CIS-4500-Ex2 Practice
A. When two or more plain-text entries create the same fixed-value hash result, a collision has occurred.
A hacker feeds plain-text files into a hash, eventually finding two or more that create the same fixed-value hash result. This anomaly is known as what? A. Collision B. Chosen plain text C. Hash value compromise D. Known plain text
C. The term smishing refers to the use of text messages to socially engineer mobile device users. By definition it is a mobile-based social engineering attack. As an aside, it also sounds like something a five-year-old would say about killing a bug.
A man receives a text message on his phone purporting to be from Technical Services. The text advises of a security breach and provides a web link and phone number to follow up on. When the man calls the number, he turns over sensitive information. Which social engineering attack was this? A. Phishing B. Vishing C. Smishing D. Man in the middle
D. Social engineering is designed to test the human element in the organization. Of the answers provided, it is the only real option.
A security staff is preparing for a security audit and wants to know if additional security training for the end user would be beneficial. Which of the following methods would be the best option for testing the effectiveness of user training in the environment? A. Vulnerability scanning B. Application code reviews C. Sniffing D. Social engineering
A. Amazon's EC2 provides resizable compute capacity in the cloud via VMs that can be controlled via an API, thus fitting the definition of IaaS.
Amazon's EC2 provides virtual machines that can be controlled through a service API. Which of the following best defines this service? A. IaaS B. PaaS C. SaaS D. Public
B. In tailgating, the attacker holds a fake entry badge of some sort and follows an authorized user inside.
An attacker creates a fake ID badge and waits next to an entry door to a secured facility. An authorized user swipes a key card and opens the door. Jim follows the user inside. Which social engineering attack is in play here? A. Piggybacking B. Tailgating C. Phishing D. Shoulder surfing
C. Because he is already inside (thus rendering tailgating and piggybacking pointless), the attacker could employ shoulder surfing to gain the access credentials of a user.
An attacker has physical access to a building and wants to attain access credentials to the network using nontechnical means. Which of the following social engineering attacks is the best option? A. Tailgating B. Piggybacking C. Shoulder surfing D. Sniffing
C. Spear phishing occurs when the e-mail is being sent to a specific audience, even if that audience is one person. In this example, the attacker used recon information to craft an e-mail designed to be more realistic to the intended victim and therefore more successful.
An attacker performs a Whois search against a target organization and discovers the technical point of contact (POC) and site ownership e-mail addresses. He then crafts an e-mail to the owner from the technical POC, with instructions to click a link to see web statistics for the site. Instead, the link goes to a fake site where credentials are stolen. Which attack has taken place? A. Phishing B. Man in the middle C. Spear phishing D. Human based
B. Heartbleed takes advantage of the data-echoing acknowledgement heartbeat in SSL. OpenSSL version 1.0.1 through version 1.0.1f are vulnerable to this attack.
An attacker uses a Metasploit auxiliary exploit to send a series of small messages to a server at regular intervals. The server responds with 64 bytes of data from its memory. Which of the following best describes the attack being used? A. POODLE B. Heartbleed C. FREAK D. DROWN
A. Starting with the acknowledged sequence number of 101, the server will accept packets between 102 and 106 before sending an acknowledgment.
During a TCP data exchange, the client has offered a sequence number of 100, and the server has offered 500. During acknowledgments, the packet shows 101 and 501, respectively, as the agreed-upon sequence numbers. With a window size of 5, which sequence numbers would the server willingly accept as part of this session? A. 102 through 104 B. 102 through 501 C. 102 through 502 D. Anything above 501
D. While implementing cloud computing doesn't fully address separation of duties, of the choices provided it's the only one that makes sense. The cloud, by its nature, can separate the data owner from the data custodian (the cloud provider assumes the role).
Implementing cloud computing provides many benefits. Which of the following is the best choice of a security principle applicable to implementing cloud security? A. Need to know B. Least privilege C. Job rotation D. Separation of duties
D. The consumer is the subscriber, who engages a provider for services.
In the NIST Cloud Computing Reference Architecture, which component acquires and uses cloud products and services? A. Cloud provider B. Cloud carrier C. Cloud broker D. Cloud consumer
C. The broker "acts as the intermediate between consumer and provider and will help consumers through the complexity of cloud service offerings and may also create value added cloud services as well."
In the NIST Cloud Computing Reference Architecture, which component acts to manage use, performance, and delivery of cloud services, as well as the relationships between providers and subscribers? A. Cloud provider B. Cloud carrier C. Cloud broker D. Cloud consumer
B. Akin to the power distributor for the electric grid, the carrier is the intermediary for connectivity and transport between subscriber and provider.
In the NIST Cloud Computing Reference Architecture, which of the following has the responsibility of transmitting the data? A. Cloud provider B. Cloud carrier C. Cloud broker D. Cloud consumer
A. Physical security controls fall into three categories: physical, technical, and operational. Physical measures include lighting, fences, and guards.
Lighting, locks, fences, and guards are all examples of __________ measures within physical security. A. physical B. technical C. operational D. exterior
B. RC4 is a simple, fast, symmetric stream cipher. It can be used for almost everything you can imagine an encryption cipher could be used for (you can even find it in WEP).
RC4 is a simple, fast encryption cipher. Which of the following is not true regarding RC4? A. RC4 can be used for web encryption. B. RC4 uses block encryption. C. RC4 is a symmetric encryption cipher. D. RC4 can be used for file encryption.
D. When PKIs need to talk to one another and trust certificates from either side, the CAs need to set up a mutual trust known as cross-certification.
Two different organizations have their own public key infrastructure up and running. When the two companies merged, security personnel wanted both PKIs to validate certificates from each other. What must the CAs for both companies establish to accomplish this? A. Key exchange portal B. Key revocation portal C. Cross-site exchange D. Cross-certification
B. PaaS provides a development platform that allows subscribers to develop applications without building the infrastructure it would normally take to develop and launch software.
Which cloud computing model is geared toward software development? A. IaaS B. PaaS C. SaaS D. Private
A. SHA-1 produces a 160-bit output value.
Which hash algorithm produces a 160-bit output value? A. SHA-1 B. SHA-2 C. Diffie-Hellmann D. MD5
B. Volumetric attacks consume all available bandwidth for the system or service.
Which of the following DoS categories consume all available bandwidth for the system or service? A. Fragmentation attacks B. Volumetric attacks C. Application attacks D. TCP state-exhaustion attacks
A. In a POODLE attack, the man-in-the-middle interrupts all handshake attempts by TLS clients, forcing a degradation to a vulnerable SSL version.
Which of the following attacks acts as a man-in-the-middle, exploiting fallback mechanisms in TLS clients? A. POODLE B. Heartbleed C. FREAK D. DROWN
C. Session hijacking takes advantage of connections already in place and already authenticated.
Which of the following attacks an already-authenticated connection? A. Smurf B. Denial of service C. Session hijacking D. Phishing
D. A digital certificate contains, among other things, the sender's public key, and it can be used to identify the sender.
Which of the following is used to distribute a public key within the PKI system, verifying the user's identity to the recipient? A. Digital signature B. Hash value C. Private key D. Digital certificate
B. If untethered jailbreaking has been performed, the device is in a jailbroken state forever, with or without connection to another device.
Which of the following jailbreaking techniques will leave the phone in a jailbroken state even after a reboot? A. Tethered B. Untethered C. Semi-tethered D. Rooted
B. Much like Skynet from the Terminator movies, worms do not need us.
Which of the following propagates without human interaction? A. Trojan B. Worm C. Virus D. MITM
A. MIC provides integrity checking in WPA, verifying frames are authentic and have not been tampered with. Part of how it accomplishes this is a sequence number—if any arrive out of sequence, the whole session is dropped.
Which of the following protects against man-in-the-middle attacks in WPA? A. MIC B. CCMP C. EAP D. AES
B. Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (say that three times fast) uses Message Integrity Codes (MICs) for integrity purposes.
Which of the following provides for integrity in WPA2? A. AES B. CCMP C. TKIP D. RADIUS
C. Symmetric algorithms are fast, are good for bulk encryption, but have scalability problems.
Which of the following statements is true regarding encryption algorithms? A. Symmetric algorithms are slower, are good for bulk encryption, and have no scalability problems. B. Symmetric algorithms are faster, are good for bulk encryption, and have no scalability problems. C. Symmetric algorithms are faster, are good for bulk encryption, but have scalability problems. D. Symmetric algorithms are faster but have scalability problems and are not suited for bulk encryption.
D. Automatic testing involves the use of a tool suite and generally runs faster than an all-inclusive manual test. However, it is susceptible to false negatives and false positives and can oftentimes overrun the scope boundary.
Which of the following tests is generally faster and costs less but is susceptible to more false reporting and contract violation? A. Internal B. External C. Manual D. Automatic
C, D. Core Impact and CANVAS are both automated, all-in-one test tool suites capable of performing a test for a client. Other tools may be used in conjunction with them to spot vulnerabilities, including Nessus, Retina, SAINT, and Sara.
Which of the following would be a good choice for an automated penetration test? (Choose all that apply.) A. nmap B. Netcat C. Core Impact D. CANVAS
A. A security audit is used to verify security policies and procedures in place.
Which security assessment is designed to check policies and procedures within an organization? A. Security audit B. Vulnerability assessment C. Pen test D. None of the above
C. Rivest Cipher (RC) uses variable block sizes (from 32 to 128 bits).
Which symmetric algorithm uses variable block sizes (from 32 to 128 bits)? A. DES B. 3DES C. RC D. MD5
C. Everyone recognizes insider threats as the worst type of threat, and a disgruntled employee on the inside is the single biggest threat for security professionals to plan for and deal with.
Which threat presents the highest risk to a target network or resource? A. Script kiddies B. Phishing C. A disgruntled employee D. A white-hat attacker
A. Vulnerability assessments (a.k.a. security audits) seek to discover open vulnerabilities on the client's systems but do not actively or intentionally exploit any of them.
Which type of security assessment notifies the customer of vulnerabilities but does not actively or intentionally exploit them? A. Vulnerability assessment B. Scanning assessment C. Penetration test D. None of the above
A. Sparse infector viruses only fire when a specific condition is met. For example, maybe the fifth time Calculator is run, whammo—virus execution.
Which virus type is only executed when a specific condition is met? A. Sparse infector B. Multipartite C. Metamorphic D. Cavity
B. WPA uses temporal keys, making it a much stronger encryption choice than WEP.
Which wireless encryption technology makes use of temporal keys? A. WAP B. WPA C. WEP D. EAP
C. WEP uses RC4, which is part of the reason it's so easily hacked and not considered a secure option.
Which wireless technology uses RC4 for encryption? A. WAP B. WPA C. WEP D. WPA2 E. All of the above
D. Bob's public key is used to encrypt the message. His private key is used to decrypt it.
Within a PKI system, Joe encrypts a message for Bob and sends it. Bob receives the message and decrypts the message using what? A. Joe's public key B. Joe's private key C. Bob's public key D. Bob's private key
A. A registration authority (RA) validates an applicant into the system, making sure they are real, valid, and allowed to use the system.
Within a PKI, which of the following verifies the applicant? A. Registration authority B. User authority C. Revocation authority D. Primary authority
C. AES is a symmetric algorithm, which means that the same key is used for encryption and decryption. The organization will have to find a secured means to transmit the key to both parties before any data exchange.
An organization has decided upon AES with a 256-bit key to secure data exchange. What is the primary consideration for this? A. AES is slow. B. The key size makes data exchange bulky and complex. C. It uses a shared key for encryption. D. AES is a weak cypher.
C. Operational measures are the policies and procedures you set up to enforce a security-minded operation.
Background checks on employees, risk assessments on devices, and policies regarding key management and storage are examples of __________ measures within physical security. A. physical B. technical C. operational D. None of the above
D. Reverse social engineering occurs when the attacker uses marketing, sabotage, and support to gain access credentials and other information.
Bob decides to employ social engineering during part of his pen test. He sends an unsolicited e-mail to several users on the network advising them of potential network problems and provides a phone number to call. Later that day, Bob performs a DoS on a network segment and then receives phone calls from users asking for assistance. Which social engineering practice is in play here? A. Phishing B. Impersonation C. Technical support D. Reverse social engineering
C. Software as a Service best describes this. SaaS is simply a software distribution model—the provider offers on-demand applications to subscribers over the Internet.
Google Docs and Salesforce CRM are two examples of which cloud computing model? A. IaaS B. PaaS C. SaaS D. Public
D. Tripwire is one of the better-known file integrity verifiers, and it can help prevent Trojans by notifying you immediately when an important file is altered.
How does Tripwire (and programs like it) help against Trojan attacks? A. Tripwire is an AV application that quarantines and removes malware immediately. B. Tripwire is an AV application that quarantines and removes malware after a scan. C. Tripwire is a file-integrity-checking application that rejects malware packets intended for the kernel. D. Tripwire is a file-integrity-checking application that notifies you when a system file has been altered, potentially indicating malware.
A, B, C. The final report for a pen test includes an executive summary, a list of the findings (usually in order of highest risk), the names of all participants, a list of all findings (in order of highest risk), analysis of findings, mitigation recommendations, and any logs or other relevant files.
In which of the following would you find in a final report from a full penetration test? (Choose all that apply.) A. Executive summary B. A list of findings from the test C. The names of all the participants D. A list of vulnerabilities patched or otherwise mitigated by the team
A. All reconnaissance efforts occur in the pre-attack phase.
In which phase of a penetration test is scanning performed? A. Pre-attack B. Attack C. Post-attack D. Reconnaissance
B. In a known plain-text attack, the hacker has both plain-text and cipher-text messages; the plain-text copies are scanned for repeatable sequences, which are then compared to the cipher-text versions. Over time, and with effort, this can be used to decipher the key.
Joe and Bob are both ethical hackers and have gained access to a folder. Joe has several encrypted files from the folder, and Bob has found one of them unencrypted. Which of the following is the best attack vector for them to follow? A. Cipher text only B. Known plain text C. Chosen cipher text D. Replay
D. Joe is on a system internal to the network and has no knowledge of the target's network. Therefore, he is performing an internal, black-box test.
Joe is part of a penetration test team and is starting a test. The client has provided him a system on one of their subnets but did not provide any authentication information, network diagrams, or other notable data concerning the systems. Which type of test is Joe performing? A. External, white box B. External, black box C. Internal, white box D. Internal, black box
C. Mobile Device Management won't mitigate all the risks associated with unending use of mobile devices on your network—but at least it's something.
Operations promotes the use of mobile devices in the enterprise. Security disagrees, noting multiple risks involved in adding mobile devices to the network. Which of the following provides some protections against the risks security is concerned about? A. Implement WPA. B. Add MAC filtering to all WAPs. C. Implement MDM. D. Ensure all WAPs are from a single vendor.
A, B, C. Phishing e-mails can be spotted by who they are from, who they are addressed to, spelling and grammar errors, and unknown or malicious embedded links.
Phishing e-mail attacks have caused severe harm to a company. The security office decides to provide training to all users in phishing prevention. Which of the following are true statements regarding identification of phishing attempts? (Choose all that apply.) A. Ensure e-mail is from a trusted, legitimate e-mail address source. B. Verify spelling and grammar is correct. C. Verify all links before clicking them. D. Ensure the last line includes a known salutation and copyright entry (if required).
B. Computer-based social engineering attacks include any measures using computers and technology.
Phishing, pop-ups, and IRC channel use are all examples of which type of social engineering attack? A. Human based B. Computer based C. Technical D. Physical
A. WPA2 is a strong encryption method, but almost everything can be hacked given time. Capturing the password pairwise master key (PMK) during the handshake is the only way to do it, and even then it's virtually impossible if it's a complicated password.
WPA2 wireless network is discovered during a pen test. Which of the following methods is the best way to crack the network key? A. Capture the WPA2 authentication traffic and crack the key. B. Capture a large amount of initialization vectors and crack the key inside. C. Use a sniffer to capture the SSID. D. WPA2 cannot be cracked.
A, B. The MAC address of the AP and the SSID are required for attempting a WEP crack.
What information is required in order to attempt to crack a WEP AP? (Choose two.) A. Network SSID B. MAC address of the AP C. IP address of the AP D. Starting sequence number in the first initialization vector
D. Pen tests always begin with an agreement with the customer that identifies the scope and activities. An ethical hacker will never proceed without written authorization.
What marks the major difference between a hacker and an ethical hacker (pen test team member)? A. Nothing. B. Ethical hackers never exploit vulnerabilities; they only point out their existence. C. The tools they use. D. The predefined scope and agreement made with the system owner.
A. The distributed reflection denial of service (DRDoS) attack is, for all intents and purposes, a botnet. Secondary systems carry out the attacks so the attacker remains hidden.
Which of the following best describes a DRDoS? A. Multiple intermediary machines send the attack at the behest of the attacker. B. The attacker sends thousands upon thousands of SYN packets to the machine with a false source IP address. C. The attacker sends thousands of SYN packets to the target but never responds to any of the return SYN/ACK packets. D. The attack involves sending a large number of garbled IP fragments with overlapping, oversized payloads to the target machine.
A. Blue teams are defense-oriented. They concentrate on preventing and mitigating attacks and efforts of the red team/bad guys.
Which of the following best describes a blue team? A. Security team members defending a network B. Security team members attacking a network C. Security team members with full knowledge of the internal network D. A performance group at Universal Studios in Orlando
B. Red teams are on offense. They are employed to go on the attack, simulating the bad guys out in the world trying to exploit anything they can find.
Which of the following best describes a red team? A. Security team members defending a network B. Security team members attacking a network C. Security team members with full knowledge of the internal network D. Security team members dedicated to policy audit review
B. In a teardrop attack, the reassembly of fragments takes down the target.
Which of the following best describes a teardrop attack? A. The attacker sends a packet with the same source and destination address. B. The attacker sends several overlapping, extremely large IP fragments. C. The attacker sends UDP Echo packets with a spoofed address. D. The attacker uses ICMP broadcast to DoS targets.
C. Wrapping attacks involve messing with SOAP messages and replaying them as legitimate.
Which of the following best describes a wrapping attack? A. CSRF-type attack against cloud computing resources. B. An attack involving leveraging a new or existing VM on a physical device against another VM. C. A SOAP message is intercepted, data in the envelope is changed, and then the data is sent/replayed. D. The virtual machine management system on the physical machine is corrupted or administrative control is gained over it.
C. Service Oriented Architecture (SOA) is all about software components delivering information to one another on a network, and this is the best available answer.
Which of the following best represents SOA? A. File server B. An application containing both the user interface and the code allowing access to the data C. An API that allows different components to communicate D. A single database accessed by multiple sources
A. Session riding is simply CSRF under a different name and deals with cloud services instead of traditional data centers.
Which of the following cloud computing attacks can be best described as a CSRF attack? A. Session riding B. Side channel C. Cross-guest VM breach D. Hypervisor attack
D. Overt channels are legitimate, and used legitimately. Everything else listed is naughty.
Which of the following doesn't define a method of transmitting data that violates a security policy? A. Backdoor channel B. Session hijacking C. Covert channel D. Overt channel
A, D. A SYN flood doesn't use ICMP at all, nor does a peer-to-peer attack.
Which of the following don't use ICMP in the attack? (Choose two.) A. SYN flood B. Ping of Death C. Smurf D. Peer to peer
B, E. Unpredictable sequence numbers make session hijacking nearly impossible, and implementing IPSec—which provides encryption and authentication services—is also probably a good idea.
Which of the following is a recommendation to protect against session hijacking? (Choose two.) A. Use only nonroutable protocols. B. Use unpredictable sequence numbers. C. Use a file verification application, such as Tripwire. D. Use a good password policy. E. Implement IPSec throughout the environment.
A. Pretty Good Privacy (PGP) is used for signing, compression, and encrypting and decrypting e-mails, files, directories, and even whole disk partitions, mainly in an effort to increase the security of e-mail communications.
Which of the following is a software application used to asymmetrically encrypt and digitally sign e-mail? A. PGP B. SSL C. PPTP D. HTTPS
B. Block encryption takes a fixed-length block of plain text and converts it to an encrypted block of the same length.
Which of the following is a symmetric encryption method that transforms a fixed length amount of plain text into an encrypted version of the same length? A. Stream B. Block C. Bit D. Hash
D. An SSID is used for nothing more than identifying the network. It is not designed as a security measure.
Which of the following is a true statement? A. Configuring a strong SSID is a vital step in securing your network. B. An SSID should always be more than eight characters in length. C. An SSID should never be a dictionary word or anything easily guessed. D. SSIDs are important for identifying networks but do little to nothing for security.
A. Positive pressure will do wonderful things to keep dust and other contaminants out of the room, but on its own it does nothing against static electricity.
Which of the following is not a method used to control or mitigate against static electricity in a computer room? A. Positive pressure B. Proper electrical grounding C. Anti-static wrist straps D. A humidity control system
B. Backing up a hard drive that's already infected makes as much sense as putting ketchup on a doughnut. The malicious files are on the drive, so backing it up does nothing but ensure you'll reinfect something later on.
Which of the following is not a recommended step in recovering from a malware infection? A. Delete system restore points. B. Back up the hard drive. C. Remove the system from the network. D. Reinstall from original media.
D. Blooover is designed for bluebugging. BBProxy and PhoneSnoop are both Blackberry tools, and btCrawler is a discovery option.
Which of the following is the best choice for performing a bluebugging attack? A. PhoneSnoop B. BBProxy C. btCrawler D. Blooover
C. This is the correct syntax for using Netcat to leave a command shell open on port 56.
Which of the following is the proper syntax on Windows systems for spawning a command shell on port 56 using Netcat? A. nc -r 56 -c cmd.exe B. nc -p 56 -o cmd.exe C. nc -L 56 -t -e cmd.exe D. nc -port 56 -s -o cmd.exe
C. MAC filtering is easily hacked by sniffing the network for a valid MAC and then spoofing it, using any number of options available.
You are discussing wireless security with your client. He tells you he feels safe with his network as he has implemented MAC filtering on all access points, allowing only MAC addresses from clients he personally configures in each list. You explain this step will not prevent a determined attacker from connecting to his network. Which of the following explains why the APs are still vulnerable? A. WEP keys are easier to crack when MAC filtering is in place. B. MAC addresses are dynamic and can be sent via DHCP. C. An attacker could sniff an existing MAC address and spoof it. D. An attacker could send a MAC flood, effectively turning the AP into a hub.
D. Turning off the broadcast of an SSID is a good step, but SSIDs do nothing in regard to security. The SSID is included in every packet, regardless of whether it's broadcast from the AP.
You are discussing wireless security with your client. He tells you he feels safe with his network because he has turned off SSID broadcasting. Which of the following is a true statement regarding his attempt at security? A. Unauthorized users will not be able to associate because they must know the SSID in order to connect. B. Unauthorized users will not be able to connect because DHCP is tied to SSID broadcast. C. Unauthorized users will still be able to connect because nonbroadcast SSID puts the AP in ad hoc mode. D. Unauthorized users will still be able to connect because the SSID is still sent in all packets, and a sniffer can easily discern the string.
C. FDE is the appropriate control for data-at-rest protection. Pre-boot Authentication provides protection against loss or theft.
You are reviewing security plans and policies, and you wish to provide protection to organization laptops. Which effort listed protects system folders, files, and MBR until valid credentials are provided at pre-boot? A. Cloud computing B. SSL/TLS C. Full disk encryption D. AES
B. SuperOneClick is designed for rooting Android. The others are jailbreaking iOS options.
You wish to gain administrative privileges over your Android device. Which of the following tools is the best option for rooting the device? A. Pangu B. SuperOneClick C. Cydia D. evasi0n7
B. Mantraps are specifically designed to prevent tailgating.
Your organization installs mantraps in the entranceway. Which of the following attacks is it attempting to protect against? A. Shoulder surfing B. Tailgating C. Dumpster diving D. Eavesdropping
