconnaissance
Disassociation attack
All of the wireless users on the third floor of your building are reporting issues with the network. Every 15 minutes, their devices disconnect from the network. Within a minute or so they are able to reconnect. What type of attack is most likely underway in this situation?
Keylogger
An employee at your organization is concerned because her ex-spouse "seems to know everything she does." She tells you her ex keeps accessing her e-mail and social media accounts even after she has changed her passwords multiple times. She is using a laptop at home that was a gift from her ex. You suspect the laptop has what type of malware loaded on it?
A colleague on your team takes three times longer than you do to complete common tasks in a particular application. When you go to help him, you notice immediately that he doesn't use any of the shortcuts designed into the application. When you ask him why he's not using shortcuts, he tells you he didn't know the shortcuts exist. This is an example of which of the following?
An untrained user
You're providing incident response services for a small company after a breach. The first thing you notice is the entire network is completely flat once you get behind the firewall. Services, user workstations, and printers are all on the same subnet with no VLANs or network segmentation. This is an example of what type of weakness?
Architecture/design weakness
Hacktivist
Attacks by an individual or even a small group of attackers fall into which threat category?
Structured threat
Attacks by individuals from organized crime are generally considered to fall into what category?
You have been asked to prepare a report on network-based intrusion detection systems that compares the NIDS solution from two potential vendors your company is considering. One solution is signature based and one is behavioral based. Which of the following lists what your report will identify as the key advantage of each?
B. Behavioral: ability to detect zero-day attacks; Signature: low false-positive rates
What is the most common use of data sanitization tools?
B. Erasing hard drives before computers are recycled
A network-based intrusion prevention system (NIPS) relies on what other technology at its core?
B. IDS
How does a mail gateway's control of spam improve security?
B. It can defeat many phishing attempts
What two things can removable media control do to improve security?
B. Prevent infiltration of malware and prevent exfiltration of data
How can proxy servers improve security?
B. They can control which sites and content employees access, lessening the chances of malware
While auditing an organization you discover that new users are added to the domain by sending an e-mail request to the IT department, but the e-mails don't always come from human resources, and IT doesn't always check with HR to ensure the new user request corresponds to an authorized user. This is an example of which of the following?
B. Vulnerable business process
A web application you are reviewing has an input field for username and indicates the username should be between 6 and 12 characters. You've discovered that if you input a username 150 characters or more in length, the application crashes. What is this an example of?
Buffer overflow
Which of the following is an example of an embedded system?
C. A network-enabled thermostat
You are managing a large network with several dozen switches when your monitoring system loses control over half of them. This monitoring system uses SNMPv2 to read traffic statistics and to make configuration changes to the switches. What has most likely happened to cause the loss of control?
C. An attacker has sniffed the SNMP password and made unauthorized configuration changes
Why is e-mail encryption difficult?
C. Because of a lack of a uniform standardized protocol and method for encryption
After you implement a new firewall on your corporate network, a coworker comes to you and asks why he can no longer connect to a Telnet server he has installed on his home DSL line. This failure to connect is likely due to
C. Blocked by policy, Telnet not considered secure
There are reports of a worm going through your company that communicates to other nodes on port TCP/1337. What tool would you use to find infected nodes on your network?
C. Network scanner
The tcpdump command-line tool is classified as which of the following?
C. Protocol analyzer
After an upgrade to your VPN concentrator hardware, your manager comes to you with a traffic graph showing a 50% increase in VPN traffic since the new hardware was installed. What is a possible cause of this increase?
C. The new VPN defaults to full tunneling.
While examining internal network traffic, you notice a large amount of suspicious traffic coming from an IP address in the development environment. The IP address isn't listed on any network diagram and shouldn't be active on your network as far as you can tell. When you ask the developers about it, one of them tells you he set up that server over 12 months ago for a temporary project and forgot all about it. This is an example of which of the following?
C. Undocumented asset
Your manager comes to you with an audit finding that 85% of the machines on your network are vulnerable to a variety of different exploits. He wants you to verify the findings of the report. What would be the best tool for this?
C. Vulnerability scanner
Dumpster diving.
Coming into your office, you overhear a conversation between two security guards. One guard is telling the other she caught several people digging through the trash behind the building early this morning. The security guard says the people claimed to be looking for aluminum cans, but only had a bag of papers--and no cans.
Fraud, extortion, theft, embezzlement, forgery
Criminal activity on the internet can include:
Your organization has been hit with multiple targeted network attacks over the last few months resulting in two data breaches. To attempt to discover how the attackers are getting into your systems, you set up a few vulnerable virtual machines with fake data on them that look like the organization's real machines. What defense mechanism have you built?
D. A honeynet
Why will NAT likely continue to be used even in IPv6 networks?
D. It can hide the internal addressing structure from direct outside connections
What technology can check the client's health before allowing access to the network?
D. NAC
What kind of tool is Wireshark?
D. Protocol analyzer
You are asked to present to senior management virtual private network methodologies in advance of your company's purchase of new VPN concentrators. Why would you strongly recommend IPSec VPNs?
D. All of the above (connection integrity, data-origin authentication, traffic-flow confidentiality)
You've been asked to help address some findings from a recent PCI (payment card industry) audit, one of which is support for SSL 2.0 on a web server. Your CFO wants to know why SSL 2.0 support is a problem. You tell her SSL 2.0 support is an example of which of the following vulnerabilities?
D. Weak cipher suites
While examining a laptop infected with malware, you notice the malware loads at startup and also loads a file called netutilities.dll each time Microsoft Word is opened. This is an example of which of the following?
DLL injection
A colleague shows you a scanning report indicating your web server is not vulnerable to the Heartbleed bug. You know this isn't true as you've personally verified that web server is vulnerable. You believe the scanner used to examine your web server is reporting which of the following?
False Negative
You're reviewing a custom web application and accidentally type a number in a text field. The application returns an error message containing variable names, filenames, and the full path of the application. This is an example of which of the following?
Improper error handling
Your organization is considering using a new ticket identifier with your current help desk system. The new identifier would be a 16-digit integer created by combining the date, time, and operator ID. Unfortunately, when you've tried using the new identifier in the "ticket number" field on your current system, the application crashes every time. The old method of using a 5-digit integer works just fine. This is most likely an example of which of the following?
Integer overflow
While validating a vulnerability, your colleague changes the password of the administrator account on the Windows Server she is examining (as proof of success). This is an example of what type of testing?
Intrusive Testing
Armored virus
Malware engineers sometimes take steps to prevent reverse engineering of their code. A virus, such as Zeus, that uses encryption to resist reverse engineering attempts is what type of malware?
Passive
Most network tools that are designed to detect an attack are considered
You are attempting to perform an external vulnerability assessment for a client, but your source IP addresses keep getting blocked every time you attempt to run a vulnerability scan. The client confirms this is "as expected" behavior. You aren't able to scan for vulnerabilities, but you have been able to do which of the following?
Passively test security controls
What is the primary difference between penetration tests and vulnerability scans?
Penetration tests exploit discovered vulnerabilities
An externally facing web server in your organization keeps crashing. Looking at the server after a reboot, you notice CPU usage is pegged and memory usage is rapidly climbing. The traffic logs show a massive amount of incoming HTTP and HTTPS requests to the server. Which type of attack is this web server experiencing?
Resource exhaustion
Ransomware
Several desktops in your organization are displaying a red screen with the message "Your files have been encrypted. Pay 1 Bitcoin to recover them." These desktops have most likely been affected by what type of malware?
Script kiddies
Term used to refer to individuals who do not have technical expertise to develop scripts or discover new vulnerabilities in software but who have just enough understanding of computer systems to be able to download and run scripts that others have developed
Threat Intelligence
The gathering of information from a variety of sources, including non-public sources, to allow an entity to properly focus their defenses against the most likely threat actors
Which of the following is a vulnerability related to a lack of vendor support?
The product has been declared "end of life" by the vendor; the vendor is no longer in business; the vendor does not support nonstandard configurations for its products.
Which of the following are characteristics of remote-access Trojans (RATs)?
They can be deployed through malware such as worms; they allow attackers to connect to the system remotely; they give attackers the ability to modify files and change settings
Which of the following is a passive tool?
Tripwire
Rogue AP
Users are reporting the wireless network on one side of the building is broken. They can connect, but can't seem to get to the Internet. While investigating, you notice all of the affected users are connecting to an access point you don't recognize.
Bot
Users at your organization are complaining about slow systems. Examining several of them, you see that CPU utilization is extremely high and a process called "btmine" is running on each of the affected systems. You also notice each of the affected systems is communicating with an IP address outside your country on UDP port 43232. If you disconnect the network connections on the affected systems, the CPU utilization drops significantly.
Which of the following would be an example of initial exploitation?
Using a SQL injection attack to successfully bypass a login prompt
A colleague calls you to ask for assistance. He is having trouble keeping an attacker out of his network. He tells you no matter what he tries, he can't seem to keep the attacker off his network and he has no idea how the attacker keeps getting in. This is an example of what kind of attack?
Whack-a-mole attack
Hacktivists
What is the name given to a group of hackers who work together for a collectivist effort, typically on behalf of some cause?
Elite Hackers
What is the name given to the group of people who not only have the ability to write scripts that exploit vulnerabilities but also are capable of discovering new vulnerabilities?
Shimming
What type of attack involves an attacker putting a layer of code between an original device driver and the operating system?
Whereas in the past it would take a significant amount of risk to copy detailed information, today it can be done with a few clicks and a USB drive
What is a threat concern regarding competitors?
Replay attack
When an attacker captures network traffic and re-transmits it at a later time, what type of attack are they attempting?
Unusual outbound network traffic; increased number of logins; large number of requests for the same file
Which of the following could be an indicator of compromise?
Attack
Which of the following is the term generally used to refer to the act of deliberately accessing computer systems and networks without authorization?
Escalation of Privileges
While examining log files on a Linux system, you notice an unprivileged user account was compromised, followed by several processes crashing and restarting, and finally the shadow file was accessed and modified. What technique is being used by the attacker?
Backdoor
While port scanning your network for unauthorized systems, you notice one of your file servers has TCP port 31337 open. When you connect to the port with netcat, you see a prompt that reads "Enter password for access:". Your server may be infected with what type of malware?
False positive
While running a vulnerability scanner against a Windows server, the tool reports the server may be affected by an offset2lib patch vulnerability. You find this odd because offset2lib only applies to Linux-based systems. What is this called?
Tailgating
While waiting in the lobby of your building for a guest, you notice a man in a red shirt standing close to a locked door with a large box in his hands. He waits for someone else to come along and open the locked door. What type of social engineering attack have you just witnessed?
You've been asked to examine a custom web application your company is developing. You will have access to design documents, data structure descriptions, data flow diagrams, and any other details about the application you think would be useful. This is an example of what type of testing?
White Box Testing
These users unwittingly installed spyware
You notice some unusual network traffic and discover several systems in your organization are communicating with a rather dubious "market research" company on a regular basis. When you investigate further you discover that users of the affected systems all installed the same piece of freeware. What might be happening on your network?
Bluejacking
You're sitting at the airport when your friend gets a message on her phone. In the text is a picture of a duck with the word "Pwnd" as the caption. Your friend is a victim of what type of attack?
Wireshark
You've been asked to examine network traffic. You have 1TB of tcpdump logs to review. What tool would you use to examine the logs?
Rainbow Tables
You've been asked to try and crack the password of a disgruntled user who was recently fired. Which of the following could help you crack that password in the least amount of time?
DDoS attack (Distributed Denial of Service attack)
Your e-commerce site is crashing under an extremely high traffic volume. Looking at the traffic logs, you see tens of thousands of requests for the same URL coming from hundreds of different IP addresses around the world. What type of attack are you facing?
Your systems are infected with polymorphic malware
Your organization is struggling to contain a recent outbreak of malware. On some of the PCs, your antivirus solution is able to detect and clean the malware. On other PCs exhibiting the exact same symptoms, your antivirus solution reports the system is "clean." These PCs are all running the same operating system and same antivirus software. What might be happening?
Zero-day attack
Your organization's web server was just compromised despite being protected by a firewall and IPS. The web server is fully patched and properly configured according to industry best practices. The IPS logs show no unusual activity, but your network traffic logs show an unusual connection from an IP address belonging to a university. What type of attack is most likely occurring?
Pivoting
Your team examines network traffic logs. You see incoming connections to a web server in the DMZ. Several hours later in the same traffic logs you see connections from the web server to the other systems in the DMZ as well as internal systems. This is an example of?
A web server in your organization has been defaced. The server is patched and properly configured as far as anyone can tell. Your logs show unusual traffic from external IP addresses just before the defacement occurred. It's possible your server was attacked by which of the following?
Zero Day Exploit
Highly Structured threat
A threat characterized by a greater amount of planning, a longer period of time to conduct the activity, more financial backing to accomplish it, and the possible corruption of or collusion with insiders and/or an organized group of attackers
List three key functions of security information and event management systems
Aggregation, correlation, alerting
Advanced Persistent Threat (APT)
Attacks that are characterized by using a toolkit to achieve a presence on a target network, with a focus on the long game: maintaining persistence on the target network
Information warfare
Warfare conducted against the information and information processing equipment used by an adversary
Insiders have the access and knowledge necessary to cause immediate damage to an organization; insiders may actually already have access to what they need to perpetrate criminal activity such as fraud; attacks by insiders are often the result of employees who have become disgruntled with their organization and are looking for ways to disrupt operations
What are the reasons that the insider threat is considered so dangerous?
Attackers have the persistence and skill to keep attacking weaknesses; there are a surprising number of attacks being performed using old attacks, old vulnerabilities, and simple methods that take advantage of "low-hanging fruit"
What is true concerning attacker skills and sophistication?
Black Box Testing
You've been asked to perform an assessment of a new software application. Your client wants you to perform the assessment without providing you any information about the software. This is what kind of testing?
