Ch 8 - Cyber Final


A threat actor decides to engage in a type of attack that involves placing themself between two devices that have frequent communication. From the threat actor's perspective, what is an advantage of this type of attack?
a. This is a passive attack that leaves no evidence of tampering.
b. A high-traffic link will provide more opportunities for success.
c. Upon detection the attacker can quickly hide their tracks.
d. The two devices are not aware an attacker is present.

d. The two devices are not aware an attacker is present.

A security professional is performing penetration testing that includes a variety of port scans. The security professional knows that unless network monitoring is temporarily disabled, it will unconditionally generate an alert, which for the time being is not the desired effect. What monitoring methodology should the security professional temporarily disable?
a. Heuristic monitoring
b. Behavioral monitoring
c. Normalization monitoring
d. Active detection monitoring
e. Signature-based monitoring
f. Heuristic monitoring
g. Anomaly monitoring

a. Heuristic monitoring

A MAC cloning attack is most likely to affect what type of device and how?
a. A switch with the purpose of redirecting traffic.
b. A server with the purpose of redirecting traffic to other networks.
c. A router with the purpose of redirecting traffic away from the default gateway.
d. Entries in the content addressable memory with the purpose of flooding traffic.

a. A switch with the purpose of redirecting traffic.

A threat actor is successfully sending email messages using a forged domain to a large variety of recipients. What can the domain owner do to help mitigate the problem?
a. Use a strong hashing algorithm on the email headers.
b. Enable SPF on the MUAs of their employees.
c. Use a spam filter in its email system.
d. Use DKIM to generate private keys.
e. Set a TXT record in its DNS.

e. Set a TXT record in its DNS.

A threat actor launches an attack to restrict access to a particular website. The attack targets NTP to realize a significant increase in traffic compared to the amount of traffic originally sent. Which of the following best describes the type of attack the threat actor is engaging in? Select three.
a. DDoS attack
b. Augmentation attack
c. NTP multiplier attack
d. Amplification attack
e. Reflection attack

a. DDoS attack
c. NTP multiplier attack
e. Reflection attack

A security consulting firm is recommending you implement a system that will help protect critical data within your organization. It will require you to create rules to determine what data should be examined, as well as specific items within the data such as Social Security and credit card numbers. What type of system should you implement?
a. DLP
b. SCAP
c. SIEM
d. SOAR

a. DLP

Darius withdraws money from his online retirement account every month. A few months ago, he started using a different app on his desktop computer to access the internet. He recently noticed his account balance is being reduced by $50 every week. He runs a scan on his computer to check for viruses but finds nothing malicious. What type of attack may have compromised his system?
a. MITB
b. MITM
c. Session replay
d. Domain redirection

a. MITB

Which of the following accurately describes the activities that fall under security monitoring? Select three.
a. Isolating compromised systems.
b. Generating relevant documentation.
c. Retaining relevant historical documents and records.
d. Updating the signature databases used for monitoring.
e. Ensuring SPF authentication methods have been enabled.

a. Isolating compromised systems.
b. Generating relevant documentation.
c. Retaining relevant historical documents and records.

Which of the following represents a benefit of using DMARC? Select two.
a. It can extend SPF and DKIM.
b. It acts as a proxy for the organization's email server.
c. It allows the administrator to configure a secure end-to-end email tunnel.
d. It allows the administrator to specify more than one mechanism when sending emails.

a. It can extend SPF and DKIM.
d. It allows the administrator to specify more than one mechanism when sending emails.

Users suddenly start complaining that the network is very slow. Upon investigation, the network administrator determines some of the switches are in a failure mode that is causing them to broadcast frames to all ports. What conclusion is the network administrator most likely to draw in terms of the root cause?
a. It is the result of a MAC flooding attack.
b. It is the result of a MAC cloning attack.
c. It is the result of an ARP poisoning attack.
d. It is the result of a DDoS attack.

a. It is the result of a MAC flooding attack.

Your company has adopted a series of community-accepted security standards that are hosted in open-source online repositories. Which of the following is the company most likely to use to check their systems for vulnerabilities and misconfigurations?
a. SCAP-compliant applications
b. OSPM-verified applications
c. SEG-approved applications
d. MALW-validated applications

a. SCAP-compliant applications

An internal user installs malware on an internal system they want to target. However, the security product that is deployed in the organization was able to automatically initiate a response by placing the system into quarantine and generating an alert. Which of the following systems is capable of this type of response?
a. SOAR
b. SIEM
c. SCAP
d. Syslog

a. SOAR

Which of the following are true statements regarding session IDs? Select three.
a. They can be used for a specific type of replay attack.
b. They can be intercepted and used to impersonate a user.
c. They are typically hashed using a secure hashing algorithm.
d. They are typically encrypted with an asymmetrical encryption algorithm.
e. They are appended to a client's IP addresses to uniquely identify a session.

a. They can be used for a specific type of replay attack.
b. They can be intercepted and used to impersonate a user.
c. They are typically hashed using a secure hashing algorithm.

A company has adopted anomaly-based monitoring and establishes a secure baseline. If the company does not maintain baselines on a timely basis, what is a potential consequence?
a. Too many false positives
b. Too many false negatives
c. Too many true positives
d. Too many true negatives

a. Too many false positives

A threat actor manages to spoof the MAC address in the cache of a computer with the goal of redirecting traffic. What type of attack is the threat actor launching?
a. MAC flooding
b. ARP poisoning
c. MAC cloning
d. MAC cache attack
e. CAM spoofing

b. ARP poisoning

Two online companies sell similar products and are competing for increased market share. One of the companies is less honorable, so they hire an attacker who launches an attack to make the other company appear less trustworthy and thus a less favorable option from which to buy. What type of attack did the malicious actor most likely launch?
a. DDoS attack
b. DNS replay attack
c. DNS reflection attack
d. Domain reputation attack

d. Domain reputation attack

A rogue employee had been coordinating via email with an outside threat actor to compromise an internal system containing sensitive information. Fortunately, the company has a system in place that allowed them to identify the individual and their intentions and released the individual before they were able to launch the attack. What type of system does the company have in place?
a. GIMP
b. UIMP
c. DMARC
d. SIEM
e. EMXaminer

d. SIEM

In a credential relay attack, which of the following best describes how the credentials are compromised? Select two.
a. Attackers try to intercept username and password information in plaintext format.
b. Attackers try to intercept digests of user passwords as they are being transmitted.
c. Attackers try to intercept username and password information in cleartext format.
d. Attackers use their own device to set up a MITM attack to intercept credentials.
e. Attackers intercept digests of passwords to crack them using a high-outcome attack.

b. Attackers try to intercept digests of user passwords as they are being transmitted.
d. Attackers use their own device to set up a MITM attack to intercept credentials.

Kola is asked to implement a monitoring system that uses the normal processes and actions as the standard. It should continuously analyze processes and programs and alert the user if it detects an anomaly. What type of monitoring methodology should Kola implement?
a. Normalization monitoring
b. Behavioral monitoring
c. Active detection monitoring
d. Heuristic monitoring
e. Signature-based monitoring
f. Anomaly monitoring

b. Behavioral monitoring

A company has decided to use the benefits of an asymmetric algorithm and a hashing algorithm to help validate the contents of the entire email message body, among other elements of the message. What type of authentication technique is the company using?
a. SEG
b. DKIM
c. DMARC
d. EMAUTH

b. DKIM

An attacker successfully intercepts traffic from a client and then sends a fake digital certificate to the intended target. What is the attacker possibly trying to achieve? Select two.
a. Intercept traffic.
b. Decrypt the traffic.
c. Perform a MITM attack.
d. Poison DNS entries to redirect traffic.

b. Decrypt the traffic.
c. Perform a MITM attack.

Amara is responsible for monitoring events from a wide variety of devices connected to the network, including copiers and printers. When a new piece of networking equipment is added to the network and successfully deployed (processing and/or forwarding traffic), she uses a specific protocol to remotely query the device for information. If the device she is trying to contact does not respond, what can she do to troubleshoot the problem?
a. Verify the device she is trying to query has network connectivity, using, for example, ping.
b. Ensure the SNMP agent is installed and running on the device she is trying to query.
c. Reinstall SCAP on the device from which she is trying to query and verify it is up and running.
d. Ensure the SPF agent is installed and running on the device from which the queries are issued.

b. Ensure the SNMP agent is installed and running on the device she is trying to query.

You are unable to access google.com from your computer, so you check the local hosts file. You notice it has an entry that reads (without quotes) "127.0.0.1 www.google.com". How can you best remedy the situation?
a. Change the address to Google's IP address.
b. Remove the entry from the file.
c. Remove www from the domain name.
d. Add a new entry with Google's IP address.

b. Remove the entry from the file.

Which of the following actions will help mitigate the effects of malicious code attacks?
a. Only download vetted Bash libraries to minimize potential exploits when they are invoked.
b. Ensure Python programs are compiled in a controlled environment to prevent malware injections.
c. Disable support for macros across the Microsoft Office suite because they are a key attack vector.
d. Consider using PowerShell to invoke VBA apps because it uses a trusted framework.

c. Disable support for macros across the Microsoft Office suite because they are a key attack vector.

In the process of monitoring traffic, a security team has seen a significant increase in network traffic flowing outside of the network perimeter. They also noticed a particular software monitoring agent has been disabled. What should they use to prevent the threat actor from interfering with the data collection effort?
a. SOAR
b. SNMP
c. Flow analysis
d. SCAP

c. Flow analysis

Sendy is troubleshooting a new DHCP server she recently installed. Which of the following monitoring tools is she most likely to use?
a. SNMP
b. NetFlow
c. Packet capture
d. DHCP replay

c. Packet capture

An administrator configures a DNS MX record to point to a server with proxy-like characteristics. Which of the following best describes what the administrator is trying to accomplish?
a. Making provision for a secondary email server in case the primary email server fails.
b. Redirect traffic to a SEG to ensure DMARC policies are enforced.
c. Redirect traffic to a SEG to inspect email for malicious content.
d. Configure a SEG to segue email traffic to a redundant server for load balancing purposes.

c. Redirect traffic to a SEG to inspect email for malicious content.

Zikomo's company uses Outlook in employee offices as part of their email framework. The email header in one of the messages Zikomo received contains an analysis of the email with an indicator of SAP. What does this mean?
a. The spam aware profiler is enabled.
b. The email contains spam or phishing characteristics.
c. The attachment is safe.
d. The attachment is suspicious.
e. The email is suspicious, so the anti-malware profiler flagged it as such.

c. The attachment is safe.

Which of the following represents a disadvantage of signature-based monitoring?
a. It can take up to two weeks to generate a trustworthy baseline.
b. It generates more alerts than the other types of monitoring methodologies.
c. The corresponding database must be constantly updated.
d. It is effective at monitoring network traffic and activity but not transactions.

c. The corresponding database must be constantly updated.

An attacker tries to break into a DNS server to redirect traffic to his website. After multiple unsuccessful attempts, the attacker decides to take a more basic approach and starts by sending a request to a valid DNS server to resolve the name of his website. How can the attacker's goal of redirecting traffic be thwarted?
a. Install anti-DNS hijacking software on all DNS servers under the organization's control.
b. Ensure all DNS zone transfers use a tunnel to encrypt traffic between DNS servers.
c. Validate DNS responses to ensure they are from an authoritative source.
d. Enable DNS Guard on all internet-facing interfaces on the DNS server.

c. Validate DNS responses to ensure they are from an authoritative source.
