Sec + Questions on Network Attacks
Which of the following is BEST used to capture and analyze network traffic between hosts on the same network segment? A. Protocol analyzer B. Router C. Firewall D. HIPS
A
A corporation has experienced several media leaks of proprietary data on various web forums. The posts were made during business hours and it is believed that the culprit is posting during work hours from a corporate machine. The Chief Information Officer (CIO) wants to scan internet traffic and keep records for later use in legal proceedings once the culprit is found. Which of the following provides the BEST solution? A. Protocol analyzer B. NIPS C. Proxy server D. HIDS
A
A network analyst received a number of reports that impersonation was taking place on the network. Session tokens were deployed to mitigate this issue and defend against which of the following attacks? A. Replay B. DDoS C. Smurf D. Ping of Death
A
An attack that is using interference as its main attack to impede network traffic is which of the following? A. Introducing too much data to a targets memory allocation B. Utilizing a previously unknown security flaw against the target C. Using a similar wireless configuration of a nearby network D. Inundating a target system with SYN requests
A
Ann, a system analyst, discovered the following log. Which of the following or techniques does this indicate? {bp1@localmachine}$ Is-al Total 12 Drwxrwxr-x A. Protocol analyzer B. Port scanner C. Vulnerability D. Banner grabbing
A
During a security assessment, an administrator wishes to see which services are running on a remote server. Which of the following should the administrator use? A. Port scanner B. Network sniffer C. Protocol analyzer D. Process list
A
Which device monitors network traffic in a passive manner? A. Sniffer B. IDS C. Firewall D. Web browser
A
Which of the following attacks involves the use of previously captured network traffic? A. Replay B. Smurf C. Vishing D. DDoS
A
Which of the following would a security administrator implement in order to identify a problem between two applications that are not communicating properly? A. Protocol analyzer B. Baseline report C. Risk assessment D. Vulnerability scan
A
Which of the following would a security administrator implement in order to identify a problem between two systems that are not communicating properly? A. Protocol analyzer B. Baseline report C. Risk assessment D. Vulnerability scan
A
Which of the following attacks impact the availability of a system? (Select TWO). A. Smurf B.Phishing C. Spim D. DDoS E. Spoofing
A D
A malicious user has collected the following list of information: 192.168.1.5 OpenSSH-Server_5.8 192.168.1.7 OpenSSH-Server_5.7 192.168.1.9 OpenSSH-Server_5.7 Which of the following techniques is MOST likely to gather this type of data? A. Banner grabbing B. Port scan C. Host scan D. Ping scan
B
A network technician is trying to determine the source of an ongoing network based attack. Which of the following should the technician use to view IPv4 packet data on a particular internal network segment? A. Proxy B. Protocol analyzer C. Switch D. Firewall
B
A new security analyst is given the task of determining whether any of the company's servers are vulnerable to a recently discovered attack on an old version of SSH. Which of the following is the quickest FIRST step toward determining the version of SSH running on these servers? A. Passive scanning B. Banner grabbing C. Protocol analysis D. Penetration testing
B
An administrator is instructed to disable IP-directed broadcasts on all routers in an organization. Which of the following attacks does this prevent? A. Pharming B. Smurf C. Replay D. Xmas
B
An administrator notices an unusual spike in network traffic from many sources. The administrator suspects that: A. it is being caused by the presence of a rogue access point. B. it is the beginning of a DDoS attack. C. the IDS has been compromised. D. the internal DNS tables have been poisoned.
B
In performing an authorized penetration test of an organization's system security, a penetration tester collects information pertaining to the application versions that reside on a server. Which of the following is the best way to collect this type of information? A. Protocol analyzer B. Banner grabbing C. Port scanning D. Code review
B
Maintenance workers find an active network switch hidden above a dropped-ceiling tile in the CEO's office with various connected cables from the office. Which of the following describes the type of attack that was occurring? A. Spear phishing B. Packet sniffing C. Impersonation D. MAC flooding
B
Matt, an administrator, notices a flood fragmented packet and retransmits from an email server. After disabling the TCP offload setting on the NIC, Matt sees normal traffic with packets flowing in sequence again. Which of the following utilities was he MOST likely using to view this issue? A. Spam filter B. Protocol analyzer C. Web application firewall D. Load balancer
B
Pete, a security analyst, has been tasked with explaining the different types of malware to his colleagues. The two malware types that the group seems to be most interested in are botnets and viruses. Which of the following explains the difference between these two types of malware? A. Viruses are a subset of botnets which are used as part of SYN attacks. B. Botnets are a subset of malware which are used as part of DDoS attacks. C. Viruses are a class of malware which create hidden openings within an OS. D. Botnets are used within DR to ensure network uptime and viruses are not.
B
Which of the following BEST allows Pete, a security administrator, to determine the type, source, and flags of the packet traversing a network for troubleshooting purposes? A. Switches B. Protocol analyzers C. Routers D. Web security gateways
B
Which of the following BEST describes an attack where communications between two parties are intercepted and forwarded to each party with neither party being aware of the interception and potential modification to the communications? A. Spear phishing B. Man-in-the-middle C. URL hijacking D. Transitive access
B
Which of the following exploits either a host file on a target machine or vulnerabilities on a DNS server in order to carry out URL redirection? A. Pharming B. Spoofing C. Vishing D. Phishing
B
Which of the following will help prevent smurf attacks? A. Allowing necessary UDP packets in and out of the network B. Disabling directed broadcast on border routers C. Disabling unused services on the gateway firewall D. Flash the BIOS with the latest firmware
B
While responding to an incident on a new Windows server, the administrator needs to disable unused services. Which of the following commands can be used to see processes that are listening on a TCP port? A. IPCONFIG B. Netstat C. PSINFO D. Net session
B
Which the following flags are used to establish a TCP connection? (Select TWO). A. PSH B. ACK C. SYN D. URG E. FIN
B C
An attacker impersonates a fire marshal and demands access to the datacenter under the threat of a fine. Which of the following reasons make this effective? (Select two.) A. Consensus B. Authority C. Intimidation D. Trust E. Scarcity
B E
A network administrator is attempting to troubleshoot an issue regarding certificates on a secure website. During the troubleshooting process, the network administrator notices that the web gateway proxy on the local network has signed all of the certificates on the local machine. Which of the following describes the type of attack the proxy has been legitimately programmed to perform? A. Transitive access B. Spoofing Correct Answer C. Man-in-the-middle D. Replay
C
An administrator is investigating a system that may potentially be compromised and sees the following log entries on the router. *Jul 15 14:47:29.779: %Router1: list 101 permitted TCP 192.10.3.204(57222) (FastEthernet 0/3) -> 10.10.1.5 (6667), 3 packets. *Jul 15 14:47:38.779: %Router1: list 101 permitted TCP 192.10.3.204(57222) (FastEthernet 0/3) -> 10.10.1.5 (6667), 6 packets. *Jul 15 14:47:45.779: %Router1: list 101 permitted TCP 192.10.3.204(57222) (FastEthernet 0/3) -> 10.10.1.5 (6667), 8 packets. Which of the following BEST describes the compromised system? A. It is running a rogue web server B. It is being used in a man-in-the-middle attack C. It is participating in a botnet D. It is an ARP poisoning attack
C
An administrator is investigating a system that may potentially be compromised, and sees the following log entries on the router. *Jul 15 14:47:29.779:%Router1: list 101 permitted tcp 192.10.3.204(57222) (FastEthernet 0/3) -> 10.10.1.5 (6667), 3 packets. *Jul 15 14:47:38.779:%Router1: list 101 permitted tcp 192.10.3.204(57222) (FastEthernet 0/3) -> 10.10.1.5 (6667), 6 packets. *Jul 15 14:47:45.779:%Router1: list 101 permitted tcp 192.10.3.204(57222) (FastEthernet 0/3) -> 10.10.1.5 (6667), 8 packets. Which of the following BEST describes the compromised system? A. It is running a rogue web server B. It is being used in a man-in-the-middle attack C. It is participating in a botnet D. It is an ARP poisoning attack
C
An attacker went to a local bank and collected disposed paper for the purpose of collecting data that could be used to steal funds and information from the bank's customers. This is an example of: A. Impersonation B. Whaling C. Dumpster diving D. Hoaxes
C
Ann is concerned that the application her team is currently developing is vulnerable to unexpected user input that could lead to issues within the memory is affected in a detrimental manner leading to potential exploitation. Which of the following describes this application threat? A. Replay attack B. Zero-day exploit Correct Answer C. Distributed denial of service D.Buffer overflow
C
In order for network monitoring to work properly, you need a PC and a network card running in what mode? A. Launch B. Exposed C. Promiscuous D. Sweep
C
Which of the following attacks could be used to initiate a subsequent man-in-the-middle attack? A. ARP poisoning B. DoS C. Replay D. Brute force
C
Which of the following attacks initiates a connection by sending specially crafted packets in which multiple TCP flags are set to 1? A. Replay B. Smurf C. Xmas D. Fraggle
C
Which of the following attacks is generally initiated from a botnet? A. Cross site scripting attack B. HTTP header injection C. Distributed denial of service D. A war driving attack
C
Which of the following software allows a network administrator to inspect the protocol header in order to troubleshoot network issues? A. URL filter B. Spam filter C. Packet sniffer D. Switch
C
Which of the following tools would a security administrator use in order to identify all running services throughout an organization? A. Architectural review B. Penetration test C. Port scanner D. Design review
C
Which of the following tools would allow Ann, the security administrator, to be able to BEST quantify all traffic on her network? A. Honeypot B. Port scanner C. Protocol analyzer D. Vulnerability scanner
C
Which statement is TRUE about the operation of a packet sniffer? A. It can only have one interface on a management network. B. They are required for firewall operation and stateful inspection. C. The Ethernet card must be placed in promiscuous mode. D. It must be placed on a single virtual LAN interface.
C
A switch is set up to allow only 2 simultaneous MAC addresses per switch port. An administrator is reviewing a log and determines that a switch ort has been deactivated in a conference room after it detected 3 or more MAC addresses on the same port. Which of the following reasons could have caused this port to be disabled? A. A pc had a NIC replaced and reconnected to the switch B. An ip telephone has been plugged in C. A rouge access point was plugged in D. An arp attack was launched from a pc on this port
D
Although a vulnerability scan report shows no vulnerabilities have been discovered, a subsequent penetration test reveals vulnerabilities on the network. Which of the following has been reported by the vulnerability scan? A. Passive scan B. Active scan C. False positive D. False negative
D
An administrator has to determine host operating systems on the network and has deployed a transparent proxy. Which of the following fingerprint types would this solution use? A. Packet B. Active C. Port D.Passive
D
An administrator is assigned to monitor servers in a data center. A web server connected to the Internet suddenly experiences a large spike in CPU activity. Which of the following is the MOST likely cause? A. Spyware B. Trojan C. Privilege escalation D. DoS
D
Joe, the security administrator, has determined that one of his web servers is under attack. Which of the following can help determine where the attack originated from? A. Capture system image B. Record time offset C. Screenshots D. Network sniffing
D
Sara, the Chief Information Officer (CIO), has requested an audit take place to determine what services and operating systems are running on the corporate network. Which of the following should be used to complete this task? A. Fingerprinting and password crackers B. Fuzzing and a port scan C. Vulnerability scan and fuzzing D. Port scan and fingerprinting
D
Timestamps and sequence numbers act as countermeasures against which of the following types of attacks? A. Smurf B. DoS C. Vishing D. Replay
D
Which of the following network devices is used to analyze traffic between various network interfaces? A. Proxies B.Firewalls C. Content inspection D. Sniffers
D
While performing surveillance activities an attacker determines that an organization is using 802.1X to secure LAN access. Which of the following attack mechanisms can the attacker utilize to bypass the identified network security controls? A. MAC spoofing B. Pharming C. Xmas attack D. ARP poisoning
D