Chapter 11: Security Assessments

Which of the following describes a man-in-the-middle attack? A person convinces an employee to reveal his or her login credentials over the phone. A false server intercepts communications from a client by impersonating the intended server. Malicious code is planted on a system, where it waits for a triggering event before activating. An IP packet is constructed that is larger than the valid size.

A false server intercepts communications from a client by impersonating the intended server.

Which of the following accurately describes what a protocol analyzer is used for? (Select two.) A device that allows you to capture, modify, and retransmit frames (to perform an attack). A device that can simulate a large number of client connections to a website, test file downloads for an FTP site, or simulate large volumes of emails. A passive device that is used to copy frames and allow you to view frame contents. A device that measures the amount of data that can be transferred through a n

A passive device that is used to copy frames and allow you to view frame contents. A device that does NOT allow you to capture, modify, and retransmit frames (to perform an attack).

In a variation of the brute force attack, an attacker may use a predefined list of common usernames and passwords to gain access to existing user accounts. Which countermeasure best addresses this issue? A strong password policy VLANs AES encryption 3DES encryption

A strong password policy

Which of the following attacks tries to associate an incorrect MAC address with a known IP address? MAC flooding ARP poisoning Null session Hijacking

ARP poisoning

Which of the following is the term used to describe what happens when an attacker sends falsified messages to link their MAC address with the IP address of a legitimate computer or server on a network? MAC flooding Port mirroring MAC spoofing ARP poisoning

ARP poisoning

Which of the following strategies can protect against a rainbow table password attack? Add random bits to the password before hashing takes place Enforce strict password restrictions Encrypt the password file with one-way encryption Educate users to resist social engineering attacks

Add random bits to the password before hashing takes place

You are concerned about protecting your network from network-based attacks on the internet. Specifically, you are concerned about attacks that have not yet been identified or that do not have prescribed protections. Which type of device should you use? Host-based firewall Network-based firewall Signature-based IDS Anomaly-based IDS Antivirus scanner

Anomaly-based IDS An anomaly-based intrusion detection system (IDS) can recognize and respond to some unknown attacks. Signature recognition, also referred to as pattern matching or dictionary recognition, looks for patterns in network traffic and compares them to known attack patterns called signatures. Signature-based recognition cannot detect unknown attacks. This system can only detect attacks identified by published signature files.

What is the most common form of host-based IDS that employs signature or pattern-matching detection methods? Antivirus software Honeypots Firewalls Motion detectors

Antivirus software

Which of the following activities are typically associated with a penetration test? Run a vulnerability scanner on network servers. Interview employees to verify that the security policy is being followed. Attempt social engineering. Create a performance baseline.

Attempt social engineering. Penetration testing typically uses tools and methods that are available to attackers. Penetration testing might start with attempts at social engineering or other reconnaissance activities. This may be followed by more active scans of systems and actual attempts to access secure systems.

You have been hired as part of the team that manages an organization's network defense. Which security team are you working on? Red White Purple Blue

Blue This team is responsible for stopping the red team's advances.

You are using a password attack that tests every possible keystroke for each single key in a password until the correct one is found. Which of the following technical password attacks are you using? Password sniffing Brute force attack Pass-the-hash attack Keylogger

Brute force attack

As part of a special program, you have discovered a vulnerability in an organization's website and reported it to the organization. Because of the severity, you are paid a good amount of money. Which type of penetration test are you performing? Bug bounty Gray box White box Black box

Bug bounty

Which of the following are network-sniffing tools? Ettercap, Ufasoft snif, and Shark Ufasoft snif, TCPDump, and Shark WinDump, KFSensor, and Wireshark Cain and Abel, Ettercap, and TCPDump

Cain and Abel, Ettercap, and TCPDump

You are using a protocol analyzer to capture network traffic. You want to only capture the frames coming from a specific IP address. Which of the following can you use to simplify this process? NIC Capture filters Switch Display filters

Capture filters

Which SIEM component is responsible for gathering all event logs from configured devices and securely sending them to the SIEM system? SIEM alerts Collectors Security automation Data handling

Collectors

What does an IDS that uses signature recognition use to identify attacks? Comparison of current statistics to past statistics Exceeding threshold values Statistical analysis to find unusual deviations Comparisons to known attack patterns

Comparisons to known attack patterns

You are running a packet sniffer on your workstation so you can identify the types of traffic on your network. You expect to see all the traffic on the network, but the packet sniffer only seems to be capturing frames that are addressed to the network interface on your workstation. Which of the following must you configure in order to see all of the network traffic? Configure the network interface to use protocol analysis mode. Configure the network interface to use promiscuous mode. Configure

Configure the network interface to use promiscuous mode. By default, a NIC only accepts frames addressed to itself. To enable the packet sniffer to capture frames sent to other devices, configure the NIC in promiscuous mode (sometimes called p-mode). In p-mode, the NIC processes every frame it sees.

A security administrator logs onto a Windows server on her organization's network. Then she runs a vulnerability scan on that server. Which type of scan was conducted in this scenario? Non-intrusive scan Non-credentialed scan Credentialed scan Intrusive scan

Credentialed scan

An attacker uses an exploit to push a modified hosts file to client systems. This hosts file redirects traffic from legitimate tax preparation sites to malicious sites to gather personal and financial information. Which kind of exploit has been used in this scenario? Reconnaissance Man-in-the-middle DNS poisoning Domain name kiting

DNS poisoning

Which type of denial-of-service (DoS) attack occurs when a name server receives malicious or misleading data that incorrectly maps host names and IP addresses? Spam DNS poisoning ARP poisoning SYN flood

DNS poisoning

While using the internet, you type the URL of one of your favorite sites in the browser. Instead of going to the correct site, the browser displays a completely different website. When you use the IP address of the web server, the correct site is displayed. Which type of attack has likely occurred? Man-in-the-middle DNS poisoning Hijacking Spoofing

DNS poisoning

You are cleaning your desk at work. You toss several stacks of paper in the trash, including a sticky note with your password written on it. Which of the following types of non-technical password attacks have you enabled? Dumpster diving Social engineering Shoulder surfing Password guessing

Dumpster diving

In your role as a security analyst, you ran a vulnerability scan, and several vulnerabilities were reported. Upon further inspection, none of the vulnerabilities actually existed. Which type of result is this? False negative True positive False positive True negative

False positive

Which of the following processes identifies an operating system based on its response to different types of network traffic? Social engineering Fingerprinting Firewalking Port scanning

Fingerprinting A hacker can use an analyzer to perform system fingerprinting. System fingerprinting identifies which operating system the system is running based on how it responds to different types of network traffic.

As a security precaution, you have implemented IPsec that is used between any two devices on your network. IPsec provides encryption for traffic between devices. You would like to implement a solution that can scan the contents of the encrypted traffic to prevent any malicious attacks. Which solution should you implement? Host-based IDS Protocol analyzer VPN concentrator Port scanner Network-based IDS

Host-based IDS A host-based IDS is installed on a single host and monitors all traffic coming into the host. A host-based IDS can analyze encrypted traffic because the host operating system decrypts that traffic as it is received.

You are concerned about attacks directed at your network firewall. You want to be able to identify and be notified of any attacks. In addition, you want the system to take immediate action to stop or prevent the attack, if possible. Which tool should you use? IPS IDS Packet sniffer Port scanner

IPS Use an intrusion prevention system (IPS) to both detect and respond to attacks.

Your organization uses a web server to host an e-commerce site. Because this web server handles financial transactions, you are concerned that it could become a prime target for exploits. You want to implement a network security control that analyzes the contents of each packet going to or from the web server. The security control must be able to identify malicious payloads and block them. What should you do? Implement an application-aware IPS in front of the web server Implement a packet-fil

Implement an application-aware IPS in front of the web server

You want to check a server for user accounts that have weak passwords. Which tool should you use? John the Ripper OVAL Nessus Retina

John the Ripper

Which of the following describes a false positive when using an IPS device? Malicious traffic not being identified The source address identifying a non-existent host The source address matching the destination address Malicious traffic masquerading as legitimate traffic Legitimate traffic being flagged as malicious

Legitimate traffic being flagged as malicious

Which step in the penetration testing life cycle is accomplished using rootkits or Trojan horse programs? Enumeration Maintain access Reconnaissance Gain access

Maintain access

Capturing packets as they travel from one host to another with the intent of altering the contents of the packets is a form of which type of attack? Spamming Man-in-the-middle attack DDoS Passive logging

Man-in-the-middle attack

You want to use a tool to scan a system for vulnerabilities, including open ports, running services, and missing patches. Which tool should you use? Nessus OVAL Wireshark LC4

Nessus

You want to identify all devices on a network along with a list of open ports on those devices. You want the results displayed in a graphical diagram. Which tool should you use? OVAL Port scanner Network mapper Ping scanner

Network mapper

A security administrator needs to run a vulnerability scan that analyzes a system from the perspective of a hacker attacking the organization from the outside. Which type of scan should he or she use? Port scan Non-credentialed scan Network-mapping scan Credentialed scan

Non-credentialed scan In a non-credentialed scan, the security administrator does not authenticate to the system prior to running the scan. A non-credentialed scan can be valuable because it allows the scanner to see the system from the same perspective that an attacker would see it. However, a non-credentialed scan does not typically produce the same level of detail as a credentialed scan.

Gathering as much personally identifiable information (PII) on a target as possible is a goal of which reconnaissance method? OSINT Passive Packet sniffing Active

OSINT

You are concerned about attacks directed against the firewall on your network. You would like to examine the content of individual frames sent to the firewall. Which tool should you use? Event log Throughput tester System log Load tester Packet sniffer

Packet sniffer

You want to know which protocols are being used on your network. You'd like to monitor network traffic and sort traffic by protocol. Which tool should you use? Packet sniffer Throughput tester Port scanner IDS IPS

Packet sniffer

Which type of reconnaissance is dumpster diving? Packet sniffing OSINT Passive Active

Passive

Which of the following techniques involves adding random bits of data to a password before it is stored as a hash? Keylogging Password sniffing Pass-the-hash attack Password salting

Password salting

Which of the following uses hacking techniques to proactively discover internal vulnerabilities? Penetration testing Passive reconnaissance Reverse engineering Inbound scanning

Penetration testing

Which of the following Security Orchestration, Automation, and Response (SOAR) system automation components is often used to document the processes and procedures that are to be used by a human during a manual intervention? Playbook Orchestration Runbook Response

Playbook Playbooks are linear checklists of required steps and actions that are to be taken to respond to an alert. While playbooks do support automated actions, they are often used to document the processes and procedures that are to be used by a human during a manual intervention.

You decide to use a packet sniffer to identify the type of traffic sent to a router. You run the packet sniffing software on a device that is connected to a hub with three other computers. The hub is connected to a switch that is connected to the router. When you run the software, you see frames addressed to the four workstations, but not to the router. Which feature should you configure on the switch? Spanning Tree Protocol Bonding Promiscuous mode Port mirroring

Port mirroring

You want to make sure that a set of servers only accepts traffic for specific network services. You have verified that the servers are only running the necessary services, but you also want to make sure that the servers do not accept packets sent to those services. Which tool should you use? Port scanner IPS System logs Packet sniffer IDS

Port scanner Use a port scanner to check for open ports on a system or firewall. Compare the list of open ports with the list of ports allowed by your network design and security policy. Typically, a port is open when a service starts or is configured on a device. Open ports for unused services expose the server to attacks directed at that port.

You want to identify traffic that is generated and sent through a network by a specific application running on a device. Which tool should you use? TDR Protocol analyzer Toner probe Multimeter Certifier

Protocol analyzer Use a protocol analyzer (also called a packet sniffer) to examine network traffic. You can capture or filter packets from a specific device or packets that use a specific protocol.

Which of the following password attacks uses preconfigured matrices of hashed dictionary words? Dictionary attack Hybrid attack Brute-force attack Rainbow table attack

Rainbow table attack

Which phase or step of a security assessment is a passive activity? Reconnaissance Privilege escalation Vulnerability mapping Enumeration

Reconnaissance

You have run a vulnerability scanning tool and identified several patches that need to be applied to a system. What should you do next after applying the patches? Update the vulnerability scanner definition files. Run the vulnerability assessment again. Document your actions. Use a port scanner to check for open ports.

Run the vulnerability assessment again. After fixing an identified vulnerability, you should re-run the vulnerability scan to verify that everything has been fixed and that additional issues are not present.

Which of the following systems is able to respond to low-level security events without human assistance? Firewall SIEM IDS SOAR

SOAR Security Orchestration, Automation, and Response (SOAR) systems gather and analyze data like SIEM systems, but they take the analysis to the next level. SOAR is a solution stack of compatible software programs that allow an organization to collect data about security threats from multiple sources and respond to low-level security events without human assistance.

Which of the following is a very detailed document that defines exactly what is going to be included in the penetration test? Goals and guidelines Scope of work Payment terms Rules of engagement

Scope of work

Which of the following roles would be MOST likely to use a protocol analyzer to identify frames that might cause errors? Network administrator Standard user Security operations team Malicious hacker

Security operations team

Which of the following tools can be used to see if a target has any online IoT devices without proper security? Shodan Packet sniffing scanless theHarvester

Shodan

Which IDS method searches for intrusion or attack attempts by recognizing patterns or identifying entities listed in a database? Stateful-inspection-based IDS Signature-based IDS Heuristics-based IDS Anomaly-analysis-based IDS

Signature-based IDS

Carl received a phone call from a woman who states that she is calling from his bank. She tells him that someone has tried to access his checking account, and she needs him to confirm his account number and password to discuss further details. He gives her his account number and password. Which of the following types of non-technical password attack has occurred? Dumpster diving Social engineering Password guessing Shoulder surfing

Social engineering

Which of the following best describes shoulder surfing? Giving someone you trust your username and account password. Someone nearby watching you enter your password on your computer and recording it. Guessing someone's password because it is so common or simple. Finding someone's password in the trash can and using it to access their account.

Someone nearby watching you enter your password on your computer and recording it.

Which type of activity changes or falsifies information in order to mislead or re-direct traffic? Spoofing Sniffing Snooping Spamming

Spoofing

A router on the border of your network detects a packet with a source address that is from an internal client, but the packet was received on the internet-facing interface. This is an example of which form of attack? Snooping Spamming Sniffing Spoofing

Spoofing This is an example of spoofing. Spoofing is the act of changing or falsifying information in order to mislead or re-direct traffic. In this scenario, a legitimate packet whose stated source is an internal address cannot arrive on the internet-facing (inbound) interface, so the source address must have been falsified.

What is the primary purpose of penetration testing? Assess the skill level of new IT security staff. Test the effectiveness of your security perimeter. Evaluate newly deployed firewalls. Infiltrate a competitor's network.

Test the effectiveness of your security perimeter.

Which of the following describes the worst possible action by an IDS? The system detected a valid attack and the appropriate alarms and notifications were generated. The system identified harmless traffic as offensive and generated an alarm. The system identified harmful traffic as harmless and allowed it to pass without generating any alerts. The system correctly deemed harmless traffic as inoffensive and let it pass.

The system identified harmful traffic as harmless and allowed it to pass without generating any alerts.

In your role as a security analyst, you need to stay up to date on the latest threats. You are currently reviewing the latest real-time updates on cyberthreats from across the world. Which of the following resources are you MOST likely using? Advisories and bulletins Intelligence fusion Threat hunting Threat feeds

Threat feeds

A user named Bob Smith has been assigned a new desktop workstation to complete his day-to-day work. When provisioning Bob's user account in your organization's domain, you assigned an account name of BSmith with an initial password of bw2Fs3d. On first login, Bob is prompted to change his password. He changes it to the name of his dog, Fido. What should you do to increase the security of Bob's account? (Select two.) Train users not to use passwords that are easy to guess. Use Group Policy to

Train users not to use passwords that are easy to guess. Use Group Policy to require strong passwords on user accounts.

An active IDS system often performs which of the following actions? (Select two.) -Traps and delays the intruder until the authorities arrive. -Updates filters to block suspect traffic. -Cannot be detected on the network because it takes no detectable actions. -Requests a second logon test for users performing abnormal activities. -Performs reverse lookups to identify an intruder.

Updates filters to block suspect traffic. Performs reverse lookups to identify an intruder.

You want to be able to identify the services running on a set of servers on your network. Which tool would BEST give you the information you need? Vulnerability scanner Network mapper Protocol analyzer Port scanner

Vulnerability scanner

The process of walking around an office building with an 802.11 signal detector is known as: Daemon dialing War dialing Driver signing War driving

War driving

You have been promoted to team lead of one of the security operations teams. Which security team are you now a part of? White Blue Red Purple

White

You have been hired to perform a penetration test for an organization. You are given full knowledge of the network before the test begins. Which type of penetration test are you performing? White box Black box Gray box Bug bounty

White box

You want to use a tool to see packets on a network, including the source and destination of each packet. Which tool should you use? nmap Wireshark Nessus OVAL

Wireshark

Which of the following tools can be used to view and modify DNS server information in Linux? tracert dig netstat route

dig

You need to enumerate the devices on your network and display the network's configuration details. Which of the following utilities should you use? dnsenum nmap scanless nslookup

nmap

You need to check network connectivity from your computer to a remote computer. Which of the following tools would be the BEST option to use? ping route tracert nmap

ping

Which passive reconnaissance tool is used to gather information from a variety of public sources? Packet sniffing theHarvester scanless Shodan

theHarvester
