cehv9 -1
B
1. An attacker at system A sends a SYN packet to victim at system B. 2. System B sends a SYN/ACK packet to victim A. 3. As a normal three-way handshake mechanism system A should send an ACK packet to system B - however - system A does not send an ACK packet to system B. In this case client B is waiting for an ACK packet from client A. This status of client B is called _________________ A. "half-closed" B. "half open" C. "full-open" D. "xmas-open"
A
A common technique for luring e-mail users into opening virus-launching attachments is to send messages that would appear to be relevant or important to many of their potential recipients. One way of accomplishing this feat is to make the virus-carrying messages appear to come from some type of business entity retailing sites - UPS - FEDEX - CITIBANK or a major provider of a common service. Here is a fraudulent e-mail claiming to be from FedEx regarding a package that could not be delivered. This mail asks the receiver to open an attachment in order to obtain the FEDEX tracking number for picking up the package. The attachment contained in this type of e-mail activates a virus. How do you ensure if the e-mail is authentic and sent from fedex.com? A. Verify the digital signature attached with the mail - the fake mail will not have Digital ID at all B. Check the Sender ID against the National Spam Database (NSD) C. Fake mail will have spelling/grammatical errors D. Fake mail uses extensive images - animation and flash content
A
An attacker finds a web page for a target organization that supplies contact information for the company. Using available details to make the message seem authentic - the attacker drafts e-mail to an employee on the contact page that appears to come from an individual who might reasonably request confidential information - such as a network administrator. The email asks the employee to log into a bogus page that requests the employee's user name and password or click on a link that will download spyware or other malicious programming. What is this deadly attack called? A. Spear phishing attack B. Trojan server attack C. Javelin attack D. Social networking attack
A
Annie has just succeeded in stealing a secure cookie via a XSS attack. She is able to replay the cookie even while the session is invalid on the server. Why do you think this is possible? A. It works because encryption is performed at the application layer (single encryption key) B. The scenario is invalid as a secure cookie cannot be replayed C. It works because encryption is performed at the network layer (layer 1 encryption) D. Any cookie can be replayed irrespective of the session status
C
Dan is conducting penetration testing and has found a vulnerability in a Web Application which gave him the sessionID token via a cross site scripting vulnerability. Dan wants to replay this token. However - the session ID manager (on the server) checks the originating IP address as well. Dan decides to spoof his IP address in order to replay the sessionID. Why do you think Dan might not be able to get an interactive session? A. Dan cannot spoof his IP address over TCP network B. The scenario is incorrect as Dan can spoof his IP and get responses C. The server will send replies back to the spoofed IP address D. Dan can establish an interactive session only if he uses a NAT
B
How does traceroute map the route a packet travels from point A to point B? A. Uses a TCP timestamp packet that will elicit a time exceeded in transit message B. Manipulates the value of the time to live (TTL) within packet to elicit a time exceeded in transit message C. Uses a protocol that will be rejected by gateways on its way to the destination D. Manipulates the flags within packets to force gateways into generating error messages
D
How many bits encryption does SHA-1 use? A. 64 bits B. 128 bits C. 256 bits D. 160 bits
A
Google uses a unique cookie for each browser used by an individual user on a computer. This cookie contains information that allows Google to identify records about that user on its database. This cookie is submitted every time a user launches a Google search - visits a site using AdSense etc. The information stored in Google's database - identified by the cookie - includes - Everything you search for using Google - Every web page you visit that has Google Adsense ads How would you prevent Google from storing your search keywords? A. Block Google Cookie by applying Privacy and Security settings in your web browser B. Disable the Google cookie using Google Advanced Search settings on Google Search page C. Do not use Google but use another search engine Bing which will not collect and store your search keywords D. Use MAC OS X instead of Windows 7. Mac OS has higher level of privacy controls by default.
B
How do you defend against DHCP Starvation attack? A. Enable ARP-Block on the switch B. Enable DHCP snooping on the switch C. Configure DHCP-BLOCK to 1 on the switch D. Install DHCP filters on the switch to block this attack
A B C E
How do you defend against Privilege Escalation? (Choose four) A. Use encryption to protect sensitive data B. Restrict the interactive logon privileges C. Run services as unprivileged accounts D. Allow security settings of IE to zero or Low E. Run users and applications on the least privileges
D
How would you detect IP spoofing? A. Check the IPID of the spoofed packet and compare it with TLC checksum. If the numbers match then it is spoofed packet B. Probe a SYN Scan on the claimed host and look for a response SYN/FIN packet - if the connection completes then it is a spoofed packet C. Turn on 'Enable Spoofed IP Detection' in Wireshark - you will see a flag tick if the packet is spoofed D. Sending a packet to the claimed host will result in a reply. If the TTL in the reply is not the same as the packet being checked then it is a spoofed packet
C
If a competitor wants to cause damage to your organization - steal critical secrets - or put you out of business - they just have to find a job opening - prepare someone to pass the interview - have that person hired - and they will be in the organization. How would you prevent such type of attacks? A. It is impossible to block these attacks B. Hire the people through third-party job agencies who will vet them for you C. Conduct thorough background checks before you engage them D. Investigate their social networking profiles
C
In Trojan terminology - what is required to create an executable file called chess.exe that has the chess.exe file WITH an added trojan.exe file, but looks to the user as just the chess.exe file? A. Mixer B. Converter C. Wrapper D. Zipper
B
In the context of Trojans - what is the definition of a Wrapper? A. An encryption tool to protect the Trojan B. A tool used to bind the Trojan with a legitimate file C. A tool used to calculate bandwidth and CPU cycles wasted by the Trojan D. A tool used to encapsulate packets within a new header and footer
E
In what stage of Virus life does a stealth virus get activated with the user performing certain actions such as running an infected program? A. Design B. Elimination C. Incorporation D. Replication E. Launch F. Detection
B
In which part of OSI layer - ARP Poisoning occurs? A. Transport Layer B. Datalink Layer C. Physical Layer D. Application layer
B C D
In which situations would you want to use anonymizer? (Select 3 answers) A. Increase your Web browsing bandwidth speed by using Anonymizer B. To protect your privacy and Identity on the Internet C. To bypass blocking applications that would prevent access to Web sites or parts of sites that you want to visit. D. Post negative entries in blogs without revealing your IP identity
D
Jason works in the sales and marketing department for a very large advertising agency located in Atlanta. Jason is working on a very important marketing campaign for his company's largest client. Before the project could be completed and implemented - a competing advertising company comes out with the exact same marketing materials and advertising - thus rendering all the work done for Jason's client unusable. Jason is questioned about this and says he has no idea how all the material ended up in the hands of a competitor. Jason's supervisor decides to go through his email and finds a number of emails that were sent to the competitors that ended up with the marketing material. The only items in the emails were attached jpg files - but nothing else. Jason's supervisor opens the picture files - but cannot find anything out of the ordinary with them. What technique has Jason most likely used? A. Stealth Rootkit Technique B. ADS Streams Technique C. Snow Hiding Technique D. Image Steganography Technique
D
Jayden is a network administrator for her company. Jayden wants to prevent MAC spoofing on all the Cisco switches in the network. How can she accomplish this? A. Jayden can use the command: ip binding set. B. Jayden can use the command: no ip spoofing. C. She should use the command: no dhcp spoofing. D. She can use the command: ip dhcp snooping binding.
D
Jimmy - an attacker - knows that he can take advantage of poorly designed input validation routines to create or alter SQL commands to gain access to private data or execute commands in the database. What technique does Jimmy use to compromise a database? A. Jimmy can submit user input that executes an operating system command to compromise a target system B. Jimmy can gain control of system to flood the target system with requests - preventing legitimate users from gaining access C. Jimmy can utilize an incorrect configuration that leads to access with higher-than expected privilege of the database D. Jimmy can utilize this particular database threat that is an SQL injection technique to penetrate a target system
A
Joel and her team have been going through tons of garbage - recycled paper - and other rubbish in order to find some information about the target they are attempting to penetrate. What would you call this type of activity? A. Dumpster Diving B. Scanning C. CI Gathering D. Garbage Scooping
B
Neil is a network administrator working in Istanbul. Neil wants to set up a protocol analyzer on his network that will receive a copy of every packet that passes through the main office switch. What type of port will Neil need to set up in order to accomplish this? A. Neil will have to configure a Bridged port that will copy all packets to the protocol analyzer. B. Neil will need to set up a SPAN port that will copy all network traffic to the protocol analyzer. C. He will have to set up an Ether channel port to get a copy of all network traffic to the analyzer. D. He should set up a MODS port which will copy all network traffic.
A
SNMP is a connectionless protocol that uses UDP instead of TCP packets (True or False) A. true B. false
B
SYN Flood is a DOS attack in which an attacker deliberately violates the three-way handshake and opens a large number of half-open TCP connections. The signature of attack for SYN Flood contains: A. The source and destination address having the same value B. A large number of SYN packets appearing on a network without the corresponding reply packets C. The source and destination port numbers having the same value D. A large number of SYN packets appearing on a network with the corresponding reply packets
A
Shayla is an IT security consultant - specializing in social engineering and external penetration tests. Shayla has been hired on by Treks Avionics - a subcontractor for the Department of Defense. Shayla has been given authority to perform any and all tests necessary to audit the company's network security. No employees for the company - other than the IT director - know about the work Shayla will be doing. Shayla's first step is to obtain a list of employees through company website contact pages. Then she befriends a female employee of the company through an online chat website. After meeting with the female employee numerous times - Shayla is able to gain her trust and they become friends. One day - Shayla steals the employee's access badge and uses it to gain unauthorized access to the Treks Avionics offices. What type of insider threat would Shayla be considered? A. She would be considered an Insider Affiliate B. Because she does not have any legal access herself - Shayla would be considered an Outside Affiliate C. Shayla is an Insider Associate since she has befriended an actual employee D. Since Shayla obtained access with a legitimate company badge - she would be considered a Pure Insider
B
Stephanie works as a records clerk in a large office building in downtown Chicago. On Monday - she went to a mandatory security awareness class (Security5) put on by her company's IT department. During the class - the IT department informed all employees that everyone's Internet activity was thenceforth going to be monitored. Stephanie spends a lot of her day just browsing the web. What should Stephanie use so that she does not get in trouble for surfing the Internet? A. Stealth IE B. Stealth Anonymizer C. Stealth Firefox D. Cookie Disabler
B
TCP/IP Session Hijacking is carried out in which OSI layer? A. Datalink layer B. Transport layer C. Network layer D. Physical layer
A
The following script shows a simple SQL injection. The script builds an SQL query by concatenating hard-coded strings together with a string entered by the user: The user is prompted to enter the name of a city on a Web form. If she enters Chicago - the query assembled by the script looks similar to the following: SELECT * FROM OrdersTable WHERE ShipCity = 'Chicago' How will you delete the OrdersTable from the database using SQL Injection? A. Chicago' - drop table OrdersTable -- B. Delete table'blah' - OrdersTable -- C. EXEC - SELECT * OrdersTable > DROP -- D. cmdshell' - 'del c:\sql\mydb\OrdersTable' //
C
This IDS defeating technique works by splitting a datagram (or packet) into multiple fragments and the IDS will not spot the true nature of the fully assembled datagram. The datagram is not reassembled until it reaches its final destination. It would be a processor-intensive task for IDS to reassemble all fragments itself - and on a busy system the packet will slip through the IDS onto the network. What is this technique called? A. IP Routing or Packet Dropping B. IDS Spoofing or Session Assembly C. IP Fragmentation or Session Splicing D. IP Splicing or Packet Reassembly
B
This attack technique is used when a Web application is vulnerable to an SQL Injection but the results of the Injection are not visible to the attacker. A. Unique SQL Injection B. Blind SQL Injection C. Generic SQL Injection D. Double SQL Injection
C
This attack uses social engineering techniques to trick users into accessing a fake Web site and divulging personal information. Attackers send a legitimate-looking e-mail asking users to update their information on the company's Web site - but the URLs in the e-mail actually point to a false Web site. A. Wiresharp attack B. Switch and bait attack C. Phishing attack D. Man-in-the-Middle attack
B
This type of Port Scanning technique splits the TCP header into several packets so that the packet filters are not able to detect what the packets intend to do. A. UDP Scanning B. IP Fragment Scanning C. Inverse TCP flag scanning D. ACK flag scanning
D
What default port does the Syslog daemon listen on? A. 242 B. 312 C. 416 D. 514
B
What does FIN in TCP flag define? A. Used to abort a TCP connection abruptly B. Used to close a TCP connection C. Used to acknowledge receipt of a previous packet or transmission D. Used to indicate the beginning of a TCP connection
D
What file system vulnerability does the following command take advantage of? type c:\anyfile.exe > c:\winnt\system32\calc.exe:anyfile.exe A. HFS B. Backdoor access C. XFS D. ADS
D
What is sniffing performed on a switched network called? A. Spoofed sniffing B. Passive sniffing C. Direct sniffing D. Active sniffing
D
What is the correct command to run Netcat on a server using port 56 that spawns command shell when connected? A. nc -port 56 -s cmd.exe B. nc -p 56 -p -e shell.exe C. nc -r 56 -c cmd.exe D. nc -L 56 -t -e cmd.exe
A
What port number is used by Kerberos protocol? A. 88 B. 44 C. 487 D. 419
D
What privilege level does a rootkit require to successfully infect a victim's machine? A. User level privileges B. Ring 3 Privileges C. System level privileges D. Kernel level privileges
C
What type of port scan is shown below? 192.5.2.92 --FIN/URG/PSH-->192.5.2.100:4079 192.5.2.92 <--NO RESPONSE--192.5.2.100:4079 A. Idle Scan B. FIN Scan C. XMAS Scan D. Windows Scan
C
Where can Stephanie go to see past versions and pages of a website? A. She should go to the web page Samspade.org to see web pages that might no longer be on the website B. If Stephanie navigates to Search.com - she will see old versions of the company website C. Stephanie can go to Archive.org to see past versions of the company website D. AddressPast.com would have any web pages that are no longer hosted on the company's website
A
Which Steganography technique uses Whitespace to hide secret messages? A. snow B. beetle C. magnet D. cat
A
Which of the following countermeasures can specifically protect against both the MAC Flood and MAC Spoofing attacks? A. Configure Port Security on the switch B. Configure Port Recon on the switch C. Configure Switch Mapping D. Configure Multiple Recognition on the switch
D
Which of the following statements is incorrect about vulnerability scanners? A. Vulnerability scanners attempt to identify vulnerabilities in the hosts scanned. B. Vulnerability scanners can help identify out-of-date software versions - missing patches - or system upgrades C. They can validate compliance with or deviations from the organization's security policy D. Vulnerability scanners can identify weakness and automatically fix and patch the vulnerabilities without user intervention
A
Which of the following statements would NOT be a proper definition for a Trojan Horse? A. An authorized program that has been designed to capture keyboard keystroke while the user is unaware of such activity being performed B. An unauthorized program contained within a legitimate program. This unauthorized program performs functions unknown (and probably unwanted) by the user C. A legitimate program that has been altered by the placement of unauthorized code within it - this code performs functions unknown (and probably unwanted) by the user D. Any program that appears to perform a desirable and necessary function but that (because of unauthorized code within it that is unknown to the user) performs functions unknown (and definitely unwanted) by the user
D
Which of the following types of scanning utilizes an automated process of proactively identifying vulnerabilities of the computing systems present on a network? A. Port Scanning B. Single Scanning C. External Scanning D. Vulnerability Scanning
C
Which type of hacker represents the highest risk to your network? A. black hat hackers B. grey hat hackers C. disgruntled employees D. script kiddies
B
You are the Security Administrator of Xtrinity - Inc. You write security policies and conduct assessments to protect the company's network. During one of your periodic checks to see how well policy is being observed by the employees - you discover an employee has attached cell phone 3G modem to his telephone line and workstation. He has used this cell phone 3G modem to dial in to his workstation - thereby bypassing your firewall. A security breach has occurred as a direct result of this activity. The employee explains that he used the modem because he had to download software for a department project. How would you resolve this situation? A. Reconfigure the firewall B. Enforce the corporate security policy C. Install a network-based IDS D. Conduct a needs analysis
A C D E F
You just purchased the latest DELL computer - which comes pre-installed with Windows 7 - McAfee antivirus software and a host of other applications. You want to connect Ethernet wire to your cable modem and start using the computer immediately. Windows is dangerously insecure when unpacked from the box - and there are a few things that you must do before you use it. A. New installation of Windows should be patched by installing the latest service packs and hotfixes B. Key applications such as Adobe Acrobat - Macromedia Flash - Java - Winzip etc. - must have the latest security patches installed C. Install a personal firewall and lock down unused ports from connecting to your computer D. Install the latest signatures for Antivirus software E. Configure "Windows Update" to automatic F. Create a non-admin user with a complex password and logon to this account G. You can start using your computer as vendors such as DELL - HP and IBM would have already installed the latest service packs.
B
You want to hide a secret.txt document inside c:\windows\system32\tcpip.dll kernel library using ADS streams. How will you accomplish this? A. copy secret.txt c:\windows\system32\tcpip.dll kernel>secret.txt B. copy secret.txt c:\windows\system32\tcpip.dll:secret.txt C. copy secret.txt c:\windows\system32\tcpip.dll |secret.txt D. copy secret.txt >< c:\windows\system32\tcpip.dll kernel secret.txt