Systems Security II


Which of the following describes a credential stuffing attack? A hacker tries to gain elevated privileges on a network. A hacker tries to get a user to click on a malicious link. A hacker tries a list of credentials on multiple sites. A hacker tries a list of passwords on a single site.

A hacker tries a list of credentials on multiple sites.

Which of the following best describes a script kiddie? A hacker willing to take more risks because the payoff is a lot higher. A hacker who uses scripts written by much more talented individuals. A hacker whose main purpose is to draw attention to their political views. A hacker who helps companies see the vulnerabilities in their security.

A hacker who uses scripts written by much more talented individuals.

Which answer BEST describes the purpose of CVE? A valuable site that belongs to a large governmental organization. A dictionary of known patterns of cyberattacks used by hackers. Strives to create commonality in descriptions of weaknesses in security software. A list of standardized identifiers for known software vulnerabilities and exposures.

A list of standardized identifiers for known software vulnerabilities and exposures.

Which of the following BEST describes Central Policy? An access management strategy where people are granted privileges based on their role in the organization. An access management strategy where an attribute is created for every element of an organization's operations. A program that checks for the correct attributes in an attribute-based system. An authentication process that requires two or more steps.

A program that checks for the correct attributes in an attribute-based system.

Which of the following are true about threats and vulnerabilities? (Select two.) A vulnerability is the magnitude of an attack. A vulnerability defines how an attacker exfiltrates information. A vulnerability is an opening for an attacker to exploit. A threat determines the dollar value of information lost. A threat is a potential opening for an attacker to exploit. A threat is a potential source of harm.

A vulnerability is an opening for an attacker to exploit. A threat is a potential source of harm.

When a host initiates a connection to a server via the TCP Protocol, a three-way handshake is used. What is the host's final reply? SYN/ACK FIN SYN ACK

ACK

An attacker sends forged Address Resolution Protocol Reply packets over a LAN to a target machine. These packets include an IP address that matches the gateway's IP address but retains its own MAC address. The target machine then sends all traffic to the attacker's machine, believing it is the gateway. Which type of attack just happened? Port mirroring MAC spoofing MAC flooding ARP poisoning

ARP poisoning

During which phase of the Kill Chain framework does an intruder extract or destroy data? Weaponization Exploitation Action on Objectives Command and Control

Action on Objectives

Charles, a security analyst, needs to check his network for vulnerabilities. He wants a scan that interacts with network nodes and repairs security issues found. Which kind of scanning BEST describes Charles' requirements? Passive scanning Internal assessment Host-based assessment Active scanning

Active scanning

Sophisticated attacks executed by highly skilled hackers with a specific target or objective in mind are classified as which type of threat? Advanced persistent threat Unknown threat Known threat Zero-day threat

Advanced persistent threat

Why should DNS zone transfers be restricted or disabled? An attacker can intercept the transfer and change information. It is not a good idea to have multiple copies of the DNS database. DNS zoning is difficult to administer and should be avoided wherever possible. Digital signatures cannot be used to ensure DNS transfers.

An attacker can intercept the transfer and change information.

Which of the following BEST describes horizontal escalation? An attacker trying a list of common passwords one after another. An attacker trying to access someone with higher privileges. An attacker trying to access a user on the same system. An attacker using a list of hacked credentials on a variety of sites.

An attacker trying to access a user on the same system.

Which of the following would the red team MOST likely use? A packet analysis tool An ethical hacker An intrusion detection system An intrusion prevention system

An ethical hacker

Which threat modeling measurement is used to describe how an attack can exploit a vulnerability? Total attack surface Impact Likelihood Attack vector

Attack vector

An organization's user data server is backed up daily. Referencing the CIA triad, this is an example of which of the following? Integrity Availability Confidentiality Continuity

Availability

You have just installed Nessus for auditing a network segment. Which of the following Nessus scans would be BEST suited for an initial query of hosts on a network segment? Basic Network Scan Advanced Dynamic Scan Bash Shellshock Detection Credentialed Patch Audit

Basic Network Scan

Which of the following SQL injection attack types uses true/false questions to perform reconnaissance? Authentication bypass attack Blind injection attack Compromised availability of data attack Compromised data integrity attack

Blind injection attack

Which of the following could you use as an LDAP countermeasure? Block port 389. Use the SNScan utility. Block ports 161 and 162. Change default passwords.

Block port 389.

Which team is responsible for defending the network against attacks in a risk training scenario? White Red Blue Grey

Blue

Which of the following is a dictionary of known patterns of cyberattacks used by hackers? CISA CAPEC CWE CVE

CAPEC

Which web application architecture layer includes the physical devices that are used to access the web application? Business Logic Client/Presentation Persistence Web Server Logic

Client/Presentation

Over time, changes in the way people use networks have complicated protecting a network against security threats. Which of the following trends has increased the need for security? (Select two.) Startup companies Multi-factor authentication Cloud computing Social networking Privilege escalation

Cloud computing Social networking

There are five phases in the security intelligence life cycle. During which phase do you gather and process information from your internal sources, such as system and application logs? Collection Dissemination Requirements Feedback

Collection

Access to a database is protected by multi-factor authentication. In the CIA triad, this is an example of which of the following? Integrity Confidentiality Authentication Availability

Confidentiality

John creates an account and creates a listing for the sale of his home. He uses HTML tags to bold important words. Chris, an attacker, spots John's listing and notices the bolded words. Chris assumes HTML tags are enabled on the user end and uses this vulnerability to insert his own script, which will send him a copy of the cookie information for any user who looks at the ad. Which type of attack method is Chris most likely using? RAT Backdoor Trojan Active session hijacking Cross-site scripting

Cross-site scripting

During the reconnaissance phase, an attacker is looking for common attack vectors. Which of the following services is MOST likely to be targeted? IIS DNS Autotimesvc UDP

DNS

Which of the following firewall evasion techniques is used to redirect a user to a malicious website? DNS poisoning Source routing Tunneling Malicious code insertion

DNS poisoning

As a security analyst working for an accounting firm, you need to evaluate the current environment. Which of the following is the FIRST thing you should do? Define the effectiveness of the current security policies and procedures. Implement remediation steps. Create reports that clearly identify problem areas to present to management. Decide the best times to test in order to limit the risk of having shutdowns during peak business hours.

Define the effectiveness of the current security policies and procedures.

Which of the following permissions would take precedence over the others? Deny Write Deny Read Allow Read Allow Full Control

Deny Read

Mary, a security analyst, is tasked with vulnerability research as part of her company's vulnerability assessment. She discovered that their website is vulnerable to cross-site scripting. Which vulnerability type BEST describes what Mary has found? Design flaw Buffer overflow Misconfigurations Unpatched servers

Design flaw

Which type of security control identifies, logs, and reports incidents as they happen? Deterrent Corrective Compensating Detective

Detective

Which of the following certification types has the lowest level of certificate assurance? Organization Extended Domain Single-Use

Domain

A hacker wants to leverage social media to glean information coming from a certain location. Which tool is BEST suited for the job? Echosec Google hacking Wayback Machine Maltego

Echosec

Which of the following validation types requires an extensive verification process and shows a padlock, business name, and country code? Extended Organization Alternative Domain

Extended

Which processor chip can be configured by the end user to perform the tasks he or she needs it to? SoC ASIC x86 FPGA

FPGA

Zero-day threats Continuous monitoring policy Managerial control Security control Framework

Framework

Which of the following would BEST describe a multi-domain/subject alternative certificate? Only good for one domain or subdomain Good for a domain and all its subdomains Good for multiple domains and subdomains at a time Good for multiple domains but no subdomains

Good for multiple domains and subdomains at a time

Threat actors can be divided into different types based on their methods and motivations. Which type of hacker usually targets government agencies, corporations, or other entities they are protesting? Hacktivist Criminal Nation-state Intentional

Hacktivist

Attackers often target data and intangible assets. Identify what hackers may do with the information they collect. (Select two.) Stage an on-path attack Damage or disable a firewall Hijack DNS Harm a company's reputation Sell the data to the competition

Harm a company's reputation Sell the data to the competition

Which of the following is a popular honeypot that can be used to create thousands of other honeypots? VMWare Snort Inline Sebek Honeyd

Honeyd

Which of the following is a device used by the blue team to lure an unsuspecting attacker to aimlessly explore? Wireshark Honeypot IDS IPS

Honeypot

Which items should be included in data retention standards? (Select two.) Password change requirements Who is responsible for which data How data should be destroyed Who supports user accounts How long to store data

How data should be destroyed How long to store data

Which items are included in an acceptable use policy? (Select two.) Who is responsible for closing accounts upon termination Password length requirements How systems should be monitored How information and network resources should be used Expectations for user privacy when using company resources

How information and network resources should be used Expectations for user privacy when using company resources

You are in the process of implementing policies and procedures that require employee identification. You observe employees holding a secure door for others to pass through. Which of the following training sessions should you implement to help prevent this in the future? How to prevent piggybacking and tailgating. What to do if you encounter a person without a badge. Why employees should wear their badge at all times. Why employees should never share their ID badge with anyone.

How to prevent piggybacking and tailgating.

Misconfigurations occur throughout a network. What is the primary cause of misconfigurations? Human error Poor default settings Lack of quality control by developers Network appliance incompatibility

Human error

Each user on a network must have a unique digital identity. Which of the following is this known as? Attribute-based access control (ABAC) Central Policy Identity and access management (IAM) Role-based access control (RBAC)

Identity and access management (IAM)

A hacker doesn't want to use a computer that can be tracked back to them. They decide to use a zombie computer. Which type of scan BEST describes what the hacker is doing? Covert scan Xmas tree scan Idle scan NULL scan

Idle scan

How is magnitude measured by a team of subject matter experts when using qualitative analysis? Potential vulnerability Impact Time to recovery Potential risk

Impact

After a sniffing attack has been discovered on an organization's large network, Jim, a security analyst, has been asked to take steps to secure the network from future attacks. The organization has multiple buildings and departments. Which of the following is the BEST step Jim could take to make the network more secure? Implement switched networks. Remove all wireless access points on the network. Set switches to promiscuous mode. Relocate the key organizational workstations into one central location.

Implement switched networks.

What is the primary difference between reconnaissance and enumeration? An attacker uses information gathered from enumeration to discover key personnel information for phishing and other social networking purposes. Reconnaissance is passive discovery; enumeration is active discovery. Enumeration uses publicly available resources, such as magazine articles and the internet, to gather information about an organization. Reconnaissance is active discovery; enumeration is passive discovery.

Reconnaissance is passive discovery; enumeration is active discovery.

A security analyst is concerned about flaws in the operating system being used within their company. What should their FIRST step be to remedy this? Error checking Checking ports and services regularly Logging and monitoring Regular system patches

Regular system patches

Which of the following would be considered reducing the attack surface? Open ports 161 and 162. Disable the Encrypting File System. Block port 389. Remove all unneeded programs.

Remove all unneeded programs.

A retail company is getting complaints from customers about how long product pages are taking to load, which is causing a decline in sales. Which of the following actions should you take first to discover the source of the problem? Ask customers to refresh their browsers. Run a network bandwidth test on the company's network to determine if there are any anomalies. Ask customers to reboot their computers. Contact the company's internet service provider for internet speed issues.

Run a network bandwidth test on the company's network to determine if there are any anomalies.

Tom, a security analyst, is notified by Karen, an employee, that her work iPad has some setting changes and a new app that she didn't download. What is the first step Tom should take? Search online for any new known malware threats that match the indicators of compromise (IOCs). Ask Karen to turn off the device. Run an antivirus software scan on Karen's device and scan the entire network. Look through the event log for suspicious events.

Run an antivirus software scan on Karen's device and scan the entire network.

Which of the following cyberattacks involves an attacker inserting their own code through a data entry point created for regular users in such a way that the server accepts the malicious code as legitimate? DoS Session hijacking SQL injection ARP poisoning

SQL injection

A person in a dark grey hoodie has jumped the fence at your research center. A security guard has detained this person, denying them physical access. Which of the following areas of physical security is the security guard currently in? Physical control Layered defense Security sequence Security factors

Security sequence

You are looking for a vulnerability assessment tool that detects vulnerabilities on mobile devices and gives you a report containing a total risk score, a summary of revealed vulnerabilities, and remediation suggestions. Which of the following vulnerability assessment tools should you use? Network Scanner SecurityMetrics Mobile Retina CS for Mobile Nessus Professional

SecurityMetrics Mobile

The following steps describe the process for which type of attack? Locate and sniff an active connection between a host and web server. Monitor traffic to either capture or calculate the session ID. Desynchronize the session. Remove the authenticated user. Inject packets to the server. Stored cross-site scripting Session hijacking ARP poisoning Trojan attack

Session hijacking

Any attack involving human interaction of some kind is referred to as which of the following? An authorized hacker An opportunistic attack Social engineering Attacker manipulation

Social engineering

You are instant messaging a coworker, and you get a malicious link. Which type of social engineering attack is this? Surf Hoax Spim Spam

Spim

Which of the following attacks involves modifying the IP packet header and source address to make it look like they are coming from a trusted source? Zero-day Whitelisting DNS poisoning Spoofing

Spoofing

Which of the following BEST describes a federation? Is made up of components that include a user's account name and all the other attributes needed to start a session for the user. Stores a user's credentials so that trusted third parties can authenticate using those credentials without actually seeing them. Determines the combination of attributes from users, objects, actions, and environment factors that are needed to perform any given action on a system. Is an access management strategy where an attribute is created for every element of an organization's operations, such as for time, date, and location.

Stores a user's credentials so that trusted third parties can authenticate using those credentials without actually seeing them.

An attacker may poison the DNS by making changes to an organization's DNS table. Why might an attacker take this action? The attacker can prevent users from accessing internal resources. The attacker can prevent users from accessing the internet. The attacker can redirect users to a malicious website. The attacker can deface a website.

The attacker can redirect users to a malicious website.

Which of the following BEST describes an unknown penetration test? The penetration tester simulates an insider threat. The penetration tester is given partial information about the target or network. The penetration tester is given full knowledge of the network. The penetration tester has no information regarding the target or network.

The penetration tester has no information regarding the target or network.

Which of the following BEST describes signing in without single sign-on? The website does not have to check its database for user credentials. The website uses more than one way to authenticate a user. The website must have its own database of user credentials. The website provides an extra layer of security to an account.

The website must have its own database of user credentials.

You have implemented a regular backup schedule for a Windows system, backing up data files every night and creating a system image backup once per week. For security reasons, your company has decided not to store a redundant copy of the backup media at an off-site location. Which of the following would be the best backup and storage option? Use incremental backups and store them in a drawer in your office. Use incremental backups and store them in a locked, fireproof safe. Use differential backups and store them in a locked room. Use differential backups and store them on a shelf next to the backup device.

Use incremental backups and store them in a locked, fireproof safe.

How is probability determined using quantitative analysis? Using the SLE calculation Using the ARO calculation Using the AV calculation Using the ALE calculation

Using the ARO calculation

While looking at user logs you notice a user has been accessing items they should not have rights to. After speaking to the user, you believe your system may have experienced an attack. Which type of attack has the system MOST likely experienced? Horizontal privilege escalation Password stuffing Vertical privilege escalation Brute force attack

Vertical privilege escalation

During which phase of the Kill Chain framework is malware code encapsulated into commonly used file formats, such as PDF files, image files, or Word documents? Delivery Weaponization Command and Control Exploitation

Weaponization

You are working for a company that has one domain and multiple subdomains. Which certificate type would you need? Organization Single-use Wildcard Multi-domain

Wildcard

You are looking through your network usage logs and notice logins from a variety of geographic locations that are far from where your employees usually log in. Could this be a problem and why? Yes. Logins from strange geographical locations can show that your own employees are trying to hack you. No. Logins from strange geographical locations often happen from employees working remotely. Yes. Logins from strange geographical locations can show that a hacker is trying to gain access from a remote location. No. Logins from strange geographical locations happen when data is sent to distant servers.

Yes. Logins from strange geographical locations can show that a hacker is trying to gain access from a remote location.

Threats that do not have an existing fix, do not have any security fixes, and do not have available patches are called what? Unknown threats Zero-day threats Known threats Advanced persistent threats

Zero-day threats

Troy, a security analyst, is looking for a vulnerability scanning tool for internal use. His boss has told him to find the industry standard tool. Which tool BEST fits his mandate? BeyondTrust OpenVAS Nessus Insight VM

Nessus

A mailing list that often has the newest vulnerabilities listed before they show up on government-sponsored resources is operated by whom? CISA Nmap CVE Government Resources scoring system

Nmap

Which type of information contains intellectual property? PII Information systems Operations Work product

Operations

Which of the following are considered DNS hardening techniques? Optimize resources to their full potential. Outsource all DNS inquiries. Provide guidelines regarding the types of posts. Review company websites. Limit the sharing of critical information. Learn about your web server software. Clean up out-of-date zones.

Optimize resources to their full potential. Learn about your web server software. Clean up out-of-date zones.

Which of the following types of attacks are IoT devices most vulnerable to? Overflow CSRF XSS On-path

Overflow

The annual loss expectancy (ALE) calculation provides an organization's stakeholders with what information? Potential financial loss of an event based on a team of subject matter experts' expertise. Potential financial loss of an event based on how often a threat could occur. Potential financial loss of an event based on how often a threat could occur within a year. Potential financial loss of an event based on an intangible asset's real monetary value.

Potential financial loss of an event based on how often a threat could occur.

COBIT, ITIL, and ISO are examples of which type of framework? Risk-based Prescriptive Policies and procedures Testing tools

Prescriptive

Which type of framework is fairly rigid and requires that specific controls be implemented? Prescriptive Core Risk-based Policies and procedures

Prescriptive

Important aspects of physical security include which of the following? Implementing adequate lighting in parking lots and around employee entrances Preventing interruptions of computer services caused by problems such as fire Identifying what was broken into, what is missing, and the extent of the damage Influencing the target's thoughts, opinions, and emotions before something happens

Preventing interruptions of computer services caused by problems such as fire

An employee not authorized to release news to the press speaks to a reporter about upcoming management changes. Which sharing policy BEST explains why this shouldn't happen? Company social media Internet Printed materials Employee social media

Printed materials

Which of the following attacks is a SYN flood attack an example of? CSRF Application layer DDoS XSS Protocol DDoS

Protocol DDoS

You discover that your network is under a DDoS SYN flood attack. Which of the following DDoS attack methods does this fall under? Protocol DDoS Application layer DDoS DNS DDoS Amplification DDoS

Protocol DDoS

Which of the following are tactics social engineers might use? Eavesdropping, ignorance, and threatening Keylogging, shoulder surfing, and moral obligation Moral obligation, ignorance, and threatening Shoulder surfing, eavesdropping, and keylogging

Moral obligation, ignorance, and threatening

Which of the following is used to define minimum security requirements a device must meet before it can connect to a network? 802.1x Honeypot NAC IDS

NAC

Threat actors can be divided into different types based on their methods and motivations. Which type of hacker works for a government and attempts to gain top-secret information by hacking other governments' devices? Criminal Nation-state Intentional Hacktivist

Nation-state

John is a security analyst, and he needs the following information about a current exploit: Fix information Impact rating Severity score What is his BEST resource? Common Weakness Enumeration Cybersecurity Infrastructure Security Agency National Vulnerability Database Common Attack Pattern Enumeration Classification

National Vulnerability Database

Which of the following tools would you use to perform a SYN flood attack? Nmap TCPDump Metasploit Wireshark

Metasploit

Which of the following is the last phase of the vulnerability management life cycle? Risk assessment Monitoring Verification Remediation

Monitoring

Which security function reacts quickly and efficiently after an issue has been detected? Risk management Incident response Security engineering Vulnerability management

Incident response

Hackers use social networking, dumpster diving, social engineering, and web surfing during which portion of their reconnaissance? Information gathering techniques Information types Maintaining access Password cracking

Information gathering techniques

An attacker who gains access to your system can cause a lot of damage with a wide variety of malicious activities. Which of the following are malicious activities an attacker might use against your system? (Select two.) Save the event log. Install malware on the system. Steal confidential information. Access lower privilege users. Limit user privileges.

Install malware on the system. Steal confidential information.

John, a security analyst, conducted a review of a company's website. He discovered that sensitive company information was publicly available. Which of the following information sharing policies did he discover was being violated? Internet Company social media Printed materials Employee social media

Internet

A security analyst discovers that a system has been compromised through the building's thermostat. Which type of attack is this compromise from? Botnet Trojan IoT Trojan Defacement Trojan Proxy server Trojan

IoT Trojan

What seven-phase framework did Lockheed Martin develop to identify an attacker's step-by-step attack process? Diamond Model Kill Chain Attack vector Total attack

Kill Chain

Which type of testing is typically done by an internal tester who has full knowledge of the network, computer system, and infrastructure? Known Penetration Partially known Unknown

Known

What is the FIRST step in vulnerability scanning penetration? Itemize each open port and service in the network. Test each open port for known vulnerabilities. Purchasing a product and administering it from inside the network. Locate the live nodes in the network. You can do this using a variety of techniques, but you must know where each live host is.

Locate the live nodes in the network. You can do this using a variety of techniques, but you must know where each live host is.

When determining a risk's severity, which of the following are best to consider? (Select two.) Magnitude Control Vulnerability Impact Probability

Magnitude Probability

Which security control category controls system oversight? Operational Managerial Technical Preventative

Managerial

