Security + SY0-601
Which of these represents active reconnaissance instead of passive reconnaissance? (Choose multiple) A. Can impact employee productivity B. May be illegal on the internet C. Using a wireless packet sniffer D. Actions can be traced back to the attacker E. OWASP web scanning F. Collecting metadata unobtrusively
A. Can impact employee productivity B. May be illegal on the internet D. Actions can be traced back to the attacker E. OWASP web scanning
What are varied access control technologies used to control usage of proprietary hardware and copyrighted works? A. DRM B. DLP C. CMDB D. CIA
A. DRM
Which RAID level needs at least 3 drives and has relatively low read/write performance? A. RAID 5 B. RAID 6 C. RAID 0 D. RAID 1
A. RAID 5
What process involves changing an application's source code without modifying the characteristics? A. Refactoring B. Driver manipulation C. Shimming D. Request forgery
A. Refactoring
What service allows organizations to aggregate threat management, incident response, and repeatable security operations? A. SOAR B. SIEM C. Syslog D. OWASP
A. SOAR
What is Availability in CIA?
Availability is the assurance that the systems responsible for delivering, storing, and processing information are accessible when required by authorized users. Measures to maintain data availability can include disk arrays for redundant systems and clustered machines, antivirus software to combat malware, and distributed denial-of-service (DDoS) prevention systems.
What type of attack is also known as a SOAP injection? A. LDAP injection B. DLL injection C. XML injection D. SQL injection
C. XML injection
What component will typically store the instances of all organizational configuration items? A. SCADA B. CASB C. CMDB D. APT
C. CMDB
Which of these would commonly not be considered a benign usage of man-in-the-middle? A. Application layer gateway B. Network address translator C. Web proxy server D. ARP proxy
D. ARP proxy
What concept is concerned with the ownership, custodianship, stewardship, and usage of data based on jurisdictional, legal, and governmental directives? A. Data deduplication B. Data in use C. Data masking D. Data sovereignty
D. Data sovereignty
Which type of threat actor has some level of information about the target but often needs more? A. Blue hat B. Black hat C. White hat D. Gray hat
D. Gray hat
What is a recent privacy law that governs the EU and its partners? A. HIPAA B. CIS C. PCI-DSS D. GDPR
D. GDPR
What is Integrity in CIA?
Integrity is the trustworthiness of data or resources in the prevention of improper and unauthorized changes—the assurance that information is sufficiently accurate for its purpose. Measures to maintain data integrity may include a checksum (a number produced by a mathematical function to verify that a given block of data is not changed) and access control (which ensures that only authorized people can update, add, or delete data).
Name some vulnerability scanning tools.
Nessus, OpenVAS, Core Impact, Nexpose, GFI LanGuard, QualysGuard. Two web application vulnerability scanners are OWASP ZAP and Burp Suite.
The receptionist received a phone call from an individual claiming to be a partner in a high-level project and requesting sensitive information. The individual is engaging in which type of social engineering? A. Authority B. Social validation C. Commitment D. Persuasive
A. Authority Authority social engineering entails an attacker either lying about having authority or using their high status in a company to force victims to perform actions that exceed their authorization level. Persuasive social engineering entails an attacker convincing a person to give them information or access that they shouldn't. Social validation entails an attacker using peer pressure to coerce someone else to bend rules or give information they shouldn't. Commitment social engineering entails convincing someone to buy into an overall idea, then demanding or including further specifics that were not presented up front.
Which of these statements is true regarding zero-day attacks? A. The "zero" refers to the threat level on a scale of 0-10 B. All malware and exploits were zero-day at one time or another C. The CVE is months behind in identifying these vulnerabilities D. Most malicious code is accounted for today
B. All malware and exploits were zero-day at one time or another
In a Linux-based privilege escalation attack what is the typical first step? A. Check the available users and the current user privileges B. Check the OS release of the vulnerable system C. List the SUID files D. View its kernel version
B. Check the OS release of the vulnerable system
Which of these third-party risks would most likely occur due to the use of unsecure coding practices and lack of testing? A. System integration B. Outsourced container development C. Supply chain activities D. Data storage
B. Outsourced container development
In a disaster recovery plan order of restoration, which action will typically come first for most organizations? A. Deliver value proposition profitably B. Protect people and critical assets C. Sustain ongoing operational viability D. Maintain financial stability
B. Protect people and critical assets
Which role will offer initiatives and information sharing between teams to improve the organizational security posture? A. Red team B. Purple team C. Blue team D. White team
B. Purple team
Which source of research would be published by the IETF? A. Twitter B. RFC C. TTP D. OSINT
B. RFC
Which type of activity changes or falsifies information in order to mislead or re-direct traffic? A. Spamming B. Spoofing C. Snooping D. Sniffing
B. Spoofing Spoofing changes or falsifies information in order to mislead or re-direct traffic. Snooping is the act of spying into private information or communications. One type of snooping is sniffing. Sniffing captures network packets to examine the contents of communications. Spamming is sending a victim unwanted and unrequested email messages.
Which is an advantage of on-premise database solution as opposed to a cloud service provider? A. Many accounts will reduce the attack surface B. The threat actors are typically internal privileged users C. You will often leverage a cloud access security broker D. The public API calls are likely protected with digital signatures
B. The threat actors are typically internal privileged users
When a SYN flood is altered so that the SYN packets are spoofed in order to define the source and destination address as a single victim IP address, the attack is now called what? A. Land attack B. Impersonation C. Fraggle attack D. Analytic attack
A. Land attack A land attack is a SYN flood where the source and destination address of the SYN packets are both defined as the victim's IP address. A fraggle attack uses UDP packets, not SYN packets from TCP. An impersonation attack is not usually a protocol attack; it is simply taking on an authorized identity in order to gain entry into a secured environment. An analytic attack is an attack on the algorithm of a cryptography system.
A SYN packet is received by a server. The SYN packet has the exact same address for both the sender and receiver addresses, which is the address of the server. This is an example of what type of attack? A. Land attack B. SYN flood C. Ping of death D. Teardrop attack
A. Land attack A land attack is when the SYN packet has the exact same address for both the sender and receiver addresses, which is the address of the server. The ping of death involves an ICMP echo request whose reassembled size exceeds the 65,535-byte IP maximum. The teardrop attack uses fragmented IP packets with overlapping fragment offsets. A SYN flood abuses the TCP three-way handshake: the attacker sends SYN packets (often from spoofed sources) and never completes the handshake with the final ACK, so the server holds open half-open sessions and consumes its connection resources. If the attacker can cause the server to open numerous sessions in this manner, the backlog is exhausted and no legitimate connections are established.
Which of these are attributes of a structured attack? (Choose Multiple) A. Organized B. Not following AUP C. Drive-by D. Multi-phased E. Persistent F. Planned
A. Organized D. Multi-phased E. Persistent F. Planned
Which attack takes advantage of Windows Safe Mode? A. Pass the hash B. Path traversal C. SSL stripping D. Race conditions
A. Pass the hash
What is Authenticity?
Authenticity refers to the characteristic of communication, documents, or any data that ensures the quality of being genuine or uncorrupted. The major role of authentication is to confirm that a user is genuine. Controls such as biometrics, smart cards, and digital certificates ensure the authenticity of data, transactions, communications, and documents.
Match the threat intelligence source with the definition. A. IoC | B. OSINT | C. STIX | D. Dark web | E. Vulnerability databases 1. Network or host-based cyber observables or artifacts of an incursion 2. Data or information that can be collected legally from free, public sources concerning an individual or organization 3. A collection and distribution of information about exposed computer security exposures 4. An overlay network that is not indexed by search engines 5. A structured language for cyber threat intelligence
1A, 2B, 3E, 4D, 5C
What is Non-Repudiation?
Non-repudiation is a way to guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message. Individuals and organizations use digital signatures to ensure non-repudiation.
What penetration testing technique would involve having some level of limited knowledge of the internal workings of the target? A. Blue box B. White box C. Black box D. Gray box
D. Gray box
What are threat hunters attempting to quickly recognize to counter cyber criminals and mitigate threats? A. RFCs B. SOARs C. SIEMs D. IoCs
D. IoCs
Which of these refers to malicious scripts as opposed to malicious code? A. It is another generic term for malware B. It is rarely sent through email attachments C. It is an unwanted and unsolicited malicious program D. It affects only those applications for which it has been written
D. It affects only those applications for which it has been written
What are most often used to catch a privileged insider during a structured attack? A. Honeypot B. Honeynet C. Honeyfile D. Honeycomb
C. Honeyfile
Which of these attacks takes advantage of inadequate mechanisms to stop clients from automated attempts through credential stuffing? A. MITM attacks B. Input validation attacks C. Login attacks D. DDoS attacks
C. Login attacks
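The distinguishing signal of credential stuffing is one failure per account across many accounts from the same source, not many failures against one account. The following is an added example (not from the original flashcard set) of detection logic run over a constructed auth log; the log format, field names, and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). 203.0.113.7 tries one
# password against six different accounts (credential stuffing), 192.0.2.33
# hammers a single account (brute force), 198.51.100.4 is a user who mistypes.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z auth FAIL user=alice src=203.0.113.7
2024-03-01T10:00:02Z auth FAIL user=bob src=203.0.113.7
2024-03-01T10:00:02Z auth FAIL user=admin src=192.0.2.33
2024-03-01T10:00:03Z auth FAIL user=carol src=203.0.113.7
2024-03-01T10:00:04Z auth FAIL user=admin src=192.0.2.33
2024-03-01T10:00:05Z auth FAIL user=dave src=203.0.113.7
2024-03-01T10:00:06Z auth FAIL user=admin src=192.0.2.33
2024-03-01T10:00:07Z auth FAIL user=erin src=203.0.113.7
2024-03-01T10:00:08Z auth FAIL user=admin src=192.0.2.33
2024-03-01T10:00:09Z auth FAIL user=frank src=203.0.113.7
2024-03-01T10:00:30Z auth FAIL user=grace src=198.51.100.4
2024-03-01T10:00:45Z auth FAIL user=grace src=198.51.100.4
2024-03-01T10:01:02Z auth OK user=grace src=198.51.100.4
""".splitlines()

# Assumed log format: "<ISO timestamp> auth <OK|FAIL> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_line(line: str):
    """Return a dict for one auth log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_credential_stuffing(lines, window=timedelta(minutes=5), min_users=5):
    """Return {src: distinct_users} for sources whose failed logins touch at
    least `min_users` different accounts inside any `window`-long span.

    Distinct usernames per source is the signal: a brute force shows one
    username with many failures, stuffing shows many usernames with few."""
    failures = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["result"] == "FAIL":
            failures[rec["src"]].append(rec)

    flagged = {}
    for src, recs in failures.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):          # sliding window over failures
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            users = {r["user"] for r in recs[start:end + 1]}
            if len(users) >= min_users:
                flagged[src] = max(flagged.get(src, 0), len(users))
    return flagged


def brute_force_sources(lines, min_failures=4):
    """Companion check: sources with repeated failures against one account."""
    counts = defaultdict(int)
    for rec in filter(None, map(parse_line, lines)):
        if rec["result"] == "FAIL":
            counts[(rec["src"], rec["user"])] += 1
    return {src for (src, _user), n in counts.items() if n >= min_failures}


if __name__ == "__main__":
    print("credential stuffing:", detect_credential_stuffing(SAMPLE_LOG))
    print("brute force:", brute_force_sources(SAMPLE_LOG))
```

A per-account lockout counter never fires on the stuffing source, since each account sees a single failure; the per-source distinct-user count is what catches it, and it is also the natural key for rate limiting or CAPTCHA challenges.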
What technique can overwhelm the content addressable memory (CAM) tables on Layer 2 switches? A. ARP spoofing B. MAC cloning C. MAC flooding D. ARP poisoning
C. MAC flooding
What is Confidentiality in CIA?
Confidentiality is the assurance that information is accessible only to authorized users. Confidentiality breaches may occur due to improper data handling or a hacking attempt. Confidentiality controls include data classification, data encryption, and proper disposal of equipment (such as DVDs, USB drives, and Blu-ray discs).
In a distributed denial of service (DDoS) attack, what does a zombified system communicate with? A. An agent B. A feed C. A bot D. A C2 (command-and-control) server
D. A C2 (command-and-control) server
Which of these is an AEAD cipher mode that provides built-in authentication and integrity along with its symmetric encryption? A. 3DES B. RC4 C. SHA1 D. AES-256-GCM
D. AES-256-GCM
What term describes the technique or method used to exploit a vulnerability or deliver a malware payload? A. Threat category B. Threat actor C. Threat agent D. Threat vector
D. Threat vector
What type of backup is an immediate point-in-time virtual copy of source typically to on-premise or cloud object storage? A. Differential B. Incremental C. Full D. Snapshot
D. Snapshot
In what phase of the change management lifecycle is the proposed change analyzed and optionally validated? A. Testing B. Documenting C. Approving D. Submitting
C. Approving
Match the type of targeted coding attack with the proper characteristic. A. Session replay | B. Time-of-check | C. Buffer overflow | D. Integer Overflow | E. Directory traversal 1. Attacker sends larger than expected input and a server accepts it and writes it to memory areas. 2. Web application allows reusing old session credentials for authorization. 3. An error when the result of a math operation does not fit within the allocated memory space. 4. A condition when an attacker tries to gain privilege to a system by racing it to a resource. 5. It is also known as a "dot slash" attack.
1C, 2A, 3D, 4B, 5E
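Directory traversal comes from joining a client-supplied path onto a base directory without canonicalizing and checking containment. The following is an added example (not from the original flashcard set) showing the vulnerable join beside a hardened resolver; the web root path and file names are assumptions.

```python
import os
from urllib.parse import unquote

WEB_ROOT = "/srv/app/static"   # assumed document root (not from the original page)


def vulnerable_resolve(user_path: str) -> str:
    """The classic bug: join the client path straight onto the root.
    '../../etc/passwd' walks out of WEB_ROOT, and an absolute path makes
    os.path.join discard WEB_ROOT entirely. normpath only tidies the string."""
    return os.path.normpath(os.path.join(WEB_ROOT, unquote(user_path)))


def safe_resolve(user_path: str, root: str = WEB_ROOT) -> str:
    """Decode once, canonicalize (realpath collapses '..' and symlinks),
    then require the result to sit under the canonical root."""
    base = os.path.realpath(root)
    target = os.path.realpath(os.path.join(base, unquote(user_path)))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path traversal blocked: {user_path!r}")
    return target


def escapes_root(user_path: str) -> bool:
    """True when the supplied path would land outside WEB_ROOT."""
    try:
        safe_resolve(user_path)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    for p in ["css/site.css", "../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd",
              "/etc/passwd", "images/../css/site.css"]:
        print(f"{p!r:32} vulnerable -> {vulnerable_resolve(p)!r:28} "
              f"escapes root: {escapes_root(p)}")
```

Decode the path exactly once, the same number of times the server framework does, before the check; a filter that compares the raw string for "../" misses the percent-encoded form, and a check done after a second decode can be bypassed with double encoding.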
Match the type of wireless vulnerability or attack with the proper characteristic. A. Bluesnarfing | B. Dragonblood | C. Evil twin | D. Disassociation | E. Bluejacking 1. Replaces an existing wireless service set so that users will connect to a fake one. 2. Can steal data from a wireless device using a Bluetooth connection. 3. A prank that takes advantage of sending contact information automatically without authentication. 4. A timing-based side-channel attack against WPA3. 5. Compromises various control and management frames when 802.11w management frame protection (MFP/PMF) is not used.
1C, 2A, 3E, 4B, 5D
Which of these represents passive reconnaissance instead of active reconnaissance? (Choose multiple) A. Conduct packet tracing B. Grabbing HTTP banners C. Less-intrusive process to daily operations D. Nessus vulnerability scan E. Using a network tap F. Leaving no footprints
A. Conduct packet tracing C. Less-intrusive process to daily operations E. Using a network tap F. Leaving no footprints
Which of these are valid recovery control activities? (Choose multiple) A. Conducting a remote mobile discovery and wipe function B. Testing a business continuity plan C. Setting up an intrusion detection service sensor D. Restoring a database from a snapshot E. Determining recovery time objectives for an email system F. Installing an uninterruptible power supply
A. Conducting a remote mobile discovery and wipe function B. Testing a business continuity plan D. Restoring a database from a snapshot E. Determining recovery time objectives for an email system
Which area of enterprise diversity would specifically involve using defense in depth to secure access to the safe in the company CEO's office? A. Controls B. Cryptosystems C. Technology D. Vendors
A. Controls
Which of these states are the result of an erroneous action triggering from a benign event? A. False positive B. True positive C. True negative D. False negative
A. False positive
What is the greatest threat to the confidentiality of data in most secure organizations? A. USB devices B. Hacker intrusion C. Malware D. Operator error
A. USB devices The greatest threat to data confidentiality in most secure organizations is portable devices (including USB devices). There are so many devices that can support file storage that stealing data has become easy, and preventing data theft is difficult.
Which of these are valid examples of weak configuration vulnerabilities? (Choose multiple) A. Unhardened systems and protocols B. Open ports and services C. Privileged insiders D. Weak cryptosystems E. Zero-day code deployments F. Default passwords
A. Unhardened systems and protocols B. Open ports and services D. Weak cryptosystems F. Default passwords
Which of these are names for the same attack, in which a victim is tricked into clicking a hidden or disguised page element layered over a legitimate one? (Choose multiple) A. User interface redress B. Clickjacking C. DNS poisoning D. Domain reputation attack E. UI redressing
A. User interface redress B. Clickjacking E. UI redressing Clickjacking and UI redress(ing) are names for the same attack. DNS poisoning and domain reputation attacks are DNS-level threats unrelated to it.
Which variant of XSS attacks leverages an insecurely written HTML page on an end user's system or endpoint gadgets and widgets? A. Stored B. DOM-based C. Reflected D. Persistent
B. DOM-based
What is the ability of a system to increase the workload on its current and additional dynamically added, on demand hardware resources? A. Availability B. Elasticity C. Scalability D. Durability
B. Elasticity
What are dedicated crypto processors consisting of hardened, tamper-resistant devices and virtual appliances for key management? A. DLP B. HSM C. DRM D. DAM
B. HSM
Which of these solutions would be best described as a "mirrored" site that duplicates the entire enterprise running in parallel within minutes or hours? A. Hybrid cloud B. Hot site C. Cold site D. Mobile site
B. Hot site
Which of these represents a likely primary or secondary loss due to using unsecure and unpatched legacy platforms? (Choose multiple) A. Loss of employee skillsets B. Loss of reputation C. Exfiltration D. Identity theft E. Loss of availability F. Increased costs
B. Loss of reputation C. Exfiltration D. Identity theft E. Loss of availability
What term describes thin, stateless systems where the user cannot retain data or configure a desktop instance as it is deleted at the end of a session? A. Live boot media B. Non-persistent VDI C. Persistent VDI D. Type 2 hypervisor
B. Non-persistent VDI
Which of these SYSLOG messages would have the code number "4"? A. Notice B. Warning C. Error D. Informational
B. Warning
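Syslog severity codes run from 0 (Emergency) to 7 (Debug), and the PRI value at the front of a message packs the facility and severity together as facility * 8 + severity. The following is an added example (not from the original flashcard set) that decodes PRI values and filters a constructed set of messages by severity; the sample lines are constructed, with the `<34>` line taken from the RFC 5424 examples.

```python
import re

SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]      # codes 0-7
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + [f"local{i}" for i in range(8)]  # codes 0-23

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.S)

# Constructed sample messages (the <34> line is the RFC 5424 example).
SAMPLE_LINES = [
    "<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - 'su root' failed for lonvick",
    "<12>1 2024-03-01T10:00:00Z host1 app - - - disk usage at 91%",
    "<190>1 2024-03-01T10:00:01Z host1 app - - - request served in 12ms",
    "<85>1 2024-03-01T10:00:02Z host1 sshd - - - Accepted publickey for ops",
]


def decode_pri(pri: int):
    """PRI = facility * 8 + severity, so divmod recovers both fields."""
    facility, severity = divmod(pri, 8)
    if facility > 23:
        raise ValueError(f"invalid PRI {pri}: facility {facility} out of range")
    return FACILITIES[facility], SEVERITIES[severity]


def parse_syslog(line: str) -> dict:
    """Split the <PRI> prefix off a syslog line and decode it."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> prefix")
    pri = int(m["pri"])
    facility, severity = decode_pri(pri)
    return {"pri": pri, "facility": facility, "severity": severity,
            "severity_code": pri % 8, "msg": m["rest"]}


def at_or_above(records, max_code=4):
    """Keep records whose severity code is <= max_code; lower codes are more
    severe, so the default 4 keeps Warning and worse and drops Notice,
    Informational and Debug."""
    return [r for r in records if r["severity_code"] <= max_code]


if __name__ == "__main__":
    recs = [parse_syslog(l) for l in SAMPLE_LINES]
    for r in at_or_above(recs):
        print(f"{r['severity']:13} {r['facility']:9} {r['msg'][:40]}")
```

The numeric ordering trips people up in alerting rules: "severity >= Warning" in plain English is `severity_code <= 4` in the encoding, and a filter written the other way round silently keeps only the noise.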
What term describes a situation where the number of VMs overtakes the administrator's ability to manage them? A. VM escape B. Bare metal VM C. VM sprawl D. Hosted VM
C. VM sprawl
Match the specific penetration testing phase to the proper activity. A. Rules of engagement B. Cleanup C. Lateral movement D. Persistence E. Reconnaissance F. Privilege escalation 1. Pivoting from one domain or VLAN to another 2. Conducting planning, preparation, or information gathering 3. Agreeing to the target customer's bug bounty program 4. Removing all footprints and artifacts of the attack chain 5. Forcing the exploit to remain even with a reboot or network disconnect 6. Attempting to get root or administrative credentials of a database
C1, E2, A3, B4, D5, F6
What is a software service implemented between cloud customers and software-as-a-service providers to provide visibility, compliance, data security, and threat protection? A. DLP B. DRP C. CMDB D. CASB
D. CASB
Which of these scanning techniques would decide if a system is configured in agreement with a recognized governance or regulatory policy? A. Web application scan B. Vulnerability scan C. Network scan D. Compliance scan
D. Compliance scan
What device would most likely perform a TLS inspection? A. Database activity monitor B. Microsoft Exchange servers C. Cloud-based SIEM service D. Web-application firewall
D. Web-application firewall
When a malicious user captures authentication traffic and replays it against the network later, what is the security problem you are most concerned about? A. An unauthorized user gaining access to sensitive resources B. Spam C. Denial of service D. Bandwidth consumption
A. An unauthorized user gaining access to sensitive resources When a malicious user captures authentication traffic and replays it against the network later, the security problem you are most concerned about is an unauthorized user gaining access to sensitive resources. Once a replay attack has been successful, the attacker has the same access to the system as the user from whom the authentication traffic was captured.
Which of the following is an example of privilege escalation? A. Creeping privileges B. Separation of duties C. Principle of least privilege D. Mandatory vacations
A. Creeping privileges Creeping privileges occur when a user's job position changes and they are granted a new set of access privileges for their new work tasks, but their previous access privileges are not removed. As a result, the user accumulates privileges over time that are not necessary for their current work tasks. This is a form of privilege escalation. Principle of least privilege and separation of duties are countermeasures against privilege escalation. Mandatory vacations are used to perform peer reviews, which requires cross-trained personnel and help detect mistakes and fraud.
Which type of active scan turns off all flags in a TCP header? A. Null B. Stealth C. Christmas tree D. FIN
A. Null A null scan turns off all flags in a TCP header, creating a lack of TCP flags that should never occur in the real world. A FIN scan sends TCP packets to a device without first going through the normal TCP handshaking, thus preventing non-active TCP sessions from being formally closed. A stealth scan sends a single frame to a TCP port without any TCP handshaking or additional packet transfers with the expectation of receiving a single response. A Christmas tree scan sends a TCP frame to a remote device with the URG, PUSH, and FIN flags set.
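The land attack (the two SYN questions above) and the null, FIN and Christmas tree scans are all decided by the same few header fields: the IP source and destination addresses and the TCP flag byte. The following is an added example (not from the original flashcard set) that parses a raw IPv4+TCP packet and classifies it accordingly; the packet builder, addresses and ports are constructed for the example.

```python
import socket
import struct

# TCP flag bits, low byte of the data-offset/flags field
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_packet(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Construct a minimal IPv4 + TCP packet (no options, zero checksums).
    Used here only to produce test input; not a real capture."""
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 40, 0, 0, 64, 6, 0,            # v4, IHL 5, len 40, TTL 64, proto TCP
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIHHHH",
                      sport, dport, 0, 0, (5 << 12) | flags,  # data offset 5 words + flags
                      8192, 0, 0)
    return ip + tcp


def parse_ipv4_tcp(packet: bytes) -> dict:
    """Pull addresses, ports and the flag bits out of an IPv4/TCP packet."""
    ihl = (packet[0] & 0x0F) * 4                # IPv4 header length in bytes
    if packet[9] != 6:
        raise ValueError("not a TCP packet")
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    tcp = packet[ihl:ihl + 20]
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": off_flags & 0x3F}


def classify(packet: bytes) -> str:
    """Label the packet by the header anomaly it carries.

    land attack : SYN whose source address equals the destination (the target
                  answers itself); legitimate traffic never looks like this on
                  a non-loopback interface.
    null scan   : no flags at all, a combination TCP never produces.
    xmas scan   : FIN+PSH+URG "lit up" together.
    fin scan    : bare FIN with no preceding handshake.
    syn probe   : bare SYN, the half-open / stealth scan.
    """
    p = parse_ipv4_tcp(packet)
    f = p["flags"]
    if f & SYN and p["src"] == p["dst"]:
        return "land attack"
    if f == 0:
        return "null scan"
    if f == FIN | PSH | URG:
        return "xmas scan"
    if f == FIN:
        return "fin scan"
    if f == SYN:
        return "syn probe"
    return "normal"


if __name__ == "__main__":
    samples = [
        build_packet("10.0.0.5", "10.0.0.5", 139, 139, SYN),
        build_packet("10.0.0.9", "10.0.0.5", 40000, 22, 0),
        build_packet("10.0.0.9", "10.0.0.5", 40000, 22, FIN | PSH | URG),
        build_packet("10.0.0.9", "10.0.0.5", 40000, 22, FIN),
        build_packet("10.0.0.9", "10.0.0.5", 40000, 80, SYN | ACK),
    ]
    for pkt in samples:
        print(classify(pkt), parse_ipv4_tcp(pkt))
```

Both the land attack and the null/xmas/FIN scans are pure header anomalies, which is why a stateless packet filter or an IDS signature can drop or flag them without tracking connection state; a bare SYN, by contrast, is how every legitimate connection starts, so a SYN probe is only distinguishable by rate and by the absence of a follow-up ACK.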
Which of the following measures are you most likely to implement to protect against a worm or Trojan horse? A. IPsec B. Password policy C. Anti-virus software D. Firewall
C. Anti-virus software Worms and Trojan horses are types of malware. The best way to protect against them is to ensure that every system on the network has anti-virus software installed with up-to-date definitions. A firewall helps prevent attackers from penetrating a network from the internet; it does not specifically guard against malware, though some application-level firewall solutions do include anti-virus capabilities. IPsec is an encryption mechanism. A password policy enforces password composition rules and helps protect against authentication attacks.
Which of the following locations contribute the greatest amount of interference for a wireless access point? (Select two.) A. In the top floor of a two-story building B. Near DHCP servers C. Near backup generators D. Near cordless phones
C. Near backup generators D. Near cordless phones Other wireless transmitting devices (such as cordless phones or microwaves) and generators cause interference for wireless access points. In general, place access points higher up to avoid interference problems caused by going through building foundations. DHCP servers provide IP information for clients and do not cause interference.
What type of malware monitors your actions? A. Worm B. Virus C. Spyware D. Trojan Horse
C. Spyware Spyware monitors the actions performed on a machine and then sends the information back to its originating source. A virus is a program that attempts to damage a computer system and replicate itself to other computer systems. A worm is a self-replicating program that can be designed to do any number of things, such as negatively impacting network traffic. A Trojan horse is a malicious program that is disguised as legitimate software.
An attacker has hidden an NFC reader behind an NFC-based kiosk in an airport. The attacker uses the device to capture NFC data in transit between end user devices and the reader in the kiosk. She then uses that information to masquerade as the original end user device and establish an NFC connection to the kiosk. What kind of attack has occurred in this scenario? A. NFC jamming B. NFC man-in-the-middle attack C. NFC denial of services (DoS) D. NFC relay attack
D. NFC relay attack In this scenario, an NFC relay attack has occurred. NFC devices and readers are susceptible to relay attacks where the attacker captures NFC data in transit and then uses that information to masquerade as the original device. In NFC jamming, signals are jammed by malicious interference. In an NFC man-in-the-middle exploit, an attacker captures transmissions from the reader and then forwards them on to the device, potentially capturing or modifying data in transit. Currently, no NFC-based DoS-type attacks have been detected and identified.
What is the weakest point in an organization's security infrastructure? A. Procedures B. Technology C. People D. Physical structure
C. People People are usually the weakest point in an organization's security infrastructure. Procedures, technology, and physical security are often reasonably secure when controlled under a well-designed security policy.
Which of the following is a common social engineering attack? A. Using a sniffer to capture network traffic B. Distributing hoax virus information emails C. Distributing false information about your organization's financial status D. Logging on with stolen credentials
B. Distributing hoax virus information emails Distributing hoax virus information emails is a social engineering attack. This type of attack preys on email recipients who are fearful and will believe most information if it is presented in a professional manner. The victims of these attacks fail to double-check the information or instructions with a reputable third-party antivirus software vendor before implementing the recommendations. Usually, these hoax messages instruct the reader to delete key system files or download Trojan horse viruses. Social engineering relies on the trusting nature of individuals to take an action or allow an unauthorized action.
Which of the following social engineering attacks use Voice over IP (VoIP) to gain sensitive information? A. Spear phishing B. Vishing C. Tailgating D. Masquerading
B. Vishing Vishing is a social engineering attack that uses Voice over IP (VoIP) to gain sensitive information. The term is a combination of voice and phishing. In spear phishing, attackers gather information about the victim, such as identifying which online banks they use. They then send phishing emails for the specific bank. Masquerading refers to convincing personnel to grant access to sensitive information or protected systems by pretending to be someone who is authorized and/or requires that access. Tailgating refers to an attacker entering a secured building by following an authorized employee without their consent.
You need to enumerate the devices on your network and display the network's configuration details. Which of the following utilities should you use? A. neotrace B. nmap C. samspade D. nslookup
B. nmap Nmap is an open-source security scanner used for network enumeration and for creating network maps. Nmap sends specially crafted packets to the target host and then analyzes the responses to create the map. Use neotrace or traceroute to trace the devices in a network path between two hosts. Use samspade to identify the source of spam emails. Use nslookup to submit name resolution requests to identify DNS name servers and IP addresses for hosts.
Which of the following is not a protection against session hijacking? A. Time stamps B. Packet sequencing C. DHCP reservations D. Anti-IP spoofing
C. DHCP reservations DHCP reservations are not a protection against session hijacking. If a valid MAC address can be discovered, then an IP address is handed out freely to the spoofed client by the DHCP server. Packet sequencing and time stamps prevent session hijacking by disallowing packets that are out of order or have expired. Anti-IP spoofing checks the identity of the host before allowing communication to occur, even if the IP address is known.
Match the malicious interference type (number) with the appropriate characteristic (letter). (1)Spark Jamming | (2)Random Noise Jamming | (3)Random Pulse Jamming A. Produces RF signals using random amplitudes and frequencies B. Repeatedly blasts receiving equipment with high-intensity, short-duration RF bursts at a rapid pace C. Uses radio signal pulses of random amplitude and frequency
1B, 2A, 3C Some interference is malicious in nature, designed to disrupt wireless network communications. Malicious interference is sometimes referred to as jamming. In a jamming attack, a transmitter is tuned to the same frequency as a wireless network and uses the same type of modulation. The jamming signal overrides the legitimate wireless network radio signals at the receiving devices. The following list describes different types of jamming signals that can be used to disrupt a Wi-Fi network: • Spark jamming is the most effective type of Wi-Fi interference attack. It repeatedly blasts receiving equipment with high-intensity, short-duration RF bursts at a rapid pace. Experienced RF signal technicians can usually identify this type of attack quickly because of the regular nature of the signal. • Random noise jamming produces radio signals using random amplitudes and frequencies. While not as effective as a spark attack, the random noise attack is harder to identify due to the intermittent jamming it produces and the random nature of the interference. In fact, this type of signal is frequently mistaken for normal background radio noise that occurs naturally. • Random pulse jamming uses radio signal pulses of random amplitude and frequency to interfere with a Wi-Fi network.
Identify and label the following attacks by matching the term (number) with the definition (letter). (1)Masquerading | (2)Whaling | (3)Vishing | (4)Spear phishing | (5)Scarcity A. Attackers use Voice over IP (VoIP) to pretend to be from a trusted organization and ask victims to verify personal information or send money. B. An attacker convinces personnel to grant access to sensitive information or protected systems by pretending to be someone who is authorized and/or requires that access. C. Attackers send emails with specific information about the victim (such as which online banks they use) that ask them to verify personal information or send money. D. Attackers attempt to make the person believe that if they don't act quickly, they will miss out on an item, opportunity or experience. E. An attacker pretending to be from a trusted organization sends emails to senior executives and high-profile personnel asking them to verify personal information or send money.
1B, 2E, 3A, 4C, 5D Masquerading is convincing personnel to grant access to sensitive information or protected systems by pretending to be someone who is authorized and/or requires that access. Masquerading is passive when compared to impersonating. Urgency is an active social engineering technique that attempts to make people believe they must act quickly to avoid imminent damage or suffering. Scarcity is an active social engineering technique that attempts to make people believe that if they don't act quickly, they will miss out on an item, opportunity or experience. Tailgating refers to an attacker who enters a secured building by following an authorized employee through a secure door without providing identification. Piggybacking usually implies consent of an authorized employee, whereas tailgating implies no such consent. Phishing is an email pretending to be from a trusted organization that asks the receiver to verify personal information or send money. Whaling is another form of phishing that targets senior executives and high-profile victims. Vishing is similar to phishing, but instead of an email, the attacker uses Voice over IP (VoIP) to gain sensitive information. Spear phishing is an attack that uses specific information about the victim, such as identifying which online banks they use.
Match the social engineering description (number) with the appropriate attack type (letter). (1)Phishing | (2)Whaling | (3)Spear phishing | (4)Dumpster diving | (5)Piggybacking | (6)Vishing A. An attacker gathers personal information about the target individual in an organization. B. An attacker searches through an organization's trash looking for sensitive information. C. An attacker pretending to be from a trusted organization sends an email asking users to access a website to verify personal information. D. An attacker enters a secured building by following an authorized employee through a secure door without providing identification. E. An attacker gathers personal information about the target individual, who is a CEO. F. An attacker uses a telephone to convince target individuals to reveal their credit card information.
1C, 2E, 3A, 4B, 5D, 6F • Phishing: a scam in which an email pretending to be from a trusted organization asks receivers to verify personal information or send money. In a phishing attack, a fraudulent message (which appears to be legitimate) is sent to a target. The message requests that the target visit a fraudulent website (which also appears to be legitimate). Graphics, links, and websites look almost identical to the legitimate requests and web sites they are trying to represent. The fraudulent website requests that the victim provide sensitive information, such as the account number and password. • Whaling: targets senior executives and high-profile victims. • Spear phishing: an attacker tries to gain access to information that will allow the attacker to gain commercial advantage or commit fraud. Spear phishing frequently involves sending seemingly genuine emails to all employees or members of specific teams. • Dumpster diving: the process of looking in the trash for sensitive information that has not been properly disposed of. • Tailgating and piggybacking: an attacker enters a secured building by following an authorized employee through a secure door without providing identification. Piggybacking usually implies the authorized employee's consent; tailgating implies no consent. • Vishing: exploits VoIP telephone services.
Which of the following describes a logic bomb? A. A program that performs a malicious activity at a specific time or after a triggering event. B. A program that appears to be a legitimate application, utility, game, or screensaver and performs malicious activities surreptitiously. C. A type of malicious code similar to a virus whose primary purpose is to duplicate itself and spread, while not necessarily intentionally damaging or destroying resources. D. A program that has no useful purpose, but attempts to spread itself to other systems and often damages resources on the systems where it is found.
A. A program that performs a malicious activity at a specific time or after a triggering event. A logic bomb is a program that performs a malicious activity at a specific time or after a triggering event. Logic bombs can be planted by a virus, a Trojan horse, or an intruder. Logic bombs may perform their malicious activity at a specific time and date or when a specific event occurs on the system, such as logging in, accessing an online bank account, or encrypting a file. A type of malicious code similar to a virus whose primary purpose is to duplicate itself and spread while not necessarily intentionally damaging or destroying resources is a worm. A program that appears to be a legitimate application, utility, game, or screensaver that performs malicious activities surreptitiously is a Trojan horse. A program that has no useful purpose but attempts to spread itself to other systems and often damages resources on the systems where it is found is a virus.
Which of the following is an example of an internal threat? A. A user accidentally deletes the new product designs. B. A delivery man is able to walk into a controlled area and steal a laptop. C. A server back door allows an attacker on the internet to gain access to the intranet site. D. A water pipe in the server room breaks.
A. A user accidentally deletes the new product designs. Internal threats are intentional or accidental acts by employees, including: • Malicious acts such as theft, fraud, or sabotage • Intentional or unintentional actions that destroy or alter data • Disclosing sensitive information by snooping or espionage External threats are events that originate outside of the organization. They typically focus on compromising the organization's information assets. Examples of external threats include hackers, fraud perpetrators, and viruses. Natural events are events that may reasonably be expected to occur over time, such as a fire or a broken water pipe.
A SYN attack or SYN flood exploits or alters which element of the TCP three-way handshake? A. ACK B. SYN C. FIN or RES D. SYN/ACK
A. ACK A SYN attack or SYN flood exploits or attacks the ACK packet of the TCP three-way handshake. By not sending the final ACK packet, the server holds open an incomplete session, consuming system resources. If the attacker can cause the server to open numerous sessions in this manner, all system resources are consumed, and no legitimate connections are established. A SYN attack or SYN flood must send the initial SYN packet with no malicious content, other than the possibility of spoofing the source address to hide the attacker's identity or location. The SYN/ACK packet is sent by the server; therefore, the attacker cannot modify or alter this element of the handshake. The FIN or RES packet is not part of the handshake or part of the SYN flood or SYN attack process. These packets are often used legitimately to end communication sessions. However, they can be used in other forms of attack to disable communications maliciously.
Which of the following statements about the use of anti-virus software is correct? A. Anti-virus software should be configured to download updated virus definition files as soon as they become available. B. If you install anti-virus software, you no longer need a firewall on your network. C. Once installed, anti-virus software needs to be updated on a monthly basis. D. If servers on a network have anti-virus software installed, workstations do not need anti-virus software installed.
A. Anti-virus software should be configured to download updated virus definition files as soon as they become available. Anti-virus software is only effective against new viruses if it has the latest virus definition files installed. You should configure your anti-virus software to automatically download updated virus definition files as soon as they become available. Anti-virus software needs to be updated with virus definition files as soon as they become available, not on a monthly basis. All systems on a network, regardless of whether they are workstations or servers, should have anti-virus software installed on them. An anti-virus solution is not a substitute for a firewall. Firewalls examine network traffic to prevent network-based attacks.
What is another name for a logic bomb? A. Asynchronous attack B. Trojan horse C. DNS poisoning D. Pseudo flaw
A. Asynchronous attack A logic bomb is a specific example of an asynchronous attack. An asynchronous attack is a form of malicious attack where actions taken at one time do not cause their intended, albeit negative, action until a later time. A pseudo flaw is a form of IDS that detects when an intruder attempts to perform a common but potentially dangerous administrative task. DNS poisoning is the act of inserting incorrect domain name or IP address mapping information into a DNS server or a client's cache. A Trojan horse is any malicious code embedded inside of a seemingly benign carrier. None of these three terms is a synonym for logic bomb.
What are the most common network traffic packets captured and used in a replay attack? A. Authentication B. DNS query C. Session termination D. File transfer
A. Authentication Authentication traffic is the most commonly captured type of network traffic packets in replay attacks. If someone is able to replay the stream of authentication packets successfully, they can gain the same access to the system or network as the original user. Fortunately, many authentication security systems include time stamps or dynamic challenge response mechanisms to prevent authentication packets from being replayed.
You are concerned that wireless access points may have been deployed within your organization without authorization. What should you do? (Select two. Each response is a complete solution.) A. Check the MAC addresses of devices connected to your wired switch B. Implement an intrusion detection system (IDS) C. Conduct a site survey D. Implement an intrusion prevention system (IPS) E. Implement a network access control (NAC) solution
A. Check the MAC addresses of devices connected to your wired switch C. Conduct a site survey A rogue host is an unauthorized system that has connected to a wireless network. It could be an unauthorized wireless device, or even an unauthorized wireless access point that someone connected without permission to a wired network jack. Rogue hosts could be benign in nature, or they could be malicious. Either way, rogue hosts on your wireless network could represent a security risk and should be detected and removed if necessary. Four commonly used techniques for detecting rogue hosts include: • Using site survey tools to identify hosts and APs on the wireless network • Checking connected MAC addresses to identify unauthorized hosts • Conducting an RF noise analysis to detect a malicious rogue AP that is using jamming to force wireless clients to connect to it instead of legitimate APs • Analyzing wireless traffic to identify rogue hosts Using an IDS or an IPS would not be effective, as these devices are designed to protect networks from perimeter attacks, and rogue APs are internal threats. A NAC solution can be used to remediate clients that connect to the network, but it can't be used to detect a rogue AP.
Which of the following is not a form of social engineering? A. Impersonating a user by logging on with stolen credentials B. Impersonating a manager over the phone C. A virus hoax email message D. Impersonating a utility repair technician
A. Impersonating a user by logging on with stolen credentials Impersonating a user by logging on with stolen credentials is not a social engineering attack. It is an intrusion attack made possible by network packet capturing or by obtaining logon credentials through social engineering. Impersonating someone over the phone or in person is an easily recognizable form of social engineering. A virus hoax email message is also a form of social engineering because it attacks people by exploiting the common weaknesses of fear and ignorance.
Which of the following are characteristics of a Rootkit? (Select two) A. Hides itself from detection B. Uses cookies saved on the hard drive to track user preferences C. Requires administrator-level privileges for installation D. Monitors user actions and opens pop-ups based on user preferences
A. Hides itself from detection C. Requires administrator-level privileges for installation A rootkit is a set of programs that allows attackers to maintain hidden, permanent, administrator-level access to a computer. A rootkit: • Is almost invisible software • Resides below regular antivirus software detection • Requires administrator privileges for installation, then maintains those privileges to allow subsequent access • Might not be malicious • Often replaces operating system files with alternate versions that allow hidden access Spyware collects various types of personal information, such as internet surfing habits and passwords, and sends the information back to its originating source. Adware monitors actions that denote personal preferences, then sends pop-ups and ads that match those preferences. Both spyware and adware can use cookies to collect and report a user's activities.
When the TCP/IP session state is manipulated so that a third party is able to insert alternate packets into the communication stream, what type of attack has occurred? A. Hijacking B. Spamming C. Replay D. Masquerading
A. Hijacking A hijacking attack is one where the TCP/IP session state is manipulated so that a third party is able to insert alternate packets into the communication stream. Session hijacking has become difficult to accomplish due to the use of time stamps and randomized packet sequencing rules employed by modern operating systems.
Which of the following is the most effective protection against IP packet spoofing on a private network? A. Ingress and egress filters B. Antivirus scanners C. Digital signatures D. Host-based IDS
A. Ingress and egress filters Ingress and egress filters are the most effective protection against IP packet spoofing. Ingress filters examine packets coming into the network, while egress filters examine packets going out of the network. These filters examine packets based on rules that identify any spoofed packets. Any packet suspected of being spoofed on its way into or out of your network is dropped. Antivirus scanners are useful against viruses. Host-based IDSs are good at detecting host intrusions and security violations. Digital signatures are used to provide a recipient with proof of non-repudiation and integrity of communications.
A user calls to report that she is experiencing intermittent problems while accessing the wireless network from her laptop computer. While she normally works from her office, today she is trying to access the wireless network from a conference room across the hall and next to the elevator. What is the most likely cause of her connectivity problem? A. Interference is affecting the wireless signal. B. MAC filtering is preventing the computer from connecting. C. The user has not yet rebooted her laptop computer while at her new location. D. SSID broadcast has been disabled. E. The client computer is using the wrong channel number.
A. Interference is affecting the wireless signal. In this scenario, interference from the elevator motor is the most likely cause. Cordless phones and motors can generate interference that affects wireless signals. Interference is a common cause of intermittent problems. Windows clients automatically detect the channel to use. If the SSID had changed or MAC filtering were preventing access, the computer would not be able to connect at all, even from her office.
Which of the following best describes spyware? A. It monitors the actions you take on your machine and sends the information back to its originating source. B. It is a malicious program disguised as legitimate software. C. It is a program that attempts to damage a computer system and replicate itself to other computer systems. D. It monitors user actions that denote personal preferences, then sends pop-ups and ads to the user that match their tastes.
A. It monitors the actions you take on your machine and sends the information back to its originating source. Spyware monitors the actions you take on your machine and sends the information back to its originating source. Adware monitors the actions of the user that denote their personal preferences, then sends pop-ups and ads to the user that match their tastes. A virus is a program that attempts to damage a computer system and replicate itself to other computer systems. A Trojan horse is a malicious program disguised as legitimate software.
You install a new Linux distribution on a server in your network. The distribution includes an SMTP daemon that is enabled by default when the system boots. The SMTP daemon does not require authentication to send email messages. Which type of email attack is this server susceptible to? A. Open SMTP relay B. Phishing C. Sniffing D. Viruses
A. Open SMTP relay An SMTP relay is an email server that accepts mail and forwards it to other mail servers. An open SMTP relay allows anyone to forward mail. If your mail server is an open SMTP relay, spammers can use it to send mail. Spammers use your relay to obscure the actual source of the email. If spammers use your relay for sending mail, your server will soon be placed on a blacklist. Other mail servers will then stop receiving any mail (even legitimate mail) sent from your servers. As a best practice: • Configure your mail server to accept mail only from authenticated users or specific email servers that you authorize. • Require TLS encryption to connect to the server. A phishing scam uses an email pretending to be from a trusted organization that asks you to verify personal information or send money. Sniffing occurs when a user captures packets from the network and inspects their contents. Viruses are types of malware that spread by infecting legitimate files on a computer system and are sometimes sent as email attachments.
Which of the following is most vulnerable to a brute force attack? A. Password authentication B. Biometric authentication C. Two-factor authentication D. Challenge-response token authentication
A. Password authentication Password authentication is the most vulnerable to a brute force attack. The brute force attack itself may take a considerable amount of time, especially if the attack is against a single user account or online login prompt rather than a localized copy of a security accounts database. However, once the attack is complete, the attacker has all they need to log in to the secured system.
Which of the following denial of service (DoS) attacks uses ICMP packets and is only successful if the victim has less bandwidth than the attacker? A. Ping flood B. Ping of death C. Fragmentation D. LAND
A. Ping flood A ping flood is where the attacker overwhelms the victim with ICMP Echo Request (ping) packets. In a ping flood, the attack succeeds only if the attacker has more bandwidth than the victim. The ping-of-death attack (also known as a long ICMP attack) uses the Ping program to send oversized ICMP packets. A LAND attack floods the victim's system with packets that have forged headers. Fragmentation attacks contaminate IP packet fragments that infiltrate the system.
An attacker has obtained the logon credentials for a regular user on your network. Which type of security threat exists if this user account is used to perform administrative functions? A. Privilege escalation B. Impersonation C. Social engineering D. Replay
A. Privilege escalation Privilege escalation allows a user to take advantage of a software bug or design flaw in an application to gain access to system resources or additional privileges that are typically not available to normal users. Examples of privilege escalation include: • A user accessing a system with a regular user account who is able to access functions reserved for higher-level user accounts (such as administrative features). • A user who is able to access content that should be accessible only to a different user. • A user who should have only administrative access being able to access content that should only be accessible to a regular user. Note: Privilege escalation does not occur when a user is able to steal or hack administrator credentials and is, therefore, able to access administrative functions. Privilege escalation refers to accessing features with an account that normally should not have access to those features.
Which of the following is a characteristic of a virus? A. Requires an activation mechanism to run. B. Capable of replicating itself. C. Requires administrative privileges to install. D. Is remotely controlled by a central command.
A. Requires an activation mechanism to run. A virus has the following characteristics: • A virus requires a replication mechanism, which is a file that it uses as a host. When the host file is distributed, the virus is also distributed. Viruses typically attach to files with execution capabilities such as .doc, .exe, and .bat extensions. Many viruses are distributed to everyone in your email address book. • The virus only replicates when an activation mechanism is triggered. For example, each time the infected file or program is executed, the virus is activated. • The virus is programmed with an objective, which is usually to destroy, compromise, or corrupt data. A worm is a self-replicating virus. A zombie or bot is a computer that is remotely controlled for malicious activities. A rootkit is malicious software that requires administrative privileges for installation.
Which of the following is undetectable software that allows administrator-level access? A. Rootkit B. Spyware C. Worm D. Logic bomb E. Trojan Horse
A. Rootkit A rootkit is a set of programs that allows attackers to maintain permanent, administrator-level, hidden access to a computer. A rootkit: • Is almost invisible software • Resides below regular antivirus software detection • Requires administrator privileges for installation, then maintains those privileges to allow subsequent access • Might not be malicious • Often replaces operating system files with alternate versions that allow hidden access A worm is a self-replicating virus. A Trojan horse is a malicious program that is disguised as legitimate or desirable software. A logic bomb is designed to execute only under predefined conditions and lies dormant until the predefined condition is met. Spyware is software that is installed without the user's consent or knowledge and is designed to intercept or take partial control over the user's interaction with the computer.
Which of the following is a denial of service attack that: • Subverts the TCP three-way handshake process by attempting to open numerous sessions on a victim server • Intentionally fails to complete the session by not sending the final required packet A. SYN flood B. Teardrop C. Ping of death D. Session hijacking
A. SYN flood A SYN attack or a SYN flood is a form of denial of service attack that subverts the TCP three-way handshake process by attempting to open numerous sessions on a victim server but intentionally fails to complete the session by not sending the final required packet. A ping of death sends an ICMP packet that is larger than 65,536 bytes. Session hijacking is the act of taking over a logon session from a legitimate client, impersonating the user and taking advantage of their established communication link. The teardrop attack uses partial IP packets with overlapping sequence numbers.
You have installed anti-virus software on the computers on your network. You update the definition and engine files and configure the software to update those files every day. What else should you do to protect your systems from malware? (Select two.) A. Schedule regular full system scans B. Enable account lockout C. Enable chassis intrusion detection D. Disable UAC E. Educate users about malware
A. Schedule regular full system scans E. Educate users about malware You should schedule regular full system scans to look for any malware. In addition, educate users about the dangers of downloading software and the importance of anti-malware protections. You should enable User Account Control (UAC) to prevent unauthorized administrative changes to your system. Use Account Lockout to help protect your system from hackers trying to guess passwords. Use chassis intrusion detection to identify when the system case has been opened.
Which of the following are denial of service attacks? (Select two.) A. Smurf B. Fraggle C. Hijacking D. Salami
A. Smurf B. Fraggle Smurf and Fraggle attacks are both denial of service attacks. A Smurf attack spoofs the source address in ICMP packets and sends the ICMP packets to an amplification network (bounce site). The bounce site responds to the victim site with thousands of messages that it did not send. A Fraggle attack is similar to a Smurf attack, but uses UDP packets directed to port 7 (echo) and port 19 (chargen - character generation). A salami attack is not a denial of service attack. A salami attack is when a small amount of information, data, or valuables is taken over a period of time. The result is to construct or obtain data or property of great value. A common example of a salami attack is to deposit the fractions of cents from an accounting program into a numbered account. Eventually, the fractional deposits total a significant sum. Hijacking is an attack directed at authentication. Hijacking is stealing an open and active communication session from a legitimate user (an extension of a man-in-the-middle attack). The attacker takes over the session and cuts off the original source device.
Which of the following common network monitoring or diagnostic activities can be used as a passive malicious attack? A. Sniffing B. Denial of service C. Packet capture, edit, and re-transmission D. Logic bombs
A. Sniffing Sniffing is a common network monitoring or diagnostic activity that can be used as a passive malicious attack. Sniffing is considered passive because it simply duplicates the packets it sees on the communication medium without altering or interfering with traffic flow. When performed properly, it is impossible to detect true passive sniffing on a network. Denial of service and logic bombs are not common network monitoring and diagnostic activities, nor are they passive. Packet capture, edit, and retransmission can be a form of network monitoring and diagnostic activity, and a malicious attack, but it is not a passive activity.
What is modified in the most common form of spoofing on a typical IP packet? A. Source address B. Destination address C. Protocol type field value D. Hash total
A. Source address The most common form of spoofing on a typical IP packet is modification of the source address. In this way, the correct source device address is hidden. Modification of the destination address would be pointless because the packets would not be sent to the intended victim or target. Modification of the protocol type field value is not typical, but doing so would cause the recipient to process the contents of the packet under different protocol rules than those the actual contents should be processed under, such as processing the packet as a UDP packet when it is actually an IGMP packet. Modification of the hash total would cause the packet to be dropped when it reached its destination because the target's computation of the hash would not match the stated hash in the header. This indicates that the packet's integrity was compromised.
Which type of malicious activity can be described as numerous unwanted and unsolicited email messages sent to a wide range of victims? A. Spamming B. Trojan horse C. Hijacking D. Brute force
A. Spamming Spamming is a type of malicious activity that can be described as numerous unwanted and unsolicited email messages being sent to a wide range of victims. Spam itself is not usually malicious in nature. More often than not, it is advertising for some product or service. Unfortunately, spam accounts for 40 to 60 percent of the email traffic on the internet. Most of this activity is unsolicited.
Which type of virus conceals its presence by intercepting system requests and altering service outputs? A. Stealth B. Retro C. Slow D. Polymorphic
A. Stealth Stealth viruses reside in low-level system service functions where they intercept system requests and alter service outputs to conceal their presence. The term rootkit is often used to describe a malicious program that can hide itself and prevent its removal from the system. A polymorphic virus mutates while keeping the original algorithm intact. A slow virus counters the ability of antivirus programs to detect changes in infected files. A retro virus tries to destroy virus countermeasures by deleting key files that antivirus programs use.
Which of the following is the main difference between a DoS attack and a DDoS attack? A. The DDoS attack uses zombie computers. B. The DDoS attack does not respond to SYN ACK packets in the three-way handshake process. C. The DDoS attack spoofs the source IP address. D. The DDoS attack uses an amplification network.
A. The DDoS attack uses zombie computers. The term denial of service (DoS) is a generic term that includes many types of attacks. In a DoS attack, a single attacker directs an attack at a single target, sending packets directly to the target. In a distributed DoS attack (DDoS), multiple PCs attack a victim simultaneously. DDoS compromises a series of computers by scanning computers to find vulnerabilities and capitalizing on the most vulnerable systems. In a DDoS attack: • The attacker identifies one of the computers as the master (also known as the zombie master or bot herder). • The master uses zombies/bots (compromised machines) to attack. • The master directs the zombies to attack the same target. A distributed reflective denial of service (DRDoS) uses an amplification network to increase the severity of the attack. Packets are sent to the amplification network addressed as coming from the target. The amplification network responds back to the target system. Spoofed source addresses can be used with both DoS and DDoS attacks. A SYN flood is a form of DoS attack that does not complete the three-way handshake process. DDoS and even DRDoS attacks could use this method to overload the target system.
You suspect that an Xmas tree attack is occurring on a system. Which of the following could result if you do not stop the attack? (Select two.) A. The system will be unavailable to respond to legitimate requests. B. The threat agent will obtain information about open ports on the system. C. The system will send packets directed with spoofed source addresses. D. The system will become a zombie.
A. The system will be unavailable to respond to legitimate requests. B. The threat agent will obtain information about open ports on the system. A Christmas (Xmas) tree attack (also known as a Christmas tree scan, nastygram, kamikaze, or lamp test segment) conducts reconnaissance by scanning for open ports. It also conducts a DoS attack if sent in large amounts. • When it is sent to a target host, the TCP header of a Christmas tree packet has the flags FIN, URG, and PSH. By default, closed ports on the host are required to reply with a TCP connection reset flag (RST). Open ports must ignore the packets, informing the attacker which ports are open. • Christmas tree packets require much more processing by network devices compared to typical packets, producing DoS attacks when large amounts are sent to the target host. A Fraggle attack sends a large amount of UDP packets with spoofed source addresses. A Distributed DoS (DDoS) attack compromises many computers and turns them into zombies for a concentrated attack.
If your anti-virus software does not detect and remove a virus, what should you try first? A. Update your virus detection software. B. Scan the computer using another virus detection program. C. Search for and delete the file you believe to be infected. D. Set the read-only attribute of the file you believe to be infected.
A. Update your virus detection software. Virus detection software can search only for viruses listed in its known viruses data file. An outdated file can prevent the virus detection software from recognizing a new virus.
You've just deployed a new Cisco router that connects several network segments in your organization. The router is physically located in a server room that requires an ID card to gain access. You've backed up the router configuration to a remote location in an encrypted file. You access the router configuration interface from your notebook computer by connecting it to the console port on the router. You configured the management interface with a user name of admin and a password of password. What should you do to increase the security of this device? A. Use a stronger administrative password. B. Move the device to a secure data center. C. Use an SSH client to access the router configuration. D. Use a web browser to access the router configuration using an HTTP connection.
A. Use a stronger administrative password. In this scenario, the password assigned to the device is weak and easily guessed. It should be replaced with a strong password that is at least eight characters long, uses upper- and lowercase letters, and uses numbers or symbols. Using HTTP to manage the router configuration could expose sensitive information to sniffers, as it transmits data in cleartext. Using the console port to access the device creates a dedicated connection, making the use of SSH unnecessary. Because the device has been installed in a secured room, it is not necessary to move it to a data center.
What is the common name for a program that has no useful purpose, but attempts to spread itself to other systems and often damages resources on the systems where it is found? A. Virus B. Trojan horse C. Java applet D. Windows Messenger
A. Virus A virus is the common name for a program that has no useful purpose, but attempts to spread itself to other systems and often damages resources on the systems where it is found. Viruses are a serious threat to computer systems, especially if they are connected to the internet. It is often a minimal requirement to have an antivirus scanner installed on every machine of a secured network to protect against viruses. Trojan horses are programs that claim to serve a useful purpose but hide a malicious purpose or activity. Windows Messenger is an instant message chat utility. Java applets are web applications that operate within a security sandbox.
A collection of zombie computers has been set up to collect personal information. What type of malware do the zombie computers represent? A. Logic bomb B. Botnet C. Spyware D. Trojan Horse
B. Botnet A botnet is a collection of zombie computers that are commanded from a central control infrastructure and used to propagate spam or to collect usernames and passwords to access secure information. A logic bomb is malware that lies dormant until triggered. A Trojan horse is a malicious program that is disguised as legitimate software. Spyware monitors the actions performed on a machine and then sends the information back to its originating source.
An attacker uses an exploit to push a modified hosts file to client systems. This hosts file redirects traffic from legitimate tax preparation sites to malicious sites to gather personal and financial information. What kind of exploit has been used in this scenario? (Choose two. Both responses are different names for the same exploit.) A. Domain name kiting B. DNS poisoning C. Reconnaissance D. Pharming E. Man-in-the-middle
B. DNS poisoning D. Pharming DNS poisoning (also known as DNS cache poisoning) occurs when a name server receives malicious or misleading data that incorrectly maps host names to IP addresses. In a DNS poisoning attack: • Incorrect DNS data is introduced into the cache of a recursive DNS server. • The incorrect mapping is handed to every client that queries that server. Pharming is any attack that redirects a website's traffic to another, fake site; it can be carried out server-side through DNS poisoning or client-side by altering the hosts file on the victim's computer, which is consulted before DNS. Strictly speaking, the hosts-file variant in this scenario never touches a name server, but the exam treats both as the same redirection exploit. Reconnaissance is used to gather information for an attack; in a DNS context the goal is to obtain records that reveal computer names and IP addresses in a network. Domain name kiting occurs when spammers exploit the five-day grace period for a newly registered domain name: they register domains, drop them just before the grace period ends, and immediately re-register them, so they never pay. Man-in-the-middle attacks intercept information passing between two communication partners.
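The hosts-file pharming described above leaves a very simple artifact on the victim: static name-to-address lines that should not be there. The following audit script is an added example (not part of the original study set); it parses a constructed hosts file, skips the normal loopback entries, and flags mappings for a hypothetical watchlist of high-value domains as well as the classic pharming pattern of several domains funnelled to one address. The sample file, the watchlist and the reason codes are all assumptions for the demo.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of a tampered hosts file (illustrative text, not a real capture).
SAMPLE_HOSTS = """\
# localhost name resolution is handled within DNS itself.
127.0.0.1       localhost
::1             localhost
198.51.100.23   www.example-tax.test example-tax.test    # added by the attacker
198.51.100.23   login.example-bank.test
10.0.0.5        intranet.corp.test
"""

# Hypothetical watchlist: domains whose override would be worth an alert.
WATCHLIST = {"example-tax.test", "example-bank.test"}
# Names that legitimately map to loopback on a stock system.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                                # malformed line, ignore
        for name in fields[1:]:
            yield line_no, ip, name.lower()


def registered_domain(name):
    """Naive registrable domain (last two labels); real code should use the Public Suffix List."""
    return ".".join(name.split(".")[-2:])


def audit_hosts(text, watchlist=WATCHLIST):
    """Return one finding per suspicious mapping, each with the reasons it was flagged."""
    entries = list(parse_hosts(text))

    # Pharming usually funnels several sites to one attacker host, so count
    # how many distinct domains each non-loopback address receives.
    sinks = defaultdict(set)
    for _, ip, name in entries:
        if not ip.is_loopback:
            sinks[ip].add(registered_domain(name))

    findings = []
    for line_no, ip, name in entries:
        if ip.is_loopback and name in LOCAL_NAMES:
            continue                                # expected stock entries
        reasons = []
        if registered_domain(name) in watchlist:
            reasons.append("watchlisted_domain_overridden")
        if not ip.is_loopback:
            reasons.append("static_mapping_bypasses_dns")
        if len(sinks.get(ip, ())) >= 2:
            reasons.append("multiple_domains_to_one_ip")
        if reasons:
            findings.append({"line": line_no, "name": name,
                             "ip": str(ip), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['name']} -> {f['ip']}  ({', '.join(f['reasons'])})")
```

The intranet line is reported too, with only the "bypasses DNS" reason: on an endpoint, any non-loopback hosts entry deserves a look, but the watchlist hit combined with several domains sharing one address is what distinguishes pharming from an administrator's convenience entry.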
Which of the following is the best protection to prevent attacks on mobile phones through the Bluetooth protocol? A. Set the phone to non-discoverable mode B. Disable Bluetooth on the phone C. Add a user account and strong password for Bluetooth access D. Apply the latest patches and updates
B. Disable Bluetooth on the phone The best method to protect against Bluetooth attacks is to disable Bluetooth on the device. If Bluetooth is required, then configure the device for non-discoverable mode. Applying the latest patches and updates also ensures that the device is protected against known vulnerabilities for which patches exist.
What is the goal of a TCP/IP hijacking attack? A. Destroying data. B. Executing commands or accessing resources on a system the attacker does not otherwise have authorization to access. C. Preventing legitimate authorized access to a resource. D. Establishing an encryption tunnel between two remote systems over an otherwise secured network.
B. Executing commands or accessing resources on a system the attacker does not otherwise have authorization to access. The goal of a TCP/IP hijacking attack is to execute commands or access resources on a system the attacker does not otherwise have authorization to access. When an attacker successfully performs TCP/IP hijacking, they take over control of the hijacked communication session. Whatever access the original user had, the attacker can now exploit. However, the attack only grants access within the confines of the hijacked session. Just because a hacker gains the victim's access to a server, it does not automatically grant the attacker the victim's access to a different server. A virus's goal is often to destroy data. A denial of service attack's goal is often to prevent legitimate access to a resource. An internal VPN's goal is often to establish an encryption tunnel between two remote systems over an otherwise secured network.
What is the primary distinguishing characteristic between a worm and a logic bomb? A. Masquerades as a useful program B. Self-replication C. Spreads via email D. Incidental damage to resources
B. Self-replication The primary distinguishing characteristic between a worm and a logic bomb is self-replication. Worms are designed to replicate and spread as quickly and as broadly as possible. Logic bombs do not self-replicate. They are designed for a specific single system or type of system. Once planted on a system, it remains there until it is triggered. Both worms and logic bombs can be spread via email, and both may cause incidental damage to resources. While either may be brought into a system as a parasite on a legitimate program or file or as the payload of a Trojan horse, the worm or logic bomb itself does not masquerade as a useful program.
Which of the following is a form of denial of service attack that uses spoofed ICMP packets to flood a victim with echo requests using a bounce/amplification network? A. Fraggle B. Smurf C. Fingerprinting D. Session hijacking
B. Smurf Smurf is a denial of service attack that sends ICMP echo requests with a spoofed source address (the victim's) to the broadcast address of a bounce/amplification network; every host on that network replies to the victim, multiplying the attacker's traffic. A fraggle attack works the same way with UDP echo (port 7) packets instead of ICMP. Fingerprinting is the act of identifying an operating system or network service from protocol quirks, such as how it quotes the original datagram in ICMP error messages. Session hijacking is the act of taking over a login session from a legitimate client, impersonating the user and taking advantage of their established communication link.
An attacker sends an unwanted and unsolicited email message to multiple recipients with an attachment that contains malware. What kind of attack has occurred in this scenario? A. Phishing B. Spam C. Repudiation attack D. Open SMTP relay
B. Spam Spam is unwanted and unsolicited email sent to many recipients. Spam: • Can be benign, such as emails trying to sell products. • Can be malicious, such as emails containing phishing content, drive by downloads, or malware. • Can contain malware as attachments. • Wastes bandwidth and could fill the inbox, resulting in a denial of service condition. An open SMTP relay allows anyone to forward mail. An open SMTP relay can be used by spammers to send mail. A phishing scam is an email pretending to be from a trusted organization, asking the recipient to verify personal information or send money. In a repudiation attack, the attacker accesses your email server and sends spoofed emails to others, making them appear as if they came from you.
Which is a program that appears to be a legitimate application, utility, game, or screensaver and performs malicious activities surreptitiously? A. Worm B. Trojan Horse C. ActiveX Control D. Outlook Express
B. Trojan Horse A Trojan horse is a program that appears to be a legitimate application, utility, game, or screensaver, but performs malicious activities surreptitiously. Trojan horses are very common on the internet. To keep your systems secure and free from such malicious code, you need to take extreme caution when downloading any type of file from just about any site on the internet. If you don't fully trust the site or service that is offering a file, don't download it. Outlook Express is an email client found on Windows. A worm is a type of malicious code similar to a virus. A worm's primary purpose is to duplicate itself and spread, while not necessarily intentionally damaging or destroying resources. ActiveX controls are web applications written in the framework of ActiveX.
You've just received an email message explaining that a new and serious malicious code threat is ravaging across the internet. The message contains detailed information about the threat, its source code, and the damage it can inflict. The message states that you can easily detect whether or not you have already been a victim of this threat by the presence of three files in the \Windows\System32 folder. As a countermeasure, the message suggests that you delete these three files from your system. In response to this message, which action should you take first? A. Delete the indicated files if present B. Verify the information on well-known malicious code threat management websites C. Reboot the system D. Perform a complete system backup E. Distribute the message to everyone in your address book
B. Verify the information on well-known malicious code threat management websites The best first step to take after receiving an email message about a new malicious code threat is to verify the information it contains. You can easily verify information by visiting two or more well-known malicious code threat management websites. These sites can be your anti-virus vendor or a well-known and well-regarded internet security watch group. All too often, messages of this type are hoaxes. It is important not to fall prey to email hoaxes or spread them to others. Your first step should not be to follow any directions included in the email, especially deleting files. You should never forward email warnings until you have firmly established the authenticity and validity of such information. Even then, it is not your responsibility to inform anyone about such a threat except for the security personnel in your organization. Let those responsible for such activities, such as anti-virus vendors or your security team, inform the general public. Making a full backup is often a good idea, but it is not necessary in this instance.
A senior executive reports that she received a suspicious email concerning a sensitive internal project that is behind production. The email was sent from someone she doesn't know, and he is asking for immediate clarification on several of the project's details so the project can get back on schedule. Which type of an attack best describes the scenario? A. Masquerading B. Whaling C. Passive D. MAC spoofing
B. Whaling Whaling is a social engineering attack that targets senior executives and high profile victims. Social engineering is an attack that exploits human nature by convincing someone to reveal information or perform an activity. Masquerading refers to convincing personnel to grant access to sensitive information or protected systems by pretending to be someone who is authorized and/or requires that access. Passive social engineering attacks take advantage of the unintentional actions of others to gather information or gain access to a secure facility. MAC spoofing is changing the source MAC address on frames sent by the attacker and can be used to hide the identity of the attacker's computer or impersonate another device on the network.
Which of the following describes a man-in-the-middle attack? A. An IP packet is constructed that is larger than the valid size. B. A person convinces an employee to reveal their login credentials over the phone . C. A false server intercepts communications from a client by impersonating the intended server. D. Malicious code is planted on a system, where it waits for a triggering event before activating.
C. A false server intercepts communications from a client by impersonating the intended server. A false server intercepting communications from a client by impersonating the intended server is a form of man-in-the-middle attack. Convincing an employee to reveal their logon credentials over the phone is an example of a social engineering attack. Constructing an IP packet that is larger than the valid size is a ping of death (a form of DoS); a land attack, by contrast, is a spoofed SYN whose source address equals the destination. Planting malicious code that waits for a triggering event before activating is a logic bomb.
While browsing the internet, you notice that the browser displays ads that are targeted towards recent keyword searches you have performed. What is this an example of? A. Zombie B. Worm C. Adware D.Logic bomb
C. Adware Adware monitors actions that reveal personal preferences, then serves pop-ups and ads that match those preferences. Adware: • Is usually passive • Is privacy-invasive software • Is installed on your machine by visiting a particular website or running an application • Is usually more annoying than harmful A logic bomb is designed to execute only under predefined conditions and lies dormant until that condition is met. A worm is self-replicating malware that spreads over the network without needing a host file. A zombie is a computer infected with malware that allows remote software updates and control by a command and control center operated by a zombie master.
Which of the following sends unsolicited business cards and messages to a Bluetooth device? A. Bluesnarfing B. Bluebugging C. Bluejacking D. Slamming
C. Bluejacking Bluejacking is a rather harmless practice that entails an unknown sender sending business cards anonymously to a Bluetooth recipient within a distance of 10-100 meters, depending on the class of the Bluetooth device. The business cards usually include a flirtatious message so the attacker can see a visual reaction from the recipient. Multiple messages are sent to the device if the attacker thinks there is a chance they will be added as a contact. Bluetooth devices are not susceptible to bluejacking if they are set to non-discoverable mode. Bluesnarfing is the use of a Bluetooth connection to gain unauthorized access to data on a phone, desktop, laptop, or PDA; it allows the attacker to read calendars, emails, text messages, and contact lists. Bluebugging gives an attacker access to all mobile phone commands that use Bluetooth technology, such as initiating phone calls, sending and receiving messages, eavesdropping, and reading and writing phone book contacts. Slamming entails unauthorized or fraudulent changes made to a subscriber's telephone service or DSL internet service.
What is spoofing? A. Spying into private information or communications B. Capturing network packets in order to examine the contents of communications C. Changing or falsifying information in order to mislead or re-direct traffic D. Sending a victim unwanted and unrequested email messages
C. Changing or falsifying information in order to mislead or re-direct traffic Spoofing is the act of changing or falsifying information in order to mislead or re-direct traffic. For example, an email-based spoofing attack forges the source address so that the message is difficult to trace back to its real origin. Other spoofing methods include Smurf and Fraggle. These attacks send ICMP or UDP echo requests with spoofed source addresses to an intermediary (bounce) network. The echo responses are returned to the stated source address, which is not the real address of the sender but the address of the intended victim. A land attack is another example of an attack that uses spoofing: a SYN packet, the first packet of the TCP three-way handshake, is sent to a server with its source address spoofed as the target server's own address. Snooping is the act of spying into private information or communications. One type of snooping is sniffing, the act of capturing network packets in order to examine the contents of communications. Spamming is sending a victim unwanted and unrequested email messages.
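The three spoofing attacks described in this answer (and the Smurf/Fraggle answer earlier) each leave a recognisable pattern in a packet capture. The detector below is an added example, not code from the study set: it runs over constructed packet summaries and flags a land packet (source equals destination on a SYN), the broadcast echo request that triggers a Smurf or Fraggle, and the reflected flood itself (many distinct hosts sending echo replies to one address in a short window). The bounce network 192.0.2.0/24, the record format and the thresholds are assumptions for the demo.

```python
import ipaddress
from collections import Counter, defaultdict

# Hypothetical bounce (amplification) network; assumption for this example.
BOUNCE_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed packet summaries (not a real capture). Fields mimic what a
# tcpdump/Zeek parser would give you.
PACKETS = [
    # land: SYN whose source is the destination itself
    {"ts": 0.00, "proto": "tcp", "src": "192.0.2.10", "dst": "192.0.2.10",
     "sport": 80, "dport": 80, "flags": "S"},
    # smurf trigger: echo request to the directed-broadcast address, source spoofed to the victim
    {"ts": 0.10, "proto": "icmp", "src": "203.0.113.7", "dst": "192.0.2.255", "type": 8},
    # fraggle trigger: UDP to the echo port (7) at the broadcast address
    {"ts": 0.12, "proto": "udp", "src": "203.0.113.7", "dst": "192.0.2.255",
     "sport": 7, "dport": 7},
    # ordinary ping inside the network
    {"ts": 1.00, "proto": "icmp", "src": "192.0.2.5", "dst": "192.0.2.6", "type": 8},
]
# the reflected flood: every host on the bounce network answers the spoofed request
PACKETS += [
    {"ts": 0.20 + i * 0.001, "proto": "icmp", "src": f"192.0.2.{i}",
     "dst": "203.0.113.7", "type": 0}
    for i in range(20, 45)
]


def is_land(p):
    """Land attack: TCP SYN with identical source and destination address."""
    return p["proto"] == "tcp" and "S" in p.get("flags", "") and p["src"] == p["dst"]


def is_broadcast_trigger(p, net=BOUNCE_NET):
    """Smurf/Fraggle trigger: echo request (ICMP type 8, or UDP port 7) sent to the
    directed-broadcast address so every host replies to the spoofed source."""
    if ipaddress.ip_address(p["dst"]) != net.broadcast_address:
        return None
    if p["proto"] == "icmp" and p.get("type") == 8:
        return "smurf"
    if p["proto"] == "udp" and p.get("dport") == 7:
        return "fraggle"
    return None


def reflected_flood_victims(packets, window=1.0, min_sources=10):
    """Addresses receiving ICMP echo replies from >= min_sources distinct hosts
    inside any `window` seconds: the spoofed-source victim of an amplification attack."""
    by_dst = defaultdict(list)
    for p in packets:
        if p["proto"] == "icmp" and p.get("type") == 0:
            by_dst[p["dst"]].append((p["ts"], p["src"]))
    victims = set()
    for dst, events in by_dst.items():
        events.sort()
        in_window, left = Counter(), 0
        for ts, src in events:
            in_window[src] += 1
            while ts - events[left][0] > window:      # slide the window forward
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_sources:
                victims.add(dst)
                break
    return victims


def detect(packets, net=BOUNCE_NET):
    """Run all three checks and return findings keyed by attack type."""
    findings = defaultdict(set)
    for p in packets:
        if is_land(p):
            findings["land"].add(p["dst"])
        kind = is_broadcast_trigger(p, net)
        if kind:
            findings[kind].add(p["src"])            # the spoofed source is the real victim
    for victim in reflected_flood_victims(packets):
        findings["reflected_flood"].add(victim)
    return dict(findings)


if __name__ == "__main__":
    for kind, victims in detect(PACKETS).items():
        print(f"{kind}: victim(s) {sorted(victims)}")
```

Note which address each check reports: for the broadcast triggers the interesting address is the spoofed source, because that is who gets flooded, while the land check reports the destination. The preventive control is the same in both cases: drop directed-broadcast traffic at the router and apply ingress/egress filtering so packets with impossible source addresses never enter the network.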
While using the internet, you type the URL of one of your favorite sites in the browser. Instead of going to the correct site, however, the browser displays a completely different website. When you use the IP address of the web server, the correct site is displayed. Which type of attack has likely occurred? A. Man-in-the-middle B. Hijacking C. DNS poisoning D. Spoofing
C. DNS poisoning Because the correct site shows when you use the IP address, you know that the main website is still functional and that the problem is likely caused by an incorrect domain name mapping. DNS poisoning occurs when a name server receives malicious or misleading data that incorrectly maps host names and IP addresses. In a DNS poisoning attack: • Incorrect DNS data is introduced into the cache of a primary DNS server. • The incorrect mapping is made available to client applications through the resolver. Spoofing is used to hide the true source of packets or redirect traffic to another location. Spoofing attacks use modified source and/or destination addresses in packets, and can include site spoofing that tricks users into revealing information. A man-in-the-middle attack is used to intercept information passing between two communication partners. TCP/IP hijacking is an extension of a man-in-the-middle attack where the attacker steals an open and active communication session from a legitimate user. With spoofing, man-in-the-middle, and hijacking, the attack would be successful regardless of whether the DNS name or the IP address were used.
Which type of denial of service (DoS) attack occurs when a name server receives malicious or misleading data that incorrectly maps host names and IP addresses? A. ARP poisoning B. Spam C. DNS poisoning D. SYN flood
C. DNS poisoning DNS poisoning occurs when a name server receives malicious or misleading data that incorrectly maps host names and IP addresses. In a DNS poisoning attack: • Incorrect DNS data is introduced into a primary DNS server. • The incorrect mapping is made available to client applications through the resolver. • Traffic is directed to incorrect sites. ARP poisoning corrupts the ARP cache or sends incorrect ARP data that spoofs MAC addresses, causing devices to send frames to the wrong host or an unreachable host. Spam sent in such great amounts can consume bandwidth or fill a mailbox, leaving no room for legitimate traffic. The SYN flood exploits the TCP three-way handshake.
You are implementing a wireless network in a dentist's office. The dentist's practice is small, so you choose to use an inexpensive consumer-grade access point. While reading the documentation, you notice that the access point supports Wi-Fi Protected Setup (WPS) using a PIN. You are concerned about the security implications of this functionality. What should you do to reduce risk? A. Require a complex PIN in the access point's configuration B. Update the access point's firmware C. Disable WPS in the access point's configuration D. Require a complex PIN in the configuration of each wireless device
C. Disable WPS in the access point's configuration Because WPS automates the Wi-Fi association process, it is a target attackers can try to exploit to gain unauthorized access to the wireless network. The push-button, USB, and NFC WPS implementations are considered more secure because they require physical proximity to the access point. However, WPS implementations that only require a PIN are susceptible to brute force attacks: the access point confirms the first four digits of the 8-digit PIN separately from the last four, and the last digit is a checksum, so an attacker needs at most about 11,000 guesses instead of 100 million. For this reason, the best security practice is to disable WPS functionality in access points that support it. There is no way to make the PIN more complex because the WPS standard specifies the use of an 8-digit number. Updating the device's firmware may or may not address the access point's vulnerability to WPS brute force attacks (some vendors add lockouts or rate limiting, others do not). The only sure way to close the security hole is to disable the functionality altogether.
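To make the "11,000 guesses" figure concrete, the following script is an added example (not part of the original study set). It implements the WPS PIN checksum rule, simulates an access point that acknowledges the first PIN half before the second half is sent, and counts how many attempts an online brute force needs against it. The FakeRegistrar class and the PIN 98765430 are assumptions for the demo; the checksum weighting and the split verification are properties of the WPS PIN method.

```python
# Checksum rule and split-verification behaviour are from the WPS (Wi-Fi Simple
# Configuration) PIN method; the FakeRegistrar is a stand-in for an access point.

def wps_checksum(first_seven: int) -> int:
    """Checksum digit for a 7-digit WPS PIN body: odd positions weigh 3, even weigh 1."""
    accum = 0
    for pos, ch in enumerate(f"{first_seven:07d}"):
        accum += 3 * int(ch) if pos % 2 == 0 else int(ch)
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True when the 8th digit is the correct checksum of the first seven."""
    return pin.isdigit() and len(pin) == 8 and wps_checksum(int(pin[:7])) == int(pin[7])


class FakeRegistrar:
    """Simulated access point that, like the real protocol, acknowledges the first
    PIN half (M4 stage) before the second half is ever sent (M6 stage)."""

    def __init__(self, pin: str):
        assert is_valid_wps_pin(pin)
        self._pin = pin
        self.attempts = 0

    def first_half_ok(self, half: str) -> bool:
        self.attempts += 1
        return half == self._pin[:4]

    def full_pin_ok(self, pin: str) -> bool:
        self.attempts += 1
        return pin == self._pin


def recover_pin(ap: FakeRegistrar):
    """Online brute force exploiting the split: at most 10^4 + 10^3 = 11,000 attempts,
    versus 10^8 if the PIN were checked as one unit."""
    for h1 in range(10_000):
        first = f"{h1:04d}"
        if ap.first_half_ok(first):
            break
    else:
        return None
    for h2 in range(1_000):
        body = first + f"{h2:03d}"                    # 7 digits
        pin = body + str(wps_checksum(int(body)))     # checksum digit is implied
        if ap.full_pin_ok(pin):
            return pin
    return None


MAX_ATTEMPTS_SPLIT = 10_000 + 1_000
MAX_ATTEMPTS_FLAT = 10 ** 8


if __name__ == "__main__":
    ap = FakeRegistrar("98765430")        # hypothetical PIN printed on the AP
    found = recover_pin(ap)
    print(f"recovered {found} in {ap.attempts} attempts "
          f"(worst case {MAX_ATTEMPTS_SPLIT:,} vs {MAX_ATTEMPTS_FLAT:,} if not split)")
```

The well-known default 12345670 passes is_valid_wps_pin, which is why it shows up in so many attack tools. Against a real access point each attempt costs a few seconds of protocol exchange, so the difference between 11,000 and 100 million is the difference between hours and an impractical attack; a lockout after a handful of failed PINs (which some firmware adds) slows the attack but does not remove the design flaw.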
What is the most common means of virus distribution? A. Music downloaded from the internet B. Floppy disks C. Email D. Commercial software CDs
C. Email Email is the most common means of virus distribution. Often, viruses employ self-contained SMTP servers to facilitate self-replication and distribution over the internet. Viruses are able to spread quickly and broadly by exploiting the communication infrastructure of internet email. For this reason, it is important to keep your anti-virus software updated so as to block any possible attempt of viruses to infect your systems or to spread to other systems. Floppy disks, downloaded music files, and commercial software CDs all have the potential to spread viruses, but they are not as common as email.
Network packet sniffing is often used to gain the information necessary to conduct more specific and detailed attacks. Which of the following is the best defense against packet sniffing? A. Hubs B. Promiscuous NICs C. Encryption D. Switches
C. Encryption Encryption provides the best protection from sniffing attacks. Technologies such as TLS (formerly SSL), SSH, and IPsec protect the content of traffic even when an attacker can capture it, which goes beyond what network layout and design countermeasures can offer. Switches are frequently used to segment networks. Switches reduce the size of the shared media space and have long been regarded as the frontline defense against packet sniffing. Switched Ethernet does not, however, provide protection from advanced attacks such as ARP redirection, ARP cache poisoning, or MAC flooding. Hubs provide no protection from packet sniffing; their shared media architecture broadcasts traffic to all hosts on the segment. Network Interface Cards (NICs) in promiscuous mode are configured to see all packets on the local segment, regardless of source and destination. This mode is required for the proper operation of many packet-sniffing applications.
Which of the following is the best countermeasure against man-in-the-middle attacks? A. PPP B. UDP C. IPsec D. MIME email
C. IPsec IPsec is the best countermeasure against man-in-the-middle attacks from the selections listed here. Use IPsec to authenticate and encrypt data in a VPN tunnel as it passes between two communication partners. Even if someone intercepts the traffic, they will be unable to read or silently alter the messages because they are encrypted and integrity-protected. PPP and UDP carry data without any protection of their own. MIME is simply the format standard for email attachments and multipart messages, so "MIME email" provides no protection against man-in-the-middle attacks (S/MIME, which adds signing and encryption, is a different thing and is not one of the options).
You have installed anti-malware software that checks for viruses in email attachments. You configure the software to quarantine any files with problems. You receive an email with an important attachment, but the attachment is not there. Instead, you see a message that the file has been quarantined by the anti-malware software What has happened to the file? A. The file extension has been changed to prevent it from running. B. The infection has been removed, and the file has been saved to a different location. C. It has been moved to a secure folder on your computer. D. It has been deleted from your system.
C. It has been moved to a secure folder on your computer. Quarantine moves the infected file to a secure folder where it cannot be opened or run normally. By configuring the software to quarantine any problem files, you can view, scan, and possibly repair those files. Quarantine does not automatically repair files. Deleting a file is one possible action to take, but this action removes the file from your system.
Which of the following attacks tricks victims into providing confidential information (such as identity information or login credentials) through emails or websites that impersonate an online entity that the victim trusts? A. Adware B. Session hijacking C. Phishing D. Man-in-the-middle
C. Phishing Phishing tricks victims into providing confidential information, such as identity information or logon credentials, through emails or websites that impersonate an online entity that the victim trusts, such as a financial institution or well-known e-commerce site. Phishing is a specific form of social engineering. Session hijacking takes over a login session from a legitimate client, impersonating the user and taking advantage of their established communication link. A man-in-the-middle attack is where an attacker intercepts a data stream, slightly modifies it, then forwards that data stream to the destination. Adware is a type of malware that sends you advertisements that you do not request.
A relatively new employee in the data entry cubicle farm was assigned a user account similar to the other data entry employees' accounts. However, audit logs have shown that this user account has been used to change ACLs on several confidential files and has accessed data in restricted areas. This situation indicates which of the following has occurred? A. Smurf attack B. Privilege escalation C. Man-in-the-middle attack D. Social engineering
B. Privilege escalation This situation describes the result of a successful privilege escalation attack. If a low-privilege user account is observed performing high-privilege activities such as changing ACLs, that account has somehow gained additional privileges (or its credentials are being used by someone who has). A man-in-the-middle attack involves a third party placing themselves between two legitimate communication partners in order to intercept and possibly alter their transmissions. Social engineering attacks involve stealing information or convincing someone to perform an inappropriate activity via email, phone, or in person. A smurf attack is a form of distributed reflective denial of service in which spoofed ICMP packets are bounced off another network and multiplied to flood the victim's communication pipeline.
Which of the following password attacks uses preconfigured matrices of hashed dictionary words? A. Hybrid B. Dictionary C. Rainbow table D. Brute force
C. Rainbow table A rainbow table is a precomputed matrix built from hashes of dictionary words (often extended with hybrid variants or passwords gathered from brute force runs). Rather than storing every word and its hash, the table stores chains: each word is hashed, the hash is "reduced" back into a candidate word, that is hashed again, and so on, and only the first and last entries of each chain are kept. A captured password hash is then pushed through the same chain steps until it lands on a stored endpoint, at which point the chain is regenerated to find the matching password, trading a little computation for a much smaller table. Rainbow tables only work against unsalted hashes: a per-user salt means the attacker would need a separate table for every salt value. A dictionary attack tries known words (such as from a dictionary) one at a time. A brute force attack works through all possibilities until the password is cracked. A hybrid attack adds appendages to known dictionary words (for example, 1password, password07, and p@ssword1).
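Because the chain mechanism is the part most exam summaries skip, here is a working miniature rainbow table, added as an example and not taken from the study set. It uses a toy password space of four-digit PINs hashed with unsalted SHA-256 (the parameters, the reduction function and the chain sizes are assumptions chosen so it runs in well under a second), builds the endpoint-to-start table, recovers a covered PIN from its hash, and shows that the same lookup fails against a salted hash.

```python
import hashlib

# Toy parameters: a space of 10,000 four-digit PINs hashed with unsalted SHA-256.
CHARSET = "0123456789"
PIN_LEN = 4
SPACE = len(CHARSET) ** PIN_LEN
CHAIN_LEN = 50      # t: hash/reduce steps per chain
NUM_CHAINS = 400    # m: chains stored; the table holds m rows, not m*t


def H(pw: str) -> bytes:
    """The unsalted hash the table is built against."""
    return hashlib.sha256(pw.encode()).digest()


def salted_hash(pw: str, salt: bytes) -> bytes:
    """What a correctly stored password looks like; the table cannot touch it."""
    return hashlib.sha256(salt + pw.encode()).digest()


def R(h: bytes, step: int) -> str:
    """Reduction function R_step: maps a digest back into the PIN space. Using the
    chain position as part of the input is what makes this a rainbow table rather
    than a plain hash chain (merges only happen when collisions hit the same step)."""
    n = (int.from_bytes(h[:8], "big") + step) % SPACE
    out = []
    for _ in range(PIN_LEN):
        out.append(CHARSET[n % len(CHARSET)])
        n //= len(CHARSET)
    return "".join(out)


def chain_passwords(start: str) -> list:
    """[p0, p1, ..., p_t] with p_{i+1} = R_i(H(p_i)); p_t is the stored endpoint."""
    pws = [start]
    for step in range(CHAIN_LEN):
        pws.append(R(H(pws[-1]), step))
    return pws


def build_table() -> dict:
    """Precomputation: walk m chains, keep only endpoint -> [start points]."""
    table = {}
    for i in range(0, SPACE, SPACE // NUM_CHAINS):
        start = f"{i:0{PIN_LEN}d}"
        table.setdefault(chain_passwords(start)[-1], []).append(start)
    return table


def lookup(table: dict, h: bytes):
    """Recover the PIN whose unsalted hash is h, or None if no chain covers it."""
    for i in range(CHAIN_LEN - 1, -1, -1):
        # Assume h sits at position i: finish the chain from there and see
        # whether the endpoint is one we stored.
        y = R(h, i)
        for j in range(i + 1, CHAIN_LEN):
            y = R(H(y), j)
        for start in table.get(y, ()):
            for candidate in chain_passwords(start)[:-1]:
                if H(candidate) == h:            # rules out false alarms
                    return candidate
    return None


def coverage(table: dict) -> float:
    """Fraction of the PIN space that at least one stored chain passes through."""
    seen = set()
    for starts in table.values():
        for s in starts:
            seen.update(chain_passwords(s)[:-1])
    return len(seen) / SPACE


TABLE = build_table()

if __name__ == "__main__":
    target = chain_passwords("0000")[7]      # a PIN we know a chain passes through
    print("covered space:", f"{coverage(TABLE):.0%}")
    print("unsalted lookup:", lookup(TABLE, H(target)))
    print("salted lookup:  ", lookup(TABLE, salted_hash(target, b"per-user-salt")))
```

Two things to take from running it: coverage is well below 100% because chains merge and overlap, which is why real tables are generated with far more chains than the naive arithmetic suggests; and the salted lookup returns None every time, because every hash in the chains was computed without the salt. Modern password storage (bcrypt, scrypt, Argon2, PBKDF2 with a unique salt) defeats this class of attack by design.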
You recently discovered that several key files of your antivirus program have been deleted. You suspect that a virus has deleted the files. Which type of virus deletes key antivirus program files? A. Stealth B. Polymorphic C. Retro D. Slow
C. Retro A retro virus tries to destroy virus countermeasures by deleting key files that antivirus programs use. A stealth virus resides in low-level system service functions, where they intercept system requests and alter service outputs to conceal their presence. A polymorphic virus mutates while keeping the original algorithm intact. A slow virus counters antivirus programs' ability to detect changes in infected files by making gradual modifications.
You have heard about a new malware program that presents itself to users as a virus scanner. When users run the software, it installs itself as a hidden program that has administrator access to various operating system components. The program then tracks system activity and allows an attacker to remotely gain administrator access to the computer. Which of the following terms best describes this software? A. Privilege escalation B. Trojan horse C. Rootkit D. Spyware E. Botnet
C. Rootkit This program is an example of a rootkit. A rootkit is a set of programs that allow attackers to maintain permanent, administrator-level, and hidden access to a computer. Rootkits require administrator access for installation and typically gain this access using a Trojan horse approach--masquerading as a legitimate program to entice users to install the software. While this program is an example of a Trojan horse that also performs spying activities (spyware), the ability to hide itself and maintain administrator access makes rootkit a better description for the software. A botnet is a group of zombie computers that are commanded from a central control infrastructure.
Which of the following are examples of social engineering? (Select two.) A. Port scanning B. War dialing C. Shoulder surfing D. Dumpster diving
C. Shoulder surfing D. Dumpster diving Social engineering leverages human nature. Internal employees are often the target of trickery, and false trust can quickly lead to a serious breach of information security. Shoulder surfing and dumpster diving are examples of social engineering. Shoulder surfing is the act of looking over an authorized user's shoulder in hopes of obtaining an access code or credentials. Dumpster diving involves searching through trash or other discarded items to obtain credentials or information that may facilitate further attacks. These low-tech attack methods are often the first course of action that a hacker pursues. Port scanning and war dialing are technical attacks that seek to take advantage of vulnerabilities in systems or networks.
Which of the following best describes Bluesnarfing? A. Sending anonymous electronic business cards B. Cloning a mobile device C. Viewing calendar, emails, and messages on a mobile device without authorization D. Executing commands on a mobile device
C. Viewing calendar, emails, and messages on a mobile device without authorization Bluesnarfing is the use of a Bluetooth connection to gain unauthorized access to data on a phone, desktop, laptop, or PDA. Bluesnarfing allows the attacker to view the calendar, emails, text messages, and contact lists. Many Bluetooth devices have built-in features to prevent bluesnarfing, but it is still a known vulnerability. Bluejacking is a rather harmless practice that entails an unknown sender sending business cards anonymously to a Bluetooth recipient within a distance of 10-100 meters, depending on the class of the Bluetooth device. The business cards usually include a flirtatious message so the attacker can see a visual reaction from the recipient. Multiple messages are sent to the device if the attacker thinks there is a chance they will be added as a contact. Bluetooth devices are not susceptible to bluejacking if they are set to non-discoverable mode. Bluebugging gives an attacker access to all mobile phone commands that use Bluetooth technology, such as initiating phone calls, sending and receiving messages, eavesdropping, and reading and writing phone book contacts. Bluebugging requires considerably more skill and tooling than bluejacking or bluesnarfing.
Which of the following describes the marks attackers place outside a building to identify an open wireless network? A. War driving B. Bluejacking C. War chalking D. Bluesnarfing
C. War chalking War chalking is marking the outside of buildings to indicate the presence of a wireless network. Attackers might use these marks to alert others to open or secured wireless networks. Businesses might even use these marks to advertise their free wireless networks. War driving is a technique that hackers use to find wireless networks. They use detection tools that locate wireless access points within an area, even if the SSID broadcast has been disabled. Bluejacking is a rather harmless practice that entails an unknown sender sending business cards anonymously to a Bluetooth recipient within a distance of 10-100 meters, depending on the class of the Bluetooth device. The business cards usually include a flirtatious message so the attacker can see a visual reaction from the recipient. Multiple messages are sent to the device if the attacker thinks there is a chance they will be added as a contact. Bluetooth devices are not susceptible to bluejacking if they are set to non-discoverable mode. Bluesnarfing is the use of a Bluetooth connection to gain unauthorized access to data on a phone, desktop, laptop, or PDA. Bluesnarfing allows the attacker to view calendars, emails, text messages, and contact lists. Many Bluetooth devices have built-in features that prevent bluesnarfing, but it is still a known vulnerability.
The process of walking around an office building with an 802.11 signal detector is known as what? A. War dialing B. Daemon dialing C. War driving D. Driver signing
C. War driving War driving is the act of searching for wireless networks (802.11) using a signal detector or a network client (such as a PDA or notebook). While the phrase war driving originated from the action of driving around a city searching for wireless networks, the name currently applies to any method of searching for wireless networks, including walking around. War dialing and daemon dialing are both the act of dialing phone numbers in search of an answering modem. Often, war/daemon dialing calls all of the phone numbers in an area code or a prefix range in search of active modems. Driver signing is a method of signing device drivers in an attempt to verify the source and quality of installed drivers. However, signing a device driver only indicates its source. Signing does not guarantee the reliability, stability, quality, or compatibility of a device driver.
You are troubleshooting a wireless connectivity issue in a small office. You determine that the 2.4 GHz cordless phones used in the office are interfering with the wireless network transmissions. If the cordless phones are causing the interference, which of the following wireless standards could the network be using? (Select two.) A. 802.11a B. 802.3a C. Infrared D. 802.11g E. Bluetooth
D. 802.11g E. Bluetooth Both the 802.11g and Bluetooth wireless standards use the 2.4 GHz RF range to transmit data. Cordless phones that operate at the same frequency can cause interference on the wireless network. Other devices, such as microwave ovens and electrical equipment, may also cause interference. 802.11a uses the 5 GHz radio frequency band. Therefore, it would not be affected by the 2.4 GHz phones used in the office. Infrared uses a light beam to connect computer and peripheral devices to create a personal area network (PAN). 802.3a is a wired Ethernet specification, not a wireless standard.
What is the main difference between a worm and a virus? A. A worm requires an execution mechanism to start, while a virus can start itself. B. A worm is restricted to one system, while a virus can spread from system to system. C. A worm tries to gather information, while a virus tries to destroy data. D. A worm can replicate itself, while a virus requires a host for distribution.
D. A worm can replicate itself, while a virus requires a host for distribution. A worm is a self-replicating program that uses the network to replicate itself to other systems. A worm does not require a host system to replicate. Both viruses and worms can cause damage to data and systems, and both spread from system to system, although a worm can spread itself while a virus attaches itself to a host for distribution.
Which of the following attacks tries to associate an incorrect MAC address with a known IP address? A. Null session B. MAC flooding C. Hijacking D. ARP poisoning
D. ARP poisoning ARP spoofing/poisoning associates the attacker's MAC address with the IP address of victim devices. When computers send an ARP request to get the MAC address of a known IP address, the attacker's system responds with its own MAC address; because ARP has no authentication, hosts also accept unsolicited (gratuitous) replies and update their caches. Static ARP entries on critical hosts and Dynamic ARP Inspection (DAI) on switches, which validates ARP replies against DHCP snooping bindings, are the usual mitigations. MAC flooding overloads the switch's MAC forwarding table to make the switch function like a hub. The attacker floods the switch with frames, each containing a different source MAC address. The flood fills up the forwarding table and consumes so much of the memory in the switch that it enters a state called fail-open mode, in which all incoming frames are broadcast out all ports (as with a hub) instead of just to the correct ports; switch port security, which limits the number of MAC addresses learned per port, prevents this. A null session is the ability to log on using a blank user name and password. With hijacking, an attacker steals an open session, inserting himself into the session in place of the original client.
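The mapping-change symptom described above is what a network monitor looks for. The following is an added example, not part of the original study material: it keeps an IP-to-MAC table learned from ARP replies and raises an alert when a reply arrives that nobody asked for, or when an IP address suddenly maps to a different MAC address. The ArpPacket record and the sample packets are constructed for illustration, not captured traffic.

```python
"""Added example: a minimal ARP poisoning detector over a stream of ARP packets.

Not from the original material. The packet record layout and the SAMPLE
traffic below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class ArpPacket:
    op: str          # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str


@dataclass
class ArpMonitor:
    table: dict = field(default_factory=dict)   # ip -> first MAC learned from a reply
    pending: set = field(default_factory=set)   # ips for which a request was seen
    alerts: list = field(default_factory=list)

    def observe(self, pkt: ArpPacket) -> None:
        if pkt.op == "request":
            self.pending.add(pkt.target_ip)
            return
        if pkt.op != "reply":
            return
        # A reply with no outstanding request is unsolicited (gratuitous);
        # poisoning tools send these continuously to keep caches poisoned.
        if pkt.sender_ip not in self.pending:
            self.alerts.append(
                f"unsolicited ARP reply for {pkt.sender_ip} from {pkt.sender_mac}")
        else:
            self.pending.discard(pkt.sender_ip)
        known = self.table.get(pkt.sender_ip)
        if known is None:
            self.table[pkt.sender_ip] = pkt.sender_mac
        elif known != pkt.sender_mac:
            # The core symptom: one IP address now claims a different MAC.
            # The first-learned binding is kept; a real deployment would
            # confirm it against DHCP leases or an inventory.
            self.alerts.append(
                f"ARP mapping change for {pkt.sender_ip}: {known} -> {pkt.sender_mac}")


def run_monitor(packets):
    """Feed a list of ArpPacket objects through a fresh monitor and return it."""
    mon = ArpMonitor()
    for p in packets:
        mon.observe(p)
    return mon


# Constructed sample: the gateway 10.0.0.1 legitimately lives at aa:aa:aa:aa:aa:01;
# the third packet is an attacker at de:ad:be:ef:00:01 poisoning that mapping.
SAMPLE = [
    ArpPacket("request", "10.0.0.5", "aa:aa:aa:aa:aa:05", "10.0.0.1"),
    ArpPacket("reply", "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.5"),
    ArpPacket("reply", "10.0.0.1", "de:ad:be:ef:00:01", "10.0.0.5"),
]

if __name__ == "__main__":
    for alert in run_monitor(SAMPLE).alerts:
        print(alert)
```

The third packet triggers both alerts: it is unsolicited, and it changes an existing binding. Tools such as arpwatch apply the same idea to live traffic.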
Which of the following best describes the ping of death? A. Sending multiple spoofed ICMP packets to the victim B. Redirecting echo responses from an ICMP communication C. Partial IP packets with overlapping sequencing numbers D. An ICMP packet that is larger than 65,536 bytes
D. An ICMP packet that is larger than 65,536 bytes The ping of death is an ICMP echo request whose fragments reassemble to more than the maximum IPv4 datagram size (the 16-bit total-length field allows 65,535 bytes; the option rounds this to 65,536). Because no legitimate datagram can be that large, older IP stacks allocated a fixed reassembly buffer and overflowed it, crashing the host. The teardrop attack uses partial IP packets with overlapping fragment offsets. The Smurf attack sends multiple spoofed ICMP packets to the victim. The ability to redirect echo responses is a feature of ICMP that is often involved in malicious attacks (but is not part of the ping of death).
Which of the following best describes an evil twin? A. A threat agent that marks the outside of buildings to indicate the presence of a wireless network. B. A Bluetooth device that receives mobile phone commands via bluebugging. C. An access point that is added to the network by an internal employee to provide unauthorized network access. D. An access point that is configured to mimic a valid access point to obtain logon credentials and other sensitive information.
D. An access point that is configured to mimic a valid access point to obtain logon credentials and other sensitive information. An evil twin is a rogue access point that is configured to mimic a valid access point; in contrast, a rogue access point is any unauthorized access point added to a network. The evil twin may be configured to prompt for credentials, allowing the attacker to steal those credentials or use them in a man-in-the-middle attack to connect to the valid wireless access point. War chalking is marking the outside of buildings to indicate the presence of a wireless network. Attackers might use these marks to alert others to open or secured wireless networks. Businesses might even use these marks to advertise free wireless networks. Bluebugging gives an attacker access to all mobile phone commands that use Bluetooth technology, such as initiating phone calls, sending and receiving messages, eavesdropping, and reading and writing phone book contacts. Bluebugging is harder to carry out than bluejacking and relies on firmware flaws in specific devices.
While developing a network application, a programmer adds functionality that allows her to access the running program without authentication so she can capture debugging data. The programmer forgets to remove this functionality prior to finalizing the code and shipping the application. What type of security weakness does this represent? A. Privilege escalation B. Weak passwords C. Buffer overflow D. Backdoor
D. Backdoor A backdoor is an unprotected access method or pathway. Backdoors may include hard-coded passwords or hidden service accounts. They are often added during development as a shortcut to circumvent security. If they are not removed, they present a security problem. Privilege escalation allows a user to take advantage of a software bug or design flaw in an application to gain access to system resources or additional privileges that would typically not be available to the user. Weak passwords are passwords that are blank, too short, dictionary words, or not complex enough, which allows them to be quickly identified using password-cracking tools. A buffer overflow occurs when the operating system or an application does not properly enforce boundaries for how much and what type of data can be input.
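The scenario in the question, shown as code, with the backdoor beside the way a debug facility should be shipped. This is an added example written for this page, not code from the original material; the request dispatcher, the session store and the secret are constructed stand-ins for a real application.

```python
"""Added example: a leftover debug backdoor (vulnerable) beside a hardened version.

Not from the original material. The toy dispatcher returns (status, body)
tuples; SESSIONS and DEBUG_SECRET are constructed values.
"""
import hmac

SESSIONS = {"tok-alice": "alice"}            # constructed session store
DEBUG_SECRET = b"constructed-debug-secret"   # in practice, loaded from a secret store


def user_for(token):
    """Resolve a session token to a user name, or None."""
    return SESSIONS.get(token)


def handle_vulnerable(path, token=None):
    """The shipped code: /debug is served before any authentication runs."""
    if path == "/debug":
        return 200, "heap stats, environment, config dump"   # the backdoor
    user = user_for(token)
    if user is None:
        return 401, "unauthorized"
    return 200, f"hello {user}"


def debug_token(token):
    """Second factor for debug access: an HMAC over the session token."""
    return hmac.new(DEBUG_SECRET, token.encode(), "sha256").hexdigest()


def handle_hardened(path, token=None, debug_hmac=None, debug_enabled=False):
    """Debug data only for an authenticated user, only when the build/config
    enables it, and only with the extra HMAC; otherwise it does not exist."""
    user = user_for(token)
    if user is None:
        return 401, "unauthorized"          # authentication always comes first
    if path == "/debug":
        if not debug_enabled:
            return 404, "not found"         # production builds have no debug path
        if debug_hmac is None or not hmac.compare_digest(debug_token(token), debug_hmac):
            return 403, "forbidden"         # constant-time comparison
        return 200, f"heap stats (requested by {user}, logged)"
    return 200, f"hello {user}"


if __name__ == "__main__":
    print(handle_vulnerable("/debug"))                 # (200, ...) with no credentials
    print(handle_hardened("/debug"))                   # (401, 'unauthorized')
    print(handle_hardened("/debug", "tok-alice", debug_token("tok-alice"), debug_enabled=True))
```

The point is ordering and gating: authentication is checked before the path is examined, the debug path is absent unless explicitly enabled, and enabling it is a deliberate deployment decision rather than something anyone who finds the URL gets for free.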
As the victim of a Smurf attack, what protection measure is the most effective during the attack? A. Turn off the connection to the ISP B. Block all attack vectors with firewall filters C. Update your anti-virus software D. Communicate with your upstream provider
D. Communicate with your upstream provider The most effective protection measure the victim of a Smurf attack can perform during an attack is to communicate with upstream providers. A simple phone call to request filtering on your behalf can weaken the effectiveness of a Smurf attack. Turning off the connection to the ISP will result in the same effect as the Smurf attack itself: denial of service. Whether you disconnect or the attack disconnects you, your network will be unable to use its internet pipeline. Blocking all attack vectors with firewall filters will usually result in a self-imposed denial of service, since most Smurf attacks produce thousands of attack vectors for the inbound flooding packets. Updating your anti-virus software will have no effect on a Smurf attack. The long-term fix lies with the amplifier networks, whose routers should not forward directed broadcasts, and with ingress filtering that drops the spoofed echo requests at their source.
To tightly control the anti-malware settings on your computer, you elect to update the signature file manually. Even though you vigilantly update the signature file, the machine becomes infected with a new type of malware. Which of the following actions would best prevent this scenario from occurring again? A. Create a scheduled task to run sfc.exe daily B. Switch to a more reliable anti-virus software C. Carefully review open firewall ports and close any unnecessary ports D. Configure the software to automatically download the virus definition files as soon as they become available
D. Configure the software to automatically download the virus definition files as soon as they become available Anti-malware software is most effective against new viruses if it has the latest virus definition files installed. Instead of manually updating the signature files, you should configure the software to automatically download updated virus definition files as soon as they become available. Use sfc.exe to repair infected files after malware has caused the damage. Using a different anti-virus software might help, but will not resolve the problem if you don't get the latest definition files.
An attacker sets up 100 drone computers that flood a DNS server with invalid requests. This is an example of which kind of attack? A. Backdoor B. Replay C. Spamming D. DDoS
D. DDoS A denial of service (DoS) attack generates excessive traffic to overload communication channels or exploits software flaws. A distributed denial of service (DDoS) attack employs multiple attacking systems, here the 100 drones. Spamming is just a traffic-generation form of attack in which unrequested messages are sent to a victim. Replay and backdoor attacks are both access-oriented attack forms. Replay attacks capture valid traffic (for example, an authentication exchange), possibly edit it, and resend it in an attempt to gain access to a system; they succeed when a protocol lacks freshness protection such as nonces or timestamps. Backdoor attacks bypass security by using hidden access codes or account credentials. Backdoors can also be planted by attackers to allow easy re-access to a compromised system.
Which attack form either exploits a software flaw or floods a system with traffic in order to prevent legitimate activities or transactions from occurring? A. Brute force attack B. Privilege escalation C. Man-in-the-middle attack D. Denial of service attack
D. Denial of service attack A denial of service attack either exploits a software flaw or floods a system with traffic in order to prevent legitimate activities or transactions from occurring. A brute force attack tries every valid key or code sequence in an attempt to discover a password or encryption key. Brute force attacks are always successful given enough time (although enough time could be millennia). A man-in-the-middle attack involves a third party placing themselves between two legitimate communication partners in order to intercept and possibly alter their transmissions. Privilege escalation is stealing or obtaining high-level privileges in a computer system.
Dumpster diving is a low-tech way of gathering information that may be useful in gaining unauthorized access or as a starting point for more advanced attacks. How can a company reduce the risk associated with dumpster diving? A. Secure all terminals with screensaver passwords B. Mandate the use of Integrated Windows Authentication C. Create a strong password policy D. Establish and enforce a document destruction policy
D. Establish and enforce a document destruction policy Dumpster diving is best addressed by a document destruction policy. All sensitive documents should be shredded or burned, and employees should be trained on the proper use of disposal equipment and the policies governing disposal of sensitive information. A strong password policy, authentication types, and screensaver passwords do not prevent the risk associated with dumpster diving. User name and password complexity efforts are wasted if employees are documenting and disposing of paper information in an insecure fashion.
Capturing packets as they travel from one host to another with the intent of altering the contents of the packets is a form of which attack type? A. Spamming B. DDoS C. Passive logging D. Man-in-the-middle attack
D. Man-in-the-middle attack Capturing packets between two existing communication partners is a form of man-in-the-middle attack. As this attack type's name implies, traffic is intercepted somewhere in the middle of the communicating partners. The best way to protect against man-in-the-middle attacks is to use session encryption or line encryption solutions with authentication of the endpoints (such as TLS with certificate validation), since encryption alone does not help if the attacker can impersonate one side. Passive logging is a means of recording information about network traffic or operations in a system without affecting either in any way.
A router on the border of your network detects a packet with a source address that is from an internal client, but the packet was received on the internet-facing interface. This is an example of what form of attack? A. Sniffing B. Spamming C. Snooping D. Spoofing
D. Spoofing This is an example of spoofing. Spoofing is the act of changing or falsifying information in order to mislead or redirect traffic. In this scenario, a packet that arrives on the internet-facing interface cannot legitimately carry a source address that belongs to the internal network, so the source address must have been forged. Border routers should apply ingress filtering (BCP 38) to drop such packets, and egress filtering so that internal hosts cannot send packets with foreign source addresses. Snooping is the act of spying into private information or communications. One type of snooping is sniffing. Sniffing is the act of capturing network packets in order to examine the contents of communications. Spamming is sending a victim unwanted and unrequested email messages.
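The check the border router should make is easy to express in code. The following is an added example, not part of the original study material: a filter decision for a packet seen on one of two interfaces, using constructed internal prefixes, a short bogon list and constructed addresses.

```python
"""Added example: BCP 38-style ingress and egress filtering decision.

Not from the original material. The internal prefixes, the bogon list,
the interface names "outside"/"inside" and the sample addresses are
constructed for illustration.
"""
import ipaddress

INTERNAL_PREFIXES = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.1.0/24")]

# Addresses that should never appear as a source on the internet-facing side.
BOGONS = [ipaddress.ip_network(p) for p in
          ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_PREFIXES)


def is_bogon(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGONS)


def filter_decision(interface, src, dst):
    """Return 'accept' or a 'drop: ...' reason for a packet seen on `interface`.

    "outside" is the internet-facing interface, "inside" the LAN-facing one.
    """
    if interface == "outside":
        # Ingress filtering: our own addresses cannot arrive from the internet.
        if is_internal(src):
            return "drop: internal source address on external interface (spoofed)"
        if is_bogon(src):
            return "drop: bogon source address"
        return "accept"
    if interface == "inside":
        # Egress filtering: keep our hosts from spoofing someone else's address
        # (this is what stops a network being used as a DDoS/Smurf source).
        if not is_internal(src):
            return "drop: egress filtering, source address is not ours (spoofed outbound)"
        return "accept"
    return "drop: unknown interface"


if __name__ == "__main__":
    # The scenario from the question: internal source, seen on the outside interface.
    print(filter_decision("outside", "10.0.0.5", "10.0.0.1"))
    print(filter_decision("outside", "203.0.113.7", "10.0.0.1"))
```

A production router implements the same logic with unicast reverse-path forwarding (uRPF) or access lists bound to each interface; the rule set is the point, not the Python.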
In which of the following denial of service (DoS) attacks does the victim's system rebuild invalid UDP packets, causing the system to crash or reboot? A. NACK B. Deauth C. Banana D. Teardrop
D. Teardrop In a Teardrop attack, fragmented IP packets (classically carrying UDP) are sent with overlapping fragment offsets. When the victim system reassembles the fragments, the overlap produces an invalid datagram that older IP stacks mishandled, causing the system to crash or reboot. A Negative Acknowledgment (NACK) attack denies a LAN/WAN client access to resources. A Banana attack redirects a client's outgoing messages back to the client itself, preventing outside access and flooding it with its own traffic. A deauthentication (Deauth) attack sends forged 802.11 deauthentication frames to deny wireless clients access to resources.
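Both the ping of death (oversized reassembly) and the teardrop (overlapping offsets) are caught by validating fragments before reassembling them. The following added example, written for this page and not part of the original material, does that check over a list of (offset, payload length, more-fragments) tuples; the fragment lists and the 20-byte header assumption are constructed for illustration.

```python
"""Added example: validate the fragments of one IPv4 datagram before reassembly,
rejecting ping-of-death (oversized) and teardrop (overlapping) fragment sets.

Not from the original material. Fragments are (offset_bytes, payload_len,
more_fragments) tuples; the samples and the fixed 20-byte header are
constructed for illustration.
"""

IPV4_MAX = 65535   # the IPv4 total-length field is 16 bits
HDR = 20           # minimal IPv4 header, assumed for the size calculation


def check_fragments(frags):
    """Return 'ok', an 'incomplete: ...' status, or a 'reject: ...' reason."""
    frags = sorted(frags)          # by offset
    if not frags:
        return "reject: no fragments"
    end_prev = 0                   # byte just past the previous fragment's data
    last = len(frags) - 1
    for i, (off, length, more) in enumerate(frags):
        if off % 8:
            return f"reject: offset {off} is not a multiple of 8"
        if off < end_prev:
            # New data starts inside data we already hold: teardrop.
            return f"reject: fragment at offset {off} overlaps previous data (teardrop)"
        if off > end_prev:
            return f"incomplete: gap before offset {off}"
        if off + length + HDR > IPV4_MAX:
            # The reassembled datagram would not fit the 16-bit length field.
            return (f"reject: reassembled length {off + length + HDR} exceeds "
                    f"{IPV4_MAX} (ping of death)")
        if not more and i != last:
            return "reject: more-fragments flag clear before the final fragment"
        end_prev = off + length
    if frags[last][2]:
        return "incomplete: final fragment not yet received"
    return "ok"


# Constructed samples.
def good_sample():
    return [(0, 1480, True), (1480, 1480, True), (2960, 100, False)]


def teardrop_sample():
    # Second fragment claims to start at byte 24, inside the first one's 36 bytes.
    return [(0, 36, True), (24, 36, False)]


def ping_of_death_sample():
    # 44 full fragments, then a final one pushing the total past 65,535 bytes.
    frags = [(i * 1480, 1480, True) for i in range(44)]
    frags.append((44 * 1480, 500, False))
    return frags


if __name__ == "__main__":
    for name, sample in (("good", good_sample()), ("teardrop", teardrop_sample()),
                         ("ping of death", ping_of_death_sample())):
        print(f"{name}: {check_fragments(sample)}")
```

Modern kernels perform equivalent checks and simply drop the offending fragments, which is why both attacks are historical; the value of the example is seeing which field each attack abuses.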
Your organization uses an 802.11g wireless network. Recently, other tenants installed the following equipment in your building: • A wireless television distribution system running at 2.4 GHz • A wireless phone system running at 5.8 GHz • A wireless phone system running at 900 MHz • An 802.11n wireless network running in the 5 GHz frequency range Since this equipment was installed, your wireless network has been experiencing significant interference. Which system is to blame? A. The 900 MHz wireless phone system B. The 5.8 GHz wireless phone system C. The 802.11n wireless network D. The wireless TV system
D. The wireless TV system Because the 802.11g standard operates within the 2.4 GHz to 2.4835 GHz radio frequency range, the most likely culprit is the wireless TV distribution system, which transmits in that same band. The 900 MHz and 5.8 GHz phone systems and the 5 GHz 802.11n network all operate outside the 2.4 GHz band and would not interfere with an 802.11g network.
An attacker is conducting passive reconnaissance on a targeted company. Which of the following could he be doing? A. War driving B. Social engineering C. War dialing D. Scanning ports E. Browsing the organization's website
E. Browsing the organization's website Browsing the organization's website is a form of passive reconnaissance: the target sees nothing beyond ordinary visitor traffic. Other forms of passive reconnaissance include putting a sniffer on the wire or eavesdropping on employee conversations. Social engineering, war driving, war dialing, and scanning ports all interact directly with the target or its systems and are forms of active reconnaissance.
A user named Bob Smith has been assigned a new desktop workstation to complete his day-to-day work. When provisioning Bob's user account in your organization's domain, you assigned an account name of BSmith with an initial password of bw2Fs3d. On first login, Bob is prompted to change his password, so he changes it to the name of his dog (Fido). What should you do to increase the security of Bob's account? (Select two.) A. Do not allow users to change their own passwords. B. Require him to use the initial password, which meets the complexity requirements. C. Use a stronger initial password when creating user accounts. D. Use Group Policy to require strong passwords on user accounts. E. Train users not to use passwords that are easy to guess. F. Configure user account names that are not easy to guess.
D. Use Group Policy to require strong passwords on user accounts. E. Train users not to use passwords that are easy to guess. In this scenario, a weak password that is easy to guess has been used. To prevent this type of password, you should: • Use Group Policy to require strong passwords on user accounts. In this example, Fido is a weak password because it is short and doesn't contain numbers or other non-alphabetic characters. • Train users not to use passwords that are easy to guess. In this example, the user's password could very likely be guessed using basic reconnaissance techniques on social media websites. You should allow users to set their own passwords. If you don't, then both the administrator and the user know the password, which is a poor security practice. Using a stronger initial password will not prevent the user from using a weak password if the appropriate Group Policy settings aren't in force. Creating user account names such as the one shown in this scenario is generally considered an acceptable security practice. Requiring users to use assigned passwords, even if they are complex, is not secure because passwords should not be known by anyone but the user.
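A password policy is only useful if it is enforced at the point the user sets the password. The following added example, written for this page and not part of the original material, is a small policy checker that rejects the kind of password in the scenario: too short, too few character classes, a common word, or something derived from the account name or known personal details. The minimum length of 12, the deny-list and the sample inputs are constructed assumptions.

```python
"""Added example: a password policy checker of the kind a Group Policy
or directory password filter enforces.

Not from the original material. MIN_LENGTH, COMMON_WORDS and the sample
inputs are constructed assumptions.
"""
import re

MIN_LENGTH = 12
COMMON_WORDS = {"password", "fido", "welcome", "letmein", "qwerty"}   # constructed deny-list
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def check_password(password, account_name="", personal_words=()):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password)) for p in CLASS_PATTERNS)
    if classes < 3:
        problems.append("uses fewer than 3 character classes")
    low = password.lower()
    if low in COMMON_WORDS:
        problems.append("is a common or dictionary word")
    if account_name and account_name.lower() in low:
        problems.append("contains the account name")
    # Details an attacker can learn from social media (pet names, children, teams).
    for word in personal_words:
        if word and word.lower() in low:
            problems.append(f"contains personal detail {word!r}")
    return problems


if __name__ == "__main__":
    # Constructed inputs taken from the scenario: the dog's name and the
    # initial password the administrator chose.
    print(check_password("Fido", account_name="BSmith", personal_words=["Fido"]))
    print(check_password("bw2Fs3d", account_name="BSmith"))
    print(check_password("correct-Horse7-battery", account_name="BSmith"))
```

Note that the initial password from the question, bw2Fs3d, also fails the length rule: complexity characters alone do not make a seven-character password strong against offline cracking.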
Your company security policy states that wireless networks are not to be used because of the potential security risk they present to your network. One day, you find that an employee has connected a wireless access point to the network in his office. What type of security risk is this? A. Man-in-the-middle B. Social engineering C. Physical security D. Phishing E. Rogue access point
E. Rogue access point A rogue access point is an unauthorized access point added to a network or an access point that is configured to mimic a valid access point. Examples include: • An attacker or an employee with access to the wired network installs a wireless access point on a free switch port. The access point then provides a way to reach the wired network remotely, bypassing the perimeter. • An attacker near a valid wireless access point installs an access point with the same (or similar) SSID. The access point is configured to prompt for credentials, allowing the attacker to steal those credentials or use them in a man-in-the-middle attack to connect to the valid wireless access point. • An attacker configures a wireless access point in a public location, then monitors traffic to see who connects to the access point. A man-in-the-middle attack is used to intercept information passing between two communication partners. A rogue access point might be used to initiate a man-in-the-middle attack. But in this case, the rogue access point was connected without malicious intent. Social engineering exploits human nature by convincing someone to reveal information or perform an activity. Phishing uses an email and a spoofed website to gain sensitive information. Rogue access points are found by periodic wireless scans compared against an inventory of authorized BSSIDs, and on the wired side by 802.1X port authentication, which keeps an unauthorized device from getting a usable port in the first place.
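The scan-versus-inventory comparison mentioned in this answer and in the evil twin question above, as an added example written for this page rather than code from the original material. It classifies each scan result as authorized, an evil twin (corporate SSID from an unknown BSSID, or a lookalike SSID), a rogue AP bridged to the wired network, or an unrelated neighbor. The inventory, the wired-side MAC list and the scan results are constructed; matching a BSSID directly against wired MACs is a simplification, since many access points use a BSSID that differs from their wired MAC by a small offset.

```python
"""Added example: classify wireless scan results against an authorized-AP inventory.

Not from the original material. AUTHORIZED, WIRED_MACS and SCAN are
constructed; the BSSID-equals-wired-MAC match is a simplifying assumption.
"""
from collections import namedtuple

ScanEntry = namedtuple("ScanEntry", "ssid bssid security")

AUTHORIZED = {"corp-wifi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}}
REQUIRED_SECURITY = "WPA2-Enterprise"
WIRED_MACS = {"de:ad:be:ef:00:10"}   # MACs seen on access-switch ports (constructed)


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike SSIDs such as corp-wlfi."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(entry):
    bssid = entry.bssid.lower()
    if entry.ssid in AUTHORIZED:
        if bssid in AUTHORIZED[entry.ssid]:
            if entry.security != REQUIRED_SECURITY:
                # Right BSSID but wrong security mode: misconfiguration, or a
                # twin that cloned the BSSID as well.
                return "authorized BSSID with unexpected security mode: investigate"
            return "authorized"
        return "evil twin: corporate SSID advertised by unknown BSSID"
    for known in AUTHORIZED:
        if edit_distance(entry.ssid.lower(), known.lower()) <= 2:
            return f"lookalike SSID of {known!r}: probable evil twin"
    if bssid in WIRED_MACS:
        return "rogue AP: unauthorized access point seen on the wired network"
    return "unknown neighbor AP"


def classify_all(entries):
    """Map each BSSID in a scan to its classification."""
    return {e.bssid: classify(e) for e in entries}


# Constructed scan results.
SCAN = [
    ScanEntry("corp-wifi", "aa:bb:cc:00:00:01", "WPA2-Enterprise"),   # legitimate
    ScanEntry("corp-wifi", "66:77:88:99:aa:bb", "Open"),              # evil twin
    ScanEntry("corp-wlfi", "66:77:88:99:aa:bc", "WPA2-Personal"),     # lookalike
    ScanEntry("bobs-ap", "de:ad:be:ef:00:10", "WPA2-Personal"),       # the employee's AP
    ScanEntry("cafe-guest", "11:22:33:44:55:66", "Open"),             # neighbor
]

if __name__ == "__main__":
    for bssid, verdict in classify_all(SCAN).items():
        print(f"{bssid}  {verdict}")
```

The employee's access point in the question is the fourth entry: its SSID is not corporate, so it is invisible to an SSID-only check, and only the wired-side evidence identifies it as a rogue AP rather than a neighbor.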
You have just received a generic-looking email that is addressed as coming from the administrator of your company. The email says that, as part of a system upgrade, you are to go to a website and enter your user name and password at a new website so you can manage your email and spam using the new service. What should you do? A. Click on the link in the email and look for company graphics or information before entering the login information. B. Delete the email. C. Click on the link in the email and follow the directions to enter your login information. D. Open a web browser and type the URL included in the email. Follow the directions to enter your login credentials. E. Verify that the email was sent by the administrator and that this new service is legitimate.
E. Verify that the email was sent by the administrator and that this new service is legitimate. You should verify that the email is legitimate and has come from your administrator. It is possible that the network administrator has signed up for a new service. If you ignore the message or delete it, you might not get the benefits the company has signed up for. However, the email might be a phishing attack: an attacker might be trying to capture your credentials. Verify through a channel you already trust (a phone call to the help desk or a ticket), not by replying to the email or following the link it contains, since both would reach the attacker if the message is forged. By verifying the email with the administrator, you will be able to tell if the email is legitimate.