Security Plus Chapter questions
As a security professional, what should you do to address weak configurations that pose security risks to your organization? (Choose all that apply.) A. Change default usernames and passwords. B. Remove unnecessary apps. C. Disable unnecessary services. D. Open all ports so that everything can be scanned.
A, B, and C. Every effort should be made to remove unnecessary apps, disable any unnecessary services, and change default account usernames and passwords. Opening all ports is a recipe for disaster. Unnecessary or unused ports should be closed or secured.
Direct third-party risks include which of the following? (Choose all that apply.) A. System integration B. Supply chain C. Financial management D. Vendor management
A, B, and D. System integration, supply chain, and vendor management are sources of third-party risk. Financial management is related to impacts, not mainly third-party risks.
Threat hunting involves which of the following? (Choose all that apply.) A. Analysis of adversarial actions B. Interpretation of threats to other companies C. Compliance reporting D. Understanding how data flows in an enterprise
A, B, and D. Threat hunting involves analyzing adversarial actions, interpreting the threats to other companies, and understanding how data flows in an enterprise so adversaries can be caught maneuvering.
Which team involves members who emulate both attackers and defenders? A. Purple team B. Gold team C. Blue team D. White team
A. Purple teams have both offensive (red) and defensive (blue) personnel to provide a balanced response.
Financial risks associated with vulnerabilities can include which of the following? (Choose all that apply.) A. Regulatory fines and penalties B. Business reputation loss C. Loss of revenue due to downtime D. Loss of data
A and C. Regulatory fines and penalties as well as lost income because of downtime are direct financial impacts of cybersecurity problems. Business reputation may lead to a loss of customers, but this is not a direct connection. Loss of data may or may not have a financial impact depending upon the data and its connection to revenue.
Weak configurations can include which of the following? (Choose all that apply.) A. Open ports B. Lack of vendor support C. Firmware D. Use of unsecure protocols
A and D. Having open ports and using unsecure protocols can both provide openings for attackers to get into a system. Lack of vendor support is a third-party risk, and firmware has a fixed configuration.
Data protection includes all of the following topics except which ones? (Choose all that apply.) A. Honeypots B. Masking C. Tokenization D. DNS sinkholes
A and D. Honeypots and DNS sinkholes are part of deception and disruption activities, not data protection.
Common sources of vulnerability issues for systems include which of the following? (Choose all that apply.) A. Weak patch management B. Data loss C. Identity theft D. Weak configurations
A and D. Improper or weak patch management and weak configurations are defined as common sources for vulnerabilities.
A patch management process should include which of the following? (Choose all that apply.) A. Automated management of software assets B. Automated verification of current patch levels C. A specified period by which systems should be patched D. Connection of the patch management process to the change control process
A, B, C, and D. A good patch management process should include automated management of software assets, automated verification of current patch levels, a specified period by which systems should be patched, and connection of the patch management process to the change control process.
What is the purpose of deception in an enterprise? (Choose all that apply.) A. To trick attackers into stealing fake data B. To identify misconfigured systems C. To permit easy identification of unauthorized actors D. To provide a place to test new systems without impacting regular operations
A, B, and C. Deception techniques such as honeynets and honeypots can trick attackers into stealing fake data and make them easier to find in the network. These techniques can also help in determining systems that are misconfigured.
Which of the following is not associated typically with SIEM processes? A. Applications B. Syslog C. Log capture D. Log aggregation
A. Applications may be all over the network and may provide data to a SIEM, but they are not typically part of the SIEM process.
Once an organization's security policies have been established, what is the single most effective method of countering potential social engineering attacks? A. An active security awareness program B. A separate physical access control mechanism for each department in the organization C. Frequent testing of both the organization's physical security procedures and employee telephone practices D. Implementing access control cards and the wearing of security identification badges
A. Because any employee may be the target of a social engineering attack, the best thing you can do to protect your organization from these attacks is to implement an active security awareness program to ensure that all employees are cognizant of the threat and what they can do to address it.
Which process allows log files to be enriched with additional data to provide context? A. Log aggregation B. Log collectors C. Log reviews D. Syslog
A. During the process of aggregation, the log entries can be parsed, modified, and have key fields extracted or modified based on lookups or rules.
Which of the following are not typically scanned during a vulnerability scan? A. End users B. Network C. Applications D. Web applications
A. End users are not part of a vulnerability scan; they are air gapped from the system and are not part of the elements that are searched for vulnerabilities.
Anti-malware software fails to detect a ransomware attack that is supposed to be within its capabilities of detecting. What is this an example of? A. False negative B. False positive C. Measurement error D. Analysis failure
A. Failing to report on a known reportable event is a false negative.
You have read about a new threat against software that is vulnerable to hacking. The vulnerability is in a Python library, and your firm uses Python for the development of many in-house projects. Where is the best source of information with respect to this threat? A. File/code repositories B. Vulnerability databases C. Open source intelligence D. Indicators of compromise
A. File/code repositories is the correct answer because the code you are concerned about was developed in-house; hence, it will not show up in commercial databases or other sources.
Your organization is having issues with a custom web application. The application seems to run fine for a while but starts to lock up or crash after seven to ten days of continuous use. Examining the server, you notice that memory usage seems to climb every day until the server runs out of memory. The application is most likely suffering from which of the following? A. Memory leak B. Overflow leak C. Zero-day exploit D. Pointer dereference
A. Memory leaks are programming errors caused when a computer program does not properly handle memory resources. Over time, while a program runs, if it does not clean up memory resources as they are no longer needed, chunks of dead memory can become scattered across the program's footprint in memory. If a program executes for a long time, these dead memory areas can grow in size and consume resources, causing the system to crash.
OSINT involves which of the following? A. Passive reconnaissance B. Active reconnaissance C. Port scanning D. Persistence
A. OSINT is a passive activity, so passive reconnaissance is the correct answer. All of the other answers involve active measures.
While port-scanning your network for unauthorized systems, you notice one of your file servers has TCP port 61337 open. When you use Wireshark and examine the packets, you see encrypted traffic, in single packets, going back and forth every five minutes. The external connection is a server outside of your organization. What is this connection? A. Command and control B. Backdoor C. External backup location D. Remote login
A. Periodic traffic that looks like a heartbeat on high ports to an unknown server outside the network is suspicious, and this is what many command-and-control signals look like.
You need to move to the cloud a specific customer service module that has a web front end. This application is highly scalable and can be provided on demand. Which cloud deployment model is best for this application? A. SaaS B. PaaS C. IaaS D. None of the above
A. Software as a Service is suitable for delivering highly scalable, on- demand applications without installing endpoint software.
Which of the following teams is commonly used for active pen testing? A. Red team B. Black team C. White team D. Green team
A. The red team is a team of offense actors used in penetration testing.
A user in your organization is having issues with her laptop. Every time she opens a web browser, she sees different pop-up ads every few minutes. It doesn't seem to matter which websites are being visited— the pop-ups still appear. What type of attack does this sound like? A. A potentially unwanted program (PUP) B. Ransomware C. Worm D. Virus
A. This behavior is often seen in a potentially unwanted program—a type of application that has been bundled with others and is performing tasks that are undesired.
Your network scan is showing a large number of address changes to the MAC tables and lots of ARP and RARP messages. What is happening? A. MAC flooding attack B. Disassociation attack C. Jamming attack D. DNS poisoning
A. This is a MAC flooding attack—an attempt to overflow the MAC tables in the switches.
Users are reporting that the wireless network on one side of the building is broken. They can connect but can't seem to get to the Internet. While investigating, you notice all of the affected users are connecting to an access point you don't recognize. These users have fallen victim to what type of attack? A. Rogue AP B. WPS C. Bluejacking D. Disassociation
A. This is a rogue AP attack. Attackers set up their own access points in an attempt to get wireless devices to connect to the rogue APs instead of the authorized access points.
You're working with a group testing a new application. You've noticed that when three or more of you click Submit on a specific form at the same time, the application crashes every time. This is most likely an example of which of the following? A. A race condition B. A nondeterministic error C. An undocumented feature D. A DLL injection
A. This is most likely an example of a race condition. A race condition is an error condition that occurs when the output of a function is dependent on the sequence or timing of the inputs. In this case, the application crashes when multiple inputs are submitted at the same time because the application is not receiving the inputs or handling the inputs in the expected order.
Which of the following is a type of social engineering attack in which an attacker attempts to obtain sensitive information from a user by masquerading as a trusted entity in an e-mail? A. Phishing B. Pharming C. Spam D. Vishing
A. This is the definition of a phishing attack, as introduced in the chapter. The key elements of the question are e-mail and the unsolicited nature of its sending (spam).
Which of the following can provide complete traceability to an original transaction without revealing any personal information if disclosed to an outside party? A. Tokenization B. Data sovereignty C. Rights management D. Baseline configuration
A. Tokenization is the use of a random value to take the place of a data element that has traceable meaning. This provides complete traceability to the original transaction, and yet if disclosed to an outside party, it reveals nothing. Data sovereignty relates to a country's specific laws regarding the storage and transmission of personal data. Rights management is the systematic establishment of rules and order to the various rights that users can invoke over digital objects. A baseline configuration is originally created at system creation and is a representation of how the system is supposed to be configured.
Which of the following items do you as a defender have control over with respect to using threat intelligence to defend your systems? A. Vectors B. Actors C. Threat intelligence sources D. Attributes of actors
A. Vectors is the correct answer because this is the only item you have any direct control over. The other items are real issues, just not ones you have any measure of direct control over.
What is the primary downside of a private cloud model? A. Restrictive access rules B. Cost C. Scalability D. Lack of vendor support
B. A private cloud model is considerably more expensive, as it is a dedicated resource, negating some of the advantages of outsourcing the infrastructure in the first place.
When an attacker captures network traffic and retransmits it at a later time, what type of attack are they attempting? A. Denial-of-service attack B. Replay attack C. Bluejacking attack D. Man in the middle attack
B. A replay attack occurs when the attacker captures a portion of the communication between two parties and retransmits it at a later time. For example, an attacker might replay a series of commands and codes used in a financial transaction to cause the transaction to be conducted multiple times. Generally, replay attacks are associated with attempts to circumvent authentication mechanisms, such as the capturing and reuse of a certificate or ticket.
What type of threat exploits system and application vulnerabilities that are unknown to software developers and even anti-malware manufacturers? A. An on-premises attack B. A zero-day attack C. A cloud-based attack D. A legacy platform attack
B. A zero-day attack exploits system and application vulnerabilities that are unknown to others except the person who found it. The other answer options are not attack types. Vulnerabilities can exist on premises or be cloud based, and legacy platforms is the term used to describe systems that are no longer being marketed or supported.
A user wants to know if the network is down because she is unable to connect to anything. While troubleshooting, you notice the MAC address for her default gateway setting doesn't match the MAC address of your organization's router. What type of attack has been used against this user? A. MAC cloning B. ARP poisoning C. Disassociation D. Rogue access point
B. ARP poisoning is an attack that involves sending spoofed ARP or RARP replies to a victim in an attempt to alter the ARP table on the victim's system. If successful, an ARP poisoning attack will replace one of more MAC addresses in the victim's ARP table with the MAC address the attacker supplies in their spoofed responses.
Understanding how an attacker operates so that you can develop a defensive posture is done through the use of which of the following? A. Predictive analysis B. TTPs C. Threat maps D. Automated Indicator Sharing
B. Adversary tactics, techniques, and procedures (TTPs) provide details on how an adversary operates.
Your e-commerce site is crashing under an extremely high traffic volume. Looking at the traffic logs, you see tens of thousands of requests for the same URL coming from hundreds of different IP addresses around the world. What type of attack are you facing? A. Domain hijacking B. DDoS C. DNS poisoning D. URL redirection
B. This is a DDoS attack. DDoS (or distributed denial-of-service) attacks attempt to overwhelm their targets with traffic from many different sources. Botnets are quite commonly used to launch DDoS attacks.
When doing incident response for your company, you review the forensics of several virtual servers and you see the attacker on the web server injecting code into uninitialized memory blocks. What attack is the attacker likely attempting? A. Denial-of-service attack on the hypervisor B. VM escape C. Containerization attack D. Crashing the CASB
B. Although all hypervisors actively try to prevent it, any flaw in memory handling could allow code that is maliciously placed in a block to be read by the hypervisor or another machine. This is known as VM escape. The scenario states virtual server, eliminating answers C and D, and operational code blocks in uninitialized memory would not cause a denial of service, eliminating answer A.
Your threat intelligence vendor is sending out urgent messages concerning a new form of memory-resident malware. What is the likely item they are sharing with you? A. Vulnerability database B. Indicator of compromise C. Dark web D. Trusted Automated Exchange of Intelligence Information (TAXII)
B. An indicator of compromise (IoC) provides the details associated with how one can find active malware on a system.
You have deployed a network of Internet-connected sensors across a wide geographic area. These sensors are small, low-power IoT devices, and you need to perform temperature conversions and collect the data into a database. The calculations would be best managed by which architecture? A. Fog computing B. Edge computing C. Thin client D. Decentralized database in the cloud
B. Edge computing on the way to the cloud would be the best fit given the lightweight processing capability of the IoT devices.
Your company has had bad press concerning its support (or lack of support) for a local social issue. Which type of hacker would be the most likely threat to attack or deface your website with respect to this issue? A. State actor B. Hacktivist C. Black hat D. Competitor
B. Hacktivists are hackers that are pursuing a mission associated with a cause.
How does a hypervisor enable multiple guest operating systems to run concurrently on a host computer? A. Via a specialized driver package B. By abstracting the hardware from the guest operating system C. By providing specific virtual hardware to each guest OS D. By hiding the underlying Linux operating system
B. The hypervisor abstracts the hardware from the guest operating system to enable multiple guest operating systems to run concurrently on a host computer.
Which of the following is not a state of data in the enterprise? A. At rest B. In storage C. In processing D. In transit/motion
B. In storage is not a correct term used in describing the states of data. The correct states are at rest, in transit/motion, and in processing.
What is the most important first step in a penetration test? A. OSINT B. Rules of engagement C. Reconnaissance D. Privilege escalation
B. The rules of engagement describe the scope of an engagement and provide important information regarding contacts and permissions. Obtaining these rules is essential before any pen test work begins.
You want to get specific information on a specific threat that you have read about in your online newsfeed on your phone. Which of the following is the best source for detailed information? A. Vulnerability database B. Open source intelligence C. Dark web D. Predictive analysis
B. Open source intelligence is the best answer. Because you are looking for threat information, this eliminates vulnerability information as an answer. The dark web may or may not have information, and you would have to find it, and predictive analysis needs the information you seek in order to function.
You are seeing a bunch of PDFs flood people's inboxes with titles such as "New Tax Rates for 2021." What attack vector is most likely in use? A. Python B. Macro C. Man in the middle D. DDoS
B. PDFs have macro capability and can execute a variety of code bases if allowed.
Which cloud deployment model has the fewest security controls? A. Private B. Public C. Hybrid D. Community
B. The shared environment of a public cloud has the least amount of security controls.
One of the primary resources in use at your organization is a standard database that many applications tie into. Which cloud deployment model is best for this kind of application? A. SaaS B. PaaS C. IaaS D. None of the above
B. Platform as a Service is suitable for standard resources in use by many other applications.
Users at your organization are complaining about slow systems. Examining several of them, you see that CPU utilization is extremely high and a process called "btmine" is running on each of the affected systems. You also notice each of the affected systems is communicating with an IP address outside your country on UDP port 43232. If you disconnect the network connections on the affected systems, the CPU utilization drops significantly. Based on what you've observed, you suspect these systems are infected with what type of malware? A. Rainbow tables B. Crypto-malware C. Dictionary D. Hybrid attack
B. These systems are most likely infected with crypto-malware and are now part of a botnet that's mining cryptocurrency. The systems are running an unknown/unauthorized process, communicating with an external IP address, and using significant resources. These are all classic signs of crypto-malware.
You are planning to move some applications to the cloud, including your organization's accounting application, which is highly customized and does not scale well. Which cloud deployment model is best for this application? A. SaaS B. PaaS C. IaaS D. None of the above
C. Infrastructure as a Service is appropriate for highly customized, poorly scaling solutions that require specific resources to run.
Which of the following is important to consider when specifically examining configuration management? A. Data loss prevention B. Standard naming conventions C. Rights management D. Hashing
B. Standard naming conventions improve the communication of critical elements, thus enabling better configuration management activities.
A colleague has been urging you to download a new animated screensaver he has been using for several weeks. While he is showing you the program, the cursor on his screen moves on its own and a command prompt window opens and quickly closes. You can't tell what if anything was displayed in that command prompt window. Your colleague says, "It's been doing that for a while, but it's no big deal." Based on what you've seen, you suspect the animated screensaver is really what type of malware? A. A worm B. A trojan C. Ransomware D. Spyware
B. The animated screensaver is most likely a trojan. The software appears to do one thing, but contains hidden, additional functionality. Your colleague brought the trojan "inside the walls" when he downloaded and installed the software on his desktop.
A web application you are reviewing has an input field for username and indicates the username should be between 6 and 12 characters. You've discovered that if you input a username that's 150 characters or more in length, the application crashes. What is this is an example of? A. Memory leak B. Buffer overflow C. Directory traversal D. Integer overflow
B. This is a fairly classic example of a buffer overflow. The input routine does not validate the provided input to ensure a maximum of 12 characters is received and processed. In this case, the application tries to store all 150 (or more) characters of the username, resulting in areas of memory being overwritten and causing the application to crash.
If a system sends an alert that a user account is being hacked because of too many password failures, but analysis shows that the person's device had cached an old password, triggering the failures, what is this an example of? A. False negative B. False positive C. Measurement error D. Analysis failure
B. This is a false positive, as the report was positive that something had happened, when in fact it had not.
You notice a new custodian in the office, working much earlier than normal, emptying trash cans, and moving slowly past people working. You ask him where the normal guy is, and in very broken English he says, "Out sick," indicating a cough. What is happening? A. Watering hole attack B. Impersonation C. Prepending D. Identity fraud
B. This is a likely impersonation attack, using the cover of the janitor. Because of the unusual circumstances, it would be wise to report to a manager for investigation.
While examining a laptop infected with malware, you notice the malware loads on startup and also loads a file called netutilities.dll each time Microsoft Word is opened. This is an example of which of the following? A. Race condition B. DLL injection C. System infection D. Memory overflow
B. This is an example of DLL injection, which is the process of adding to a program, at runtime, a DLL that has a specific function vulnerability that can be capitalized upon by an attacker.
You're sitting at the airport when your friend gets a message on her phone. In the text is a picture of a duck with the word "Pwnd" as the caption. Your friend doesn't know who sent the message. Your friend is a victim of what type of attack? A. Snarfing B. Bluejacking C. Quacking D. Collision
B. This is most likely a bluejacking attack. If a victim's phone has Bluetooth enabled and is in discoverable mode, it may be possible for an attacker to send unwanted texts, images, or audio to the victim's phone.
A user reports "odd" certificate warnings on her web browser this morning whenever she visits Google. Looking at her browser, you see these certificate warnings. Looking at the network traffic, you notice that all HTTP and HTTPS requests from that system are being routed to the same IP regardless of destination. Which of the following attack types are you seeing in this case? A. Evil twin B. Man in the middle C. Disassociation D. MAC cloning
B. This is most likely some type of man in the middle attack. This attack method is usually done by routing all of the victim's traffic to the attacker's host, where the attacker can view it, modify it, or block it. The attacker inserts himself into the middle of his victim's network communications.
Your boss thanks you for pictures you sent from the recent company picnic. You ask him what he is talking about, and he says he got an e- mail from you with pictures from the picnic. Knowing you have not sent him that e-mail, what type of attack do you suspect is happening? A. Phishing B. Spear phishing C. Reconnaissance D. Impersonation
B. This is spear phishing, which is a targeted phishing attack against a specific person.
To test your systems against weak passwords, you as an admin (with proper permissions) test all the accounts using the top 100 commonly used passwords. What is this test an example of? A. Dictionary B. Password spraying C. Rainbow tables D. Online
B. Using preset passwords against all accounts is an example of password spraying.
A user in your organization contacts you to see if there's any update to the "account compromise" that happened last week. When you ask him to explain what he means, and the user tells you he received a phone call earlier in the week from your department and was asked to verify his user ID and password. The user says he gave the caller his user ID and password. This user has fallen victim to what specific type of attack? A. Spear phishing B. Vishing C. Phishing D. Replication
B. Vishing is a social engineering attack that uses voice communication technology to obtain the information the attacker is seeking. Most often the attacker will call a victim and pretend to be someone else in an attempt to extract information from the victim.
War flying is a term to describe which of the following? A. Pen testing networks on commercial planes B. The use of aerial platforms to gain access to wireless networks C. Driving around and sampling open Wi-Fi networks D. The use of pen testing techniques against the Defense Department
B. War flying is the use of drones, airplanes, and other flying means of gaining access to wireless networks that are otherwise inaccessible.
You have a helpdesk ticket for a system that is acting strangely. Looking at the system remotely, you see the following in the browser cache: www.micros0ft.com/office. What type of attack are you seeing? A. PowerShell B. Domain hijacking C. URL redirection D. Disassociation
C. This is a URL redirection, as the name Microsoft has a zero in place of the o character.
You're reviewing a custom web application and accidentally type a number in a text field. The application returns an error message containing variable names, filenames, and the full path of the application. This is an example of which of the following? A. Resource exhaustion B. Improper error handling C. Generic error message D. Common misconfiguration
B. When an application fails to properly trap an error and generates error messages containing potentially sensitive information, this is known as improper error handling.
What is the purpose of a white team? A. To represent senior management B. To provide judges to score or rule on a test C. To represent parties that are targets in a pen test D. To provide a set of team members with offense and defensive skills (all stars)
B. When an exercise involves scoring and/or a competition perspective, the team of judges is called the white team. If the exercise is such that it requires an outside set of coordinators to manage it, independent of the defending team, they are also called a white team. White team members are there to ensure that the actual exercise stays on track and involves the desired elements of a system.
Who assumes the risk associated with a system or product after it has entered EOL status? A. The original manufacturer B. The vendor C. The organization D. The supply chain manager
C. An organization that continues to use a system or product assumes all of the risk associated with issues uncovered after the product has entered end-of-life (EOL) status. The manufacturer is in fact most often the vendor, and from their standpoint, the product reaches EOL when they stop supporting it. The supply chain manager is a distractor answer choice.
What is the primary limitation of a credentialed scan on a network? A. Speed B. Examining too deeply into individual boxes C. The inability to scale across multiple systems D. Slowing down your network with ancillary traffic
C. Because a credentialed scan requires credentials for each system it is examining, and these credentials will change across a network, this type of scan is less scalable with automation.
Covering one's tracks to prevent discovery is also known as what? A. Lateral movement B. OSINT C. Cleanup D. Pivoting
C. Cleanup involves the steps of clearing logs and other evidence to prevent one from being easily discovered.
Which of the following best describes what CVE is? A. A place to report errors and vulnerabilities B. A measure of the severity of a vulnerability C. A list of known vulnerabilities D. A list of systems that have vulnerabilities
C. Common Vulnerabilities and Exposures is an enumeration or list of known vulnerabilities.
Your new application has multiple small processes that provide services to the network. You want to make this application run more efficiently by virtualizing it. What is the best approach for virtualization of this application? A. Type II hypervisor B. Linux KVM C. Containerization D. Type I hypervisor
C. Containerization runs small applications on a host OS with virtually no overhead.
Enterprises can employ ___________ to block malicious command-and-control traffic from malware. A. encryption B. honeyfiles C. DNS sinkholes D. honeynets
C. DNS sinkholes can prevent communications on command-and- control systems associated with malware and botnets by blocking the destination address through the intentional misrouting of traffic to a dead end.
Which of the following best describes the exporting of stolen data from an enterprise? A. Data loss B. Data breach C. Data exfiltration D. Identity theft
C. Data exfiltration is the exporting of stolen data from an enterprise. Data loss is when an organization actually loses information. Data breaches are the release of data to unauthorized parties. Identity theft is a crime where someone uses information on another party to impersonate them.
Several desktops in your organization are displaying a red screen with the message "Your files have been encrypted. Pay 1 bitcoin to recover them." These desktops have most likely been affected by what type of malware? A. Spyware B. Spraying C. Ransomware D. Crypto-malware
C. This is quite clearly ransomware. The malware has encrypted files on the affected systems and is demanding payment for recovery of the files.
Coming into your office, you overhear a conversation between two security guards. One guard is telling the other she caught several people digging through the trash behind the building early this morning. The security guard says the people claimed to be looking for aluminum cans, but only had a bag of papers—no cans. What type of attack has this security guard witnessed? A. Spear phishing B. Pharming C. Dumpster diving D. Rolling refuse
C. Dumpster diving is the process of going through a target's trash in the hopes of finding valuable information such as user lists, directories, organization charts, network maps, passwords, and so on.
Creating fake network traffic to deceive attackers in segments of the network designed to deceive them is called what? A. DNS sinkhole B. Honeytraffic C. Fake telemetry D. Masking
C. Fake telemetry is the name for fake network traffic in a deception- based environment.
Which of the following are specifically used to spread influence, alter perceptions, and sway people toward a position favored by those spreading it? A. Identity fraud, invoice scams, credential harvesting B. Hoaxes, eliciting information, urgency C. Influence campaigns, social media, hybrid warfare D. Authority, intimidation, consensus
C. Influence campaigns are used to alter perceptions and change people's minds on a topic. They are even more powerful when used in conjunction with social media to spread influence through influencer propagation. Nation-states often use hybrid warfare to sway people toward a position favored by those spreading it.
When you update your browser, you get a warning about a plugin not being compatible with the new version. You do not recognize the plugin, and you aren't sure what it does. Why is it important to understand plugins? What attack vector can be involved in plugins? A. Man in the middle attack B. Domain hijacking attack C. Man in the browser attack D. URL redirection attack
C. Man in the browser attacks are frequently carried out via browser extensions or plugins.
You are new to your job, new to the industry, and new to the city. Which of the following sources would be the best to connect with your peers on threat intelligence information? A. Vendors B. Social media C. Local industry groups D. Vulnerability or threat feeds
C. Networking between peers is a useful attribute of local industry groups.
An externally facing web server in your organization keeps crashing. Looking at the server after a reboot, you notice CPU usage is pegged and memory usage is rapidly climbing. The traffic logs show a massive amount of incoming HTTP and HTTPS requests to the server. Which type of attack is this web server experiencing? A. Input validation B. Distributed error handling C. Resource exhaustion D. Race condition
C. Resource exhaustion is the state where a system does not have all of the resources it needs to continue to function. In this case, the server does not have the memory or CPU capacity to handle the massive volume of incoming HTTP/HTTPS requests.
What type of attack involves an attacker putting a layer of code between an original device driver and the operating system? A. Refactoring B. Trojan horse C. Shimming D. Pass the hash
C. Shimming is the process of putting a layer of code between the device driver and the operating system.
While port-scanning your network for unauthorized systems, you notice one of your file servers has TCP port 31337 open. When you connect to the port with the security tool netcat, you see a prompt that reads, "Enter password for access:". Your server may be infected with what type of malware? A. PUP B. Fileless virus C. Backdoor D. Man in the middle attack
C. This prompt most likely belongs to a backdoor—an alternate way of accessing the system. The TCP service is listening for incoming connections and prompts for a password when connections are established. Providing the correct password would grant command-line access to the system.
Which of the following is a formal approach to identifying system or network weaknesses and is open to the public? A. Passive reconnaissance B. Active reconnaissance C. Port scanning D. Persistence
D. Bug bounty programs can open up vulnerability discovery to the public with a set of rules that manages the disclosure process and the engaging of the systems.
A system that is ready for immediate use in the event of an outage is called what? A. Standby system B. Disaster recovery site C. Backup site D. Hot site
D. A hot site is one that is ready for immediate use in the event of a failure. All of the other options are names created using distractor words.
Which of the following are characteristics of remote-access trojans? A. They can be deployed through malware such as worms. B. They allow attacks to connect to the system remotely. C. They give attackers the ability to modify files and change settings. D. All of the above.
D. All of these are characteristics of remote-access trojans (RATs). RATs are often deployed through other malware, allow remote access to the affected system, and give the attacker the ability to manipulate and modify the affected system.
Which statement is false regarding cryptographic practices and weak encryption? A. Developing your own cryptographic algorithm is considered an insecure practice. B. Cryptographic algorithms become trusted only after years of scrutiny and repelling attacks. C. The ability to use ever-faster hardware has enabled attackers to defeat some cryptographic methods. D. Because TLS is deprecated, SSL should be used instead.
D. All versions of SSL are now considered deprecated and should not be used. Everyone should switch their systems to TLS-based solutions. All other statements are true.
Which of the following is not part of SIEM processes? A. Data collection B. Event correlation C. Alerting/reporting D. Incident investigation
D. Incident investigations occur after and as a result of SIEM processes but are not typically part of them.
Your organization is considering using a new ticket identifier with your current help desk system. The new identifier would be a 16-digit integer created by combining the date, time, and operator ID. Unfortunately, when you've tried using the new identifier in the "ticket number" field on your current system, the application crashes every time. The old method of using a five-digit integer works just fine. This is most likely an example of which of the following? A. Common misconfiguration B. Zero-day vulnerability C. Memory leak D. Integer overflow
D. An integer overflow is a programming error condition that occurs when a program attempts to store a numeric value, an integer, in a variable that is too small to hold it. In this case, the 16-digit integer is too large for the field, which is working just fine with the five-digit integer.
You desire to prove a vulnerability can be a problem. The best method would be to use a(n) _____________ scan? A. credentialed B. non-intrusive C. non-credentialed D. intrusive
D. An intrusive scan attempts to exercise a vulnerability. This presents risk in that it might upset the system, but if it works, it is clear proof of the risk associated with a vulnerability.
A disgruntled administrator is fired for negligence at your organization. Thirty days later, your organization's internal file server and backup server crash at exactly the same time. Examining the servers, you determine that critical operating system files were deleted from both systems. If the disgruntled administrator was responsible for administering those servers during her employment, this is most likely an example of what kind of malware? A. Crypto-malware B. Trojan C. Worm D. Logic bomb
D. Because both servers crashed at exactly the same time, this is most likely a logic bomb. A logic bomb is a piece of code that sits dormant for a period of time until some event or date invokes its malicious payload —in this case, 30 days after the disgruntled employee was fired.
All of the wireless users on the third floor of your building are reporting issues with the network. Every 15 minutes, their devices disconnect from the network. Within a minute or so they are able to reconnect. What type of attack is most likely underway in this situation? A. Evil twin B. Jamming C. Domain hijacking D. Disassociation
D. Disassociation attacks against a wireless system are attacks designed to disassociate a host from the wireless access point and from the wireless network. If the attacker has a list of MAC addresses for the wireless devices, they can spoof de-authentication frames, causing the wireless devices to disconnect from the network.
Your database server is returning a large dataset to an online user, saturating the network. The normal return of records would be a couple at most. This is an example of what form of attack? A. Memory leak B. LDAP injection C. Man in the middle D. SQL injection
D. Excessive records being returned from a SQL query is a sign of SQL injection.
What is masking? A. The use of stand-in data to replace real-time data B. The marking of regions where data is not allowed by policy C. The use of backups to preserve data during disruptive events D. Redacting portions of data using a covering symbol such as * or x
D. Masking is the marking over of portions of information to prevent disclosure (for example, using x's for all but the last four numbers of a credit card).
When a pen tester uses OSINT to gain information on a system, the type of environment can be changed from ______ to _______. A. closed, open B. unknown, known C. secure, vulnerable D. unknown, partially known
D. OSINT provides information about systems and their addresses and connections, including applications. This takes the status of a system from a completely unknown environment to a partially known environment.
Your senior financial people have been attacked with a piece of malware targeting financial records. Based on talking to one of the executives, you now know this is a spear phishing attack. Which of the following is the most likely vector used? A. Cloud B. Wireless C. Direct access D. Removeable media
D. Removeable media is commonly linked to social engineering attacks such as spear phishing.
Proper use of separation of duties with respect to privileged users on your systems is a defense against which type of hacker? A. Nation-state actor B. Insider C. Criminal syndicate D. All of the above
D. Separation of duties is designed to provide defenses against malicious insiders. But nation-state actors and criminal organizations have the resources and abilities to hack accounts and gain insider access. There are no external accounts, so once a well-resourced hacker is in, they will have permissions associated with an insider.
Which of the following is/are psychological tools used by social engineers to create false trust with a target? A. Impersonation B. Urgency or scarcity C. Authority D. All of the above
D. Social engineers use a wide range of psychological tricks to fool users into trusting them, including faking authority, impersonation, creating a sense of scarcity or urgency, and claiming familiarity.
If end-to-end encryption is used, which of the following technologies facilitates security monitoring of encrypted communication channels? A. Fake telemetry B. Tokenization C. Hashing D. TLS inspections
D. TLS inspection systems allow TLS channels to be broken and re- established, permitting monitoring of secure traffic.
While waiting in the lobby of your building for a guest, you notice a man in a red shirt standing close to locked door with a large box in his hands. He waits for someone else to come along and open the locked door and then proceeds to follow her inside. What type of social engineering attack have you just witnessed. a impersonation b phishing c boxing d tailgating
D. Tailgating (or piggybacking) is the simple tactic of following closely behind a person who has just used their own access card, key, or PIN to gain physical access to a room or building. The large box clearly impedes the person in the red shirt's ability to open the door, so they let someone else do it for them and follow them in.
When an attacker moves to a new machine and rescans the network to look for machines not previously visible, what is this technique called? A. Lateral movement B. Privilege escalation C. Persistence D. Pivoting
D. The key part of the question is the rescanning. Pivoting involves the rescanning of network connections to find unknown or previously unseen connections.
You use a "golden disk" to provision new machines from your vendors. As part of the incident response, you have discovered that the source of the malware you are seeing comes from this golden disk. This is an example of what vector? A. Insider B. Direct access C. Removeable media D. Supply chain
D. This is a supply chain vector. Although the work was done in-house, the supply chain stretches from each part to functioning system, and you added the final software to create the functioning system, so your own team is part of the supply chain.
A piece of malware is infecting the desktops in your organization. Every hour, more systems are infected. The infections are happening in different departments and in cases where the users don't share any files, programs, or even e-mails. What type of malware can cause this type of infection? A. Virus B. Trojan C. RAT D. Worm
D. This is most likely a worm attack. Attacks that move across the network, seemingly without user intervention, are commonly worms.
A colleague asks you for advice on why he can't log in to his gmail account looking at his browser you see he has typed www.gmal.com in the address bar. The screen looks very similar to the Gmail login screen. Your colleague has just fallen victim to why type of attack. a jamming b rainbow table c whale phishign d typosquatting
D. Typosquatting capitalizes on common typing errors, such as gmal instead of gmail. The attacker registers a domain very similar to the real domain and attempts to collect credentials or other sensitive information from unsuspecting users.
Why is VM sprawl an issue? A. VM sprawl uses too many resources on parallel functions. B. The more virtual machines in use, the harder it is to migrate a VM to a live server. C. Virtual machines are so easy to create, you end up with hundreds of small servers only performing a single function. D. When servers are no longer physical, it can be difficult to locate a specific machine.
D. VM sprawl is an issue because when virtual machines proliferate, they can be easily moved and potentially easily copied to random locations. This can make finding a specific machine difficult without a carefully constructed and consistently managed organizational structure.