SECURITY+ EXAM SY0-501
Which of the following BEST describes a network-based attack that can allow an attacker to take full control of a vulnerable host? A. Remote exploit B. Amplification C. Sniffing D. Man-in-the-middle
A.
A Chief Information Officer (CIO) recently saw on the news that a significant security flaw exists with a specific version of a technology the company uses to support many critical applications. The CIO wants to know if this reported vulnerability exists in the organization and, if so, to what extent the company could be harmed. Which of the following would BEST provide the needed information? A. Penetration test B. Vulnerability scan C. Active reconnaissance D. Patching assessment report
A.
A security analyst is assigned to perform a penetration test for one of the company's clients. During the scope discussion, the analyst is notified that the client is not going to share any information related to the environment to be tested. Which of the following BEST identifies the type of penetration testing? A. Black box B. White box C. Gray box D. Blue teaming
A.
A technician wants to perform network enumeration against a subnet in preparation for an upcoming assessment. During the first phase, the technician performs a ping sweep. Which of the following scan types did the technician use? A. Non-intrusive B. Intrusive C. Credentialed D. Passive
A.
A user receives an email from the ISP indicating that malicious traffic has been detected coming from the user's home network. The traffic appears to be Linux-based, and it is targeting a website that was recently featured on the news as having been taken offline by an Internet attack. The only Linux device on the network is a home surveillance camera system. Which of the following BEST describes what is happening? A. The camera system is infected with a bot. B. The camera system is infected with a RAT. C. The camera system is infected with a Trojan. D. The camera system is infected with a backdoor.
A.
Which of the following components of printers and MFDs are MOST likely to be used as vectors of compromise if they are improperly configured? A. Embedded web server B. Spooler C. Network interface D. LCD control panel
A.
Which of the following enables sniffing attacks against a switched network? A. ARP poisoning B. IGMP snooping C. IP spoofing D. SYN flooding
A.
Which of the following threat actors is MOST likely to steal a company's proprietary information to gain a market edge and reduce time to market? A. Competitor B. Hacktivist C. Insider D. Organized crime
A.
Which of the following differentiates a collision attack from a rainbow table attack? A. A rainbow table attack performs a hash lookup. B. A rainbow table attack uses the hash as a password. C. In a collision attack, the hash and the input data are equivalent. D. In a collision attack, the same input results in different hashes.
A. Explanation/Reference: A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. A collision attack on a cryptographic hash tries to find two inputs producing the same hash value, i.e. a hash collision.
A user downloads and installs an MP3 converter, and runs the application. Upon running the application, the antivirus detects a new port in a listening state. Which of the following has the user MOST likely executed? A. RAT B. Worm C. Ransomware D. Bot
A. Explanation/Reference: A Remote Access Trojan is a type of malware that controls a system through a remote network connection. While desktop sharing and remote administration have many legal uses, "RAT" connotes criminal or malicious activity. A RAT is typically installed without the victim's knowledge, often as payload of a Trojan horse, and will try to hide its operation from the victim and from security software and other anti-virus software.
A remote intruder wants to take inventory of a network so exploits can be researched. The intruder is looking for information about software versions on the network. Which of the following techniques is the intruder using? A. Banner grabbing B. Port scanning C. Packet sniffing D. Virus scanning
A. Explanation/Reference: Banner grabbing is a technique used to gain information about a computer system on a network and the services running on its open ports. Administrators can use this to take inventory of the systems and services on their network. However, an intruder can use banner grabbing in order to find network hosts that are running versions of applications and operating systems with known exploits. Some examples of service ports used for banner grabbing are those used by Hyper Text Transfer Protocol (HTTP), File Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP); ports 80, 21, and 25 respectively. Tools commonly used to perform banner grabbing are Telnet, nmap, zmap and Netcat.
A senior incident response manager receives a call about some external IPs communicating with internal computers during off hours. Which of the following types of malware is MOST likely causing this issue? A. Botnet B. Ransomware C. Polymorphic malware D. Armored virus
A. Explanation/Reference: Botnets can be used to perform distributed denial-of-service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection. The owner can control the botnet using command and control (C&C) software. The word "botnet" is a combination of the words "robot" and "network". The term is usually used with a negative or malicious connotation.
A penetration tester is assessing a large organization and obtains a valid set of basic user credentials from a compromised computer. Which of the following is the MOST likely to occur? A. Impersonation B. Credential harvesting C. Password cracking D. Lateral movement
B.
A penetration testing team deploys a specifically crafted payload to a web server, which results in opening a new session as the web server daemon. This session has full read/write access to the file system and the admin console. Which of the following BEST describes the attack? A. Domain hijacking B. Injection C. Buffer overflow D. Privilege escalation
B.
A technician is evaluating malware that was found on the enterprise network. After reviewing samples of the malware's binaries, the technician finds each has a different hash associated with it. Which of the following types of malware is MOST likely present in the environment? A. Trojan B. Polymorphic worm C. Logic Bomb D. Armored Virus
B.
An organization's IT department announced plans to update workstation operating systems to the latest version after electing to skip the prior two versions. Which of the following vulnerabilities is the organization seeking to mitigate? A. Incompatibility issues with currently implemented software B. Lack of vendor support on the version currently in use C. Poorly defined security baselines D. Use of expired certificates on the network
B.
During a routine review of firewall log reports, a security technician notices multiple successful logins for the admin user during unusual hours. The technician contacts the network administrator, who confirms the logins were not related to the administrator's activities. Which of the following is the MOST likely reason for these logins? A. Firewall maintenance service windows were scheduled. B. Default credentials were still in place. C. The entries in the log were caused by the file integrity monitoring system. D. A blue team was conducting a penetration test on a firewall.
B. Explanation/Reference: A default credential vulnerability most commonly affects devices such as modems, routers, digital cameras, and other devices that ship with pre-set (default) administrative credentials for accessing all configuration settings. The vendor or manufacturer of such devices uses a single pre-defined set of admin credentials to access the device configuration, and any potential attacker can misuse this fact to compromise such devices if those credentials are not changed by the consumers.
Which of the following threats has sufficient knowledge to cause the MOST danger to an organization? A. Competitors B. Insiders C. Hacktivists D. Script kiddies
B. Explanation/Reference: An insider threat is a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization's security practices, data and computer systems. The threat may involve fraud, the theft of confidential or commercially valuable information, the theft of intellectual property, or the sabotage of computer systems. The insider threat comes in three categories: 1) malicious insiders, which are people who take advantage of their access to inflict harm on an organization; 2) negligent insiders, which are people who make errors and disregard policies, which place their organizations at risk; and 3) infiltrators, who are external actors that obtain legitimate access credentials without authorization.
A security analyst is mitigating a pass-the-hash vulnerability on a Windows infrastructure. Given the requirement, which of the following should the security analyst do to MINIMIZE the risk? A. Enable CHAP B. Disable NTLM C. Enable Kerberos D. Disable PAP
B. Explanation/Reference: In cryptanalysis and computer security, pass the hash is a hacking technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LanMan hash of a user's password, instead of requiring the associated plaintext password as is normally the case. NTLM (NT LAN Manager) is Microsoft's older authentication protocol, replaced by Kerberos starting with Windows 2000. It was designed and implemented by Microsoft engineers for the purpose of authenticating accounts between Microsoft Windows machines and servers. The password hash is based on MD4, which is relatively weak. Even though the hash is salted before it is sent over the wire, it is stored unsalted in a machine's memory. The worst issue, however, is that in order to authenticate to a machine, a user must respond to a challenge from the target, which exposes the password to offline cracking.
An external attacker can modify the ARP cache of an internal computer. Which of the following types of attacks is described? A. Replay B. Spoofing C. DNS poisoning D. Client-side attack
B. Explanation/Reference: Many of the protocols in the TCP/IP suite do not provide mechanisms for authenticating the source or destination of a message, and are thus vulnerable to spoofing attacks when extra precautions are not taken by applications to verify the identity of the sending or receiving host. IP spoofing and ARP spoofing in particular may be used to leverage man-in-the-middle attacks against hosts on a computer network. Spoofing attacks which take advantage of TCP/IP suite protocols may be mitigated with the use of firewalls capable of deep packet inspection or by taking measures to verify the identity of the sender or recipient of a message.
While browsing an external website, a human resources manager opens several links in new browser tabs to review later. After browsing 20 minutes, a full screen message appears in a completely new browser window with a critical error code and a help desk number to call. At the same time, an audio message plays over the laptop speaker, describing a critical error and warning that the IP address of the laptop will be blocked until the critical issue is resolved. The human resources manager is unable to escape out of the error message, and the keyboard is not responsive. After alerting the security team, the human resources manager holds down the power button to turn off the laptop and then powers it back on, which rectifies the issue. Which of the following BEST describes the type of attack the human resources manager is experiencing? A. Spyware B. Ransomware C. Adware D. Logic bomb
C.
Which of the following is commonly done as part of a vulnerability scan? A. Exploiting misconfigured applications B. Cracking employee passwords C. Sending phishing emails to employees D. Identifying unpatched workstations
D.
A security analyst is conducting a web application vulnerability scan against the company website. Which of the following is considered an intrusive scan? A. Ping Sweep B. Time-delay port scanning C. Service identification D. Cipher suite order
D.
Hacktivists are commonly motivated by? A. Curiosity B. Notoriety C. Financial Gain D. Political Cause
D.
Which of the following BEST describes the impact of an unremediated session timeout vulnerability? A. The credentials of a legitimate user could be intercepted and reused to log in when the legitimate user is offline B. An attacker has time to attempt brute-force password cracking C. More than one user may be allowed to concurrently connect to the system, and an attacker can use one of those concurrent connections D. An attacker could use an existing session that has been initiated by a legitimate user
D.
Which of the following is a major difference between XSS attacks and remote code exploits? A. XSS attacks use machine language, while remote exploits use interpreted language. B. XSS attacks target servers, while remote code exploits target clients. C. Remote code exploits aim to escalate attackers' privileges, while XSS attacks aim to gain access only. D. Remote code exploits allow writing code at the client side and executing it, while XSS attacks require no code to work.
D.
An analyst is part of a team that is investigating a potential breach of sensitive data at a large organization, which serves the financial sector. The organization suspects a breach occurred when proprietary data was disclosed to the public. The team finds servers were accessed using shared credentials that have been in place for some time. In addition, the team discovers undocumented firewall rules, which provided unauthorized external access to a server. Suspecting the activities of a malicious insider threat, which of the following was the MOST likely to have been utilized to exfiltrate the proprietary data? A. Keylogger B. Botnet C. Crypto-malware D. Backdoor E. Ransomware F. DLP
D. Explanation/Reference: A backdoor is a malware type that negates normal authentication procedures to access a system. As a result, remote access is granted to resources within an application, such as databases and file servers, giving perpetrators the ability to remotely issue system commands and update malware.
A network administrator is reviewing the following IDS logs:
ALERT: 192.163.1.20:1027 -> 192.168.1.21:445 malicious p
ALERT: 192.163.1.20:1034 -> 192.168.1.22:445 malicious p
ALERT: 192.163.1.20:2041 -> 192.168.1.23:445 malicious p
ALERT: 192.163.1.20:1165 -> 192.168.1.24:445 malicious p
Based on the above information, which of the following types of malware is triggering the IDS? A. Trojan B. Bot C. Logic Bomb D. Worm
D. Explanation/Reference: A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.
Ann, a user, states that her machine has been behaving erratically over the past week. She has experienced slowness and input lag and found text files that appear to contain pieces of her emails or online conversations with coworkers. The technician runs a standard virus scan but detects nothing. Which of the following types of malware has infected the machine? A. Ransomware B. Rootkit C. Backdoor D. Keylogger
D. Explanation/Reference: Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (logging) the keys struck on a keyboard, typically covertly, so that the person using the keyboard is unaware that their actions are being monitored. Data can then be retrieved by the person operating the logging program. A keylogger can be either software or hardware.
A security analyst is monitoring the network and observes unusual traffic coming from a host on the LAN. Using a network monitoring tool, the analyst observes the following information:
Time | IP Src | IP Dst | Src Port | Dst Port | Protocol
12.490000 | 192.168.2.155 | 192.168.2.100 | 32857 | 445 | SMBv1
12.490005 | 192.168.2.155 | 192.168.2.101 | 32858 | 445 | SMBv1
12.490013 | 192.168.2.155 | 192.168.2.102 | 32859 | 445 | SMBv1
12.490018 | 192.168.2.155 | 192.168.2.103 | 32860 | 445 | SMBv1
12.490024 | 192.168.2.155 | 192.168.2.104 | 32861 | 445 | SMBv1
12.490028 | 192.168.2.155 | 192.168.2.105 | 32862 | 445 | SMBv1
12.490029 | 192.168.2.155 | 192.168.2.106 | 32863 | 445 | SMBv1
12.490035 | 192.168.2.155 | 192.168.2.107 | 32864 | 445 | SMBv1
12.490037 | 192.168.2.155 | 192.168.2.108 | 32865 | 445 | SMBv1
12.490039 | 192.168.2.155 | 192.168.2.109 | 32866 | 445 | SMBv1
After ten seconds, some computers shown in the IP Dst field start to exhibit the same behavior and immediately make multiple outbound connection attempts. Based on this observed behavior, which of the following is the MOST likely cause? A. Users are running port scans on the network. B. A malicious host is performing a MITM attack. C. An amplified DDoS attack is in progress. D. A worm is attacking the network. E. A race condition is being leveraged.
D. Explanation/Reference: The indicator that this is a worm is the pattern of source and destination IP addresses. The source IP is one system, and it is trying to establish connections with multiple IPs on the same port; hosts it reached then start doing the same.
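Both the IDS alerts and the SMBv1 capture above show the same worm signature: one source opening connections to many destinations on one port, and the hosts it reached repeating the pattern shortly afterwards. The following Python is an added example, not part of the exam material; it parses a constructed flow table in the same column layout as the capture above, flags any source that reaches many distinct hosts on port 445 within a short window, and links a newly fanning-out host back to the earlier source that contacted it. The function names, thresholds and the sample rows (including the secondary host 192.168.2.101 spreading at second 22) are assumptions made for the example.

```python
"""Worm fan-out detector over flow records (added example, not from the exam dump)."""
from collections import defaultdict

# Constructed sample in the monitoring-tool layout from the question above.
# 192.168.2.155 spreads first; 192.168.2.101 (one of its targets) spreads ten seconds later.
SAMPLE_LOG = """\
Time | IP Src | IP Dst | Src Port | Dst Port | Protocol
12.490000 | 192.168.2.155 | 192.168.2.100 | 32857 | 445 | SMBv1
12.490005 | 192.168.2.155 | 192.168.2.101 | 32858 | 445 | SMBv1
12.490013 | 192.168.2.155 | 192.168.2.102 | 32859 | 445 | SMBv1
12.490018 | 192.168.2.155 | 192.168.2.103 | 32860 | 445 | SMBv1
12.490024 | 192.168.2.155 | 192.168.2.104 | 32861 | 445 | SMBv1
13.100000 | 192.168.2.10 | 192.168.2.50 | 51000 | 443 | TLS
22.500000 | 192.168.2.101 | 192.168.2.110 | 40001 | 445 | SMBv1
22.500004 | 192.168.2.101 | 192.168.2.111 | 40002 | 445 | SMBv1
22.500009 | 192.168.2.101 | 192.168.2.112 | 40003 | 445 | SMBv1
22.500012 | 192.168.2.101 | 192.168.2.113 | 40004 | 445 | SMBv1
22.500015 | 192.168.2.101 | 192.168.2.114 | 40005 | 445 | SMBv1
"""


def parse_flows(text):
    """Parse the pipe-separated table (header skipped) into a list of dicts."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        t, src, dst, sport, dport, proto = [f.strip() for f in line.split("|")]
        rows.append({"time": float(t), "src": src, "dst": dst,
                     "sport": int(sport), "dport": int(dport), "proto": proto})
    return rows


def fan_out_sources(flows, port=445, window=1.0, min_targets=5):
    """Return {src: sorted distinct destinations} for every source that contacts at
    least `min_targets` distinct hosts on `port` within any `window`-second span."""
    by_src = defaultdict(list)
    for f in flows:
        if f["dport"] == port:
            by_src[f["src"]].append(f)
    hits = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f["time"])
        j = 0  # left edge of the sliding time window
        for i in range(len(fl)):
            while fl[i]["time"] - fl[j]["time"] > window:
                j += 1
            if len({f["dst"] for f in fl[j:i + 1]}) >= min_targets:
                hits[src] = sorted({f["dst"] for f in fl})
                break
    return hits


def propagation_chain(flows, **kw):
    """Map each fanning-out host to the earlier fanning-out host that contacted it,
    i.e. the secondary infections the question describes."""
    hits = fan_out_sources(flows, **kw)
    first_seen = {}
    for f in flows:
        first_seen[f["src"]] = min(first_seen.get(f["src"], f["time"]), f["time"])
    chain = {}
    for child, _ in hits.items():
        for parent, targets in hits.items():
            if parent != child and child in targets and first_seen[parent] < first_seen[child]:
                chain[child] = parent
    return chain


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    print("fan-out sources:", fan_out_sources(flows))
    print("secondary infections:", propagation_chain(flows))
```

The window and target thresholds are the tuning knobs: a legitimate file server or backup host may also talk SMB to many peers, but rarely to five new hosts within a few milliseconds, and never in a chain where its own recent targets start doing the same.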
A penetration tester harvests potential usernames from a social networking site. The penetration tester then uses social engineering to attempt to obtain associated passwords to gain unauthorized access to shares on a network server. Which of the following methods is the penetration tester MOST likely using? A. Escalation of privilege B. SQL injection C. Active reconnaissance D. Proxy server
C.
A help desk technician receives a phone call from an individual claiming to be an employee of the organization and requesting assistance to access a locked account. The help desk technician asks the individual to provide proof of identity before access can be granted. Which of the following types of attack is the caller performing? A. Phishing B. Shoulder surfing C. Impersonation D. Dumpster diving
C.
A security auditor is testing perimeter security in a building that is protected by badge readers. Which of the following types of attacks would MOST likely gain access? A. Phishing B. Man-in-the-middle C. Tailgating D. Watering hole E. Shoulder surfing
C.
A security manager discovers the most recent vulnerability scan report illustrates low-level non-critical findings. Which of the following scanning concepts would BEST report critical threats? A. Non-credentialed scan B. Compliance scan C. Intrusive scan D. Application scan
C.
An auditor confirms the risk associated with a Windows-specific vulnerability, which was discovered by the company's security tool, does not apply due to the server running a Linux OS. Which of the following does this BEST describe? A. Inherent risk B. Attack vector C. False positive D. Remediation
C.
An employee is having issues when attempting to access files on a laptop. The machine was previously running slow, and many files were not accessible. The employee is not able to access the hard drive the next day, and all the file names were changed to some random names. Which of the following BEST represents what compromised the machine? A. Ransomware B. Worm C. Crypto-malware D. RAT
C.
Which of the following describes the key difference between vishing and phishing attacks? A. Phishing is used by attackers to steal a person's identity. B. Vishing attacks require some knowledge of the target of attack. C. Vishing attacks are accomplished using telephony services. D. Phishing is a category of social engineering attack.
C.
Ann, a customer, is reporting that several important files are missing from her workstation. She recently received communication from an unknown party who is requesting funds to restore the files. Which of the following attacks has occurred? A. Ransomware B. Keylogger C. Buffer overflow D. Rootkit
A. Explanation/Reference: Ransomware is a type of malicious software that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion, in which it encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem, and difficult-to-trace digital currencies such as Ukash and cryptocurrency are used for the ransoms, making tracing and prosecuting the perpetrators difficult. Ransomware attacks are typically carried out using a Trojan that is disguised as a legitimate file that the user is tricked into downloading or opening when it arrives as an email attachment. However, one high-profile example, the "WannaCry worm", traveled automatically between computers without user interaction.
Which of the following penetration testing concepts is an attacker MOST interested in when placing the path of a malicious file in the Windows\CurrentVersion\Run registry key? A. Persistence B. Pivoting C. Active reconnaissance D. Escalation of privilege
A. Explanation/Reference: Any file referenced in the CurrentVersion\Run key is executed every time a user logs into the system. This means the attacker is establishing persistence.
A security analyst is attempting to break into a client's secure network. The analyst was not given prior information about the client, except for a block of public IP addresses that are currently in use. After network enumeration, the analyst's NEXT step is to perform: A. a gray-box penetration test. B. a risk analysis. C. a vulnerability assessment. D. an external security audit. E. a red team exercise.
A. Explanation/Reference: There are three testing types:
Black box: Tester has no information about the systems being tested.
Gray box: Tester has a limited amount of information about the target, such as a block of IP addresses.
White box: Tester has full knowledge of the systems.
An actor downloads and runs a program against a corporate login page. The program imports a list of usernames and passwords, looking for a successful attempt. Which of the following terms BEST describes the actor in this situation? A. Script kiddie B. Hacktivist C. Cryptologist D. Security auditor
A. Explanation/Reference: A script kiddie is an unskilled individual who uses scripts or programs developed by others to attack computer systems and networks and deface websites.
A security administrator wants to implement a logon script that will prevent MITM attacks on the local LAN. Which of the following commands should the security administrator implement within the script to accomplish this task? A. arp -s 192.168.1.1 00-3a-d1-fa-b1-06 B. dig - [email protected] mypc.comptia.com C. nmap -A -T4 192.168.1.1 D. tcpdump -lnv host 192.168.1.1 or ether 00:3a:d1:fa:b1:06
A. Explanation/Reference: The Address Resolution Protocol (ARP) is a communication protocol used for discovering the link layer address, such as a MAC address, associated with a given internet layer address, typically an IPv4 address. ARP uses broadcast messages to resolve IP addresses to their respective MAC addresses. An attacker can take advantage of this by broadcasting a spoofed entry to the network. arp -s creates a static entry in the ARP cache, which cannot be overwritten by spoofed replies, preventing ARP poisoning of that entry.
Which of the following should a security analyst perform FIRST to determine the vulnerabilities of a legacy system? A. Passive scan B. Aggressive scan C. Credentialed scan D. Intrusive scan
A. Explanation/Reference: Legacy systems need caution when scanning for vulnerabilities. A vulnerability scan can cause system crashes in older systems.
Which of the following differentiates ARP poisoning from a MAC spoofing attack? A. ARP poisoning uses unsolicited ARP replies. B. ARP poisoning overflows a switch's CAM table. C. MAC spoofing uses DHCPOFFER/DHCPACK packets. D. MAC spoofing can be performed across multiple routers.
A. Explanation/Reference: The basic principle behind ARP spoofing is to exploit the lack of authentication in the ARP protocol by sending spoofed ARP messages onto the LAN. ARP spoofing attacks can be run from a compromised host on the LAN, or from an attacker's machine that is connected directly to the target LAN. Generally, the goal of the attack is to associate the attacker's host MAC address with the IP address of a target host, so that any traffic meant for the target host will be sent to the attacker's host. The attacker may choose to inspect the packets (spying), while forwarding the traffic to the actual default destination to avoid discovery, modify the data before forwarding it (man-in-the-middle attack), or launch a denial-of-service attack by causing some or all of the packets on the network to be dropped.
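Both the logon-script question (pinning the gateway with arp -s) and the explanation above come down to one observable on the victim: an ARP cache entry whose MAC no longer matches the expected one, or a single MAC claimed by several IPs. The following Python is an added example rather than material from the exam dump; it parses constructed Linux `ip -4 neigh show` output and reports both conditions, using the 192.168.1.1 / 00-3a-d1-fa-b1-06 pair from the arp -s option as the trusted entry. The attacker MAC 00:11:22:33:44:55, the neighbour lines and the function names are constructed for the example.

```python
"""ARP-cache poisoning indicators from `ip neigh` output (added example, not from the exam dump)."""
import re
from collections import defaultdict

# Constructed `ip -4 neigh show` output. The constructed attacker MAC 00:11:22:33:44:55
# is now associated with the gateway's IP (192.168.1.1) as well as its own (192.168.1.20).
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:55 STALE
192.168.1.30 dev eth0 lladdr 00:aa:bb:cc:dd:ee REACHABLE
192.168.1.40 dev eth0  FAILED
"""

# Trusted mapping, e.g. the entry pinned by `arp -s 192.168.1.1 00-3a-d1-fa-b1-06`.
# Windows writes MACs with dashes, Linux with colons, so both forms are normalized.
TRUSTED = {"192.168.1.1": "00-3a-d1-fa-b1-06"}

NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr (\S+) (\S+)$")


def normalize_mac(mac):
    """Lower-case, colon-separated form so dash and colon notations compare equal."""
    return mac.lower().replace("-", ":")


def parse_neigh(text):
    """Return {ip: mac} for entries that carry a link-layer address;
    FAILED/INCOMPLETE entries have no lladdr and are skipped."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            ip, _dev, mac, _state = m.groups()
            table[ip] = normalize_mac(mac)
    return table


def duplicate_macs(table):
    """MACs claimed by more than one IP: the classic sign that one host is
    answering ARP for another (gateway impersonation in the sample)."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def trusted_mismatches(table, trusted):
    """Entries that differ from the pinned mapping: {ip: (expected_mac, seen_mac)}."""
    out = {}
    for ip, mac in trusted.items():
        seen = table.get(ip)
        if seen is not None and seen != normalize_mac(mac):
            out[ip] = (normalize_mac(mac), seen)
    return out


if __name__ == "__main__":
    table = parse_neigh(SAMPLE_NEIGH)
    print("duplicate MACs:", duplicate_macs(table))
    print("trusted mismatches:", trusted_mismatches(table, TRUSTED))
```

On a real host the input would come from `ip -4 neigh show` (or `arp -a`, which needs a different regex); a duplicate-MAC hit alone can be benign (a router with several interface aliases), so the trusted-mapping check is the one worth alerting on for the gateway.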
An analyst is using a vulnerability scanner to look for common security misconfigurations on devices. Which of the following might be identified by the scanner? (Select TWO). A. The firewall is disabled on workstations. B. SSH is enabled on servers. C. Browser homepages have not been customized. D. Default administrator credentials exist on networking hardware. E. The OS is only set to check for updates once a day.
A. & D.
A user is unable to open a file that has a grayed-out icon with a lock. The user receives a pop-up message indicating that payment must be sent in Bitcoin to unlock the file. Later in the day, other users in the organization lose the ability to open files on the server. Which of the following has MOST likely occurred? (Select THREE) A. Crypto-malware B. Adware C. Botnet attack D. Virus E. Ransomware F. Backdoor G. DDoS attack
A. & D. & E.
A security auditor is performing a vulnerability scan to find out if mobile applications used in the organization are secure. The auditor finds out that one application has been accessed remotely with no legitimate account credentials. After investigating, it seems the application has allowed some user to bypass authentication of that application. Which of the following types of malware allows such a compromise to take place? (Select TWO). A. RAT B. Ransomware C. Worm D. Trojan E. Backdoor
A. & E. Explanation/Reference: A Remote Access Trojan is a type of malware that controls a system through a remote network connection. While desktop sharing and remote administration have many legal uses, "RAT" connotes criminal or malicious activity. A RAT is typically installed without the victim's knowledge, often as payload of a Trojan horse, and will try to hide its operation from the victim and from security software and other anti-virus software.
A security analyst is attempting to identify vulnerabilities in a customer's web application without impacting the system or its data. Which of the following BEST describes the vulnerability scanning concept performed? A. Aggressive scan B. Passive scan C. Non-credentialed scan D. Compliance scan
B. Explanation/Reference: Passive scanning is a method of vulnerability detection that relies on information gleaned from network data that is captured from a target computer without direct interaction. Packet sniffing applications can be used for passive scanning to reveal information such as operating system, known protocols running on non-standard ports and active network applications with known bugs. Passive scanning may be conducted by a network administrator scanning for security vulnerabilities or by an intruder as a preliminary to an active attack. For an intruder, passive scanning's main advantage is that it does not leave a trail that could alert users or administrators to their activities. For an administrator, the main advantage is that it doesn't risk causing undesired behavior on the target computer, such as freezes. Because of these advantages, passive scanning need not be limited to a narrow time frame to minimize risk or disruption, which means that it is likely to return more information. Passive scanning does have limitations. It is not as complete in detail as active vulnerability scanning and cannot detect any applications that are not currently sending out traffic; nor can it distinguish false information put out for obfuscation.
A third-party penetration testing company was able to successfully use an ARP cache poisoning technique to gain root access on a server. The tester successfully moved to another server that was not in the original network. Which of the following is the MOST likely method used to gain access to the other host? A. Backdoor B. Pivoting C. Persistence D. Logic bomb
B. Explanation/Reference: Pivoting refers to a method used by penetration testers that uses the compromised system to attack other systems on the same network to avoid restrictions such as firewall configurations, which may prohibit direct access to all machines. For example, if an attacker compromises a web server on a corporate network, the attacker can then use the compromised web server to attack other systems on the network.
Which of the following types of penetration test will allow the tester to have access only to password hashes prior to the penetration test? A. Black box B. Gray box C. Credentialed D. White box
B. Explanation/Reference: There are three testing types:
Black box: Tester has no information about the systems being tested.
Gray box: Tester has a limited amount of information about the target, such as a block of IP addresses.
White box: Tester has full knowledge of the systems.
A public announcement is made about a newly discovered, rapidly spreading virus. The security team immediately updates and applies all its antivirus signatures. The security manager contacts the antivirus vendor support team to ask why one of the systems was infected. The vendor support team explains that the signature update is not available for this virus yet. Which of the following BEST describes this situation? A. Race condition B. Zero day C. Lack of vendor support D. Untrained users
B. Explanation/Reference: Zero day means the malware is using a software vulnerability for which there is currently no available defense or fix.
Compared to a non-credentialed scan, which of the following is a unique result of a credentialed scan? A. Uncommon open ports on the host B. Outdated software versions on the host C. Self-signed certificate on the host D. Fully qualified domain name
B. Explanation/Reference: Credentialed scan: A credentialed scan logs in to the host with valid credentials, so it is a much safer way to run the vulnerability scanner and provides more detailed information (such as installed software versions) than a non-credentialed scan. You can also set up the auditing of files and user permissions.
A systems administrator found a suspicious file in the root of the file system. The file contains URLs, usernames, passwords, and text from other documents being edited on the system. Which of the following types of malware would generate such a file? A. Keylogger B. Rootkit C. Bot D. RAT
B. Explanation/Reference: Modern rootkits do not elevate access, but rather are used to make another software payload undetectable by adding stealth capabilities. Most rootkits are classified as malware, because the payloads they are bundled with are malicious. For example, a payload might covertly steal user passwords, credit card information, or computing resources, or conduct other unauthorized activities. A small number of rootkits may be considered utility applications by their users: for example, a rootkit might cloak a CD-ROM-emulation driver, allowing video game users to defeat anti-piracy measures that require insertion of the original installation media into a physical optical drive to verify that the software was legitimately purchased. Rootkits and their payloads have many uses:
1) Provide an attacker with full access via a backdoor, permitting unauthorized access to, for example, steal or falsify documents. One of the ways to carry this out is to subvert the login mechanism, such as the /bin/login program on Unix-like systems or GINA on Windows. The replacement appears to function normally, but also accepts a secret login combination that allows an attacker direct access to the system with administrative privileges, bypassing standard authentication and authorization mechanisms.
2) Conceal other malware, notably password-stealing keyloggers and computer viruses.
3) Appropriate the compromised machine as a zombie computer for attacks on other computers. (The attack originates from the compromised system or network, instead of the attacker's system.) "Zombie" computers are typically members of large botnets that can launch denial-of-service attacks, distribute e-mail spam, conduct click fraud, etc.
4) Enforcement of digital rights management (DRM).
A security analyst conducts a manual scan on a known hardened host that identifies many non-compliant items. Which of the following BEST describes why this has occurred? (Select TWO) A. Privileged-user certificates were used to scan the host B. Non-applicable plug-ins were selected in the scan policy C. The incorrect audit file was used D. The output of the report contains false positives E. The target host has been compromised
B. & D.
A security administrator is diagnosing a server where the CPU utilization has been at 100% for 24 hours. The main culprit of the CPU utilization is the antivirus program. Which of the following issues could occur if this is left unresolved? (Select TWO) A. MITM attack B. DoS attack C. DLL injection D. Buffer overflow E. Resource exhaustion
B. & E.
Which of the following specifically describes the exploitation of an interactive process to access otherwise restricted areas of the OS? A. Pivoting B. Process affinity C. Buffer overflow D. XSS
C. Explanation/Reference: A buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations. Buffers are areas of memory set aside to hold data, often while moving it from one section of a program to another, or between programs. Buffer overflows can often be triggered by malformed inputs; if one assumes all inputs will be smaller than a certain size and the buffer is created to be that size, then an anomalous transaction that produces more data could cause it to write past the end of the buffer. If this overwrites adjacent data or executable code, this may result in erratic program behavior, including memory access errors, incorrect results, and crashes.
The POODLE attack is an MITM exploit that affects: A. TLS1.0 with CBC mode cipher B. SSLv2.0 with CBC mode cipher C. SSLv3.0 with CBC mode cipher D. SSLv3.0 with ECB mode cipher
C. Explanation/Reference: A flaw was found in the way SSL 3.0 handled padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode.
How To Protect your Server Against the POODLE SSLv3 Vulnerability: On October 14th, 2014, a vulnerability in version 3 of the SSL encryption protocol was disclosed. This vulnerability, dubbed POODLE (Padding Oracle On Downgraded Legacy Encryption), allows an attacker to read information encrypted with this version of the protocol in plain text using a man-in-the-middle attack. Although SSLv3 is an older version of the protocol which is mainly obsolete, many pieces of software still fall back on SSLv3 if better encryption options are not available. More importantly, it is possible for an attacker to force SSLv3 connections if it is an available alternative for both participants attempting a connection. The POODLE vulnerability affects any services or clients that make it possible to communicate using SSLv3. Because this is a flaw with the protocol design, and not an implementation issue, every piece of software that uses SSLv3 is vulnerable. To find out more information about the vulnerability, consult the CVE information found at CVE-2014-3566.
What is the POODLE Vulnerability? The POODLE vulnerability is a weakness in version 3 of the SSL protocol that allows an attacker in a man-in-the-middle context to decipher the plain text content of an SSLv3 encrypted message.
Who is Affected by this Vulnerability? This vulnerability affects every piece of software that can be coerced into communicating with SSLv3. This means that any software that implements a fallback mechanism that includes SSLv3 support is vulnerable and can be exploited. Some common pieces of software that may be affected are web browsers, web servers, VPN servers, mail servers, etc.
How Does It Work? In short, the POODLE vulnerability exists because the SSLv3 protocol does not adequately check the padding bytes that are sent with encrypted messages. Since these cannot be verified by the receiving party, an attacker can replace them and pass them on to the intended destination. When done in a specific way, the modified payload will potentially be accepted by the recipient without complaint. On average, one out of every 256 requests will be accepted at the destination, allowing the attacker to decrypt a single byte. This can be repeated easily in order to progressively decrypt additional bytes. Any attacker able to repeatedly force a participant to resend data using this protocol can break the encryption in a very short amount of time.
How Can I Protect Myself? Actions should be taken to ensure that you are not vulnerable in your roles as both a client and a server. Since encryption is usually negotiated between clients and servers, it is an issue that involves both parties. Servers and clients should take steps to disable SSLv3 support completely. Many applications use better encryption by default, but implement SSLv3 support as a fallback option. This fallback should be disabled, as a malicious user can force SSLv3 communication if both participants allow it as an acceptable method.
Which of the following uses precomputed hashes to guess passwords? A. Iptables B. NAT tables C. Rainbow tables D. ARP tables
C. Explanation/Reference: A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes.
The network team has detected a large amount of traffic between workstations on the network. The traffic was initially very light, but it is increasing exponentially as the day progresses. Which of the following types of malware might be suspected? A. Backdoor B. Rootkit C. Worm D. Spyware
C. Explanation/Reference: As a worm propagates throughout a network, the increased traffic from infected hosts to new targets will increase bandwidth usage.
Which of the following attack types BEST describes a client-side attack that is used to manipulate an HTML iframe with JavaScript code via a web browser? A. Buffer overflow B. MITM C. XSS D. SQLi
C. Explanation/Reference: Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
A vulnerability scan is being conducted against a desktop system. The scan is looking for files, versions, and registry values known to be associated with system vulnerabilities. Which of the following BEST describes the type of scan being performed? A. Non-intrusive B. Authenticated C. Credentialed D. Active
C. Explanation/Reference: With vulnerability scanning, you can perform a credentialed or non-credentialed vulnerability scan. A non-credentialed scan is the easiest and quickest; it reports back only the open services on the network. A credentialed scan goes further by attempting to connect to a resource with a set or list of credentials supplied before the scan. This scan requires getting an accurate list of credentials but provides better insight into insider attacks.
A company has noticed multiple instances of proprietary information on public websites. It has also observed an increase in the number of email messages sent to random employees containing malicious links and PDFs. Which of the following changes should the company make to reduce the risks associated with phishing attacks? (Select TWO) A. Install an additional firewall B. Implement a redundant email server C. Block access to personal email on corporate systems D. Update the X.509 certificates on the corporate email server E. Update corporate policy to prohibit access to social media websites F. Review access violations on the file server
C. & E.
An employee in the finance department receives an email, which appears to come from the Chief Financial Officer (CFO), instructing the employee to immediately wire a large sum of money to a vendor. Which of the following BEST describes the principles of social engineering used? (Select TWO) A. Familiarity B. Scarcity C. Urgency D. Liking E. Consensus F. Authority
C. & F.
A technician is investigating a potentially compromised device with the following symptoms: -Browser slowness -Frequent browser crashes -Hourglass stuck -New search toolbar -Increased memory consumption Which of the following types of malware has infected the system? A. Man-in-the-browser B. Spoofer C. Spyware D. Adware
D. Explanation/Reference: The term adware is frequently used to describe a form of malware (malicious software) which presents unwanted advertisements to the user of a computer. The advertisements produced by adware are sometimes in the form of a pop-up or sometimes in an "unclosable window". When the term is used in this way, the severity of its implication varies. While some sources rate adware only as an "irritant", others classify it as an "online threat" or even rate it as seriously as computer viruses and trojans. The precise definition of the term in this context also varies. Adware that observes the computer user's activities without their consent and reports it to the software's author is called spyware.
A systems administrator is deploying a new mission essential server into a virtual environment. Which of the following is BEST mitigated by the environment's rapid elasticity characteristic? A. Data confidentiality breaches B. VM escape attacks C. Lack of redundancy D. Denial of service
D. Explanation/Reference: Virtual environments can help mitigate Denial of Service attacks by quickly allocating more resources from the host machine to handle the flood of traffic that a Denial of Service attack generates.
A malicious system continuously sends an extremely large number of SYN packets to a server. Which of the following BEST describes the resulting effect? A. The server will be unable to serve clients due to lack of bandwidth B. The server's firewall will be unable to effectively filter traffic due to the amount of data transmitted C. The server will crash when trying to reassemble all the fragmented packets D. The server will exhaust its memory maintaining half-open connections
D. Explanation/Reference: When a system tries to establish a connection with a server, it will send a SYN packet to the server, initiating a three-way handshake. The server will then reply with a SYN/ACK response, and wait for the final ACK response from the originating system. When there is no response, the server maintains the half-open connections, resulting in possible resource exhaustion.
In determining when it may be necessary to perform a credentialed scan against a system instead of a non-credentialed scan, which of the following requirements is MOST likely to influence the decision? A. The scanner must be able to enumerate the host OS of the devices scanned B. The scanner must be able to footprint the network C. The scanner must be able to check for open ports with listening services D. The scanner must be able to audit file system permissions
D. Explanation/Reference: Non-credentialed: A non-credentialed scan will monitor the network and see any vulnerabilities that an attacker would easily find; we should fix the vulnerabilities found with a non-credentialed scan first, as this is what the hacker will see when they enter your network. For example, an administrator runs a non-credentialed scan on the network and finds that there are three missing patches. The scan does not provide many details on these missing patches. The administrator installs the missing patches to keep the systems up to date as they can only operate on the information produced for them. Credentialed scan: A credentialed scan is a much safer version of the vulnerability scanner. It provides more detailed information than a non-credentialed scan. You can also set up the auditing of files and user permissions.
When attackers use a compromised host as a platform for launching attacks deeper into a company's network, it is said that they are: A. escalating privilege B. becoming persistent C. fingerprinting D. pivoting
D. Explanation/Reference: Pivoting refers to a method used by penetration testers that uses the compromised system to attack other systems on the same network to avoid restrictions such as firewall configurations, which may prohibit direct access to all machines. For example, if an attacker compromises a web server on a corporate network, the attacker can then use the compromised web server to attack other systems on the network.
A website form is used to register new students at a university. The form passes the unsanitized values entered by the user and uses them to directly add the student's information to several core systems. Which of the following attacks can be used to gain further access due to this practice? A. Cross-site request forgeries B. XSS attacks C. MITM attacks D. SQL Injection
D. Explanation/Reference: SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and is unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
A new security administrator ran a vulnerability scanner for the first time and caused a system outage. Which of the following types of scans MOST likely caused the outage? A. Non-intrusive credentialed scan B. Non-intrusive non-credentialed scan C. Intrusive credentialed scan D. Intrusive non-credentialed scan
D. Explanation/Reference: Vulnerability scanners generally take one of two approaches to discovering security holes: nonintrusive or intrusive scanning. Nonintrusive methods generally include a simple scan of the target system's attributes (e.g., inspecting the file system for specific files or file versions, checking the registry for specific values, scanning for missing security updates, port scanning to discover which services are listening). Intrusive scanning actually tries to exploit the vulnerabilities the scanner is looking for. Several products use varying levels of intrusive scanning and let you pick an increasing or decreasing level of intrusiveness. Always be wary when scanning production computers, lest a scan's successful exploit accidentally takes down the target system.