Chapter 6 and 7 Exam


Which of the following are the BEST methods for protecting against rogue devices and identifying rogue devices more easily? (Select two.) Network mapping and host discovery 802.1x network access control Packet sniffing Port-based access control Traffic flow

802.1x network access control Port-based access control

The information below is from Wireshark. Which kind of attack is occurring? Answer A SYN flood attack An ICMP flood attack A DoS attack A DDoS attack

A DDoS attack

A password spraying attack is MOST like which of the following attack types? A directory traversal attack A privilege escalation attack A brute force attack A phishing attack

A brute force attack

The DKIM tool can provide security for your company's emails because it contains which of the following? A timestamp A digital signature A block signature A header

A digital signature

Which of the following BEST describes a rogue access point attack? A hacker getting a user or client to unintentionally connect to their access point instead of the legitimate point the user intended to use. A hacker taking advantage of an access point that has not implemented the basic techniques to protect the network. A hacker installing an unauthorized access point within a company. A hacker advertising an access point using an extremely strong signal for malicious purposes.

A hacker installing an unauthorized access point within a company.

Which of the following describes a credential stuffing attack? A hacker tries to gain elevated privileges on a network. A hacker tries a list of credentials on multiple sites. A hacker tries a list of passwords on a single site. A hacker tries to get a user to click on a malicious link.

A hacker tries a list of credentials on multiple sites.

Which of the following BEST describes a relational database? A storage bank for data that is organized in tables linked by keys and which can be searched in multiple ways through those keys. A storage bank for data in which data is stored in a format like an upside-down tree. In this format, each element can point to multiple data elements, and each record is linked to the owner at the bottom of the tree. A storage bank for data in which data is organized in a tree-type format and ranked based on how many links a record has. A storage bank for data in which data is stored as an object and is based on OOP model.

A storage bank for data that is organized in tables linked by keys and which can be searched in multiple ways through those keys.

Match each attack on the left to the appropriate defense on the right. A. Use rigid specifications to validate all headers, cookie query strings, hidden fields, and form fields. B. Perform input validation. Do not permit dangerous characters in the input. C. Log off immediately after using a web application. Clear History after using a web application, and don't allow your browser to save your login details. D. Secure remote administration and connectivity testing. Perform extensive input validation. Configure the firewall to deny ICMP traffic. Stop data processed by the attacker from being executed. E. Update web servers with security patches on a regular basis. Limit access to the secure areas of the website.

A. XSS Attack B. Injection Attack C. CSRF Attack D. DoS Attack E. Directory Traversal

Which of the following is the term used to describe what happens when an attacker sends falsified messages to link their MAC address with the IP address of a legitimate computer or server on a network? Port mirroring MAC spoofing ARP poisoning MAC flooding

ARP Poisoning

What does a router use to protect a network from attacks and to control which types of communications are allowed on a network? Air gap Screened subnet Hardware root of trust Access control list

Access control list

While performing a password audit on a Windows machine in your organization with L0phtCrack, you receive the following results. Based on what you see below, which two accounts should worry you the most? (Select two.) DefaultAccount Administrator Mihai Brandon Guest

Administrator Mihai

On rare occasions, an individual computer contains information that is highly confidential and must remain separated from both internal and external networks. Which of the following segmentation solutions would BEST achieve this goal? Air gap VLAN Jumpbox Screened subnet

Air gap

Which of the following BEST describes a DoS fragmentation attack? A transport-level or network-level attack focused on the connection state tables of firewalls, load balancers, and application servers. An attack in which fake UDP or ICMP packets larger than the MTU are sent to exhaust the processing resources. A network-level attack focused on consuming all the bandwidth between a target and the internet by using multiple sources to flood traffic. An attack focused on exploiting vulnerabilities in protocols and broadcast networks in which intermediary computers amplify small requests into larger payloads to overwhelm a server.

An attack in which fake UDP or ICMP packets larger than the MTU are sent to exhaust the processing resources.

Which of the following BEST describes a TCP session hijacking attack? An attacker sniffs traffic between the target machine and server and then uses ARP poisoning to redirect communication through the attacker's machine. An attacker returns a response to the target before the server does. They do this on a connectionless-based protocol that does not use sequence packets. An attacker sniffs between two machines on a connection-based protocol, monitors the traffic to capture the session ID, terminates the target computer's connection, and injects packets to the server. An attacker alters the DNS server to redirect traffic to a malicious website and targets Active Directory or other DNS-reliant networks.

An attacker sniffs between two machines on a connection-based protocol, monitors the traffic to capture the session ID, terminates the target computer's connection, and injects packets to the server.

You have performed a SQL injection attack against a website using Burp Suite and see the following results. What are you looking for? Any results that have a large length Any results that show something unexpected being passed back from the server Any results that show the username and password of any users on the system Any results that show the server returning an error

Any results that show something unexpected being passed back from the server

Which security control layer involves putting in place policies that comply with industry standards, such as OWASP? Physical Application Management Network

Application

Your Intrusion Detection System (IDS) doesn't seem to be listing any new security attacks on your network. Which of the following DDoS attack methods is MOST likely being used? Application Layer DDoS Amplification DDoS Protocol DDoS TCP SYN flood attack

Application Layer DDoS

You discover that your web server is receiving a large number of HTTP requests, causing it to repeatedly load a web page. Which of the following DDoS attack methods does this fall under? Amplification DDoS Protocol DDoS Application layer DDoS DNS DDoS

Application layer DDoS

Which of the following SQL injection attack types uses true/false questions to perform reconnaissance? Compromised data integrity attack Compromised availability of data attack Blind injection attack Authentication bypass attack

Blind Injection Attack

A customer logs into their bank account and simultaneously checks their email. They see an email containing a link that, when clicked, initiates a transfer of funds from the user's bank account to an attacker's account. What type of vulnerability does this situation describe? CSRF Broken access control XSS Injection

CSRF

You have just discovered that a hacker is trying to penetrate your network using MAC spoofing. Which of the following BEST describes MAC spoofing? Configuring a network card to run in promiscuous mode, allowing MAC addresses to be captured. Driving around in a car and searching for wireless networks that allow MAC addresses to be captured. The process of sending many Ethernet frames, each containing different source MAC addresses, to a switch. Changing a hacker's network card to match a legitimate address being used on a network.

Changing a hacker's network card to match a legitimate address being used on a network.

Over time, changes in the way people use networks have complicated protecting a network against security threats. Which of the following trends has increased the need for security? (Select two.) Startup companies Cloud computing Social networking Privilege escalation Multi-factor authentication

Cloud Computing Social Networking

A security analyst discovers that an attacker is attempting to launch a distributed denial-of-service (DDoS) attack on the company's network. What action should the security analyst take to prevent the DDoS attack from succeeding? Implement a firewall to block traffic from the attacker's IP address Shut down the server until the attacker is identified Add more bandwidth to the server to handle the increased traffic Configure the router to limit the amount of traffic coming from the attacker's IP address

Configure the router to limit the amount of traffic coming from the attacker's IP address

John creates an account and creates a listing for the sale of his home. He uses HTML tags to bold important words. Kris, an attacker, spots John's listing and notices the bolded words. Kris assumes HTML tags are enabled on the user end and uses this vulnerability to insert her own script, which will send her a copy of the cookie information for any user who looks at the ad. Which type of attack method is Kris MOST likely using? RAT Cross-site scripting Backdoor Trojan Active session hijacking

Cross-site scripting

Which of the following tools can you use to prevent data exfiltration by identifying and blocking the transfer of sensitive information? WAF OneDrive FTP DLP

DLP

A cybersecurity analyst for a large financial services company reviews the company's email security controls and is concerned about the risk of phishing attacks. The analyst decides to implement Domain-based Message Authentication, Reporting and Conformance (DMARC) to better protect the company's email domain. Which of the following BEST describes the correlation between embedded links and DMARC? DMARC protects against phishing attacks that use embedded links by analyzing email headers. DMARC only applies to email messages that contain embedded links from untrusted senders DMARC prevents embedded links from being included in emails altogether. DMARC verifies the authenticity of embedded links by checking the sender's domain against the DMARC record.

DMARC verifies the authenticity of embedded links by checking the sender's domain against the DMARC record.

An artificial intelligence research corporation has tasked a cybersecurity analyst with preventing malicious or corrupted data from entering into their proprietary ML model through a data poisoning attack. Which of the following actions should the analyst take? (Select three.) Avoidance of hardcoded credentials Two-factor authentication Data diversity Input validation Anomaly detection Data validation Appropriate encryption methods

Data Diversity Anomaly detection Data validation

A security analyst at a financial institution has discovered that sensitive customer data was transferred outside of the organization's network. Which of the following is the MOST likely explanation for the data transfer? Data backup Data replication Data archiving Data exfiltration

Data exfiltration

Which security control makes a system more difficult to attack? Detective Preventive Deterrent Corrective

Deterrent

Which of the following attacks would use the following syntax? http://www.testout.com.br/../../../../some_dir/some_file XSS DNS poisoning SQL injection Directory traversal

Directory Traversal

As a security consultant for a conglomerate of healthcare services, you suspect that the email client being used by the hospital staff is allowing hackers to send malicious emails to employees. You have used an analyzing tool and found the following string in a from field in the email header of several suspect emails: Friendly Guy You have also found the following in the same header: [email protected] In which of the following fields in the header have you MOST likely found this information? SMTP Display from Envelope from Received from/by

Display from

A security analyst is monitoring the network traffic of a large organization. The analyst has noticed an unusual spike in network traffic and needs to determine the cause. What is the MOST likely explanation for the unusual spike in network traffic? Heightened user activity Background traffic Distributed denial-of-service (DDoS) attack Network configuration issue

Distributed denial-of-service (DDoS) attack

A security analyst performs incident response activities after a recent security incident. They need to analyze a suspicious email attachment and verify the email's authentication to determine the attack's origin. Which tool should the analyst utilize to accomplish these tasks? Security Information and Event Management (SIEM) Cuckoo Sandbox Domain-based Message Authentication, Reporting, and Conformance (DMARC) Network Access Control (NAC)

Domain-based Message Authentication, Reporting, and Conformance (DMARC)

A security analyst is investigating a series of phishing emails that bypassed the organization's email filtering system. They need to determine the most likely method the attacker used to ensure the recipients received the phishing emails. Which of the following methods is MOST likely used by the attacker? Network Time Protocol (NTP) abuse DomainKeys Identified Mail (DKIM) exploit Address Resolution Protocol (ARP) poisoning Impossible travel

DomainKeys Identified Mail (DKIM) exploit

A government agency had a breach at one of its locations that resulted in stolen hard drives. The virtual servers on the stolen hard drives had data for only one virtual appliance replicating to the secondary virtual appliance remotely. A security investigation report showed that the agency did not set up virtual appliances with data-at-rest security features. What must the system administrators do to ensure another breach does not jeopardize the government? Encrypt the virtual server Configure high availability Setup backup targets Setup for disaster recovery

Encrypt the virtual server

Which Wi-Fi attack uses a rogue access point configured with the same SSID as the organization's SSID? Access point misconfiguration MAC spoofing Wardriving Evil twin

Evil Twin

Your company has had a problem with users getting hacked even though you have established strong password policies. What is the next logical step to increase your company's security? Revise your company's password policy. Purchase new computers for all your employees. Implement two or more methods of authentication. Train the employees on the different types of hackers.

Implement two or more methods of authentication.

A network reliability engineer for a commercial dairy company receives an alert from the sensor in refrigeration unit 7. It shows the cooler as 15 degrees higher than usual, and the backup refrigeration units are working at max capacity to control the increase in temperature. The engineer alerts the floor manager on shift to distribute inventory to nearby coolers and send a maintenance specialist to resolve the issue. What type of controls saved the company's inventory from a catastrophe? Industrial control systems (ICSs) Regulatory requirements Action Plan Security information and event management (SIEM)

Industrial control systems (ICSs)

A security administrator is testing their organization's database server, which services a publicly accessible web application server. The security administrator sends unexpected input combined with arbitrary commands to the web application to determine whether the database server is vulnerable. What kind of vulnerability is the security administrator testing? Cryptographic failures Software and data integrity failures Broken access control Injection flaws

Injection Flaws

An attacker performs a successful SQL injection attack against your employer's web application that they use for daily business. What is the MOST likely reason the web application was vulnerable to attack? The internal router was not configured with router throttling to prevent overflow issues. File fingerprinting was not being implemented. Input fields in the comment forms were not being validated. SSH was not implemented.

Input fields in the comment forms were not being validated.

Which of the following is a method of attack that is intended to overload the memory of a network switch, forcing the switch into open-fail mode and thereby causing it to broadcast incoming data to all ports? MAC flooding ARP poisoning MAC spoofing Port mirroring

MAC flooding

An email's Internet header contains address information for the recipient and sender, plus details of the servers handling the message's transmission, using the fields set out in the Simple Mail Transfer Protocol (SMTP). When an email is created, the mail user agent (MUA) creates an initial header and forwards the message to which of the following? MDA MTA MUA SMTP

MDA

Which of the following ICS components is a special network protocol that controller systems use to communicate with each other? PLC Modbus SCADA HMI

Modbus

A company's security analyst wants to identify issues such as unauthorized devices and software or misconfigured hosts on the company network. Which of the following are the most commonly used methods for detecting any rogue devices on a network? (Select two.) Network tap WAP creation Network scans Network mapping Ping sweeps

Network Scans Ping Sweeps

Which of the following BEST describes the components of an ICS network? Operational technology Information technology Manufacturing technology Performance technology

Operational technology

A company's security team needs to assess the security posture of its Amazon Web Services (AWS) environment, focusing on both the reconnaissance and exploitation phases of a penetration testing engagement. The team requires a tool that can automate various attack scenarios and validate the effectiveness of its cloud security controls. Which of the following tools is best suited for this task? Tenable.io Zed Attack Proxy (ZAP) Suricata Pacu

Pacu

An organization moves computing resources to the cloud. A team of security consultants performs penetration tests on a newly established install of AWS virtual machine instances. Which resource does the team deploy to gain unauthorized access to these cloud resources? Pacu ScoutSuite OpenVAS Immunity debugger

Pacu

A company's security team recently discovered an unknown device connected to their network, and they suspect it could be a rogue device. The team wants to conduct scans and sweeps to locate and remove any unauthorized devices on the network. Which of the following are common types of scans or sweeps the team can use to locate rogue devices in the network? (Select two.) Network tap Passive scanning Port scanning Network mapping Active scanning

Passive scanning Active scanning

A Chief Executive Officer (CEO) receives an email that appears to be from the Chief Operations Officer (COO) discussing quarterly reports. The email includes a link to a nonsuspicious-looking website that allows unauthenticated persons to leave comments at the bottom of the form. One of the comments, in non-visible text, includes a Javascript code snippet and link. What kind of attack is this? Directory traversal Reflected XSS Persistent XSS File inclusion

Persistent XSS

Which of the following types of cyberattacks include a legitimate-looking embedded link to a malicious site in an email purporting to be from a legitimate source? Phishing Brute force SQL injection Trojan horse

Phishing

Which of the following attacks sends fragmented packets that exceed 65,535 bytes and cause a buffer overflow and system crash when reassembled? Fraggle attack Smurf attack Ping of death attack Phlashing attack

Ping of death attack

An attacker is disguising a signature by encoding the attack payload and placing a decoder in front of the payload. Every time the payload is sent, the code is rewritten so the signature changes. Which of the following obfuscation techniques is the attacker using? Encryption Insertion attack Polymorphic shellcode Unicode evasion

Polymorphic shellcode

The network IDS has sent alerts regarding malformed messages and sequencing errors. Which of the following IDS detection methods is MOST likely being used? Trend Protocol Anomaly Signature

Protocol

An organization moves computing resources to the cloud. A team of security consultants reviews the new configurations and reports on the details from an external perspective. As part of the investigation, the team takes advantage of regulatory compliance features of what tool? Pacu ScoutSuite Prowler GNU debugger (GDB)

Prowler

Which of the following describes an attack where injected script is immediately mirrored off a web server when a user inputs data in a form or search field? Reflected cross-site scripting Stored cross-site scripting Port mirroring MAC spoofing

Reflected cross-site scripting

A large-scale business needs a system to control field devices with embedded PLCs on multiple sites spread over a large geographical area. What system should an Information Security Program Manager choose to BEST suit the coverage needed for this business? SCADA DCS HMI ICS

SCADA

Many industries use automated systems to manage the control of machinery and equipment, which is critical to a company's safety, productivity, and efficiency. What technology governs the whole process automation system? SCADA PLC ICSs DCS

SCADA

What system manages large-scale, multiple-site devices and equipment spread over geographically large areas from a housed server to field devices? ICS PLC SCADA HMI

SCADA

Which of the following is used to monitor and control PLC systems? DCS SCADA HMI Modbus

SCADA

A power plant's operational technology specialist routinely inspects all operational controls. Which of the following are examples of operational technologies (OT)? (Select three.) LOIC SCADA systems ICSs PlugBot SaaS PLCs Trinoo

SCADA systems ICSs PLCs

A cybersecurity analyst for a small company ensures the company's email security by configuring Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). The analyst needs to explain to other employees how SPF and DKIM work together. Which of the following statements correctly explain the role of SPF and DKIM in securing email communications? (Select two.) SPF and DKIM work together to scan for malware. SPF and DKIM allow the recipient to report back to the sender emails that failed the security measures. SPF and DKIM together prevent email spoofing and ensure message authenticity. SPF verifies the message content while DKIM verifies the source IP address of incoming messages. SPF verifies the source IP address of incoming messages while DKIM verifies the message content.

SPF and DKIM together prevent email spoofing and ensure message authenticity. SPF verifies the source IP address of incoming messages while DKIM verifies the message content.

The field in the image below is supposed to return just the username associated with the user ID (a number). The output in the image, however, includes more information, including the username running the database. What is being exploited here? SQL cross-site scripting User enumeration with SQL SQL injection PHP remote file inclusion

SQL Injection

Which of the following cyberattacks involves an attacker inserting their own code through a data entry point created for regular users in such a way that the server accepts the malicious code as legitimate? ARP poisoning SQL injection DoS Session hijacking

SQL Injection

Which of the following types of attacks involves constructing malicious commands with the goal of modifying a database? Overflow attack SQL injection Directory traversal DDoS

SQL Injection

A monster truck forum permits users to upload URLs of their favorite monster truck videos for their friends to view. An attacker submits a specially crafted URL that includes a call for the forum's internal network resources, and the web application processes the request without proper validation. The internal network, trusting the forum server, complies with the malicious call, permitting the attacker to steal payment information from the internal database. What vulnerability does this situation describe? Cryptographic failures CSRF SSRF XSS

SSRF

A security consultant uses a software tool to perform security tests for an organization's cloud presence. Which tool will the consultant use in an attempt to gain a list of all virtual machine and storage container instances? Nessus Scout Suite OpenVAS Arachni

Scout Suite

A coworker has run Scout Suite against your Microsoft Azure environment. What were they looking for? Scout Suite scans cloud deployments for viruses. Scout Suite is used to determine software version risks on cloud deployments. Scout Suite is used to show potential security risks on cloud deployments. Scout Suite is used to help increase efficiency of cloud resources.

Scout Suite is used to show potential security risks on cloud deployments.

It is important to be prepared for a DoS attack, as these attacks are becoming more common. Which of the following BEST describes the response you should take for a service degradation? Add extra services, such as load balancing and excess bandwidth. Set services to throttle or shut down. Include a checklist of all threat assessment tools. Have more than one upstream connection to use as a failover.

Set services to throttle or shut down.

Which IDS method searches for intrusion or attack attempts by recognizing patterns or identifying entities listed in a database? Heuristics-based IDS Anomaly-analysis-based IDS Stateful-inspection-based IDS Signature-based IDS

Signature-based IDS

An attack targets ICMP protocol vulnerabilities and is conducted by creating ICMP echo request packets using the spoofed IP address of the target machine. It then sends packets to the broadcast address network, which results in numerous devices responding with replies to the target's IP address, disabling it. Which type of attack is this? Land DDoS attack MAC flooding attack Smurf DDoS attack TCP fragmentation attack

Smurf DDoS attack

You configure your switches to shut down a port immediately after it is accessed by an unauthorized user. Which type of attack are you trying to prevent? Sniffing Ransomware Trojans Rootkits

Sniffing

DDoS attacks are successful when they use all available bandwidth. What is the method an attacker normally uses to consume all available bandwidth to a targeted server? Sending fake UDP or ICMP packets larger than the MTU which cannot be reassembled, causing the server to crash. Focusing on the connection state tables of firewalls, load balancers, and application servers. Spoofing a target IP address by opening connections with multiple servers, then directing all SYN/ACK responses to the target server. Using intermediary computers to amplify small requests into larger payloads to overwhelm the server.

Spoofing a target IP address by opening connections with multiple servers, then directing all SYN/ACK responses to the target server.

You are currently attempting to establish a baseline of regular network traffic to detect potential DDoS attacks. At the moment, you are choosing a representative period for data collection. Which step in establishing a baseline are you currently working on? Step 2 Step 4 Step 1 Step 3

Step 1

Business email compromise attacks have been increasingly waged against corporations' email systems. Attackers exploit an auto-forwarding email vulnerability to set emails that contain keywords to be redirected to their own inboxes. Which of the following BEST helps protect against this form of attack? Screen block signatures in emails. Configure firewalls to deny ICMP traffic. Extract a kernel memory dump. Sync email accounts settings.

Sync email accounts settings.

An analyst reviews an alert detecting a rogue backend server being deployed behind the company's load balancer. The analyst attempts multiple map scans in hopes of identifying the possible threat but fails to reach the destination. What problem is presented in this instance? The screened subnet firewall is blocking the scans. The load balancer's enumeration processes are causing the attempts to fail. The analyst did not prepare the scan correctly. The analyst does not have enough permissions.

The screened subnet firewall is blocking the scans.

While performing an audit of your company's network, you use Wireshark to sniff the network and then use the tcp contains password command to filter and see the results below. What might you conclude based on these findings? No conclusions can be made based on the information given. Someone is using a very weak password for their login to an HTTPS site. There is a field on a website that someone on your network logged in to that is named "password". There is a website that someone on your network logged in to that has no encryption.

There is a website that someone on your network logged in to that has no encryption.

Which of the following are uses for the sqlmap utility? (Select two.) To detect vulnerable web apps To rework SQL structures in existing databases for greater security To map SQL structures for MySQL databases To determine SQL server parameters, including version, usernames, operating systems, etc. To define structures for a properly secure SQL implementation

To detect vulnerable web apps To determine SQL server parameters, including version, usernames, operating systems, etc.

Which of the following BEST describes the purpose of the wireless attack type known as wardriving? To capture user's critical information, such as passwords or bank account numbers. To trick a user into using the hacker's access point. To find information that will help breach a victim's wireless network. To block a company's authorized wireless communications using radio noise or signals.

To find information that will help breach a victim's wireless network.

Which of the following analysis methods involves looking at data over a period of time and then uses those patterns to make predictions about future events? Heuristic Trend Anomaly-based Signature detection

Trend

Which of the following statements are true when describing heuristic analysis? (Select two.) Involves security teams analyzing logs and data. Looks at frequency, volume, and statistical deviations in data. Triggers an alert when any activity falls outside a baseline. Requires little human interaction. Analyzes data over a period of time to establish patterns.

Triggers an alert when any activity falls outside a baseline. Requires little human interaction.

A company assigns a security analyst to monitor the network traffic and identify any potential security breaches. The analyst is debating between using Wireshark or tcpdump to analyze the network packets for unusual network activity. Which of the following statements about Wireshark and tcpdump is true? tcpdump is a graphical user interface tool, while Wireshark is a command line tool. Wireshark and tcpdump are both command line tools an analyst can use for network analysis. Wireshark is a graphical user interface tool, while tcpdump is a command line tool. Wireshark and tcpdump are both graphical user interface tools an analyst can use for network analysis.

Wireshark is a graphical user interface tool, while tcpdump is a command line tool.

You are monitoring your network's traffic, looking for signs of strange activity. After looking at the logs, you see that there was a recent spike in database read volume. Could this be a problem and why? Yes. A spike in database read volume can show that a hacker has downloaded a great deal of information from the database. No. A spike in database read volume is a normal occurrence that is not suspicious. No. A spike in database read volume is only a problem if it happens multiple times in a short period. Yes. A spike in database read volume can show that someone is trying to use a brute force attack.

Yes. A spike in database read volume can show that a hacker has downloaded a great deal of information from the database.

You are looking through your network usage logs and notice logins from a variety of geographic locations that are far from where your employees usually log in. Could this be a problem and why? Yes. Logins from strange geographical locations can show that a hacker is trying to gain access from a remote location. No. Logins from strange geographical locations happen when data is sent to distant servers. Yes. Logins from strange geographical locations can show that your own employees are trying to hack you. No. Logins from strange geographical locations often happen from employees working remotely.

Yes. Logins from strange geographical locations can show that a hacker is trying to gain access from a remote location.

You are reviewing packets captured by a co-worker. The traffic is from a Linux server that hosts private customer data, and your job is to analyze the content for potential security risks. The .pcap file appears to be a bit small for what you wanted. (It contains traffic to and from the target system during a given time period.) Some of that traffic is shown below. You suspect that only SSH traffic is represented in this capture, which was done with tcpdump. What command do you think your co-worker used to capture only SSH traffic? tcpdump port 22 tcpdump -i eth0 tcpdump port 21 tcpdump -p 21

tcpdump port 22

A security analyst is testing to find SQL injection vulnerabilities. She uses automation of a large volume of random data inserted into the web application's input fields in order to check the output. Which type of testing was done? Dynamic testing Fuzz testing Static testing Function testing

Fuzz testing

Which of the following ICS components allows an operator in a manufacturing plant to make configuration changes in the ICS system? Modbus SCADA HMI PLC

HMI

Which of the following can contain a wealth of information that can be used to determine the authenticity of an email? Signature block Content block Header block From line

Header block

You are the security analyst for your organization. During a vulnerability analysis, you have noticed the following: File attributes being altered Unknown .ozd files Files that do not match the existing naming scheme Changes to the log files Which of the following do these signs indicate has occurred? Host-based intrusion Protocol-based attack Network-based intrusion Blacklisting

Host-based intrusion

Which of the following handles the workflow and automation processes for all sorts of machinery? ECU CAN FPGA ICS

ICS

Which of the following is a security service that monitors network traffic in real time or reviews the audit logs on servers looking for security violations? Firewall Padded cell IDS Switch

IDS

After a sniffing attack has been discovered on an organization's large network, Jim, a security analyst, has been asked to take steps to secure the network from future attacks. The organization has multiple buildings and departments. Which of the following is the BEST step Jim could take to make the network more secure? Set switches to promiscuous mode. Implement switched networks. Relocate the key organizational workstations into one central location. Remove all wireless access points on the network.

Implement switched networks

A company has recently discovered that its network has become slow and unreliable, with frequent outages and disruptions. An IT staff member suspects that rogue devices on the network could be causing these issues. What are the BEST ways to identify rogue devices on a network? (Select three.) Install endpoint security software on all devices connected to the network to monitor and control device access. Conduct network scans using tools like Nmap to identify active devices on the network. Use intrusion detection systems (IDS) to monitor network traffic and identify devices that do not belong on the network. Implement 802.1x network access control. Implement port security on network switches to limit the number of devices connected to the network. Perform network scans and ping sweeps. Perform packet sniffing and traffic flow analysis.

Install endpoint security software on all devices connected to the network to monitor and control device access. Conduct network scans using tools like Nmap to identify active devices on the network. Use intrusion detection systems (IDS) to monitor network traffic and identify devices that do not belong on the network.

There are several types of signature evasion techniques. Which of the following BEST describes the obfuscated code technique? Can be used to represent a SQL query Uses the CHAR function to represent a character Is a SQL statement that is hard to read and understand Inserts in-line comments between SQL keywords

Is a SQL statement that is hard to read and understand

Which of the following BEST describes the countermeasures you would take against a cross-site request forgery attack? Avoid using redirects and forwards. If you must use them, be sure that the supplied values are valid and the user has appropriate authorization. Use SSL for all authenticated parts of an application. Verify whether user information is stored in a hashed format. Do not submit session data as part of a GET or POST. Set the secure flag on all sensitive cookies. Ensure that certificates are valid and are not expired. All non-SSL web page requests should be directed to the SSL page. Log off immediately after using a web application. Clear the history after using a web application, and don't allow your browser to save your login details.

Log off immediately after using a web application. Clear the history after using a web application, and don't allow your browser to save your login details.

As a security analyst, you want to evade an IDS system while testing for SQL injection vulnerabilities. Which of the following actions will help you avoid detection? Use a hijacked session ID to not be recognized. Limit the number of MAC addresses a switch port can learn and accept. Use in-line comments in strings. Use switched networks to segment traffic to create isolation.

Use in-line comments in strings.

Which of the scenarios below might justify using a MAC address spoofing tool when connecting to your company's network? (Select two.) Your IT director has banned all personal devices from accessing the wireless network, but you use your own laptop for work. Getting an exception for your device, however, is taking too long. You want to test the list of banned MAC addresses on your network. A new web server that is for internal-only use has a firewall that only allows a list of six devices to access resources. You need to verify all other MAC addresses are blocked. You set up the rules for blocking MAC addresses but got a new laptop and haven't had time to update the allowed list to include its wireless card. Your personal Android phone is used by you to accept forwarded phone calls from your desk. You need to spoof a MAC address on the device since only devices on the list of allowed MACs have access according to

You want to test the list of banned MAC addresses on your network. A new web server that is for internal-only use has a firewall that only allows a list of six devices to access resources. You need to verify all other MAC addresses are blocked.

Which set of tools is often used to intercept the four-way handshake? inSSIDer Plus Reaver WiFi Explorer aircrack-ng

aircrack-ng

The IT director has requested that you verify that traffic to a new server from her machine goes only where it is supposed to and can't be redirected to another IP address. You decide to attempt to manipulate traffic on the network to see if things are really secure. You have pulled up Ettercap and plan on using one of the plug-ins for testing. Which of the displayed plug-ins should you use? isolate scan_poisoner dns_spoof remote_browser

dns_spoof

When it comes to obfuscation mechanisms, nmap has the ability to generate decoys, meaning that detection of the actual scanning system becomes much more difficult. Which of the following is the proper nmap command used to generate decoys? nmap -D RND:10 target_IP_address nmap -S RND:20 target_IP_address nmap -D RND:01 target_IP_address nmap -S RND:11 target_IP_address

nmap -D RND:10 target_IP_address

There is strong evidence that a machine is compromised on your company network, but you have not determined which computer. You are going to try to pinpoint the host by scanning for any network devices that are in promiscuous mode. Which of the following Nmap scripts would you use? sniffer-detect icap-info vulners finger

sniffer-detect
