SecPlus Topic 3 - Threats and Vulnerabilities
QUESTION NO: 532 A security administrator must implement all requirements in the following corporate policy: Passwords shall be protected against offline password brute force attacks. Passwords shall be protected against online password brute force attacks. Which of the following technical controls must be implemented to enforce the corporate policy? (Select THREE). A. Account lockout B. Account expiration C. Screen locks D. Password complexity E. Minimum password lifetime F. Minimum password length
A. Account lockout D. Password complexity F. Minimum password length Explanation: F: Minimum password length. This policy specifies the minimum number of characters a password should have. For example: a minimum password length of 8 characters is regarded as good security practice. D: Password complexity determines what characters a password should include. For example, you could require a password to contain uppercase and lowercase letters and numbers. This will ensure that passwords don't consist of dictionary words which are easy to crack using brute force techniques. A: Account lockout policy: This policy ensures that a user account is locked after a number of incorrect password entries. For example, you could specify that if a wrong password is entered three times, the account will be locked for a period of time or indefinitely until the account is unlocked by an administrator.
QUESTION NO: 506 Which of the following describes a type of malware which is difficult to reverse engineer in a virtual lab? A. Armored virus B. Polymorphic malware C. Logic bomb D. Rootkit
A. Armored virus Explanation: An armored virus is a type of virus that has been designed to thwart attempts by analysts from examining its code by using various methods to make tracing, disassembling and reverse engineering more difficult. An Armored Virus may also protect itself from antivirus programs, making it more difficult to trace. To do this, the Armored Virus attempts to trick the antivirus program into believing its location is somewhere other than where it really is on the system.
QUESTION NO: 597 A security administrator examines a network session to a compromised database server with a packet analyzer. Within the session there is a repeated series of the hex character 90 (x90). Which of the following attack types has occurred? A. Buffer overflow B. Cross-site scripting C. XML injection D. SQL injection
A. Buffer overflow The hex character 90 (x90) means NOP or No Op or No Operation. In a buffer overflow attack, the buffer can be filled and overflowed with No Op commands.
QUESTION NO: 529 Which of the following is described as an attack against an application using a malicious file? A. Client side attack B. Spam C. Impersonation attack D. Phishing attack
A. Client side attack Explanation: In this question, a malicious file is used to attack an application. If the application is running on a client computer, this would be a client side attack. Attacking a service or application on a server would be a server side attack.
QUESTION NO: 539 Several bins are located throughout a building for secure disposal of sensitive information. Which of the following does this prevent? A. Dumpster diving B. War driving C. Tailgating D. War chalking
A. Dumpster diving Explanation: Dumpster diving is looking for treasure in someone else's trash.
QUESTION NO: 558 After a recent breach, the security administrator performs a wireless survey of the corporate network. The security administrator notices a problem with the following output: MACSSIDENCRYPTIONPOWERBEACONS 00:10:A1:36:12:CCMYCORPWPA2 CCMP601202 00:10:A1:49:FC:37MYCORPWPA2 CCMP709102 FB:90:11:42:FA:99MYCORPWPA2 CCMP403031 00:10:A1:AA:BB:CCMYCORPWPA2 CCMP552021 00:10:A1:FA:B1:07MYCORPWPA2 CCMP306044 Given that the corporate wireless network has been standardized, which of the following attacks is underway? A. Evil twin B. IV attack C. Rogue AP D. DDoS
A. Evil twin The question states that the corporate wireless network has been standardized. By 'standardized' it means the wireless network access points are running on hardware from the same vendor. We can see this from the MAC addresses used. The first half of a MAC address is vendor specific. The second half is network adapter specific. We have four devices with MAC addresses that start with 00:10:A1. The "odd one out" is the device with a MAC address starting FB:90:11. This device is from a different vendor. The SSID of the wireless network on this access point is the same as the other legitimate access points. Therefore, the access point with a MAC address starting FB:90:11 is impersonating the corporate access points. This is known as an Evil Twin.
QUESTION NO: 570 Sara, a security administrator, is noticing a slow down in the wireless network response. Sara launches a wireless sniffer and sees a large number of ARP packets being sent to the AP. Which of the following type of attacks is underway? A. IV attack B. Interference C. Blue jacking D. Packet sniffing
A. IV attack
QUESTION NO: 515 A network analyst received a number of reports that impersonation was taking place on the network. Session tokens were deployed to mitigate this issue and defend against which of the following attacks? A. Replay B. DDoS C. Smurf D. Ping of Death
A. Replay Explanation: A replay attack (also known as playback attack) is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack by IP packet substitution (such as stream cipher attack).
QUESTION NO: 550 A computer supply company is located in a building with three wireless networks. The system security team implemented a quarterly security scan and saw the following. SSIDStateChannelLevel Computer AreUs1connected170dbm Computer AreUs2connected580dbm Computer AreUs3connected375dbm Computer AreUs4connected695dbm Which of the following is this an example of? A. Rogue access point B. Near field communication C. Jamming D. Packet sniffing
A. Rogue access point Explanation: The question states that the building has three wireless networks. However, the scan is showing four wireless networks with the SSIDs: Computer AreUs1 , Computer AreUs2 , Computer AreUs3 and Computer AreUs4. Therefore, one of these wireless networks probably shouldn't be there. This is an example of a rogue access point.
QUESTION NO: 586 Highly sensitive data is stored in a database and is accessed by an application on a DMZ server. The disk drives on all servers are fully encrypted. Communication between the application server and end-users is also encrypted. Network ACLs prevent any connections to the database server except from the application server. Which of the following can still result in exposure of the sensitive data in the database server? A. SQL Injection B. Theft of the physical database server C. Cookies D. Cross-site scripting
A. SQL Injection
QUESTION NO: 582 A security administrator looking through IDS logs notices the following entry: (where [email protected] and passwd= 'or 1==1') Which of the following attacks had the administrator discovered? A. SQL injection B. XML injection C. Cross-site script D. Header manipulation
A. SQL injection The code in the question is an example of a SQL Injection attack. The code '1==1' will always provide a value of true. This can be included in statement designed to return all rows in a SQL table.
QUESTION NO: 583 Which of the following types of application attacks would be used to specifically gain unauthorized information from databases that did not have any input validation implemented? A. SQL injection B. Session hijacking and XML injection C. Cookies and attachments D. Buffer overflow and XSS
A. SQL injection To access information in databases, you use SQL. To gain unauthorized information from databases, a SQL Injection attack is used.
QUESTION NO: 549 Users are encouraged to click on a link in an email to obtain exclusive access to the newest version of a popular Smartphone. This is an example of. A. Scarcity B. Familiarity C. Intimidation D. Trust
A. Scarcity Explanation: Scarcity, in the area of social psychology, works much like scarcity in the area of economics. Simply put, humans place a higher value on an object that is scarce, and a lower value on those that are abundant. The thought that we, as humans, want something we cannot have drives us to desire the object even more. This idea is deeply embedded in the intensely popular, "Black Friday" shopping extravaganza that U.S. consumers participate in every year on the day after Thanksgiving. More than getting a bargain on a hot gift idea, shoppers thrive on the competition itself, in obtaining the scarce product.
QUESTION NO: 536 An investigator recently discovered that an attacker placed a remotely accessible CCTV camera in a public area overlooking several Automatic Teller Machines (ATMs). It is also believed that user accounts belonging to ATM operators may have been compromised. Which of the following attacks has MOST likely taken place? A. Shoulder surfing B. Dumpster diving C. Whaling attack D. Vishing attack
A. Shoulder surfing Explanation: The CCTV camera has recorded people entering their PINs in the ATMs. This is known as shoulder surfing.
QUESTION NO: 512 A security technician at a small business is worried about the Layer 2 switches in the network suffering from a DoS style attack caused by staff incorrectly cabling network connections between switches. Which of the following will BEST mitigate the risk if implemented on the switches? A. Spanning tree B. Flood guards C. Access control lists D. Syn flood
A. Spanning tree Explanation: Spanning Tree is designed to eliminate network 'loops' from incorrect cabling between switches. The Spanning-Tree Protocol (STP) was created to overcome the problems of transparent bridging in redundant networks. The purpose of STP is to avoid and eliminate loops in the network by negotiating a loop-free path through a root bridge. This is done by determining where there are loops in the network and blocking links that are redundant.
QUESTION NO: 544 A database administrator receives a call on an outside telephone line from a person who states that they work for a well-known database vendor. The caller states there have been problems applying the newly released vulnerability patch for their database system, and asks what version is being used so that they can assist. Which of the following is the BEST action for the administrator to take? A. Thank the caller, report the contact to the manager, and contact the vendor support line to verify any reported patch issues. B. Obtain the vendor's email and phone number and call them back after identifying the number of systems affected by the patch. C. Give the caller the database version and patch level so that they can receive help applying the patch. D. Call the police to report the contact about the database systems, and then check system logs for attack attempts.
A. Thank the caller, report the contact to the manager, and contact the vendor support line to verify any reported patch issues. Explanation: Impersonation is where a person, computer, software application or service pretends to be someone or something it's not. Impersonation is commonly non-maliciously used in client/server applications. However, it can also be used as a security threat. In this question, the person making the call may be impersonating someone who works for a wellknown database vendor. The actions described in this answer would mitigate the risk. By not divulging information about your database system and contacting the vendor directly, you can be sure that you are talking to the right people.
QUESTION NO: 587 Which of the following BEST describes a SQL Injection attack? A. The attacker attempts to have the receiving server pass information to a back-end database from which it can compromise the stored information. B. The attacker attempts to have the receiving server run a payload using programming commonly found on web servers. C. The attacker overwhelms a system or application, causing it to crash and bring the server down to cause an outage. D. The attacker overwhelms a system or application, causing it to crash, and then redirects the memory address to read from a location holding the payload.
A. The attacker attempts to have the receiving server pass information to a back-end database from which it can compromise the stored information.
QUESTION NO: 533 A recent spike in virus detections has been attributed to end-users visiting www.compnay.com. The business has an established relationship with an organization using the URL of www.company.com but not with the site that has been causing the infections. Which of the following would BEST describe this type of attack? A. Typo squatting B. Session hijacking C. Cross-site scripting D. Spear phishing
A. Typo squatting Explanation: Typosquatting, also called URL hijacking or fake url, is a form of cybersquatting, and possibly brandjacking which relies on mistakes such as typographical errors made by Internet users when inputting a website address into a web browser. Should a user accidentally enter an incorrect website address, they may be led to any URL (including an alternative website owned by a cybersquatter).
QUESTION NO: 577 Which of the following wireless protocols could be vulnerable to a brute-force password attack? (Select TWO). A. WPA2-PSK B. WPA - EAP - TLS C. WPA2-CCMP D. WPA -CCMP E. WPA - LEAP F. WEP
A. WPA2-PSK F. WEP A brute force attack is an attack that attempts to guess a password. WPA2-PSK and WEP both use a "Pre-Shared Key". The pre-shared key is a password and therefore is susceptible to a brute force attack.
QUESTION NO: 547 Which of the following is characterized by an attacker attempting to map out an organization's staff hierarchy in order to send targeted emails? A. Whaling B. Impersonation C. Privilege escalation D. Spear phishing
A. Whaling Explanation: A whaling attack is targeted at company executives. Mapping out an organization's staff hierarchy to determine who the people at the top are is also part of a whaling attack.
QUESTION NO: 555 Which of the following attacks would cause all mobile devices to lose their association with corporate access points while the attack is underway? A. Wireless jamming B. Evil twin C. Rogue AP D. Packet sniffing
A. Wireless jamming
QUESTION NO: 580 Pete, the security administrator, has been notified by the IDS that the company website is under attack. Analysis of the web logs show the following string, indicating a user is trying to post a comment on the public bulletin board. INSERT INTO message `<script>source=http://evilsite</script> This is an example of which of the following? A. XSS attack B. XML injection attack C. Buffer overflow attack D. SQL injection attack
A. XSS attack The <script> </script> tags indicate that script is being inserted.
QUESTION NO: 499 A trojan was recently discovered on a server. There are now concerns that there has been a security breach that allows unauthorized people to access data. The administrator should be looking for the presence of a/an: A. Logic bomb. B. Backdoor. C. Adware application. D. Rootkit.
B. Backdoor Explanation: A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing unauthorized remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected. The backdoor may take the form of an installed program (e.g., Back Orifice) or may subvert the system through a rootkit.
QUESTION NO: 562 Joe, an employee is taking a taxi through a busy city and starts to receive unsolicited files sent to his Smartphone. Which of the following is this an example of? A. Vishing B. Bluejacking C. War Driving D. SPIM
B. Bluejacking
QUESTION NO: 563 A user commuting to work via public transport received an offensive image on their smart phone from another commuter. Which of the following attacks MOST likely took place? A. War chalking B. Bluejacking C. War driving D. Bluesnarfing
B. Bluejacking
QUESTION NO: 561 Which of the following describes how Sara, an attacker, can send unwanted advertisements to a mobile device? A. Man-in-the-middle B. Bluejacking C. Bluesnarfing D. Packet sniffing
B. Bluejacking Bluejacking is the sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones, PDAs or laptop computers
QUESTION NO: 504 Pete, a security analyst, has been tasked with explaining the different types of malware to his colleagues. The two malware types that the group seems to be most interested in are botnets and viruses. Which of the following explains the difference between these two types of malware? A. Viruses are a subset of botnets which are used as part of SYN attacks. B. Botnets are a subset of malware which are used as part of DDoS attacks. C. Viruses are a class of malware which create hidden openings within an OS. D. Botnets are used within DR to ensure network uptime and viruses are not.
B. Botnets are a subset of malware which are used as part of DDoS attacks. Explanation: A botnet is a collection of Internet-connected programs communicating with other similar programs in order to perform tasks. This can be as mundane as keeping control of an Internet Relay Chat (IRC) channel, or it could be used to send spam email or participate in distributed denial-of-service attacks. The word botnet is a combination of the words robot and network. The term is usually used with a negative or malicious connotation.
A server administrator notes that a legacy application often stops running due to a memory error. When reviewing the debugging logs, they notice code being run calling an internal process to exploit the machine. Which of the following attacks does this describe? A. Zero-day B. Buffer overflow C. Cross site scripting D. Malicious add-on
B. Buffer overflow
QUESTION NO: 592 Data execution prevention is a feature in most operating systems intended to protect against which type of attack? A. Cross-site scripting B. Buffer overflow C. Header manipulation D. SQL injection
B. Buffer overflow Data Execution Prevention (DEP) is a security feature included in modern operating systems. It marks areas of memory as either "executable" or "nonexecutable", and allows only data in an "executable" area to be run by programs, services, device drivers, etc. It is known to be available in Linux, OS X, Microsoft Windows, iOS and Android operating systems.
QUESTION NO: 593 Which of the following application attacks is used to gain access to SEH? A. Cookie stealing B. Buffer overflow C. Directory traversal D. XML injection
B. Buffer overflow Microsoft's implementation of Data Execution Prevention (DEP) mode explicitly protects the pointer to the Structured Exception Handler (SEH) from being overwritten.
QUESTION NO: 594 While opening an email attachment, Pete, a customer, receives an error that the application has encountered an unexpected issue and must be shut down. This could be an example of which of the following attacks? A. Cross-site scripting B. Buffer overflow C. Header manipulation D. Directory traversal
B. Buffer overflow When the user opens an attachment, the attachment is loaded into memory. The error is caused by a memory issue due to a buffer overflow attack.
QUESTION NO: 596 Which of the following was launched against a company based on the following IDS log? 122.41.15.252 - - [21/May/2012:00:17:20 +1200] "GET /index.php?username=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA A AAA HTTP/1.1" 200 2731 "http://www.company.com/cgibin/ forum/commentary.pl/noframes/read/209" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Hotbar 4.4.7.0)" A. SQL injection B. Buffer overflow attack C. XSS attack D. Online password crack
B. Buffer overflow attack The username should be just a username; instead we can see it's a long line of text with an HTTP command in it. This is an example of a buffer overflow attack.
QUESTION NO: 578 A victim is logged onto a popular home router forum site in order to troubleshoot some router configuration issues. The router is a fairly standard configuration and has an IP address of 192.168.1.1. The victim is logged into their router administrative interface in one tab and clicks a forum link in another tab. Due to clicking the forum link, the home router reboots. Which of the following attacks MOST likely occurred? A. Brute force password attack B. Cross-site request forgery C. Cross-site scripting D. Fuzzing
B. Cross-site request forgery
QUESTION NO: 509 A server with the IP address of 10.10.2.4 has been having intermittent connection issues. The logs show repeated connection attempts from the following IPs: 10.10.3.16 10.10.3.23 212.178.24.26 217.24.94.83 These attempts are overloading the server to the point that it cannot respond to traffic. Which of the following attacks is occurring? A. XSS B. DDoS C. DoS D. Xmas
B. DDoS Explanation: A Distributed Denial of Service (DDoS) attack is an attack from several different computers targeting a single computer. One common method of attack involves saturating the target machine with external communications requests, so much so that it cannot respond to legitimate traffic, or responds so slowly as to be rendered essentially unavailable. Such attacks usually lead to a server overload.
QUESTION NO: 528 Users at a company report that a popular news website keeps taking them to a web page with derogatory content. This is an example of which of the following? A. Evil twin B. DNS poisoning C. Vishing D. Session hijacking
B. DNS poisoning Explanation: DNS spoofing (or DNS cache poisoning) is a computer hacking attack, whereby data is introduced into a Domain Name System (DNS) resolver's cache, causing the name server to return an incorrect IP address, diverting traffic to the attacker's computer (or any other computer).
QUESTION NO: 526 A company's employees were victims of a spear phishing campaign impersonating the CEO. The company would now like to implement a solution to improve the overall security posture by assuring their employees that email originated from the CEO. Which of the following controls could they implement to BEST meet this goal? A. Spam filter B. Digital signatures C. Antivirus software D. Digital certificates
B. Digital signatures Explanation: A digital signature is a mathematical technique used to validate the authenticity and integrity of a message, software, or digital document.
QUESTION NO: 560 Matt, an administrator, is concerned about the wireless network being discovered by war driving. Which of the following can be done to mitigate this? A. Enforce a policy for all users to authentic through a biometric device. B. Disable all SSID broadcasting. C. Ensure all access points are running the latest firmware. D. Move all access points into public access areas.
B. Disable all SSID broadcasting.
QUESTION NO: 518 Which of the following will help prevent smurf attacks? A. Allowing necessary UDP packets in and out of the network B. Disabling directed broadcast on border routers C. Disabling unused services on the gateway firewall D. Flash the BIOS with the latest firmware
B. Disabling directed broadcast on border routers Explanation: A smurf attack involves sending PING requests to a broadcast address. Therefore, we can prevent smurf attacks by blocking broadcast packets on our external routers.
QUESTION NO: 540 Physical documents must be incinerated after a set retention period is reached. Which of the following attacks does this action remediate? A. Shoulder Surfing B. Dumpster Diving C. Phishing D. Impersonation
B. Dumpster Diving Explanation: Incinerating documents (or shredding documents) instead of throwing them into a bin will prevent people being able to read the documents to view sensitive information.
QUESTION NO: 538 Ann, an employee, is cleaning out her desk and disposes of paperwork containing confidential customer information in a recycle bin without shredding it first. This is MOST likely to increase the risk of loss from which of the following attacks? A. Shoulder surfing B. Dumpster diving C. Tailgating D. Spoofing
B. Dumpster diving
QUESTION NO: 559 Which of the following types of wireless attacks would be used specifically to impersonate another WAP in order to gain unauthorized information from mobile users? A. IV attack B. Evil twin C. War driving D. Rogue access point
B. Evil twin
QUESTION NO: 569 Which of the following types of attacks involves interception of authentication traffic in an attempt to gain unauthorized access to a wireless network? A. Near field communication B. IV attack C. Evil twin D. Replay attack
B. IV attack
QUESTION NO: 542 Pete's corporation has outsourced help desk services to a large provider. Management has published a procedure that requires all users, when receiving support, to call a special number. Users then need to enter the code provided to them by the help desk technician prior to allowing the technician to work on their PC. Which of the following does this procedure prevent? A. Collusion B. Impersonation C. Pharming D. Transitive Access
B. Impersonation Explanation: Impersonation is where a person, computer, software application or service pretends to be someone or something it's not. Impersonation is commonly non-maliciously used in client/server applications. However, it can also be used as a security threat.
QUESTION NO: 543 Purchasing receives a phone call from a vendor asking for a payment over the phone. The phone number displayed on the caller ID matches the vendor's number. When the purchasing agent asks to call the vendor back, they are given a different phone number with a different area code. Which of the following attack types is this? A. Hoax B. Impersonation C. Spear phishing D. Whaling
B. Impersonation Explanation: In this question, the impersonator is impersonating a vendor and asking for payment. They have managed to 'spoof' their calling number so that their caller ID matches the vendor's number.
QUESTION NO: 502 Ann, a software developer, has installed some code to reactivate her account one week after her account has been disabled. Which of the following is this an example of? (Select TWO). A. Rootkit B. Logic Bomb C. Botnet D. Backdoor E. Spyware
B. Logic Bomb D. Backdoor Explanation: This is an example of both a logic bomb and a backdoor. The logic bomb is configured to 'go off' or activate one week after her account has been disabled. The reactivated account will provide a backdoor into the system.
QUESTION NO: 503 Which of the following malware types is MOST likely to execute its payload after Jane, an employee, has left the company? A. Rootkit B. Logic bomb C. Worm D. Botnet
B. Logic bomb Explanation: This is an example of a logic bomb. The logic bomb is configured to 'go off' or when Jane has left the company.
QUESTION NO: 519 Which of the following wireless security measures can an attacker defeat by spoofing certain properties of their network interface card? A. WEP B. MAC filtering C. Disabled SSID broadcast D. TKIP
B. MAC filtering Explanation: MAC filtering is typically used in wireless networks. In computer networking, MAC Filtering (or GUI filtering, or layer 2 address filtering) refers to a security access control method whereby the 48-bit address assigned to each network card is used to determine access to the network.
QUESTION NO: 571 Maintenance workers find an active network switch hidden above a dropped-ceiling tile in the CEO's office with various connected cables from the office. Which of the following describes the type of attack that was occurring? A. Spear phishing B. Packet sniffing C. Impersonation D. MAC flooding
B. Packet sniffing packet sniffing requires a physical connection to the network. The switch hidden in the ceiling is used to provide the physical connection to the network.
QUESTION NO: 527 A user has unknowingly gone to a fraudulent site. The security analyst notices the following system change on the user's host: Old `hosts' file: 127.0.0.1 localhost New `hosts' file: 127.0.0.1 localhost 5.5.5.5 www.comptia.com Which of the following attacks has taken place? A. Spear phishing B. Pharming C. Phishing D. Vishing
B. Pharming Explanation: We can see in this question that a fraudulent entry has been added to the user's hosts file. This will point the URL: www.comptia.com to 5.5.5.5 instead of the correct IP address.
QUESTION NO: 523 A security administrator notices large amounts of traffic within the network heading out to an external website. The website seems to be a fake bank site with a phone number that when called, asks for sensitive information. After further investigation, the security administrator notices that a fake link was sent to several users. This is an example of which of the following attacks? A. Vishing B. Phishing C. Whaling D. SPAM E. SPIM
B. Phishing Explanation: Phishing is the act of sending an email to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. Phishing email will direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers, that the legitimate organization already has. The website, however, is bogus and set up only to steal the nformation the user enters on the page.
QUESTION NO: 554 Which of the following is where an unauthorized device is found allowing access to a network? A. Bluesnarfing B. Rogue access point C. Honeypot D. IV attack
B. Rogue access point
QUESTION NO: 495 A user casually browsing the Internet is redirected to a warez site where a number of pop-ups appear. After clicking on a pop-up to complete a survey, a drive-by download occurs. Which of the following is MOST likely to be contained in the download? A. Backdoor B. Spyware C. Logic bomb D. DDoS E. Smurf
B. Spyware Explanation Spyware is software that is used to gather information about a person or organization without their knowledge and sends that information to another entity. Whenever spyware is used for malicious purposes, its presence is typically hidden from the user and can be difficult to detect. Some spyware, such as keyloggers, may be installed by the owner of a shared, corporate, or public computer intentionally in order to monitor users.
QUESTION NO: 541 At the outside break area, an employee, Ann, asked another employee to let her into the building because her badge is missing. Which of the following does this describe? A. Shoulder surfing B. Tailgating C. Whaling D. Impersonation
B. Tailgating Explanation: Although Ann is an employee and therefore authorized to enter the building, she does not have her badge and therefore strictly she should not be allowed to enter the building.
QUESTION NO: 566 An administrator has advised against the use of Bluetooth phones due to bluesnarfing concerns. Which of the following is an example of this threat? A. An attacker using the phone remotely for spoofing other phone numbers B. Unauthorized intrusions into the phone to access data C. The Bluetooth enabled phone causing signal interference with the network D. An attacker using exploits that allow the phone to be disabled
B. Unauthorized intrusions into the phone to access data
QUESTION NO: 576 Which of the following protocols is vulnerable to man-in-the-middle attacks by NOT using end to end TLS encryption? A. HTTPS B. WEP C. WPA D. WPA 2
B. WEP
QUESTION NO: 568 The practice of marking open wireless access points is called which of the following? A. War dialing B. War chalking C. War driving D. Evil twin
B. War chalking
QUESTION NO: 548 Which of the following attacks targets high level executives to gain company information? A. Phishing B. Whaling C. Vishing D. Spoofing
B. Whaling Explanation: Whaling is a specific kind of malicious hacking within the more general category of phishing, which involves hunting for data that can be used by the hacker. In general, phishing efforts are focused on collecting personal data about users. In whaling, the targets are high-ranking bankers, executives or others in powerful positions or job titles.
QUESTION NO: 590 Sara, a hacker, is completing a website form to request a free coupon. The site has a field that limits the request to 3 or fewer coupons. While submitting the form, Sara runs an application on her machine to intercept the HTTP POST command and change the field from 3 coupons to 30. Which of the following was used to perform this attack? A. SQL injection B. XML injection C. Packet sniffer D. Proxy
B. XML injection
QUESTION NO: 579 A security administrator develops a web page and limits input into the fields on the web page as well as filters special characters in output. The administrator is trying to prevent which of the following attacks? A. Spoofing B. XSS C. Fuzzing D. Pharming
B. XSS By validating user input and preventing special characters, we can prevent the injection of clientside scripting code.
QUESTION NO: 511 An administrator notices an unusual spike in network traffic from many sources. The administrator suspects that: A. it is being caused by the presence of a rogue access point. B. it is the beginning of a DDoS attack. C. the IDS has been compromised. D. the internal DNS tables have been poisoned.
B. it is the beginning of a DDoS attack. Explanation: A Distributed Denial of Service (DDoS) attack is an attack from several different computers targeting a single computer.
QUESTION NO: 530 Which of the following would BEST deter an attacker trying to brute force 4-digit PIN numbers to access an account at a bank teller machine? A. Account expiration settings B. Complexity of PIN C. Account lockout settings D. PIN history requirements
C. Account lockout settings Explanation: Account lockout settings determine the number of failed login attempts before the account gets locked and how long the account will be locked out for. For example, an account can be configured to lock if three incorrect passwords (or in this case PIN's) are entered. The account can then be configured to automatically unlock after a period of time or stay locked until someone manually unlocks it.
QUESTION NO: 493 Which of the following malware types may require user interaction, does not hide itself, and is commonly identified by marketing pop-ups based on browsing habits? A. Botnet B. Rootkit C. Adware D. Virus
C. Adware
QUESTION NO: 564 Which of the following is characterized by an attack against a mobile device? A. Evil twin B. Header manipulation C. Blue jacking D. Rogue AP
C. Blue jacking
QUESTION NO: 531 Which of the following can be used by a security administrator to successfully recover a user's forgotten password on a password protected file? A. Cognitive password B. Password sniffing C. Brute force D. Social engineering
C. Brute force Explanation: One way to recover a user's forgotten password on a password protected file is to guess it. A brute force attack is an automated attempt to open the file by using many different passwords.
QUESTION NO: 591 A malicious individual is attempting to write too much data to an application's memory. Which of the following describes this type of attack? A. Zero-day B. SQL injection C. Buffer overflow D. XSRF
C. Buffer overflow A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information - which has to go somewhere - can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.
QUESTION NO: 552 Users have been reporting that their wireless access point is not functioning. They state that it allows slow connections to the internet, but does not provide access to the internal network. The user provides the SSID and the technician logs into the company's access point and finds no issues. Which of the following should the technician do? A. Change the access point from WPA2 to WEP to determine if the encryption is too strong B. Clear all access logs from the AP to provide an up-to-date access list of connected users C. Check the MAC address of the AP to which the users are connecting to determine if it is an imposter D. Reconfigure the access point so that it is blocking all inbound and outbound traffic as a troubleshooting gap
C. Check the MAC address of the AP to which the users are connecting to determine if it is an imposter. The users may be connecting to a rogue access point. The rogue access point could be hosting a wireless network that has the same SSID as the corporate wireless network. The only way to tell for sure if the access point the users are connecting to is the correct one is to check the MAC address.
QUESTION NO: 557 After viewing wireless traffic, an attacker notices the following networks are being broadcasted by local access points: Corpnet Coffeeshop FreePublicWifi Using this information the attacker spoofs a response to make nearby laptops connect back to a malicious device. Which of the following has the attacker created? A. Infrastructure as a Service B. Load balancer C. Evil twin D. Virtualized network
C. Evil twin
QUESTION NO: 545 A security administrator forgets their card to access the server room. The administrator asks a coworker if they could use their card for the day. Which of the following is the administrator using to gain access to the server room? A. Man-in-the-middle B. Tailgating C. Impersonation D. Spoofing
C. Impersonation Explanation: Impersonation is where a person, computer, software application or service pretends to be someone or something it's not. Impersonation is commonly non-maliciously used in client/server applications. However, it can also be used as a security threat. In this question, by using the coworker's card, the security administrator is 'impersonating' the coworker. The server room locking system and any logging systems will 'think' that the coworker has entered the server room.
QUESTION NO: 546 Sara, an attacker, is recording a person typing in their ID number into a keypad to gain access to the building. Sara then calls the helpdesk and informs them that their PIN no longer works and would like to change it. Which of the following attacks occurred LAST? A. Phishing B. Shoulder surfing C. Impersonation D. Tailgating
C. Impersonation Explanation: Two attacks took place in this question. The first attack was shoulder surfing. This was the act of Sara recording a person typing in their ID number into a keypad to gain access to the building. The second attack was impersonation. Sara called the helpdesk and used the PIN to impersonate the person she recorded.
QUESTION NO: 501 The Chief Information Officer (CIO) receives an anonymous threatening message that says "beware of the 1st of the year". The CIO suspects the message may be from a former disgruntled employee planning an attack. Which of the following should the CIO be concerned with? A. Smurf Attack B. Trojan C. Logic bomb D. Virus
C. Logic bomb Explanation: A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. For example, a programmer may hide a piece of code that starts deleting files should they ever be terminated from the company.
QUESTION NO: 510 A distributed denial of service attack can BEST be described as: A. Invalid characters being entered into a field in a database application. B. Users attempting to input random or invalid data into fields within a web browser application. C. Multiple computers attacking a single target in an organized attempt to deplete its resources. D. Multiple attackers attempting to gain elevated privileges on a target system.
C. Multiple computers attacking a single target in an organized attempt to deplete its resources. Explanation: A Distributed Denial of Service (DDoS) attack is an attack from several different computers targeting a single computer. One common method of attack involves saturating the target machine with external communications requests, so much so that it cannot respond to legitimate traffic, or responds so slowly as to be rendered essentially unavailable. Such attacks usually lead to a server overload.
QUESTION NO: 574 Which of the following software allows a network administrator to inspect the protocol header in order to troubleshoot network issues? A. URL filter B. Spam filter C. Packet sniffer D. Switch
C. Packet sniffer
QUESTION NO: 514 Which of the following attacks could be used to initiate a subsequent man-in-the-middle attack? A. ARP poisoning B. DoS C. Replay D. Brute force
C. Replay Explanation: A replay attack (also known as playback attack) is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack by IP packet substitution (such as stream cipher attack).
QUESTION NO: 584 The string: ' or 1=1-- - Represents which of the following? A. Bluejacking B. Rogue access point C. SQL Injection D. Client-side attacks
C. SQL Injection
QUESTION NO: 537 All executive officers have changed their monitor location so it cannot be easily viewed when passing by their offices. Which of the following attacks does this action remediate? A. Dumpster Diving B. Impersonation C. Shoulder Surfing D. Whaling
C. Shoulder Surfing Explanation: Viewing confidential information on someone's monitor is known as shoulder surfing. By moving their monitors so they cannot be seen, the executives are preventing users passing by 'shoulder surfing'.
QUESTION NO: 496 Which of the following malware types typically allows an attacker to monitor a user's computer, is characterized by a drive-by download, and requires no user interaction? A. Virus B. Logic bomb C. Spyware D. Adware
C. Spyware Explanation Spyware is software that is used to gather information about a person or organization without their knowledge and sends that information to another entity.
QUESTION NO: 572 Which statement is TRUE about the operation of a packet sniffer? A. It can only have one interface on a management network. B. They are required for firewall operation and stateful inspection. C. The Ethernet card must be placed in promiscuous mode. D. It must be placed on a single virtual LAN interface.
C. The Ethernet card must be placed in promiscuous mode. all traffic is shared when the sniffer software commands the Network Interface Card (NIC) to stop ignoring the traffic. The NIC is put into promiscuous mode, and it reads communications between computers within a particular segment. This allows the sniffer to seize everything that is flowing in the network, which can lead to the unauthorized access of sensitive data.
QUESTION NO: 497 Sara, a user, downloads a keygen to install pirated software. After running the keygen, system performance is extremely slow and numerous antivirus alerts are displayed. Which of the following BEST describes this type of malware? A. Logic bomb B. Worm C. Trojan D. Adware
C. Trojan Explanation: In computers, a Trojan is a program in which malicious or harmful code is contained inside apparently harmless programming or data in such a way that it can get control and do its chosen form of damage, such as ruining the file allocation table on your hard disk. In one celebrated case, a Trojan was a program that was supposed to find and destroy computer viruses. A Trojan horse may be widely redistributed as part of a computer virus.
QUESTION NO: 581 Which of the following BEST describes a protective countermeasure for SQL injection? A. Eliminating cross-site scripting vulnerabilities B. Installing an IDS to monitor network traffic C. Validating user input in web applications D. Placing a firewall between the Internet and database servers
C. Validating user input in web applications SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).
QUESTION NO: 494 A program has been discovered that infects a critical Windows system executable and stays dormant in memory. When a Windows mobile phone is connected to the host, the program infects the phone's boot loader and continues to target additional Windows PCs or phones. Which of the following malware categories BEST describes this program? A. Zero-day B. Trojan C. Virus D. Rootkit
C. Virus A computer virus is a program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes. Viruses can also replicate themselves. All computer viruses are man-made. A simple virus that can make a copy of itself over and over again is relatively easy to produce.
QUESTION NO: 525 Purchasing receives an automated phone call from a bank asking to input and verify credit card information. The phone number displayed on the caller ID matches the bank. Which of the following attack types is this? A. Hoax B. Phishing C. Vishing D. Whaling
C. Vishing Explanation: Vishing (voice or VoIP phishing) is an electronic fraud tactic in which individuals are tricked into revealing critical financial or personal information to unauthorized entities. Vishing works like phishing but does not always occur over the Internet and is carried out using voice technology. A ishing attack can be conducted by voice email, VoIP (voice over IP), or landline or cellular telephone.
QUESTION NO: 575 A security administrator discovered that all communication over the company's encrypted wireless network is being captured by savvy employees with a wireless sniffing tool and is then being decrypted in an attempt to steal other employee's credentials. Which of the following technology is MOST likely in use on the company's wireless? A. WPA with TKIP B. VPN over open wireless C. WEP128-PSK D. WPA2-Enterprise
C. WEP128-PSK
QUESTION NO: 522 Several users' computers are no longer responding normally and sending out spam email to the users' entire contact list. This is an example of which of the following? A. Trojan virus B. Botnet C. Worm outbreak D. Logic bomb
C. Worm outbreak Explanation: A worm is similar to a virus but is typically less malicious. A virus will usually cause damage to the system or files whereas a worm will usually just spread itself either using the network or by sending emails.
QUESTION NO: 553 Ann, the network administrator, has learned from the helpdesk that employees are accessing the wireless network without entering their domain credentials upon connection. Once the connection is made, they cannot reach any internal resources, while wired network connections operate smoothly. Which of the following is MOST likely occurring? A. A user has plugged in a personal access point at their desk to connect to the network wirelessly. B. The company is currently experiencing an attack on their internal DNS servers. C. The company's WEP encryption has been compromised and WPA2 needs to be implemented instead. D. An attacker has installed an access point nearby in an attempt to capture company information.
D. An attacker has installed an access point nearby in an attempt to capture company information.
QUESTION NO: 556 The system administrator has been notified that many users are having difficulty connecting to the company's wireless network. They take a new laptop and physically go to the access point and connect with no problems. Which of the following would be the MOST likely cause? A. The certificate used to authenticate users has been compromised and revoked. B. Multiple war drivers in the parking lot have exhausted all available IPs from the pool to deny access. C. An attacker has gained access to the access point and has changed the encryption keys. D. An unauthorized access point has been configured to operate on the same channel.
D. An unauthorized access point has been configured to operate on the same channel.
QUESTION NO: 500 Two programmers write a new secure application for the human resources department to store personal identifiable information. The programmers make the application available to themselves using an uncommon port along with an ID and password only they know. This is an example of which of the following? A. Root Kit B. Spyware C. Logic Bomb D. Backdoor
D. Backdoor
QUESTION NO: 565 Which of the following attacks allows access to contact lists on cellular phones? A. War chalking B. Blue jacking C. Packet sniffing D. Bluesnarfing
D. Bluesnarfing Bluesnarfing is the theft of information from a wireless device through a Bluetooth connection.
QUESTION NO: 513 An administrator is assigned to monitor servers in a data center. A web server connected to the Internet suddenly experiences a large spike in CPU activity. Which of the following is the MOST likely cause? A. Spyware B. Trojan C. Privilege escalation D. DoS
D. DoS Explanation: A Distributed Denial of Service (DDoS) attack is a DoS attack from multiple computers whereas a DoS attack is from a single computer. In terms of the actual method of attack, DDoS and DoS attacks are the same.
QUESTION NO: 589 Which of the following application attacks is used against a corporate directory service where there are unknown servers on the network? A. Rogue access point B. Zero day attack C. Packet sniffing D. LDAP injection
D. LDAP injection
QUESTION NO: 588 An attacker attempted to compromise a web form by inserting the following input into the username field: admin)(|(password=*)) Which of the following types of attacks was attempted? A. SQL injection B. Cross-site scripting C. Command injection D. LDAP injection
D. LDAP injection LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it's possible to modify LDAP statements using a local proxy. This could result in the execution of arbitrary commands such as granting permissions to unauthorized queries, and content modification inside the LDAP tree.
QUESTION NO: 505 A user, Ann, is reporting to the company IT support group that her workstation screen is blank other than a window with a message requesting payment or else her hard drive will be formatted. Which of the following types of malware is on Ann's workstation? A. Trojan B. Spyware C. Adware D. Ransomware
D. Ransomware
QUESTION NO: 516 Timestamps and sequence numbers act as countermeasures against which of the following types of attacks? A. Smurf B. DoS C. Vishing D. Replay
D. Replay
QUESTION NO: 551 Pete, the security engineer, would like to prevent wireless attacks on his network. Pete has implemented a security control to limit the connecting MAC addresses to a single port. Which of the following wireless attacks would this address? A. Interference B. Man-in-the-middle C. ARP poisoning D. Rogue access point
D. Rogue access point Explanation: MAC filtering is typically used in wireless networks. In computer networking, MAC Filtering (or GUI filtering, or layer 2 address filtering) refers to a security access control method whereby the 48-bit address assigned to each network card is used to determine access to the network. MAC addresses are uniquely assigned to each card, so using MAC filtering on a network permits and denies network access to specific devices through the use of blacklists and whitelists.
QUESTION NO: 498 During a server audit, a security administrator does not notice abnormal activity. However, a network security analyst notices connections to unauthorized ports from outside the corporate network. Using specialized tools, the network security analyst also notices hidden processes running. Which of the following has MOST likely been installed on the server? A. SPIM B. Backdoor C. Logic bomb D. Rootkit
D. Rootkit Explanation: A rootkit is a collection of tools (programs) that enable administrator-level access to a computer or computer network. Typically, a cracker installs a rootkit on a computer after first obtaining userlevel access, either by exploiting a known vulnerability or cracking a password. Once the rootkit is installed, it allows the attacker to mask intrusion and gain root or privileged access to the computer and, possibly, other machines on the network.
QUESTION NO: 534 Using proximity card readers instead of the traditional key punch doors would help to mitigate: A. Impersonation B. Tailgating C. Dumpster diving D. Shoulder surfing
D. Shoulder surfing
QUESTION NO: 535 Ann an employee is visiting Joe, an employee in the Human Resources Department. While talking to Joe, Ann notices a spreadsheet open on Joe's computer that lists the salaries of all employees in her department. Which of the following forms of social engineering would BEST describe this situation? A. Impersonation B. Dumpster diving C. Tailgating D. Shoulder surfing
D. Shoulder surfing Explanation: Ann was able to see the Spreadsheet on Joe's computer. This direct observation is known as shoulder surfing.
QUESTION NO: 573 Which of the following network devices is used to analyze traffic between various network interfaces? A. Proxies B. Firewalls C. Content inspection D. Sniffers
D. Sniffers
QUESTION NO: 521 Mike, a user, states that he is receiving several unwanted emails about home loans. Which of the following is this an example of? A. Spear phishing B. Hoaxes C. Spoofing D. Spam
D. Spam
QUESTION NO: 524 Jane, an individual, has recently been calling various financial offices pretending to be another person to gain financial information. Which of the following attacks is being described? A. Phishing B. Tailgating C. Pharming D. Vishing
D. Vishing Explanation: Vishing (voice or VoIP phishing) is an electronic fraud tactic in which individuals are tricked into revealing critical financial or personal information to unauthorized entities. Vishing works like phishing but does not always occur over the Internet and is carried out using voicetechnology. A vishing attack can be conducted by voice email, VoIP (voice over IP), or landline or cellular telephone.
QUESTION NO: 567 After a user performed a war driving attack, the network administrator noticed several similar markings where WiFi was available throughout the enterprise. Which of the following is the term used to describe these markings? A. IV attack B. War dialing C. Rogue access points D. War chalking
D. War chalking