Final exam
An incident response team does not respond to which of the following events?
Spam
Which of the following is a Windows-based port scanner designed to scan TCP and UDP ports, perform ping scans, run Whois queries, and perform Traceroute and hostname lookups?
SuperScan
Which of the following tools is used to perform port scanning, but can also be used to perform enumeration by using utilities designed for extracting information from a Windows-based host?
SuperScan
The process of investigating any and all security incidents and related issues pertaining to a particular situation is called:
due diligence
An attacker can deprive the system owner of the ability to detect the activities that have been carried out by:
disabling auditing
Which of the following ports does SSH operate on?
22
SMTP (Simple Mail Transfer Protocol)
A TCP/IP protocol used for sending and receiving email, together with either POP3 (Post Office Protocol 3) or IMAP (Internet Message Access Protocol).
What is Brutus?
A password cracker tool
Port Scanning
A port scanner is an application designed to probe a server or host for open ports. This is often used by administrators to verify security policies of their networks and by attackers to identify network services running on a host and exploit vulnerabilities.
Which of the following is a form of OS fingerprinting that involves actively requesting information from the target system?
Active fingerprinting
Which of the following reveals telling information such as version and service data that will help an attacker?
Banner
Which of the following defines how the organization will maintain what is accepted as normal day-to-day business in the event of a security incident or other events disruptive to the business?
Business continuity plan
Which of the following discusses all the potential risks uncovered following an incident and their potential impact on the organization?
Business impact analysis
They replicate a disaster fairly accurately without disrupting the system.
Cold site
Which of the following should be on a security incident report form?
Contact information for the original reporting organization or person
Inserting <script>action</script> is an example of what type of Web attack?
Cross-site scripting
What is XSS?
Cross-site scripting
Identifying fixes and prevention methods occurs in which of these incident response stages?
Debriefing and feedback
Which of the following documents states how personnel and assets will be safeguarded in the event of a disaster?
Disaster recovery plan
Why are database attacks that inject data a concern for organizations?
False data might be added, malicious code could be injected, and databases could be filled
What does OS fingerprinting allow?
Host OS identification
Which of the following are considered offline attacks?
Hybrid and precomputed attacks
Interviewing system administrators about technical details of an event most often occurs in which stage of incident response?
Incident identification
What can an insecure login system provide?
Information about the existence of a user
Installing Netcat on a remote system by using an exploit is an example of what type of attack?
Installing a back door
Which of these describes a database security problem that occurs when actions of database users are not properly tracked?
Limited audit log settings
A standard format for reporting a security incident prevents which of the following?
Missing data
The feature in the Windows operating system that is used to give access to certain types of information across the network is the:
NULL session
Which of the following best describes what occurs when a user attempts a connection to a Windows system without the standard username and password being provided?
NULL session
Through which of the following can port scans gain information about Windows IPC administrative share information?
NULL sessions
Which of the following best describes the control of information when a security incident occurs?
Need to know
Enumeration can be used to discover all but which of the following types of information?
Smartcard PINs
Which of the following options is a useful defense against database attacks?
Nonstandard ports, firewalls, OS security
The practice of identifying the operating system of a networked device through either passive or active techniques is called:
OS identification
Which of the following are considered passive online attacks?
Packet sniffing, man-in-the-middle, and replay attacks
Which of the following is a method of identifying the OS of a targeted computer or device in which no traffic or packets are injected into the network and attackers simply listen to and analyze existing traffic?
Passive fingerprinting
Nmap's -sT command tells the application to do which of the following?
Perform a full TCP connection scan
The process of sending ping requests to a series of devices or to the entire range of networked devices is called a:
Ping Sweep
Which of the following best describes what occurs when a lower-level account is cracked in order to obtain increased access?
Privilege escalation
Which of the following is an attack that uses the rights of a low-privilege user to assume higher privileges?
Privilege escalation
NetBIOS enumeration can allow ___________.
Registry enumeration, trusted domain enumeration, and user enumeration
Which of the following refers to software designed to alter system files and utilities on a victim's system with the intention of changing the way a system behaves?
Rootkits
An attacker who adds commands to a database query has likely used
SQL injection
Which of the following user accounts is considered a super user-style account that gets nearly unlimited access to the local system and can perform actions on the local system with little or no restriction?
SYSTEM
Which of the following is a database on the local system that stores user account information?
Security Account Manager (SAM)
An XMAS scan detects packets in which all flags are active.
THC-Amap
THC-Scan
THC-Scan is a wardialer that works under DOS and Win95/98/NT/2K/XP and can be used together with Scavenger Dialer and THC-Login Hacker.
Which of the following is a law originally passed to address federal computer-related offenses and the cracking of computer systems?
The Computer Fraud and Abuse Act of 1986
All but which of the following is commonly included in a security policy?
The city evacuation routes and emergency shelter contact information
Shoulder Surfing
The practice of spying on the user of an ATM, computer, or other electronic device in order to obtain their personal access information.
All but which of the following constitutes a security incident?
The result is loss of power and water.
What is a characteristic of an incident response and disaster recovery simulation?
They replicate a disaster fairly accurately without disrupting the system.
Changing the content of a Web site with the intent of leaving a distinguishing mark or changing its appearance is
Web site defacement.
Which of the following is a malware program designed to replicate without attaching to or infecting other files on a host system?
Worm
A _____ scan detects packets in which all flags are active.
XMAS
Spyware is software
___ that is installed on a computing device without the end user's knowledge; it can violate the end user's privacy and has the potential to be abused.
A brute force attack is___
a trial-and-error method used to obtain information such as a user password or personal identification number. In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data.
A detailed plan that describes how to deal with a security incident when it occurs is called____
a(n) incident response plan.
The phase of incident response that involves determining which evidence is relevant to the investigation and which is not is called:
analysis and tracking.
A warm site relies on____
backups for recovery. As a result, it doesn't require dedicated storage but instead can take advantage of less-expensive shared storage. In other words, all components of a warm site, including storage, are shared among multiple customers. Therefore, most of the considerations of hot sites also apply for warm sites.
Cross-site Scripting (XSS) refers to ____
a client-side code injection attack in which an attacker executes malicious scripts (also commonly referred to as a malicious payload) in a legitimate website or web application.
The capacity of a system to keep functioning in the face of hardware or software failure is called:
fault tolerance.
Warm site recoveries were typically measured
in days, while hot site recoveries are measured in minutes.
Freeware is software that ______
is available for use at no monetary cost. In other words, while freeware may be used without payment, it is most often proprietary software, as modification, redistribution, or reverse engineering without the author's permission is usually prohibited.
Shoulder surfing, keyboard sniffing, and social engineering are considered ____
nontechnical attacks.
All of the following are active fingerprinting tools except
p0f
Privilege escalation gives the attacker the ability to____
perform actions on the system with fewer restrictions and perform tasks that are potentially more damaging.
A patch is a____
piece of software designed to update a computer program or its supporting data, to fix or improve it. This includes fixing security vulnerabilities and other bugs, with such patches usually called bug fixes, and improving the usability or performance.
Adware, or advertising-supported software, is ____
software that generates revenue for its developer by automatically generating online advertisements in the user interface of the software or on a screen presented to the user during the installation process.
Spyware installs itself on a____
system by deceiving the user or by exploiting software vulnerabilities. It does not transmit or copy itself from one computer to another.
The second phase of incident response is to determine how seriously the incident has affected critical systems or data. This phase is called:
triage
Which of the following should be the next step after the identification of an incident?
triage
Banner grabbing is a technique ____
used to gain information about a computer system on a network and the services running on its open ports. Administrators can use this to take inventory of the systems and services on their network. However, an intruder can use banner grabbing in order to find network hosts that are running versions of applications and operating systems with known exploits.