Chapter 7-9 Assessment
A new openSSH vulnerability has been discovered. You are tasked with finding all systems running an SSH service on the network. The nmap 192.168.122.0/24 command has been run to find all potentially vulnerable systems, and the output is shown below. Which machines on the following IP addresses will likely need their SSH software updated immediately?
192.168.122.1 192.168.122.82
How many numbering authorities comprise the CVE?
94
Vulnerability scanning has its limitations. Which answer BEST describes the concept of point in time?
A scan only obtain data for the period of time that it runs
Which BEST defines the term base in CVSS?
A vulnerability's unique characteristics
The third step in vulnerability management is to see what an organization looks like from an outsider's and insider's point of view. Which step in life cycle management does this apply to?
Baseline creation
You have just installed Nessus for auditing a network segment. Which of the following Nessus scans would be BEST suited for an initial query of hosts on a network segment?
Basic Network Scan
After a sniffing attack has been discovered on an organization's large network, Jim, a security analyst, has been asked to take steps to secure the network from future attacks. The organization has multiple buildings and departments. Which of the following is the BEST step Jim could take to make the network more secure?
Implement switched networks
Allen's company has raised concerns about network information that can be observed without a hacker being discovered. Which of the following BEST describes the type of assessment that could be used to operate in this manner?
Passive
A company decides to purchase and administer tools on their own. Which type of assessment solution are they using?
Product-based assessment
During which of the vulnerability life cycle management phases do you implement the controls and protections from your plan of action?
Remediation
You are looking for a vulnerability assessment tool that detects vulnerabilities on mobile devices and gives you a report containing a total risk score, a summary of revealed vulnerabilities, and remediation suggestions. Which of the following vulnerability assessment tools should you use?
SecurityMetrics Mobile
Which answer BEST describes the purpose of CVE?
A list of standardized identifiers for known software vulnerabilities and exposures.
Which of the following BEST describes a disassembler program?
A program that translates machine code into assembly language, or low-level language.
An attacker sends forged Address Resolution Protocol Reply packets over a LAN to a target machine. These packets include an IP address that matches the gateway's IP address but retains its own MAC address. The target machine then sends all traffic to the attacker's machine, believing it is the gateway. Which type of attack just happened?
ARP poisoning
Charles, a security analyst, needs to check his network for vulnerabilities. He wants a scan that interacts with network nodes and repairs security issues found. Which kind of scanning BEST describes Charles' requirements?
Active Scanning
Which cybersecurity approach seeks to asymmetrically put the odds in the security analyst's favor by using maneuverability of sensitive data, honeypots, and anti-malware programs?
Active defense approach
Jason, an attacker, has manipulated a client's connection to disconnect the real client and allow the server to think that he is the authenticated user. Which of the following describes what Jason has done?
Active hijacking
Which of the following BEST describes a TCP session hijacking attack?
An attacker sniffs between two machines on a connection-based protocol, monitors the traffic to capture the session ID, terminates the target computer's connection, and injects packets to the server.
Which of the following BEST describes Retina CS for Mobile?
Analyzes and reports findings from a centralized data warehouse
A company is considering the purchase of a new application. During the evaluation period, a security analyst wants to make sure that all areas of the app are secure, especially input controls. Which assessment BEST meets these requirements?
Application-level assessment
John's company just purchased a new application for which they do not have the source code. Which of the following BEST describes the type of assessment John should use on this application?
Application-level assessment
Which web application scanner looks for common vulnerabilities, like cross-site scripting and SQL injections, and also scans for the OWASP Top 10?
Burp Suite
Which vulnerability scoring system uses metrics called base, temporal, and environmental?
CVSS calculator
Which of the following is a type of malware that can be purchased in a ready-to-use state, is created to be used with a variety of targets, can be integrated with other malware programs, and can be implemented in stages?
Commodity malware
Which resource can BEST be described as a site that combines diverse ideas and perspectives from professionals, academics, and government sources?
Common Weakness Enumeration
Creating a baseline is vital to managing vulnerabilities. What is the FIRST step in creating this baseline?
Conduct a pre-assessment
You have decided to configure an ARP cache poisoning on-path (man-in-the-middle) attack to test a new computer on your network to verify that it connects to required company resources securely. After defining the target hosts in Ettercap and capturing data during several login attempts, you see the following. What should your next step be in checking for a cookie hijacking attack?
Copy the user_token field value and use a cookie copy tool, such as the Google Chrome Copy Cookies extension, to attempt to access the same resource found at the URL listed.
John creates an account and creates a listing for the sale of his home. He uses HTML tags to bold important words. Chris, an attacker, spots John's listing and notices the bolded words. Chris assumes HTML tags are enabled on the user end and uses this vulnerability to insert his own script, which will send him a copy of the cookie information for any user who looks at the ad. Which type of attack method is Chris most likely using?
Cross-site scripting
In 2016, an attacker used a botnet of security cameras, DVRs, and network printers to target a cloud-based internet performance management organization that provided DNS services to large corporations. This created connectivity issues for legitimate users across the United States and Europe. Which type of attack was MOST likely used in this scenario?
DDoS attack
Which of the following would an external assessment check?
DNS zones
A suspicious program is run in a controlled environment, where a security analyst monitors the program's execution to track the effect it has on computer resources, like its operating system. The analyst can set breakpoints or pause the program for reports on memory content, storage devices, or CPU registers. Which reverse engineering tool is the analyst using?
Debugger
As a security analyst working for an accounting firm, you need to evaluate the current environment. Which of the following is the FIRST thing you should do?
Define the effectiveness of the current security policies and procedures
Which government agency sponsors five valuable resources for security analysts?
Department of Homeland Security
Mary, a security analyst, is tasked with vulnerability research as part of her company's vulnerability assessment. She discovered that their website is vulnerable to cross-site scripting. Which vulnerability type BEST describes what Mary has found? Correct Answer:
Design flaw
Which of the following attack types overflows the server, causing it to not function properly?
DoS
You have been hired by an organization that has been victimized by session hijacking. What is one of the most important steps you as a security analyst can take to prevent further session hijacking attacks?
Encrypt network traffic.
Which site MOST often shows the newest vulnerabilities before other sources?
Full Disclosure
Misconfigurations occur throughout a network. What is the primary cause of misconfigurations?
Human error
Jake, a security analyst, has been asked to examine the malware found on the company's network. He decides the best place to start is to use a tool to translate the executable files to assembly language so he can understand what the malware can do and what it can impact. Which tool is the BEST choice for Jake to use?
IDA Pro
An attacker has captured the username and password from an executive in your organization through ARP poisoning during an on-path (man-in-the-middle) attack. Which of the following will be MOST likely to stop this form of attack in the future?
Implement HTTPS
Which of the following BEST describes the Qualys Vulnerability Management assessment tool?
It is a cloud-based service that keeps all your data in a private virtual database
Which of the following is the BEST reason to choose a serviced-based assessment solution?
It provides a protection level that a professional provides through knowledge.
What is the FIRST step in vulnerability scanning penetration?
Locate the live nodes in the network. You can do this using a variety of techniques, but you must know where each live host is.
Which of the following is a method of attack that is intended to overload the memory of a network switch, forcing the switch into open-fail mode and thereby causing it to broadcast incoming data to all ports?
MAC flooding
An attacker has, through reconnaissance, discovered the MAC address to Sam Black's computer. Sam is a user in your network with admin privileges. The attacker uses a software tool that allows him or her to mimic Sam's MAC address and use it to access your network. Which type of attack has the attacker performed?
MAC spoofing
File fingerprinting, scanning, string searches, and disassembly are all used to identify malware. When these techniques are used, what is the identifying information called?
Malware signature
Which of the following is the last phase of the vulnerability management life cycle?
Monitoring
A security analyst was alerted in real time that there is unusual incoming traffic on the network. The traffic was not and could not be prevented or altered by the program. Which type of program MOST likely sent the alert to the security analyst?
NIDS
John is a security analyst, and he needs the following information about a current exploit: Fix information Impact rating Severity score What is his BEST resource?
National Vulnerability Database
Kjell wants a network scanning tool that gives remediation solutions to found vulnerabilities. He also wants to be able to create customized scan jobs that run during off hours and can scan multiple network technologies. Which application is BEST for him?
Nessus
A mailing list that often has the newest vulnerabilities listed before they show up on government-sponsored resources is operated by whom?
Nmap
Troy, a security analyst, needs a web application scanner that is extensible and that evaluates each web application individually. Which tool is BEST for his needs?
OWASP ZAP
Which web application scanner uses an on-path (man-in-the-middle) proxy design?
OWASP ZAP
A security analyst needs an infrastructure vulnerability scanner that's flexible enough for low- and high-level protocols, is updated daily with new vulnerabilities, and allows for performance tuning. The company is on a tight budget, so it needs to be open source. Which tool is the BEST option?
OpenVAS
John's company needs a product to fix found network vulnerabilities. This product needs to run inside their firewall without help from an outside professional. Which of the following BEST describes this type of assessment solution?
Product-based assessment
Some Remote Access Trojans (RATs) install a web server to allow access to the infected machine. Others use a custom application that is run on the remote machine, such as ProRAT. Once infected with this custom application, which other types of infections are possible with this tool installed? (Select two.)
Randsomeware, Rootkit
Which of the following is an attack where injected script is immediately mirrored off a web server when a user inputs data in a form or search field?
Reflected cross-site scripting
A security analyst is concerned about flaws in the operating system being used within their company. What should their FIRST step be to remedy this? Correct Answer:
Regular system patches
You are testing a compromised machine on an isolated network, and you find a web server running on an open port. When you browse to it, you see the following information. Which kind of infection does this computer have?
Remote Access Trojan
Which type of malware can infect the core of an operating system, giving an attacker complete control of the entire system remotely, including the ability to change code? Correct Answer:
Rootkit
A retail company is getting complaints from customers about how long product pages are taking to load, which is causing a decline in sales. Which of the following actions should you take first to discover the source of the problem?
Run a network bandwidth test on the company's network to determine if there are any anomalies.
Part of a penetration test is checking for malware vulnerabilities. During this process, the penetration tester needs to manually check many different areas of the system. After these checks have been completed, which of the following is the next step?
Run alti-malware scans
Tom, a security analyst, is notified by Karen, an employee, that her work iPad has some setting changes and a new app that she didn't download. What is the first step Tom should take?
Run an antivirus software scan on Karen's device and scan the entire network.
The following steps describe the process for which type of attack? Locate and sniff an active connection between a host and web server. Monitor traffic to either capture or calculate the session ID. Desynchronize the session. Remove the authenticated user. Inject packets to the server.
Session hijacking
There is strong evidence that a machine is compromised on your company network, but you have not determined which computer. You are going to try to pinpoint the host by scanning for any network devices that are in promiscuous mode. Which of the following Nmap scripts would you use?
Sniffer-detect
You configure your switches to shut down a port immediately after it being accessed by an unauthorized user. Which type of attack are you trying to prevent?
Sniffing
Which method of malware analysis includes matching signatures, analyzing code without executing it, disassembly, and string searching?
Static analysis
Which of the following frame (packet) subtrees would you expand in order to view the POST data that was captured by Wireshark?
The HTML Form URL Encoded: subtree would have the POST data.
While reviewing a machine that a user has reported for strange behavior, you decide to use ipconfig to review its network configuration. Afterward, you see the output shown below. No changes were made manually to the machine's network configuration and all IP configuration is automatic. The proper default gateway for this network segment is 10.10.10.1. Which of the following would explain the output shown?
The machine in question is being targeted by a DHCP on-path (man-in-the-middle) attack.
Which of the following BEST describes scan information?
The name of the scanning tool, its version, and the network ports that have been scanned.
While performing an audit of your company's network, you use Wireshark to sniff the network and then use the tcp contains password command to filter and see the results below. What might you conclude based on these findings?
There is a website that someone on your network logged into that has no encryption.
Which IPsec method is the most used and protects an entire packet by wrapping it with a new IP header, encrypting it, and then sending it on to the receiving host?
Tunnel mode
A machine on your network has been infected with a crude ransomware application. You have obtained a copy of the software and are reverse engineering it with Ghidra. You are hoping that the password for the software is hard-coded into the application. You are presented with the default view in Ghidra, which displays the assembly (machine) code for the application. What might you do next to locate the password?
Use a string search looking for "password" and it's variants
Which vulnerability life cycle step is BEST described as the phase in which a security analyst determines whether all the previous phases are effectively employed?
Verification
The following command and output were performed against a new web server prior to deploying it to production. Which type of security process identifies security weaknesses in an organization's infrastructure that might result in the output below?
Vulnerability assessment
A security analyst is working to discover zero-day attacks before the system is compromised. What is one method for discovering these types of attacks that the security analyst should try?
Write rules in a program like YARA that recognizes similar patterns of code found in other malware and flags them if they interact with the system.
The information below is from Wireshark. Which kind of attack is occurring?
a DDoS attack
Which of the following is a valuable resource for security analysts to find out what the newly discovered Trojan and malware risks are?
it-isac.org
Your company has just completed social engineering training for all employees. To test the training's effectiveness, you have been tasked with creating a simple computer virus that creates a file on a user's desktop. Approximately how long will you need to create the virus?
less than one day
A security analyst discovers that a system has been compromised through the building's thermostat. Which type of attack is this compromise from?
loT Trojan
A Windows machine in your office has been sending and receiving more traffic than usual, and a user is complaining that it has a slow connection. Your manager would like statistics on all protocol traffic to and from that machine over Ethernet. The netstat command can do that, but you need to know the switch that will give an output similar to what is shown below. Which command and options should you use?
netstat -e -s
You are reviewing packets captured by a co-worker. The traffic is from a Linux server that hosts private customer data, and your job is to analyze the content for potential security risks. The .pcap file appears to be a bit small for what you wanted. (It contains traffic to and from the target system during a given time period.) Some of that traffic is shown below. You suspect that only SSH traffic is represented in this capture, which was done with tcpdump. What command do you think your co-worker used to capture only SSH traffic?
tcpdump port 22
Which of the following is a dictionary of known patterns of cyberattacks used by hackers?
CAPEC
