Security Exam 1
As a security professional, what should you do to address weak configurations that pose security risks to your organization? (Choose all that apply.)
A. Change default usernames and passwords. B. Remove unnecessary apps. C. Disable unnecessary services. -Every effort should be made to remove unnecessary apps, disable any unnecessary services, and change default account usernames and passwords. Opening all ports is a recipe for disaster. Unnecessary or unused ports should be closed or secured.
Which of the following best describes what CVE is?
A: A list of known vulnerabilities - Common Vulnerabilities and Exposures (CVE) is an enumeration, or list, of publicly known vulnerabilities, each with a unique identifier.
Which statement is false regarding cryptographic practices and weak encryption?
Because TLS is deprecated, SSL should be used instead. - All versions of SSL are now considered deprecated and should not be used. Everyone should switch their systems to TLS-based solutions. All other statements are true.
Covering one's tracks to prevent discovery is also known as what?
Cleanup -Cleanup involves the steps of clearing logs and other evidence to prevent one from being easily discovered.
A system that is ready for immediate use in the event of an outage is called what?
Hot Site - A hot site is one that is ready for immediate use in the event of a failure. - All of the other options are names created using distractor words.
You desire to prove a vulnerability can be a problem. The best method would be to use a(n) _____________ scan?
Intrusive Scan -An intrusive scan attempts to exercise a vulnerability. - This presents risk in that it might upset the system, but if it works, it is clear proof of the risk associated with a vulnerability.
Your network scan is showing a large number of address changes to the MAC tables and lots of ARP and RARP messages. What is happening?
MAC Flooding Attack - This is a MAC flooding attack, an attempt to overflow the MAC (CAM) tables in the switches so that they fail open and forward frames out every port, where the attacker can capture them.
What is the only sure method of ensuring input is valid before use on a server?
Server-side validation -Server-side validation is the only sure validation method for inputs to the application.
Which of the following items do you as a defender have control over with respect to using threat intelligence to defend your systems?
Vectors - Vectors is the correct answer because this is the only item you have any direct control over. - The other items are real issues, just not ones you have any measure of direct control over.
A patch management process should include which of the following? (Choose all that apply.)
1. Automated management 2. automated verification of current patch levels 3. A specified period by which systems should be patched 4. Connection of the patch management process to the change control process - A good patch management process should include automated management of software assets, automated verification of current patch levels, a specified period by which systems should be patched, and connection of the patch management process to the change control process.
A user in your organization is having issues with her laptop. Every time she opens a web browser, she sees different pop-up ads every few minutes. It doesn't seem to matter which websites are being visited—the pop-ups still appear. What type of attack does this sound like?
Potentially unwanted program (PUP) - This behavior is typical of a potentially unwanted program, an application that was bundled with other software and performs tasks the user did not ask for, such as injecting ads.
Threat hunting involves which of the following? (Choose all that apply.)
A. Analysis of adversarial actions B. Interpretation of threats to other companies D. Understanding how data flows in an enterprise -Threat hunting involves analyzing adversarial actions, interpreting the threats to other companies, and understanding how data flows in an enterprise so adversaries can be caught maneuvering.
Data protection includes all of the following topics except which ones? (Choose all that apply.)
A. Honeypots B. DNS Sinkholes - Honeypots and DNS sinkholes are part of deception and disruption activities, not data protection.
Which of the following statements concerning elasticity and scalability are true?
A. Scalability requires elasticity. B. Elasticity involves enabling software to use more processors to do more work. C. Elasticity means being prepared to take advantage of scalability. -Scalability requires elasticity to scale, elasticity involves enabling software to use more processors to do more work, and elasticity means developing software that is prepared to take advantage of scalability.
What is the purpose of deception in an enterprise? (Choose all that apply.)
A. To trick attackers into stealing fake data B. To identify misconfigured systems C. To permit easy identification of unauthorized actors Deception techniques such as honeynets and honeypots can trick attackers into stealing fake data and make them easier to find in the network. - These techniques can also help in determining systems that are misconfigured.
Why is memory management important in software development?
A: A program can grow and consume other program spaces. -Memory management failures can lead to a program growing in size when executing. - This can result in either its own failure or the diminishing of memory resources for other programs.
Which of the following is a formal approach to identifying system or network weaknesses and is open to the public?
A: Bug Bounty - Bug bounty programs can open up vulnerability discovery to the public with a set of rules that manages the disclosure process and the engaging of the systems.
How does a hypervisor enable multiple guest operating systems to run concurrently on a host computer?
A: By abstracting the hardware from the guest operating system -The hypervisor abstracts the hardware from the guest operating system to enable multiple guest operating systems to run concurrently on a host computer.
Which of the following is not a state of data in the enterprise?
A: In Storage - In storage is not a correct term used in describing the states of data. - The correct states are at rest, in transit/motion, and in processing.
Which of the following is not a term used in multifactor authentication?
A: Something You See - Something you see is neither a factor (something you know, something you have, or something you are) - nor an attribute (somewhere you are, something you can do, something you exhibit, or someone you know).
With regard to authentication, an access token falls into which factor category?
A: Something you have -An access token is a physical object that identifies specific access rights, and in authentication it falls into the "something you have" factor category.
What is the primary limitation of a credentialed scan on a network?
A: The inability to scale across multiple systems -Because a credentialed scan requires credentials for each system it is examining, and these credentials will change across a network, this type of scan is less scalable with automation.
What is the purpose of a white team?
A: To provide judges to score or rule on a test -When an exercise involves scoring and/or a competition perspective, the team of judges is called the white team. - If the exercise is such that it requires an outside set of coordinators to manage it, independent of the defending team, they are also called a white team. - White team members are there to ensure that the actual exercise stays on track and involves the desired elements of a system.
When a pen tester uses OSINT to gain information on a system, the type of environment can be changed from ______ to _______.
A: Unknown, Partially known - OSINT provides information about systems and their addresses and connections, including applications. - This takes the status of a system from a completely unknown environment to a partially known environment.
Why is VM sprawl an issue?
A: When servers are no longer physical, it can be difficult to locate a specific machine. -VM sprawl is an issue because when virtual machines proliferate, they can be easily moved and potentially easily copied to random locations. -This can make finding a specific machine difficult without a carefully constructed and consistently managed organizational structure.
A user wants to know if the network is down because she is unable to connect to anything. While troubleshooting, you notice the MAC address for her default gateway setting doesn't match the MAC address of your organization's router. What type of attack has been used against this user?
ARP Poisoning - ARP poisoning is an attack that involves sending spoofed ARP or RARP replies to a victim in an attempt to alter the ARP table on the victim's system. - If successful, an ARP poisoning attack will replace one or more MAC addresses in the victim's ARP table with the MAC address the attacker supplies in their spoofed responses; traffic for the gateway then goes to the attacker instead of the router.
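The two questions above (the MAC flooding scan and the mismatched gateway MAC) describe symptoms that a monitor can check for directly. The following is an added Python example written for this study set, not code from the original page: it runs two simple detectors over constructed sample data (the ARP replies, the inventory of expected MACs, and the burst of 150 source MACs are all made up for the example). The "MAC of record" table and the switch port name are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample data for this example (not a real capture).
GATEWAY_IP = "10.0.0.1"
MAC_OF_RECORD = {GATEWAY_IP: "00:11:22:33:44:55"}   # assumed switch/router inventory

# ARP replies as (timestamp_seconds, sender_ip, sender_mac)
ARP_REPLIES = [
    (0.0, "10.0.0.1", "00:11:22:33:44:55"),   # legitimate gateway
    (1.0, "10.0.0.7", "aa:bb:cc:00:00:07"),   # ordinary host, not in the inventory
    (2.0, "10.0.0.1", "de:ad:be:ef:00:01"),   # gateway IP now claimed by a different MAC
    (2.5, "10.0.0.1", "de:ad:be:ef:00:01"),
]

# Frames on one switch port as (timestamp_seconds, port, source_mac): 150 distinct
# source MACs in under a second, the signature of a CAM-table flood.
FLOOD_FRAMES = [
    (i * 0.005, "Gi1/0/3", f"02:00:00:00:{i // 256:02x}:{i % 256:02x}") for i in range(150)
]


def detect_arp_poisoning(replies, mac_of_record):
    """Alert on any ARP reply whose sender IP has a MAC of record that differs
    from the MAC being advertised (the symptom in the question: the gateway's
    IP resolving to a MAC that is not the router's)."""
    alerts = []
    for ts, ip, mac in replies:
        expected = mac_of_record.get(ip)
        if expected is not None and mac.lower() != expected.lower():
            alerts.append(f"t={ts}: {ip} claimed by {mac}, expected {expected}")
    return alerts


def detect_mac_flood(frames, window_seconds=1.0, threshold=100):
    """Alert when one port sees `threshold` or more distinct source MACs inside a
    sliding window. A real port learns a handful of MACs; a flood learns thousands."""
    alerts = []
    recent = defaultdict(deque)          # port -> (ts, mac) pairs inside the window
    for ts, port, mac in frames:
        q = recent[port]
        q.append((ts, mac))
        while q and ts - q[0][0] > window_seconds:
            q.popleft()
        distinct = {m for _, m in q}
        if len(distinct) >= threshold:
            alerts.append(f"t={ts:.3f}: port {port} saw {len(distinct)} distinct source MACs "
                          f"in {window_seconds}s")
            q.clear()                    # one alert per burst
    return alerts


if __name__ == "__main__":
    for line in detect_arp_poisoning(ARP_REPLIES, MAC_OF_RECORD) + detect_mac_flood(FLOOD_FRAMES):
        print(line)
```

The poisoning check only works for hosts you have a MAC of record for (gateways, servers), which is exactly where it matters; the flood check keys on the number of distinct source addresses per port rather than on frame rate, since a busy but legitimate port repeats the same few MACs.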
Once an organization's security policies have been established, what is the single most effective method of countering potential social engineering attacks?
An active security awareness program - Because any employee may be the target of a social engineering attack, the best thing you can do to protect your organization from these attacks is to implement an active security awareness program to ensure that all employees are cognizant of the threat and what they can do to address it.
Which of the following is not associated typically with SIEM processes?
Applications - Applications may be all over the network and may provide data to a SIEM, but they are not typically part of the SIEM process.
While port-scanning your network for unauthorized systems, you notice one of your file servers has TCP port 31337 open. When you connect to the port with the security tool netcat, you see a prompt that reads, "Enter password for access:". Your server may be infected with what type of malware?
Backdoor - This prompt most likely belongs to a backdoor, an alternate way of accessing the system. - The TCP service is listening for incoming connections and prompts for a password when a connection is established. - Providing the correct password would grant command-line access to the system.
You're sitting at the airport when your friend gets a message on her phone. In the text is a picture of a duck with the word "Pwnd" as the caption. Your friend doesn't know who sent the message. Your friend is a victim of what type of attack?
Bluejacking Attack - This is most likely a bluejacking attack. - If a victim's phone has Bluetooth enabled and is in discoverable mode, it may be possible for an attacker to send unwanted texts, images, or audio to the victim's phone.
A web application you are reviewing has an input field for username and indicates the username should be between 6 and 12 characters. You've discovered that if you input a username that's 150 characters or more in length, the application crashes. What is this an example of?
Buffer Overflow - This is a fairly classic example of a buffer overflow. - The input routine does not validate the provided input to ensure a maximum of 12 characters is received and processed. - In this case, the application tries to store all 150 (or more) characters of the username, resulting in areas of memory being overwritten and causing the application to crash.
While port-scanning your network for unauthorized systems, you notice one of your file servers has TCP port 61337 open. When you use Wireshark and examine the packets, you see encrypted traffic, in single packets, going back and forth every five minutes. The external connection is a server outside of your organization. What is this connection?
Command and Control - Periodic traffic that looks like a heartbeat on high ports to an unknown server outside the network is suspicious, and this is what many command-and-control (C2) beacons look like.
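The distinguishing features in the question above are regular timing, small packets, a high port, and an external destination. As an added example (not from the original page), the Python below scores flow records on exactly those properties: it groups flows by source, destination and port, computes the jitter of the inter-arrival times, and flags external channels whose timing is nearly constant and whose payloads are small. The flow records, the 203.0.113.0/24 addresses and the internal address ranges are constructed for the example.

```python
import statistics
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal address space for this example; an organization would use its own.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: (timestamp_seconds, src_ip, dst_ip, dst_port, bytes).
# 203.0.113.0/24 is a documentation range; nothing here is real traffic.
FLOWS = [
    # suspected beacon: one small packet every ~5 minutes to an external host on a high port
    (0,    "10.0.5.20", "203.0.113.9",  61337, 96),
    (300,  "10.0.5.20", "203.0.113.9",  61337, 96),
    (601,  "10.0.5.20", "203.0.113.9",  61337, 104),
    (900,  "10.0.5.20", "203.0.113.9",  61337, 96),
    (1200, "10.0.5.20", "203.0.113.9",  61337, 96),
    # ordinary browsing: irregular timing, large and variable transfers
    (10,   "10.0.5.20", "203.0.113.40", 443, 18000),
    (37,   "10.0.5.20", "203.0.113.40", 443, 2200),
    (412,  "10.0.5.20", "203.0.113.40", 443, 51000),
    (425,  "10.0.5.20", "203.0.113.40", 443, 900),
    (1190, "10.0.5.20", "203.0.113.40", 443, 7700),
    # internal file-server polling: regular, but inside the network, so out of scope here
    (0,    "10.0.5.20", "10.0.1.5",     445, 120),
    (300,  "10.0.5.20", "10.0.1.5",     445, 120),
    (600,  "10.0.5.20", "10.0.1.5",     445, 120),
    (900,  "10.0.5.20", "10.0.1.5",     445, 120),
]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_beacons(flows, min_count=4, max_jitter=0.05, max_bytes=512):
    """Group flows by (src, dst, port) and report external channels contacted at
    near-constant intervals with small payloads. jitter = stdev/mean of the
    inter-arrival times: a human-driven session is near 1, a timer is near 0."""
    channels = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        if is_internal(dst):
            continue
        channels[(src, dst, port)].append((ts, nbytes))

    hits = []
    for (src, dst, port), events in channels.items():
        if len(events) < min_count:
            continue
        events.sort()
        intervals = [b[0] - a[0] for a, b in zip(events, events[1:])]
        mean_interval = statistics.mean(intervals)
        jitter = statistics.pstdev(intervals) / mean_interval if mean_interval else float("inf")
        mean_bytes = statistics.mean([n for _, n in events])
        if jitter <= max_jitter and mean_bytes <= max_bytes:
            hits.append({"src": src, "dst": dst, "port": port, "count": len(events),
                         "interval_s": round(mean_interval), "jitter": round(jitter, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(FLOWS):
        print(hit)
```

Real beacons often add randomized sleep ("jitter" in the C2 framework's own terms) precisely to defeat this kind of check, so in practice the threshold is tuned against a baseline of the network's normal periodic traffic (NTP, update checks, monitoring agents) rather than set once.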
Your new application has multiple small processes that provide services to the network. You want to make this application run more efficiently by virtualizing it. What is the best approach for virtualization of this application?
Containerization -Containerization runs small applications on a host OS with virtually no overhead.
Problems in which phase will specifically stop continuous deployment but not necessarily continuous delivery?
Continuous Validation -Continuous validation is required to ensure error-free software, and errors will stop continuous deployment.
What is the primary downside of a private cloud model?
Cost -A private cloud model is considerably more expensive, as it is a dedicated resource, negating some of the advantages of outsourcing the infrastructure in the first place.
When you're designing and tweaking biometric systems, the point where both the accept and reject error rates are equal is known as which of the following?
Crossover Error Rate (CER) -The crossover error rate (CER) is the rate where both accept and reject error rates are equal. This is the desired state for the most efficient operation of a biometric system, and it can be managed by manipulating the threshold value used for matching.
Users at your organization are complaining about slow systems. Examining several of them, you see that CPU utilization is extremely high and a process called "btmine" is running on each of the affected systems. You also notice each of the affected systems is communicating with an IP address outside your country on UDP port 43232. If you disconnect the network connections on the affected systems, the CPU utilization drops significantly. Based on what you've observed, you suspect these systems are infected with what type of malware?
Crypto-malware - These systems are most likely infected with crypto-malware and are now part of a botnet that's mining cryptocurrency. - The systems are running an unknown/unauthorized process, communicating with an external IP address, and using significant resources. - These are all classic signs of crypto-malware.
Your e-commerce site is crashing under an extremely high traffic volume. Looking at the traffic logs, you see tens of thousands of requests for the same URL coming from hundreds of different IP addresses around the world. What type of attack are you facing?
DDoS attack - DDoS (or distributed denial-of-service) attacks attempt to overwhelm their targets with traffic from many different sources. Botnets are quite commonly used to launch DDoS attacks.
While examining a laptop infected with malware, you notice the malware loads on startup and also loads a file called netutilities.dll each time Microsoft Word is opened. This is an example of which of the following?
DLL Injection - This is an example of DLL injection, the process of forcing a running program to load a DLL of the attacker's choosing at runtime so that the attacker's code executes inside that program's process, with its privileges.
Enterprises can employ ___________ to block malicious command-and-control traffic from malware.
DNS Sinkholes - DNS sinkholes can prevent communications on command-and-control systems associated with malware and botnets by blocking the destination address through the intentional misrouting of traffic to a dead end.
Which of the following best describes the exporting of stolen data from an enterprise?
Data Exfiltration - Data exfiltration is the exporting of stolen data from an enterprise. - Data loss is when an organization actually loses information. - Data breaches are the release of data to unauthorized parties. - Identity theft is a crime where someone uses information on another party to impersonate them.
All of the wireless users on the third floor of your building are reporting issues with the network. Every 15 minutes, their devices disconnect from the network. Within a minute or so they are able to reconnect. What type of attack is most likely underway in this situation?
Disassociation Attack - Disassociation attacks against a wireless system are attacks designed to disassociate a host from the wireless access point and from the wireless network. - If the attacker has a list of MAC addresses for the wireless devices, they can spoof de-authentication frames, causing the wireless devices to disconnect from the network.
Coming into your office, you overhear a conversation between two security guards. One guard is telling the other she caught several people digging through the trash behind the building early this morning. The security guard says the people claimed to be looking for aluminum cans, but only had a bag of papers—no cans. What type of attack has this security guard witnessed?
Dumpster diving - is the process of going through a target's trash in the hopes of finding valuable information such as user lists, directories, organization charts, network maps, passwords, and so on.
You have deployed a network of Internet-connected sensors across a wide geographic area. These sensors are small, low-power IoT devices, and you need to perform temperature conversions and collect the data into a database. The calculations would be best managed by which architecture?
Edge Computing -Edge computing on the way to the cloud would be the best fit given the lightweight processing capability of the IoT devices.
Which of the following are not typically scanned during a vulnerability scan?
End Users - End users are not part of a vulnerability scan; a scanner examines hosts, services, applications and configurations, and people are not among the elements it can probe for vulnerabilities.
Creating fake network traffic to deceive attackers in segments of the network designed to deceive them is called what?
Fake Telemetry - Fake telemetry is the name for fake network traffic in a deception-based environment.
Anti-malware software fails to detect a ransomware attack that is supposed to be within its capabilities of detecting. What is this an example of?
False Negative - Failing to report on a known reportable event is a false negative.
If a system sends an alert that a user account is being hacked because of too many password failures, but analysis shows that the person's device had cached an old password, triggering the failures, what is this an example of?
False Positive - This is a false positive, as the report was positive that something had happened, when in fact it had not.
Your colleague is telling you a story she heard about a way to trick fingerprint scanners using gummy bears. She heard that if you press a gummy bear against an authorized user's finger, you can then use that gummy bear as their fingerprint to fool a fingerprint scanner. If this works, the result is an example of which of the following?
False Positive - This is an example of a false positive, which in biometric terms is a false acceptance: the scanner matched the sample and granted access to someone who is not the authorized user.
You've spent the last week tweaking a fingerprint-scanning solution for your organization. Despite your best efforts, roughly 1 in 50 attempts will fail, even if the user is using the correct finger and their fingerprint is in the system. Your supervisor says 1 in 50 is "good enough" and tells you to move on to the next project. Your supervisor just defined which of the following for your fingerprint scanning system?
False Rejection Rate -Your supervisor just defined the false rejection rate (FRR) for your system. - The FRR is the level of false negatives, or rejections, that are going to be allowed in the system. -In this case, your supervisor is willing to accept one false rejection for every 50 attempts.
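The two biometric questions above (the crossover error rate and the supervisor's "1 in 50" false rejection rate) come down to counting two kinds of error as the match threshold moves. The Python below is an added example, not part of the original study set: it takes two constructed lists of similarity scores (genuine presentations and impostor presentations, both invented for the example), computes FAR and FRR at any threshold, and sweeps the threshold to find the crossover point.

```python
# Constructed similarity scores (0-100) for this example: one list from the
# enrolled user presenting the correct finger, one from other people's fingers.
GENUINE  = [88, 91, 76, 95, 82, 69, 90, 84, 93, 79, 87, 72, 96, 85, 81, 66, 89, 92, 78, 83]
IMPOSTOR = [31, 45, 52, 28, 60, 38, 47, 55, 33, 64, 41, 70, 36, 49, 58, 27, 62, 44, 39, 74]


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) for a match threshold: a sample matches if score >= threshold.
    FAR = share of impostors wrongly accepted; FRR = share of genuine users wrongly rejected."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def crossover(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep the threshold and return (threshold, FAR, FRR) where the two rates are
    closest. That point is the crossover error rate (CER)."""
    best = None
    for t in range(0, 101):
        far, frr = error_rates(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
    return best[1], best[2], best[3]


def one_in(rate):
    """Express a rate the way the supervisor in the question did ('1 in 50')."""
    return round(1 / rate) if rate else None


if __name__ == "__main__":
    t, far, frr = crossover()
    print(f"CER at threshold {t}: FAR={far:.2f} FRR={frr:.2f}")
    for t in (60, 70, 80, 90):
        far, frr = error_rates(t)
        print(f"threshold {t}: FAR={far:.2f} FRR={frr:.2f} "
              f"(one false rejection in {one_in(frr) or 'n/a'})")
```

Raising the threshold trades FAR for FRR: at a high threshold impostors are shut out but legitimate users get rejected, which is the situation the supervisor accepted at 1 in 50 (FRR = 0.02). The CER is the single number used to compare two systems because it removes the threshold choice from the comparison.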
You have read about a new threat against software that is vulnerable to hacking. The vulnerability is in a Python library, and your firm uses Python for the development of many in-house projects. Where is the best source of information with respect to this threat?
File/Code Repository - File/code repositories is the correct answer because the code you are concerned about was developed in-house; hence, it will not show up in commercial databases or other sources.
Your company has had bad press concerning its support (or lack of support) for a local social issue. Which type of hacker would be the most likely threat to attack or deface your website with respect to this issue?
Hacktivist - Hacktivists are hackers that are pursuing a mission associated with a cause.
Weak configurations can include which of the following? (Choose all that apply.)
Open ports, unsecure protocols - Having open ports and using unsecure protocols can both provide openings for attackers to get into a system. Lack of vendor support is a third-party risk, and firmware has a fixed configuration.
You are planning to move some applications to the cloud, including your organization's accounting application, which is highly customized and does not scale well. Which cloud deployment model is best for this application?
IaaS - Infrastructure as a Service -Infrastructure as a Service is appropriate for highly customized, poorly scaling solutions that require specific resources to run.
Which of the following is/are psychological tools used by social engineers to create false trust with a target?
Impersonation, urgency or scarcity, authority: - Social engineers use a wide range of psychological tricks to fool users into trusting them, including faking authority, impersonation, creating a sense of scarcity or urgency, and claiming familiarity.
You notice a new custodian in the office, working much earlier than normal, emptying trash cans, and moving slowly past people working. You ask him where the normal guy is, and in very broken English he says, "Out sick," indicating a cough. What is happening?
Impersonation: - This is a likely impersonation attack, using the cover of the janitor. - Because of the unusual circumstances, it would be wise to report to a manager for investigation.
You're reviewing a custom web application and accidentally type a number in a text field. The application returns an error message containing variable names, filenames, and the full path of the application. This is an example of which of the following?
Improper Error Handling- When an application fails to properly trap an error and generates error messages containing potentially sensitive information, this is known as improper error handling.
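Three of the questions above come down to the same two habits: validate on the server (type, length bound, character set) before the input reaches anything that could misbehave, and never return an exception's text to the client. The Python below is an added example, not code from the original page. The form handlers, the backing store and its VARCHAR(12) column, and the /srv/app/models.py path that the store leaks are all hypothetical, built to reproduce the 150-character crash and the "number in a text field" error from the questions.

```python
import logging
import re
import uuid

log = logging.getLogger("app")
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{6,12}")


def validate_username(raw):
    """Server-side check of type, length and character set. Returns (ok, message)."""
    if not isinstance(raw, str):
        return False, "username must be a string"
    if not 6 <= len(raw) <= 12:
        return False, "username must be 6-12 characters"
    if not USERNAME_RE.fullmatch(raw):
        return False, "username may contain only letters, digits and underscore"
    return True, ""


def store_username(db, name):
    """Hypothetical backing store with a fixed-width column; it raises with
    internal detail (path, column type) the way an unhandled layer often does."""
    if len(name) > 12:
        raise ValueError(f"users.username is VARCHAR(12) (/srv/app/models.py:41); got {len(name)} chars")
    db[name] = {"created": True}
    return len(name)


def leaky_handler(form, db):
    """Vulnerable pattern: no validation, and the raw exception text goes to the client."""
    try:
        return 200, f"stored {store_username(db, form['username'])} chars"
    except Exception as exc:
        return 500, f"internal error: {exc!r}"


def hardened_handler(form, db):
    """Validate first; on an unexpected failure return only a reference number
    and keep the details in the server log."""
    ok, msg = validate_username(form.get("username"))
    if not ok:
        return 400, msg
    try:
        return 200, f"stored {store_username(db, form['username'])} chars"
    except Exception:
        ref = uuid.uuid4().hex[:8]
        log.exception("store_username failed, ref=%s", ref)
        return 500, f"internal error (reference {ref})"


if __name__ == "__main__":
    for form in ({"username": "A" * 150}, {"username": 12345}, {"username": "alice_01"}):
        print("leaky:   ", leaky_handler(form, {}))
        print("hardened:", hardened_handler(form, {}))
```

The client-side "6 to 12 characters" hint in the question is still worth keeping for usability, but only the server's check counts: anyone can submit a request without the browser, so the length bound in validate_username is what actually prevents the oversized input from reaching the store.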
Common sources of vulnerability issues for systems include which of the following? (Choose all that apply.)
Improper or weak patch management, weak configurations - Improper or weak patch management and weak configurations are defined as common sources for vulnerabilities.
Which of the following is not part of SIEM processes?
Incident Investigations - Incident investigations occur after and as a result of SIEM processes but are not typically part of them.
Your threat intelligence vendor is sending out urgent messages concerning a new form of memory-resident malware. What is the likely item they are sharing with you?
Indicator of Compromise (IoC) - An indicator of compromise provides the details (hashes, addresses, process names, memory artifacts) associated with how one can find active malware on a system.
Which of the following are specifically used to spread influence, alter perceptions, and sway people toward a position favored by those spreading it?
Influence campaigns, social media, hybrid warfare - Influence campaigns are used to alter perceptions and change people's minds on a topic. - They are even more powerful when used in conjunction with social media to spread influence through influencer propagation. - Nation-states often use hybrid warfare to sway people toward a position favored by those spreading it.
Proper use of separation of duties with respect to privileged users on your systems is a defense against which type of hacker?
Insider - Separation of duties is designed to provide defenses against malicious insiders. - But nation-state actors and criminal organizations have the resources and abilities to hack accounts and gain insider access. - There are no external accounts, so once a well-resourced hacker is in, they will have permissions associated with an insider.
Your organization is considering using a new ticket identifier with your current help desk system. The new identifier would be a 16-digit integer created by combining the date, time, and operator ID. Unfortunately, when you've tried using the new identifier in the "ticket number" field on your current system, the application crashes every time. The old method of using a five-digit integer works just fine. This is most likely an example of which of the following?
Integer Overflow - An integer overflow is a programming error condition that occurs when a program attempts to store a numeric value, an integer, in a variable that is too small to hold it. - In this case, the 16-digit integer is too large for the field, which is working just fine with the five-digit integer.
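Python's own integers never overflow, so to show the failure in the question above the added example below (not from the original page) uses ctypes to mimic a signed 32-bit field. The ticket-ID scheme (date + time + operator ID) follows the question; the specific sample values are constructed. It contrasts silent wraparound with a range check that rejects the value, and shows that widening the field to 64 bits is what actually accommodates the new identifier.

```python
import ctypes


def store_in_int32(value):
    """Mimic writing into a signed 32-bit field: out-of-range values wrap silently,
    which is the overflow the question describes (Python's own ints never do)."""
    return ctypes.c_int32(value).value


def store_checked(value, bits=32, signed=True):
    """Range-check before storing; raise instead of wrapping."""
    if signed:
        lo, hi = -(1 << (bits - 1)), (1 << (bits - 1)) - 1
    else:
        lo, hi = 0, (1 << bits) - 1
    if not lo <= value <= hi:
        kind = "signed" if signed else "unsigned"
        raise OverflowError(f"{value} does not fit in a {kind} {bits}-bit integer")
    return value


def make_ticket_id(date, time, operator):
    """Constructed identifier scheme from the question: date + time + operator ID, 16 digits."""
    return int(f"{date}{time}{operator}")


OLD_TICKET = 48213                                       # five-digit ID, fits comfortably
NEW_TICKET = make_ticket_id("20240315", "1432", "0071")  # 2024031514320071


if __name__ == "__main__":
    print(OLD_TICKET, "->", store_in_int32(OLD_TICKET))
    print(NEW_TICKET, "->", store_in_int32(NEW_TICKET))   # wrapped to a wrong value
    print(store_checked(NEW_TICKET, bits=64))              # widening the field fixes it
    try:
        store_checked(NEW_TICKET)
    except OverflowError as e:
        print("rejected:", e)
```

The wrapped value is not a crash by itself; the crash in the question comes from whatever the application does next with a ticket number that is negative or collides with another ticket. The checked version fails early and loudly, which is the behaviour you want at a trust boundary.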
Which of the following is not a common form of hardware token?
Iris Scan - An iris scan would be considered a biometric technique and is not a hardware token. - A hardware token is a physical item the user must be in possession of to access their account or certain resources.
You are new to your job, new to the industry, and new to the city. Which of the following sources would be the best to connect with your peers on threat intelligence information?
Local Industry Groups - Networking between peers is a useful attribute of local industry groups.
Which process allows log files to be enriched with additional data to provide context?
Log Aggregation -During the process of aggregation, the log entries can be parsed, modified, and have key fields extracted or modified based on lookups or rules.
A disgruntled administrator is fired for negligence at your organization. Thirty days later, your organization's internal file server and backup server crash at exactly the same time. Examining the servers, you determine that critical operating system files were deleted from both systems. If the disgruntled administrator was responsible for administering those servers during her employment, this is most likely an example of what kind of malware?
Logic Bomb: - Because both servers crashed at exactly the same time, this is most likely a logic bomb. - A logic bomb is a piece of code that sits dormant for a period of time until some event or date invokes its malicious payload—in this case, 30 days after the disgruntled employee was fired.
You are seeing a bunch of PDFs flood people's inboxes with titles such as "New Tax Rates for 2021." What attack vector is most likely in use?
Macro - PDFs have macro-like scripting capability and can execute a variety of code if the reader allows it.
When you update your browser, you get a warning about a plugin not being compatible with the new version. You do not recognize the plugin, and you aren't sure what it does. Why is it important to understand plugins? What attack vector can be involved in plugins?
Man in the Browser Attack - Man in the browser attacks are frequently carried out via browser extensions or plugins.
A user reports "odd" certificate warnings on her web browser this morning whenever she visits Google. Looking at her browser, you see these certificate warnings. Looking at the network traffic, you notice that all HTTP and HTTPS requests from that system are being routed to the same IP regardless of destination. Which of the following attack types are you seeing in this case?
Man in the Middle Attack -This is most likely some type of man in the middle attack. This attack method is usually done by routing all of the victim's traffic to the attacker's host, where the attacker can view it, modify it, or block it. The attacker inserts himself into the middle of his victim's network communications.
Your organization is having issues with a custom web application. The application seems to run fine for a while but starts to lock up or crash after seven to ten days of continuous use. Examining the server, you notice that memory usage seems to climb every day until the server runs out of memory. The application is most likely suffering from which of the following?
Memory Leak - Memory leaks are programming errors caused when a computer program does not properly handle memory resources. - Over time, while a program runs, if it does not clean up memory resources as they are no longer needed, chunks of dead memory can become scattered across the program's footprint in memory. - If a program executes for a long time, these dead memory areas can grow in size and consume resources, causing the system to crash.
The fact that there are multiple methods of representing an object in a computer system can lead to issues when logical comparisons are needed. What can be used to ensure accuracy of comparison elements?
Normalization - Normalization is the process of reducing items to a canonical form before comparisons to ensure appropriate logical matching.
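Two places where multiple representations defeat a naive comparison are usernames (case, whitespace, Unicode compatibility characters) and file paths (dot segments, URL encoding). The Python below is an added example, not from the original page: it reduces each to a canonical form before comparing. The document root /srv/app/files is an assumption; the inputs in the main block and the test are constructed.

```python
import posixpath
import unicodedata
from urllib.parse import unquote

FILE_ROOT = "/srv/app/files"   # assumed document root for the path example


def canonical_username(name):
    """One comparable form: NFKC maps compatibility characters (fullwidth letters,
    ligatures) to their base form, casefold handles case (and sharp s -> ss), strip trims."""
    return unicodedata.normalize("NFKC", name).casefold().strip()


def same_user(a, b):
    return canonical_username(a) == canonical_username(b)


def canonical_path(user_path, root=FILE_ROOT):
    """Decode (twice, to defeat double-encoding), collapse '.' and '..' segments,
    and anchor under root. Returns None if the result escapes the root."""
    decoded = unquote(unquote(user_path))
    full = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if full != root and not full.startswith(root + "/"):
        return None
    return full


if __name__ == "__main__":
    print(same_user("Admin", "ADMIN "))            # True: case and whitespace
    print(same_user("\uff21dmin", "admin"))        # True: fullwidth 'A' folds to 'A'
    print(canonical_username("\ufb01le"))          # 'file': the 'fi' ligature expands
    print(canonical_path("docs/./report.txt"))     # /srv/app/files/docs/report.txt
    print(canonical_path("%252e%252e/%252e%252e/etc/passwd"))   # None: traversal attempt
```

The order matters: decode first, then collapse, then compare. Checking for ".." in the raw string before decoding is the classic mistake, since "%2e%2e" passes that test and becomes ".." afterwards.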
To protect software from reverse engineering by attackers, developers can use which of the following?
Obfuscation -Obfuscation is the technique of hiding properties to prevent examination. -Making code hard to decompile and not storing any specific clues in the source code can make reverse engineering a challenge.
You want to get specific information on a specific threat that you have read about in your online newsfeed on your phone. Which of the following is the best source for detailed information?
Open Source Intelligence - Open source intelligence is the best answer. - Because you are looking for threat information, this eliminates vulnerability information as an answer. - The dark web may or may not have information, and you would have to find it, and predictive analysis needs the information you seek in order to function.
One of the primary resources in use at your organization is a standard database that many applications tie into. Which cloud deployment model is best for this kind of application?
PaaS- Platform as a Service -Platform as a Service is suitable for standard resources in use by many other applications.
OSINT involves which of the following?
Passive Reconnaissance - OSINT is a passive activity, so passive reconnaissance is the correct answer. - All of the other answers involve active measures.
To test your systems against weak passwords, you as an admin (with proper permissions) test all the accounts using the top 100 commonly used passwords. What is this test an example of?
Password Spraying - Using a small set of common passwords against all accounts is password spraying. It differs from brute forcing, which tries many passwords against one account and quickly trips lockout thresholds; spraying spreads the failures across accounts so each stays under the threshold.
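The difference between spraying and brute force is easiest to see against a lockout policy. The Python below is an added simulation written for this study set, not code from the original page and not an attack tool: it models a lockout rule (five failures in fifteen minutes, an assumption), runs a brute-force attempt against one account and a spray across all accounts, and shows which one gets locked out. The accounts and wordlist are constructed.

```python
from collections import defaultdict

# Constructed accounts and wordlist for this simulation (no real credentials).
CREDENTIALS = {"alice": "Summer2024", "bob": "x9$kL!pq7", "carol": "Welcome1", "dave": "Zt7#mnQ2v"}
TOP_PASSWORDS = ["Password1", "Welcome1", "Summer2024", "Qwerty123", "Company1!"]


class LockoutPolicy:
    """Lock an account after `threshold` failed logins within `window` seconds.
    Time is a logical clock passed by the caller so the run is deterministic."""

    def __init__(self, credentials, threshold=5, window=900):
        self.credentials = credentials
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(list)
        self.locked = set()

    def attempt(self, user, password, now):
        if user in self.locked:
            return "locked"
        if self.credentials.get(user) == password:
            self.failures[user].clear()
            return "ok"
        recent = [t for t in self.failures[user] if now - t < self.window] + [now]
        self.failures[user] = recent
        if len(recent) >= self.threshold:
            self.locked.add(user)
        return "fail"


def brute_force(policy, user, wordlist):
    """Many passwords against one account, one per second: trips the lockout."""
    for i, pw in enumerate(wordlist, start=1):
        if policy.attempt(user, pw, now=i) == "ok":
            return {"found": pw, "attempts": i}
        if user in policy.locked:
            return {"found": None, "locked_after": i}
    return {"found": None, "attempts": len(wordlist)}


def spray(policy, users, wordlist, round_gap=901):
    """One password against every account per round, then wait out the lockout
    window before the next password: each account sees one failure per window."""
    found, now = {}, 0
    for pw in wordlist:
        for user in users:
            if policy.attempt(user, pw, now) == "ok":
                found[user] = pw
            now += 1
        now += round_gap
    return found


if __name__ == "__main__":
    print(brute_force(LockoutPolicy(CREDENTIALS), "bob", [f"Password{i}" for i in range(100)]))
    p = LockoutPolicy(CREDENTIALS)
    print(spray(p, list(CREDENTIALS), TOP_PASSWORDS), "locked:", sorted(p.locked))
```

This is also why a per-account lockout alone is a weak defence against spraying: the detection has to look across accounts (many users failing with one password in a short window, or many failures from one source) rather than at one account at a time.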
When an attacker moves to a new machine and rescans the network to look for machines not previously visible, what is this technique called?
Pivoting - The key part of the question is the rescanning. - Pivoting involves the rescanning of network connections to find unknown or previously unseen connections.
When a program is installed and needs permissions, what is this called?
Provisioning -Provisioning is the assignment of permissions or authorities to objects.
While depositing cash from a charity fundraiser at a local bank, you notice bank employees are holding up cards next to a panel near a door. A light on the panel turns green and the employees are able to open the door. The light on the panel is normally red. What type of electronic door control is this bank using?
Proximity Card - The bank employees are using proximity cards, which are contactless access cards that provide information to the electronic door control system. - Proximity cards just need to be close enough to the scanner to work—they do not need to actually touch the scanner.
Which cloud deployment model has the fewest security controls?
Public -The shared environment of a public cloud has the least amount of security controls.
Which team involves members who emulate both attackers and defenders?
Purple Teams - Purple teams have both offensive (red) and defensive (blue) personnel to provide a balanced response.
You're working with a group testing a new application. You've noticed that when three or more of you click Submit on a specific form at the same time, the application crashes every time. This is most likely an example of which of the following?
Race Condition- - This is most likely an example of a race condition. - A race condition is an error condition that occurs when the output of a function is dependent on the sequence or timing of the inputs. - In this case, the application crashes when multiple inputs are submitted at the same time because the application is not receiving the inputs or handling the inputs in the expected order.
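The question above describes three clients hitting the same code path at once. The Python below is an added example, not from the original page: it reproduces a lost-update race deterministically by using a barrier to force every client to finish reading a shared counter before any of them writes, then shows the same clients with the read-modify-write serialized under a lock. The counter and client behaviour are constructed for the example.

```python
import threading


def unsynchronized_submits(n_clients=3):
    """Each client reads the submission counter, then writes counter + 1.
    A barrier makes every client finish its read before any write happens, the
    exact interleaving that loses updates when three users click Submit together."""
    state = {"submissions": 0}
    all_have_read = threading.Barrier(n_clients)

    def client():
        seen = state["submissions"]      # read
        all_have_read.wait()             # every client has now read the same value
        state["submissions"] = seen + 1  # write: last writer wins, other updates vanish

    threads = [threading.Thread(target=client) for _ in range(n_clients)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return state["submissions"]


def synchronized_submits(n_clients=3):
    """Same clients arriving together, but read-modify-write happens under one lock,
    so the operations are serialized and no update is lost."""
    state = {"submissions": 0}
    lock = threading.Lock()
    all_arrived = threading.Barrier(n_clients)

    def client():
        all_arrived.wait()               # arrive together, then contend for the lock
        with lock:
            state["submissions"] = state["submissions"] + 1

    threads = [threading.Thread(target=client) for _ in range(n_clients)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return state["submissions"]


if __name__ == "__main__":
    print("without lock:", unsynchronized_submits())   # 1: two submissions lost
    print("with lock:   ", synchronized_submits())     # 3
```

The barrier stands in for the unlucky timing that happens only occasionally in production, which is why race conditions pass single-user testing and then fail under load. In the question's case the lost or interleaved state is what the application then trips over and crashes on.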
Several desktops in your organization are displaying a red screen with the message "Your files have been encrypted. Pay 1 bitcoin to recover them." These desktops have most likely been affected by what type of malware?
Ransomware - This is quite clearly ransomware. - The malware has encrypted files on the affected systems and is demanding payment for recovery of the files.
Which of the following teams is commonly used for active pen testing?
Red Team - The red team is a team of offense actors used in penetration testing.
What is masking?
Redacting portions of data using a covering symbol such as * or x - Masking is the marking over of portions of information to prevent disclosure (for example, using x's for all but the last four numbers of a credit card).
Financial risks associated with vulnerabilities can include which of the following? (Choose all that apply.)
Regulatory fines and penalties as well as lost income because of downtime are direct financial impacts of cybersecurity problems. - Damage to business reputation may lead to a loss of customers, but this is not a direct connection. - Loss of data may or may not have a financial impact depending upon the data and its connection to revenue.
Which of the following are characteristics of remote-access trojans?
Remote-Access Trojans: A. They can be deployed through malware such as worms. B. They allow attackers to connect to the system remotely. C. They give attackers the ability to modify files and change settings. All of these are characteristics of remote-access trojans (RATs). - RATs are often deployed through other malware, allow remote access to the affected system, and give the attacker the ability to manipulate and modify the affected system.
Your senior financial people have been attacked with a piece of malware targeting financial records. Based on talking to one of the executives, you now know this is a spear phishing attack. Which of the following is the most likely vector used?
Removable Media - Removable media is commonly linked to social engineering attacks such as spear phishing.
An externally facing web server in your organization keeps crashing. Looking at the server after a reboot, you notice CPU usage is pegged and memory usage is rapidly climbing. The traffic logs show a massive amount of incoming HTTP and HTTPS requests to the server. Which type of attack is this web server experiencing?
Resource Exhaustion - Resource exhaustion is the state where a system does not have all of the resources it needs to continue to function. - In this case, the server does not have the memory or CPU capacity to handle the massive volume of incoming HTTP/HTTPS requests.
During a visit to a hosting center where your organization keeps some offsite servers, you see a door with an odd-looking panel next to it. You see people approaching the panel and placing their eyes into a hooded viewer. A few seconds after they've done this, the door unlocks. What type of biometric scanner might this be?
Retinal Scanner - This is most likely a retinal scanner. - Retinal scanners examine blood vessel patterns in the back of the eye. - Retinal scanning must be done at short distances; the user has to be right at the device for it to work.
Users are reporting that the wireless network on one side of the building is broken. They can connect but can't seem to get to the Internet. While investigating, you notice all of the affected users are connecting to an access point you don't recognize. These users have fallen victim to what type of attack?
Rogue AP Attack - This is a rogue AP attack. - Attackers set up their own access points in an attempt to get wireless devices to connect to the rogue APs instead of the authorized access points.
What is the most important first step in a penetration test?
Rules of Engagement - The rules of engagement describe the scope of an engagement and provide important information regarding contacts and permissions. Obtaining these rules is essential before any pen test work begins.
Your database server is returning a large dataset to an online user, saturating the network. The normal return of records would be a couple at most. This is an example of what form of attack?
SQL Injection - Excessive records being returned from a SQL query is a sign of SQL injection.
You need to move to the cloud a specific customer service module that has a web front end. This application is highly scalable and can be provided on demand. Which cloud deployment model is best for this application?
SaaS (Software as a Service) - Software as a Service is suitable for delivering highly scalable, on-demand applications without installing endpoint software.
What type of attack involves an attacker putting a layer of code between an original device driver and the operating system?
Shimming - Shimming is the process of putting a layer of code between the device driver and the operating system.
To develop secure software that prevents attackers from directly injecting attacks into computer memory and manipulating the application's process, one should employ which method?
Software Diversity - Software diversity in the form of diverse binaries will prevent direct memory attacks against known software structures.
Your boss thanks you for pictures you sent from the recent company picnic. You ask him what he is talking about, and he says he got an e-mail from you with pictures from the picnic. Knowing you have not sent him that e-mail, what type of attack do you suspect is happening?
Spear Phishing - This is spear phishing, which is a targeted phishing attack against a specific person.
Which of the following environments is used to test compatibility against multiple target environments?
Staging - The staging environment can be used to manage software releases against different targets to ensure compatibility.
Which of the following is important to consider when specifically examining configuration management?
Standard Naming Conventions - Standard naming conventions improve the communication of critical elements, thus enabling better configuration management activities.
To ensure customers entering credentials in your website are valid and not someone with stolen credentials, your team is tasked with designing multifactor authentication. Which of the following would not be a good choice?
Static Codes - Static codes can be captured and replayed and are not well suited for systems with active users.
You use a "golden disk" to provision new machines from your vendors. As part of the incident response, you have discovered that the source of the malware you are seeing comes from this golden disk. This is an example of what vector?
Supply Chain Vector - Although the work was done in-house, the supply chain stretches from each part to the functioning system, and you added the final software to create the functioning system, so your own team is part of the supply chain.
Direct third-party risks include which of the following? (Choose all that apply.)
System integration, supply chain, and vendor management are sources of third-party risk. - Financial management is related to impacts, not mainly third-party risks.
If end-to-end encryption is used, which of the following technologies facilitates security monitoring of encrypted communication channels?
TLS Inspections - TLS inspection systems allow TLS channels to be broken and re-established, permitting monitoring of secure traffic.
Understanding how an attacker operates so that you can develop a defensive posture is done through the use of which of the following?
TTPs - Adversary tactics, techniques, and procedures (TTPs) provide details on how an adversary operates.
While waiting in the lobby of your building for a guest, you notice a man in a red shirt standing close to a locked door with a large box in his hands. He waits for someone else to come along and open the locked door and then proceeds to follow her inside. What type of social engineering attack have you just witnessed?
Tailgating (or piggybacking) - Tailgating is the simple tactic of following closely behind a person who has just used their own access card, key, or PIN to gain physical access to a room or building. - The large box clearly impedes the person in the red shirt's ability to open the door, so they let someone else do it for them and follow them in.
Who assumes the risk associated with a system or product after it has entered EOL status?
The Organization - An organization that continues to use a system or product assumes all of the risk associated with issues uncovered after the product has entered end-of-life (EOL) status. - The manufacturer is in fact most often the vendor, and from their standpoint, the product reaches EOL when they stop supporting it. - The supply chain manager is a distractor answer choice.
War flying is a term to describe which of the following?
The use of aerial platforms to gain access to wireless networks - War flying is the use of drones, airplanes, and other flying means of gaining access to wireless networks that are otherwise inaccessible.
Which of the following is a type of social engineering attack in which an attacker attempts to obtain sensitive information from a user by masquerading as a trusted entity in an e-mail?
Phishing - This is the definition of a phishing attack, as introduced in the chapter. - The key elements of the question are e-mail and the unsolicited nature of its sending (spam).
Which of the following algorithms uses a secret key with a current timestamp to generate a one-time password?
Time-based One-Time Password (TOTP) - The Time-based One-Time Password (TOTP) algorithm is a specific implementation of HOTP that uses a secret key with a current timestamp to generate a one-time password. - Note that timestamp is the key clue in the question.
Which of the following can provide complete traceability to an original transaction without revealing any personal information if disclosed to an outside party?
Tokenization - Tokenization is the use of a random value to take the place of a data element that has traceable meaning. - This provides complete traceability to the original transaction, and yet if disclosed to an outside party, it reveals nothing. - Data sovereignty relates to a country's specific laws regarding the storage and transmission of personal data. - Rights management is the systematic establishment of rules and order to the various rights that users can invoke over digital objects. - A baseline configuration is originally created at system creation and is a representation of how the system is supposed to be configured.
A colleague has been urging you to download a new animated screensaver he has been using for several weeks. While he is showing you the program, the cursor on his screen moves on its own and a command prompt window opens and quickly closes. You can't tell what if anything was displayed in that command prompt window. Your colleague says, "It's been doing that for a while, but it's no big deal." Based on what you've seen, you suspect the animated screensaver is really what type of malware?
Trojan - The animated screensaver is most likely a trojan. - The software appears to do one thing, but contains hidden, additional functionality. - Your colleague brought the trojan "inside the walls" when he downloaded and installed the software on his desktop.
A colleague asks you for advice on why he can't log in to his Gmail account. Looking at his browser, you see he has typed www.gmal.com in the address bar. The screen looks very similar to the Gmail login screen. Your colleague has just fallen victim to what type of attack?
Typosquatting - Typosquatting capitalizes on common typing errors, such as gmal instead of gmail. - The attacker registers a domain very similar to the real domain and attempts to collect credentials or other sensitive information from unsuspecting users.
You have a helpdesk ticket for a system that is acting strangely. Looking at the system remotely, you see the following in the browser cache: www.micros0ft.com/office. What type of attack are you seeing?
URL Redirection - This is a URL redirection, as the name Microsoft has a zero in place of the o character.
When doing incident response for your company, you review the forensics of several virtual servers and you see the attacker on the web server injecting code into uninitialized memory blocks. What attack is the attacker likely attempting?
VM Escape - Although all hypervisors actively try to prevent it, any flaw in memory handling could allow code that is maliciously placed in a block to be read by the hypervisor or another machine. - This is known as VM escape. - The scenario states virtual server, eliminating answers C and D, and operational code blocks in uninitialized memory would not cause a denial of service, eliminating answer A.
To manage various releases of software over time, the organization uses which of the following?
Version Control - Version control comprises the processes and procedures employed to manage different releases of software over time.
A user in your organization contacts you to see if there's any update to the "account compromise" that happened last week. When you ask him to explain what he means, the user tells you he received a phone call earlier in the week from your department and was asked to verify his user ID and password. The user says he gave the caller his user ID and password. This user has fallen victim to what specific type of attack?
Vishing - Vishing is a social engineering attack that uses voice communication technology to obtain the information the attacker is seeking. - Most often the attacker will call a victim and pretend to be someone else in an attempt to extract information from the victim.
A piece of malware is infecting the desktops in your organization. Every hour, more systems are infected. The infections are happening in different departments and in cases where the users don't share any files, programs, or even e-mails. What type of malware can cause this type of infection?
Worm - This is most likely a worm attack. - Attacks that move across the network, seemingly without user intervention, are commonly worms.
What type of threat exploits system and application vulnerabilities that are unknown to software developers and even anti-malware manufacturers?
Zero Day Attack - A zero-day attack exploits system and application vulnerabilities that are unknown to others except the person who found it. - The other answer options are not attack types. Vulnerabilities can exist on premises or be cloud based, and legacy platforms is the term used to describe systems that are no longer being marketed or supported.
When an attacker captures network traffic and retransmits it at a later time, what type of attack are they attempting?
Replay Attack - A replay attack occurs when the attacker captures a portion of the communication between two parties and retransmits it at a later time. - For example, an attacker might replay a series of commands and codes used in a financial transaction to cause the transaction to be conducted multiple times. - Generally, replay attacks are associated with attempts to circumvent authentication mechanisms, such as the capturing and reuse of a certificate or ticket.