Domain 1
A user uses a file joiner to join her documents with a piece of code and sends her document to a second user. When the second user opens it, a harmful secret code executes and shuts down the system. This code is called:
A virus Explanation: A virus executes on a trigger. Worms do not require a trigger. Root kits and Trojans do not necessarily execute when opened and do not necessarily immediately create an impact. Ransomware does create an impact but in the form of money and does not bring the system down immediately.
Which of these attacks is based on the probability that two different messages using the same hash function would produce the same message digest? A. Birthday attack B. Adaptive chosen ciphertext C. Meet in the middle attack D. Man in the middle attack
A. Birthday attack Explanation: A birthday attack focuses on hashing algorithms. It is a brute-force attack in which the attacker decrypts messages until two with the same plaintext are found. This type of attack is based on the statistic that there is more than a 50% chance that two out of 23 people in a room will have the same birthday. To match a selected day, 253 people would need to be in the room.
Which of the following password attacks would be most successful against the password P93k@s63N? A. Brute force B. Dictionary C. Password guessing D. All of these
A. Brute force Explanation: In a brute-force attack, every combination of letters, numbers, and symbols is tried. Since the password is relatively complex, and does not conform to any regular words/phrases, both dictionary and guessing attacks would not be as successful.
Which of the following types of computer crimes is considered a masquerade attack? A. IP spoofing B. Data diddling C. Salami D. Wiretapping
A. IP spoofing Explanation: IP spoofing is considered a masquerade attack because the attacker pretends to be someone else by changing their IP address.
Which of the following assessment types performs a test of the system for internal threats? A. On-site infrastructure security assessment B. Application security assessment C. Auditing system security assessment D. Infrastructure security assessment
A. On-site infrastructure security assessment Explanation: The correct response is on-site infrastructure security assessment. This type of assessment is a category which covers internal threats which can be exploited from inside the organization's boundaries.
Which of the following is the most dangerous type of attack against a WLAN? A. Rogue access point B. MAC spoofing C. DNS spoofing D. Eavesdropping
A. Rogue access point Explanation: A rogue AP is the most dangerous attack on a WLAN because it may serve as an open door to the network for a hacker.
Which of these will take the longest? A. black box testing B. white box testing C. Ethical hacking D. grey box testing
A. black box testing Explanation: In a black box test we start with zero prior knowledge, requiring more time for information collecting and vulnerability discovery/exploitation.
Which of the following requires no trigger to replicate? A. worms B. viruses C. Trojans D. malware
A. worms Explanation: Worms do not require a trigger to replicate. Viruses and Trojans require human action to replicate. Malware is a broad umbrella under which virus, worms, and RAT fall. Adware are web pages that pop up advertisements, and are usually harmless.
What is the type of attack where someone uses a MITM attack to falsify an ARP entry on 2 network devices
ARP poisoning Explanation: A Man-In-The-Middle (MITM) attack is achieved when an attacker poisons the ARP cache of two devices with the (48-bit) MAC address of their Ethernet NIC (Network Interface Card). Once the ARP cache has been successfully poisoned, each of the victim devices send all their packets to the attacker when communicating to the other device. This puts the attacker in the middle of the communications path between the two victim devices; hence the name Man-In-The-Middle (MITM) attack. It allows an attacker to easily monitor all communication between victim devices. The objective of this MITM attack is to take over a session. The intent is to intercept and view the information being passed between the two victim devices.
A helpdesk employee receives a call from a person that pretends to be a high level manager and request an immediate password reset, over the phone, for his account, because he forgot the password and needs urgent access. This could be one of which of the following social engineering attack types? A. Phishing attack B. Pretexting attack C. Baiting attacks D. Authentication Attack
B. Pretexting attack Explanation: Pretexting is the act of creating and using an invented scenario (the pretext) to engage a targeted victim in a manner that increases the chance the victim will divulge information or perform actions. An elaborate lie, it most often involves some prior research or setup and the use of this information for impersonation to establish legitimacy in the mind of the target.
A virus which infects the key operating system files located in system's boot sector is called __________.
Boot virus Explanation: As the name suggests, such viruses are called the boot sector viruses.
Which of the following types of pen testing best simulates the perspective of a disgruntled employee who has been fired from the company? A. Internal and White Box B. External and Black Box C. External and White Box D. Internal and Black Box
C. External and White Box Explanation: A disgruntled employee will have inside knowledge of the system (white box) but since he/she has been fired from the job he no longer has access to the systems internally (external).
Which of the following approaches to security assessment would be the best to gather intelligence on how much access employees have internally? A. White box testing B. Black box testing C. Grey box testing D. All of the above
C. Grey box testing Explanation: Not all employees will have full knowledge of a system, so starting from a grey box perspective will give a better view into how much the average employees will be able to know, find out about and/or exploit the system than a white or black box test.
Which of the following are examples of computer worms? A. Code Red B. Flame C. Slammer D. Both Code Red and Slammer
D. Both Code Red and Slammer Explanation: Code Red and Slammer are pure worms examples which actively scans and infect other vulnerable systems in a chain-reaction fashion. Whereas 'I Love You' is a virus propagated through e-mail attachments.
Which of the following is the biggest risk of having the SSID broadcast of the wireless access points? A. Session hijacking B. Warchalking C. Wardriving D. Evil twin attack
D. Evil twin attack Explanation: Broadcasting an SSID allows an attacker to know and replicate the SSID as an evil twin, tricking victims into connecting to a malicious access point.
You don't need to crack a password in which of the following attacks? A. Brute force B. Dictionary C. Rainbow table D. Replay
D. Replay Replay attacks are based on resending a packet at a later time and don't involve password cracking. You could also just use the hash of a password with Pass The Hash.
Which attack commonly targets file and print, email, and directory servers?
DoS Explanation: This attack commonly targets files and print servers and e-mail servers in order to make their services unavailable to the organization.
True or False? Filename extension blacklisting in email systems is an effective way to stop malware?
FALSE Explanation: In order to keep the business running, some filename extensions will be allowed anyway - like .DOC or .PDF. Attackers will insert malicious components in those allowed file types.
In DDOS attack the botnet is controlled by the zombie? True or false.
False Explanation: DDoS stands for Distributed Denial of Service. A DDoS attack is a malicious attempt to make a server or a network resource unavailable to users, usually by temporarily interrupting or suspending the services of a host connected to the Internet. Unlike a Denial of Service (DoS) attack, in which one computer and one internet connection is used to flood targeted resource with packets, a DDoS attack uses many computers (called zombies) and many Internet connections.
An access control attack where an attacker has stolen the users credentials and they login as the user accessing their resources is known as what?
Impersonation attack Explanation: An impersonation attack is caused by attackers with stolen credentials who use them to access the users resources. They are able to bypass authentication mechanisms and take the desired data.
How can IP spoofing attacks be prevented?
Ingress filtering Explanation: Ingress filtering in routers greatly decreases the chance of IP spoofing attacks by ensuring packets come from the IP address they are claiming to have been sent by.
An attack that is triggered by a specific event or by a date is called...
Logic bomb Explanation: Such attacks are called 'logic bombs' which trigger when some condition(s) is satisfied
What type of attack describes when e-mails look like they are coming from a legitimate business, with a link to click on to a trusted site, but are actually coming from attackers trying to get username, password, personal and/or financial information?
Phishing Explanation: Phishing is an email potentially to a large random set of people that appears to be from an individual or business that you recognize. (social engineering) But it isn't. It's from the same criminal hackers who want your credit card and bank account numbers, passwords, and the financial information on your PC.
Which malware gives control to the remote hacker and controls the system in which it is installed?
RAT Explanation: Remote Access Trojan (RAT) allows the hacker to control the computer system, sometimes giving administrator-level access. Viruses impact the system for availability. Worms are designed to bring down the network. Malware is a broad umbrella under which virus, worms and RAT fall. Adware are web pages that pop up advertisements, and are usually harmless.
Katy helps a user whose system is running slow and randomly rebooting. While troubleshooting she realized that she no longer has administrative rights. What is likely to be the problem?
Rootkit Explanation: A slow-running system and random reboot problem indicates a malware infection, and changes administrative rights indicates that a process with kernel access, can only be a rootkit.
What is a common DoS (denial of service) attack?
SYN flooding Explanation: A SYN flooding attack involves having a client repeatedly send SYN packets to every port on a server, using fake IP addresses. When an attack begins, the server sees the equivalent of multiple attempts to establish communications. The server responds to each attempt with a SYN/ACK response then a rst (reset) response. As the server continues to hold/open connections, its resources are quickly depleted, resulting in a DoS.
Which attack uses IP spoofing and broadcasting to send PING requests to hosts on the network?
Smurf attack Explanation: A Smurf attack is a DDoS atack where multiple machines pretend to have the IP address of a victim. These machines spoof their IP address in a broadcast communication with the network, causing the network to send all of the responses to the victim, flooding the victim with ICMP traffic.
_________ is a phishing attack that zeros in on specific "big fish" targets.
Whaling Explanation: Whaling is a part of the social engineering attacks where an attacker targets seniors/upper level employees of the firm for potential attack
___ testing is a security method performed with complete internal knowledge of the systems.
White box Explanation: White-box testing is a security audit performed on the internal network of an organization by network administration.
Heuristic detection and behavioral blocking can sometimes detect new malwares such as _______________.
Zero-day attacks Explanation: Zero day malware have no known signatures yet