SEC+ 501 - CHAPTER ONE REVIEW QUESTION

The correct answer is a boot sector virus, which is one that will affect the boot sector of the hard drive. Thus, what operating system you boot to is irrelevant. Option A is incorrect. There is no element of ransom in the description of this attack. Option C is incorrect. A rootkit can sometimes also affect the boot sector, but in this case the boot sector virus is the most accurate description. Option D is incorrect. Nothing in this description indicates key logging.

1. John is analyzing strange behavior on computers in his network. He believes there is malware on the machines. The symptoms include strange behavior that persists, even if he boots the machine to a Linux Live CD. What is the most likely cause? A. Ransomware B. Boot sector virus C. Rootkit D. Key logger

C. A backdoor is a method for bypassing normal security and directly accessing the system. Option A is incorrect. A logic bomb is malware that performs its misdeeds when some condition is met. Option B is incorrect. A Trojan horse wraps a malicious program to a legitimate program. When the user downloads and installs the legitimate program, they get the malware. Option D is incorrect. A rootkit is malware that gets root or administrative privileges.

10. Your company outsourced the development of an accounting application to a local programming firm. After three months of using the product, one of your accountants accidentally discovers a way to log in and bypass all security and authentication. What best describes this? A. Logic bomb B. Trojan horse C. Backdoor D. Rootkit

100. D. This scenario is the definition of passing the hash. Option A is incorrect. A real hash was provided; it was not spoofed. Option B is incorrect. Evil twin is a wireless attack. Option C is incorrect. Shimming is inserting malicious code between an application and a library.

100. You are responsible for incident response at Acme Corporation. You have discovered that someone has been able to circumvent the Windows authentication process for a specific network application. It appears that the attacker took the stored hash of the password and sent it directly to the backend authentication service, bypassing the application. What type of attack is this? A. Hash spoofing B. Evil twin C. Shimming D. Pass the hash

101. B. Claiming to be from tech support is claiming authority, and the story the caller gave indicates urgency. Option A is incorrect. Yes, this caller used urgency (the virus spread) but did not attempt intimidation. Option C is incorrect. Authority and trust are closely related, and in this case urgency was the second major factor. Option D is incorrect. This caller used urgency but not intimidation.

101. A user in your company reports that she received a call from someone claiming to be from the company technical support team. The caller stated that there was a virus spreading through the company and he needed immediate access to the employee's computer to stop it from being infected. What social-engineering principles did the caller use to try to trick the employee? A. Urgency and intimidation B. Urgency and authority C. Authority and trust D. Intimidation and authority

102. A. This is the definition of ARP poisoning. Option B is incorrect. In DNS poisoning domain name to IP address entries in a DNS server are altered. Option C is incorrect. This attack did not involve a man-in-the-middle. Option D is incorrect. A backdoor provides access to the attacker, which circumvents normal authentication.

102. Ahmed has discovered that someone has manipulated tables in one of the company's switches. The manipulation has changed the tables so that data destined for one specific MAC address will now be routed elsewhere. What type of attack is this? A. ARP poisoning B. DNS poisoning C. Man-in-the-middle D. Backdoor

103. A. This is a classic multipartite virus. It infects the boot sector, as well as an operating system file. Option B is incorrect. This infects the boot sector, but also infects an operating system file as well. Option C is incorrect. A macro virus is embedded, as a macro, into a document. Option D is incorrect. A polymorphic virus changes periodically

103. You are investigating incidents at Acme Corporation and have discovered malware on several machines. It appears that this malware infects system files in the Windows/System32/ directory and also affects the boot sector. What type of malware is this? A. Multipartite B. Boot sector C. Macro virus D. Polymorphic virus

104. C. Bluesnarfing accesses data on the cell phone. Option A is incorrect. Phonejacking is not a term used in the industry. Option B is incorrect. Bluejacking sends unwanted text messages to the phone. Option D is incorrect. Evil twin is a WiFi attack.

104. What type of attack uses Bluetooth to access the data from a cell phone when in range? A. Phonejacking B. Bluejacking C. Bluesnarfing D. Evil twin

105. D. A rainbow table is a table of precomputed hashes. Option A is incorrect. A dictionary attack is a table of common words used to guess the password. Option B is incorrect. Brute force involves trying every random possibility. Option C is incorrect. In pass the hash, the attacker has the hash and bypasses the application, passing the hash directly to the backend service.

105. An attacker is using a table of precomputed hashes in order to try to get a Windows password. What type of technique is being used? A. Dictionary B. Brute force C. Pass the hash D. Rainbow table

106. C. The fact that the attack is coming from multiple sources makes this a distributed denial of service. Option A is incorrect. A Smurf attack involves sending spoofed broadcast packets to the target network's router. Option B is incorrect. Yes, this is a denial-of-service attack, but it is distributed. Option D is incorrect. A SYN flood involves lots of half-open connections.

106. Carlos works in incident response for a mid-sized bank. Users inform him that internal network connections are fine, but connecting to the outside world is very slow. Carlos reviews logs on the external firewall and discovers tens of thousands of ICMP packets coming from a wide range of different IP addresses. What type of attack is occurring? A. Smurf B. DoS C. DDoS D. SYN flood

107. A. A downgrade attack is often used against secure communications such as TLS in an attempt to get the user to shift to less secure modes. Option B is incorrect. A brute-force attack tries either all possible passwords or all possible cryptography keys to gain access. Option C is incorrect. A rainbow table is a table of precomputed hashes used to retrieve passwords. Option D is incorrect. Bluesnarfing is a Bluetooth attack on cell phones.

107. What type of attack is it when the attacker attempts to get the victim's communication to abandon a high-quality/secure mode in favor of a lower-quality/less secure mode? A. Downgrade B. Brute force C. Rainbow table D. Bluesnarfing

108. A. In a white-box test, the tester is given extensive knowledge of the target network. Option B is incorrect. This is not a term used to describe testing. Option C is incorrect. Black-box testing involves only very minimal information being given to the tester. Option D is incorrect. A red team test simulates a particular type of attacker, such as a nation-state attacker, an insider, or other type of attacker.

108. What type of penetration test is being done when the tester is given extensive knowledge of the target network? A. White-box B. Full disclosure C. Black-box D. Red team

109. C. Social engineering is about using people skills to get information you would not otherwise have access to. Option A is incorrect. Despite the word engineering, this has nothing to do with technical means. Option B is incorrect. This would be dumpster diving. Option D is incorrect. Yes, phishing emails use some social engineering, but that is one example of social engineering, not a definition.

109. Your company is instituting a new security awareness program. You are responsible for educating end users on a variety of threats, including social engineering. Which of the following best defines social engineering? A. Illegal copying of software B. Gathering information from discarded manuals and printouts C. Using people skills to obtain proprietary information D. Phishing emails

C. The machines in her network are being used as bots, and the users are not aware that they are part of a DDoS attack. Option A is incorrect. Social engineering is when someone tries to manipulate you into giving information. Techniques involved in social engineering attacks include consensus, scarcity, and familiarity. Option B is incorrect. There is a slight chance that all computers could have a backdoor, but that is very unlikely, and attackers normally don't manually log into each machine to do a distributed denial of service (DDoS)—it would be automated, as through a bot. Option D is incorrect. Crypto-viruses are not related to DDoS attacks.

11. Teresa is the security manager for a mid-sized insurance company. She receives a call from law enforcement, telling her that some computers on her network participated in a massive denial-of-service (DoS) attack. Teresa is certain that none of the employees at her company would be involved in a cybercrime. What would best explain this scenario? A. It is a result of social engineering. B. The machines all have backdoors C. The machines are bots. D. The machines are infected with crypto-viruses.

110. C. Shoulder surfing involves literally looking over someone's shoulder in a public place and gathering information, perhaps login passwords. Option A is incorrect. ARP poisoning alters the address resolution protocol tables in the switch. Option B is incorrect. Phishing is an attempt to gather information, often via email, or to convince a user to click a link to, and/or download, an attachment. Option D is incorrect. Smurf is a type of denial-of-service attack.

110. Which of the following attacks can be caused by a user being unaware of their physical surroundings? A. ARP poisoning B. Phishing C. Shoulder surfing D. Smurf attack

111. D. The sending of spoofed broadcast messages to the target network router is a Smurf attack. Option A is incorrect. In a SYN flood, a large number of SYN packets are sent but not responded to. This leads to a large number of half-open connections. Option B is incorrect. An ICMP flood is a large amount of ICMP (such as ping) packets sent to the target. Option C is incorrect. In a buffer overflow attack, more data is sent to a variable than it was designed to hold.

111. Francine is a network administrator for Acme Corporation. She has noticed that one of the servers is now unreachable. After carefully reviewing various logs, she discovers that a large number of broadcast packets were sent to the network router, spoofing the server's IP address. What type of attack is this? A. SYN flood B. ICMP flood C. Buffer overflow D. Smurf attack

112. C. Cross-site scripting involves entering code (script) into a text field that will be displayed to other users. Option A is incorrect. In SQL injection, malformed SQL statements are entered into a text box in an attempt to circumvent the website's security. Option B is incorrect. A logic bomb is software that performs its malicious activity when some condition is met. Option D is incorrect. Session hijacking involves taking over an authenticated session.

112. An attacker enters code into a text box on a website. That text box is used for product reviews. The attacker wants his code to execute the next time a visitor visits that page. What is this attack called? A. SQL injection B. Logic bomb C. Cross-site scripting D. Session hijacking

113. A. Putting false entries into the DNS records of a DNS server is DNS poisoning. Option B is incorrect. A denial-of-service attack attempts to overwhelm a server or service and render it inaccessible to legitimate users. Option C is incorrect. DNS caching is a method of normal DNS operations. Option D is incorrect. A Smurf attack is a type of denial of service.

113. A user is redirected to a different website when the user requests the DNS record www.xyz.com. Which of the following is this an example of? A. DNS poisoning B. DoS C. DNS caching D. Smurf attack

114. D. IP addresses in the range of 169.254 are automatic private IP addresses (APIPA) and indicate the system could not get a dynamic IP address from the DHCP server. This is a typical symptom of DHCP starvation. Option A is incorrect. Smurf attacks involve sending spoofed broadcast messages to the target network's router. Option B is incorrect. Nothing in this scenario describes a man-in-the-middle attack. Option C is incorrect. Nothing in this scenario indicates a distributed denial-of-service attack.

114. Tom is the network administrator for a small accounting firm. As soon as he comes in to work, users report to him that they cannot connect to the network. After investigating, Tom discovers that none of the workstations can connect to the network and all have an IP address in the form of 169.254.x.x. What has occurred? A. Smurf attack B. Man-in-the-middle attack C. DDoS D. DHCP starvation

115. B. Distributed denial-of-service (DDoS) attacks often use bots in a botnet to perform the attack. Option A is incorrect. Denial of service (DoS) is too broad a category and does not adequately match the scenario description. Option C is incorrect. A buffer overflow attempts to put more data into a variable than it is designed to accept. Option D is incorrect. A Trojan horse links a malware program to a legitimate program

115. Which of the following would most likely use a group of bots to stop a web server from accepting new requests? A. DoS B. DDoS C. Buffer overflow D. Trojan horse

116. B. A logic bomb will perform its malicious activity when some condition is met, often a date or time. This is commonly done by disgruntled exiting employees. Options A, C, and D are all incorrect. It is certainly possible that any of these could be left by an exiting employee, but logic bombs are far more common. The reason is that the other three would execute their malicious activity immediately, making an obvious connection to the exiting employee.

116. Which of the following would a former employee most likely plant on a server before leaving to cause disruption to the network? A. Worm B. Logic bomb C. Trojan D. Virus

116. B. A logic bomb will perform its malicious activity when some condition is met, often a date or time. This is commonly done by disgruntled exiting employees. Options A, C, and D are all incorrect. It is certainly possible that any of these could be left by an exiting employee, but logic bombs are far more common. The reason is that the other three would execute their malicious activity immediately, making an obvious connection to the exiting employee.

116. Which of the following would a former employee most likely plant on a server before leaving to cause disruption to the network? A. Worm B. Logic bomb C. Trojan D. Virus

117. C. A correct three-way handshake involves the client sending a SYN packet, the server responding with SYN and ACK, and the client completing the handshake with an ACK. If you see a large number SYN packets without the corresponding ACK, that is likely to be a SYN flood. Options A and B are incorrect. Address and port numbers have nothing to do with SYN flood attacks. Option D is incorrect. RST is not the appropriate response to a SYN, and you should not expect to see RSTs in response to a SYN.

117. A SYN flood is a DoS attack in which an attacker deliberately violates the three-way handshake and opens a large number of half-open TCP connections. The signature of a SYN flood attack is: A. The source and destination address having the same value B. The source and destination port numbers having the same value C. A large number of SYN packets appearing on a network without the corresponding ACK packets D. A large number of SYN packets appearing on a network with the corresponding reply RST

118. A. In a white-box test, the tester has full or very nearly full knowledge of the system. Option B is incorrect. No knowledge is a black-box test. Options C and D are incorrect. In any test, the tester should have permission to access the system.

118. What does white-box testing mean? A. The tester has full knowledge of the environment. B. The tester has no knowledge of the environment. C. The tester has permission to access the system. D. The tester has no permission to access the system

119. A. Passive information gathering involves using methods other than directly accessing the network to gather information. Social media and newsgroups are commonly used. Option B is incorrect. Active information gathering involves tasks such as port scanning that actually do connect to the target network. Option C is incorrect. The initial exploit is when the tester tries to gain some access to some aspect of the system. Option D is incorrect. Vulnerability scanning involves automated and semiautomated processes to find known vulnerabilities in a system.

119. Ahmed has been hired to perform a penetration test of Acme Corporation. He begins by looking at IP address ranges owned by the company and details of domain name registration. He also visits social media and newsgroups to see if they contain any sensitive information or have any technical details online. Within the context of penetration-examining methodology, what phase is Ahmed conducting? A. Passive information gathering B. Active information gathering C. Initial exploitation D. Vulnerability scanning

B. This is a classic example of ransomware. Option A is incorrect. A rootkit provides access to administrator/root privileges. Option C is incorrect. A logic bomb executes its malicious activity when some condition is met. Option D is incorrect. This scenario does not describe whaling.

12. Mike is a network administrator with a small financial services company. He has received a popup window that states his files are now encrypted and he must pay .5 bitcoins to get them decrypted. He tries to check the files in question, but their extensions have changed, and he cannot open them. What best describes this situation? A. Mike's machine has a rootkit. B. Mike's machine has ransomware. C. Mike's machine has a logic bomb. D. Mike's machine has been the target of whaling.

120. B. This is the definition of session hijacking. Option A is incorrect. Man-in-the-middle involves having some process between the two ends of communication in order to compromise passwords or cryptography keys. Option C is incorrect. A backdoor is some means for accessing a system that circumvents normal authentication. Option D is incorrect. A Smurf attack is a specific type of denial-of-service attack.

120. Mary works for a large insurance company, on their cybersecurity team. She is investigating a recent incident and discovers that a server was breached using an authorized user's account. After investigating the incident further, Mary believes that the authorized user logged on, and then someone else took over their session. What best describes this attack? A. Man-in-the-middle B. Session hijacking C. Backdoor D. Smurf attack

121. B. Vulnerability scans use automated and semiautomated processes to identify known vulnerabilities. Option A is incorrect. Audits usually involve document checks. Options C and D are incorrect. These are both types of penetration tests.

121. Which of the following type of testing utilizes an automated process of proactively identifying vulnerabilities of the computing systems present on a network? A. Security audit B. Vulnerability scanning C. White-box test D. Black-box test

122. A. Near-field communication (NFC) can be susceptible to eavesdropping. Smartphones with NFC can be used as payment methods and should utilize biometric/pin to avoid information being stolen. Option B is incorrect. Man-in-the-middle involves having some process between the two ends of communication in order to compromise passwords or cryptography keys. Option C is incorrect. A buffer overflow attack attempts to put more data in a variable than the variable is designed to hold. This is improper input handling is the root cause to many buffer overflow. Option D is incorrect. A Smurf attack is a type of denial of service.

122. What type of attack is an NFC most susceptible to? A. Eavesdropping B. Man-in-the-middle C. Buffer overflow D. Smurf attack

23. A. A gray-box test involves the tester being given partial information about the network. Option B is incorrect. A white-box test involves the tester being given full or nearly full information about the target network. Options C and D are incorrect. Neither of these is a testing term.

123. John has been asked to do a penetration test of a company. He has been given general information but no details about the network. What kind of test is this? A. Gray-box B. White-box C. Partial D. Masked

D. In the man-in-the-middle attack, the attacker is between the client and the server, and to either end, the attacker appears like the legitimate other end. Option A is incorrect. This does not describe any denial-of-service attack. Option B is incorrect. A replay attack involves resending login information. Option C is incorrect. Although a man-in-the-middle can be used to perform eavesdropping, in this scenario the best answer is man-in-the-middle.

124. Under which type of attack does an attacker's system appear to be the server to the real client and appear to be the client to the real server? A. Denial of service B. Replay C. Eavesdropping D. Man-in-the-middle

125. A. In a man-in-the-browser attack, the malware intercepts calls from the browser to the system, such as system libraries. Option B is incorrect. Man-in-the-middle involves having some process between the two ends of communication in order to compromise passwords or cryptography keys. Option C is incorrect. In a buffer overflow attack, more data is put into a variable than the variable was intended to hold. Option D is incorrect. Session hijacking involves taking over an authenticated session.

125. You are a security administrator for Acme Corporation. You have discovered malware on some of your company's machines. This malware seems to intercept calls from the web browser to libraries, and then manipulates the browser calls. What type of attack is this? A. Man-in-the-browser B. Man-in-the-middle C. Buffer overflow D. Session hijacking

126. B. This is the initial exploit, which involves getting initial access to the system. Option A is incorrect. Vulnerability scanning is an automated process that checks for the presence of known vulnerabilities. Options C and D are incorrect. These both refer to how much information about the network the tester is given. In both black-box and white-box tests, there will still be an initial exploit.

126. Your company has hired a penetration testing firm to test the company network security. The penetration tester has just been able to achieve guest-level privileges on one lowsecurity system. What best describes this phase of the test? A. Vulnerability scanning B. Initial exploit C. Black-box testing D. White-box testing

127. C. When a vendor no longer supports software, there won't be patches for vulnerabilities or other issues. Option A is incorrect. Although this may be true, it is not a security issue. Option B is incorrect. Again, this may be true, but this is not the primary risk. Option D is incorrect. This may or may not be true.

127. What is the primary risk from using outdated software? A. It may not have all the features you need. B. It may not have the most modern security features. C. It may no longer be supported by the vendor. D. It may be easier to break into than newer software.

128. D. Placing a larger integer value into a smaller integer variable is an integer overflow. Option A is incorrect. Memory overflow is not a term used, and memory leak is about allocating memory and not deallocating it. Option B is incorrect. Buffer overflows usually involve arrays. Option C is incorrect. Variable overflow is not a term used in the industry.

128. You are responsible for software testing at Acme Corporation. You want to check all software for bugs that might be used by an attacker to gain entrance into the software or your network. You have discovered a web application that would allow a user to attempt to put a 64-bit value into a 4-byte integer variable. What is this type of flaw? A. Memory overflow B. Buffer overflow C. Variable overflow D. Integer overflow

C. Armoring can be as simple as very trivial encryption, but any process that makes it difficult to reverse-engineer a virus is armoring. Option A is incorrect. A polymorphic virus periodically changes itself. Option B is incorrect. A macro virus is embedded, as a macro, into a document. Option D is incorrect. A boot sector virus infects the boot sector of a hard drive.

129. Which type of virus is most difficult to analyze by reverse engineering? A. Polymorphic B. Macro C. Armored D. Boot sector

D. The primary method for stopping both cross-site scripting and SQL injection is to check or filter user input. Option A is incorrect. A web application firewall might help, but a basic SPI firewall won't prevent this. Option B is incorrect. Most IDSs/IPSs won't detect cross-site scripting, and even if one will, option A is still the best way to prevent cross-site scripting. Option C is incorrect. This is not a buffer overflow, and checking buffer boundaries won't help.

13. Terrance is examining logs for the company e-commerce web server. He discovers a number of redirects that cannot be explained. After carefully examining the website, he finds some attacker performed a watering hole attack by placing JavaScript in the website and is redirecting users to a phishing website. Which of the following techniques would be best at preventing this in the future? A. An SPI firewall B. An active IDS/IPS C. Checking buffer boundaries D. Checking user input

130. A. Deauthorizing users from a resource is called disassociation. Option B is incorrect. Session hijacking involves taking over an authenticated session. Option C is incorrect. In the man-in-the-middle attack, the attacker is between the client and the server, and to either end, the attacker appears like the legitimate other end. Option D is incorrect. Smurf is a type of denial-of-service attack where the attacker attempts to exhaust the resources and prevent users from accessing necessary system

130. What type of attack attempts to deauthorize users from a resource, such as a wireless access point (WAP)? A. Disassociation B. Session hijacking C. Man-in-the-middle D. Smurf attack

131. A. Sending fake DNS requests that are overly large is called an amplification attack. It is a highly specialized type of denial of service. Option B is incorrect. DNS poisoning seeks to put fake DNS records in a DNS server. Option C is incorrect. DNS spoofing is using fake DNS information. Option D is incorrect. The Smurf attack is a denial of service.

131. John is a network administrator for a large retail chain. He has discovered that his DNS server is being attacked. The attack involves false DNS requests from spoofed IP addresses. The requests are far larger than normal. What type of attack is this? A. Amplification B. DNS poisoning C. DNS spoofing D. Smurf attack

132. B. In this scenario, no technical issues are mentioned—just people seeing information. So shoulder surfing best fits the scenario. Option A is incorrect. No social engineering is involved in this scenario. Option C is incorrect. Although a man-in-the-middle attack on the wireless access point (WAP) could compromise data, that's not what is described in this scenario. Option D is incorrect. Cross-site request forgery is a website attack.

132. Heidi is a security officer for an investment firm. Many of the employees in her firm travel frequently and access the company intranet from remote locations. Heidi is concerned about users logging in from public WiFi, as well as other people seeing information such as login credentials or customer data. Which of the following is Heidi's most significant concern? A. Social engineering B. Shoulder surfing C. Man-in-the-middle attack D. CSRF

133. A. Cross-site scripting is an attack on the user that is based on the user trusting the website. Options B, C, and D are incorrect.

133. Cross-site scripting is an attack on the_______ that is based on the__________ trusting the_________ . A. user, user, website B. user, website, user C. website, website, user D. user, website, website

134. A. Targeting a specific group is the definition of spear phishing. Option B is incorrect. In the man-in-the-middle attack, the attacker is between the client and the server, and to either end, the attacker appears like the legitimate other end. Option C is incorrect. Target phishing is not an industry term. Option D is incorrect. Vishing is phishing via voice over IP (VoIP).

134. You are a security officer for a large investment firm. Some of your stock traders handle very valuable accounts with large amounts of money. You are concerned about someone targeting these specific traders to get their login credentials and access account information. Which of the following best describes the attack you are concerned about? A. Spear phishing B. Man-in-the-middle C. Target phishing D. Vishing

135. A. Encryption is one method for armored viruses. Option B is incorrect. Ransomware encrypts files but is not encrypted itself. Option C is incorrect. A polymorphic virus periodically changes itself. Option D is incorrect. A Trojan horse combines malware with a legitimate program.

135. You lead an incident response team for a large retail chain store. You have discovered what you believe is spyware on the point-of-sale systems. But the malware in question is encrypted, preventing you from analyzing it. What best describes this? A. An armored virus B. Ransomware C. Polymorphic virus D. Trojan horse

136. D. This is the definition of a rootkit. Option A is incorrect. A Trojan horse combines malware with a legitimate program. Option B is incorrect. A logic bomb performs its malicious activity when some condition is met. Option C is incorrect. A multipartite virus infects the boot sector and a file.

136. Jared has discovered malware on the workstations of several users. This particular malware provides administrative privileges for the workstation to an external hacker. What best describes this malware? A. Trojan horse B. Logic bomb C. Multipartite virus D. Rootkit

137. B. This is vishing, or using voice calls for phishing. Option A is incorrect. Spear phishing is targeting a small, specific group. Option C is incorrect. War dialing is dialing numbers hoping a computer modem answers. Option D is incorrect. Robocalling is used to place unsolicited telemarketing calls.

137. Users in your company report someone has been calling their extension and claiming to be doing a survey for a large vendor. Based on the questions asked in the survey, you suspect that this is a scam to elicit information from your company's employees. What best describes this? A. Spear phishing B. Vishing C. War dialing D. Robocalling

138. A. Cross-site request forgery is an attack on the website that is based on the website trusting the user. Options B, C, and D are all incorrect.

138. Cross-site request forgery is an attack on the___________ that is based on the___________ trusting the . A. website, website, user B. user, user website C. website, user, website D. user, website, user

139. A. This is the definition of a multipartite virus. Option B is incorrect. A rootkit gets admin or root privileges. Option C is incorrect. Ransomware encrypts files and demands a ransom. Option D is incorrect. A worm is a fast-spreading virus

139. What type of virus can infect both a file in the operating system and the boot sector? A. Multipartite B. Rootkit C. Ransomware D. Worm

B. This is the description of a buffer overflow. Option A is incorrect. Bluesnarfing is a Bluetooth attack. Option C is incorrect. Bluejacking is a Bluetooth attack. Option D is incorrect. This is not a distributed denial of service

14. What type of attack is based on sending more data to a target variable than the data can actually hold? A. Bluesnarfing B. Buffer overflow C. Bluejacking D. DDoS

140. A. This is the definition of a worm. Option B is incorrect. A virus is software that self-replicates. Option C is incorrect. A logic bomb executes its malicious activity when some condition is met. Option D is incorrect. A Trojan horse combines malware with a legitimate program.

140. John is analyzing a recent malware infection on his company network. He discovers malware that can spread rapidly and does not require any interaction from the user. What best describes this malware? A. Worm B. Virus C. Logic bomb D. Trojan horse

B. Dumpster diving is the process of going through the trash to find documents. Option A is incorrect. Phishing is often done via email or phone, and is an attempt to elicit information or convince a user to click a link or open an attachment. Option C is incorrect. Shoulder surfing is literally looking over someone's shoulder. Option D is incorrect. In the man-in-the-middle attack the attacker is between the client and the server, and to either end, the attacker appears like the legitimate other end.

141. Your company has issued some new security directives. One of these new directives is that all documents must be shredded before being thrown out. What type of attack is this trying to prevent? A. Phishing B. Dumpster diving C. Shoulder surfing D. Man-in-the-middle

142. D. This is the definition of a macro virus. Option A is incorrect. A logic bomb executes its malicious activity when some condition is met. Option B is incorrect. A rootkit obtains administrative or root access. Option C is incorrect. A Trojan horse connects malware to a legitimate program.

142. What type of attack embeds malicious code into a document or spreadsheet? A. Logic bomb B. Rootkit C. Trojan horse D. Macro virus

143. A. URL hijacking or typosquatting is done by naming a phishing URL very similar to an actual URL. Option B is incorrect. DNS poisoning would be entering fake entries into a DNS server. Option C is incorrect. Cross-site scripting would show as a breach of the website. Option D is incorrect. In the man-in-the-middle attack, the attacker is between the client and the server, and to either end, the attacker appears like the legitimate other end.

143. You are a network security analyst for an online retail website. Users report that they have visited your site and had their credit cards stolen. You cannot find any evidence of any breach of your website. You begin to suspect that these users were lured to a fake site. You have found a website that is spelled exactly like your company site, with one letter different. What is this attack called? A. URL hijacking B. DNS poisoning C. Cross-site scripting D. Man-in-the-middle

144. C. The dictionary attack uses common passwords. Option A is incorrect. Rainbow tables are tables of precomputed hashes. Option B is incorrect. The birthday attack is a method for generating collisions of hashes. Option D is incorrect. No spoofing is indicated in this scenario.

144. You have discovered that someone has been trying to log on to your web server. The person has tried a wide range of likely passwords. What type of attack is this? A. Rainbow table B. Birthday attack C. Dictionary attack D. Spoofing

145. A. This is the definition of a replay attack. Option B is incorrect. IP spoofing is the process of faking an IP address. Option C is incorrect. This is not a term used in the industry. Option D is incorrect. Session hijacking is done by taking over an authenticated session.

145. You have just started a new job as a security administrator for Acme Corporation. You discover they have weak authentication protocols. You are concerned that an attacker might simply capture and re-send a user's login credentials. What type of attack is this? A. Replay attack B. IP spoofing C. Login spoofing D. Session hijacking

146. D. Active reconnaissance actually connects to the network using techniques such as port scanning. Option A is incorrect. Either can be done manually or with tools. Option B is incorrect. Black-box and white-box refer to the amount of information the tester is given. Option C is incorrect. Attackers and testers use both types of reconnaissance.

146. What is the primary difference between active and passive reconnaissance? A. Active will be done manually, passive with tools. B. Active is done with black-box tests and passive with white-box tests. C. Active is usually done by attackers and passive by testers. D. Active will actually connect to the network and could be detected; passive won't.

147. C. Vulnerability scans identify known vulnerabilities. Penetration tests actually exploit those vulnerabilities in order to breach the system. Option A is incorrect. Either insiders or outsiders can do both vulnerability scans and penetration tests. Option B is incorrect. Both vulnerability scans and penetration tests can use automated tools and manual techniques. Option D is incorrect. Black-box and white-box refer to the amount of information the tester is given.

147. What is the primary difference between a vulnerability scan and a penetration test? A. Vulnerability scans are done by employees and penetration tests by outside teams. B. Vulnerability scans only use tools; penetration tests are manual. C. Vulnerability scans just identify issues; penetration tests attempt to exploit them. D. Vulnerability scans are usually white-box tests; penetration tests are black-box tests.

148. B. This is the definition of a pivot. Option A is incorrect. In the man-in-the-middle attack, the attacker is between the client and the server, and to either end, the attacker appears like the legitimate other end. Option C is incorrect. Shimming involves inserting code between a program and a library. Option D is incorrect. Vishing is phishing over the phone line, often VoIP.

148. When an attacker breaches one system and uses that as a base to attack a related system, what is this called? A. Man-in-the-middle B. Pivot C. Shimming D. Vishing

149. C. Active scanning actually connects to the target network. Option A is incorrect. Passive scanning does not actually connect to the target network. Options B and D are incorrect. Black-box and white-box refer to the amount of information the tester is given

149. Terrance is conducting a penetration test for a client. The client is a major e-commerce company and is primarily concerned about security for their web server. He has just finished running Nmap and OWASP Zap on the target web server. What is this activity called? A. Passive scanning B. Black-box testing C. Active scanning D. White-box testing

A. Vulnerability scan uses automated tools such as Nessus and Microsoft Baseline Security Analyzer to find known vulnerabilities. Option B is incorrect. Penetration tests seek to actually exploit the vulnerabilities and break into systems. Option C is incorrect. Security audits usually focus on checking policies, incident reports, and other documents. Option D is incorrect. Security test is a generic term for any sort of test.

15. You have been asked to test your company network for security issues. The specific test you are conducting involves primarily using automated and semiautomated tools to look for known vulnerabilities with the various systems on your network. Which of the following best describes this type of test? A. Vulnerability scan B. Penetration test C. Security audit D. Security test

150. D. A firewall not running is not a configuration issue. Options A, B, and C are all incorrect. These are all common security misconfiguration issues.

150. You have just taken over as the CISO for a large bank. You are concerned about making sure all systems are secure. One major concern you have is security misconfiguration. Which of the following is not a common security misconfiguration? A. Unpatched operating system B. Default accounts with passwords C. Unneeded services running D. No firewall running

A. Credentials the WAP shipped with are an example of default configuration. Option B is incorrect. Race conditions involve multithreaded applications accessing shared variables. Option C is incorrect. Patches won't change the default password. Option D is incorrect. Encryption does not affect logging into the administrative screen.

16. Jared discovers that attackers have breached his WiFi network. They have gained access via the wireless access point (WAP) administrative panel, and have logged on with the credentials the WAP shipped with. What best describes this issue? A. Default configuration B. Race conditions C. Failure to patch D. Weak encryption

C. Social engineering can only be countered by user training and education. Options A and B are incorrect. No technology can prevent social engineering. Option D is incorrect. Strong policies can only help if users are well trained in the policies.

17. Joanne is concerned about social engineering. She is particularly concerned that this technique could be used by an attacker to obtain information about the network, including possibly even passwords. What countermeasure would be most effective in combating social engineering? A. SPI firewall B. An IPS C. User training D. Strong policies

C. ARP poisoning is used to change the ARP tables routing data to a different MAC address, which would explain why there were no entries. Option A is incorrect. A backdoor would not explain that the log entries were sent, but not received. Option B is incorrect. A buffer overflow would not explain that the log entries were sent but not received. Option D is incorrect. An IDS would not stop log entries even if it was malfunctioning.

18. You are responsible for incident response at a mid-sized bank. You have discovered that someone was able to successfully breach your network and steal data from your database server. All servers are configured to forward logs to a central logging server. However, when you examine that central log, there are no entries after 2:13 a.m. two days ago. You check the servers, and they are sending logs to the right server, but they are not getting there. Which of the following would be most likely to explain this? A. Your log server has a backdoor. B. Your log server has been hit with a buffer overflow attack. C. Your switches have been hit with ARP poisoning. D. Your IDS is malfunctioning and blocking log transmissions.

19. A. From the description it appears that they are not logging into the real web server but rather a fake server. That indicates typosquatting: have a URL that is named very similarly to a real site so that when users mistype the real site's URL they will go to the fake site. Options B, C, and D are all incorrect. These are all methods of attacking a website, but in this case, the actual website was not attacked. Instead, some users are visiting a fake site.

19. Coleen is the web security administrator for an online auction website. A small number of users are complaining that when they visit the website and log in, they are told the service is down and to try again later. Coleen checks and she can visit the site without any problem, even from computers outside the network. She also checks the webserver log and there is no record of those users ever connecting. Which of the following might best explain this? A. Typosquatting B. SQL injection C. Cross-site scripting D. Cross-site request forgery

D. The term for low-skilled hackers is script kiddie. Option A is incorrect. Nothing indicates this is being done for ideological reasons. Option B is incorrect. "Amateur" may be an appropriate description, but the correct term is script kiddie. Option C is incorrect. Nothing in this scenario indicates an insider threat.

20. Mahmoud is responsible for managing security at a large university. He has just performed a threat analysis for the network, and based on past incidents and studies of similar networks, he has determined that the most prevalent threat to his network is low-skilled attackers who wish to breach the system, simply to prove they can or for some low-level crime, such as changing a grade. Which term best describes this type of attacker? A. Hacktivist B. Amateur C. Insider D. Script kiddie

B. The term for this is botnet, usually spelled as one word. Options A, C, and D are all incorrect. Although these terms might sound the same, they are simply not the terms used in the industry.

21. Which of the following best describes a collection of computers that have been compromised and are being controlled from one central point? A. Zombienet B. Botnet C. Nullnet D. Attacknet

B. Passive reconnaissance is any reconnaissance that is done without actually connecting to the target. Option A is incorrect. Active reconnaissance involves communicating with the target network, such as doing a port scan. Option C is incorrect. The initial exploitation is not information gathering; it is actually breaking into the target network. Option D is incorrect. A pivot is when you have breached one system and use that to move to another system.

22. John is conducting a penetration test of a client's network. He is currently gathering information from sources such as archive.org, netcraft.com, social media, and information websites. What best describes this stage? A. Active reconnaissance B. Passive reconnaissance C. Initial exploitation D. Pivot

23. C. Some spyware takes screen captures of the system, and it is common for such spyware to hide them in the temp folder. Option A is incorrect. There is no evidence of any corporate data, just screenshots from the salesperson's own machine. And if he was stealing data, he would not draw attention to his computer by reporting a problem. Option B is incorrect. Nothing in this scenario indicates a backdoor. Option D is incorrect. Updates won't affect this.

23. One of the salespeople in your company reports that his computer is behaving sluggishly. You check but don't see any obvious malware. However, in his temp folder you find JPEGs that look like screenshots of his desktop. Which of the following is the most likely cause? A. He is stealing data from the company. B. There is a backdoor on his computer. C. There is spyware on his computer. D. He needs to update his Windows

A. This is an exact description of DNS poisoning or domain hijacking. Option B is incorrect. ARP poisoning involves altering the MAC-IP tables in a switch. Options C and D are incorrect. These are both Bluetooth attacks.

24. What type of attack is based on entering fake entries into a target network's domain name server? A. DNS poisoning B. ARP poisoning C. Bluesnarfing D. Bluejacking

C. A black-box test involves absolutely minimal information. Option A is incorrect. A white-box test involves very complete information being given to the tester. Option B is incorrect. This scenario is probably done from outside the network, but external test is not the correct terminology. Option D is incorrect. Threat test is not a term used in penetration testing.

25. Frank has been asked to conduct a penetration test of a small bookkeeping firm. For the test, he has only been given the company name, the domain name for their website, and the IP address of their gateway router. What best describes this type of test? A. White-box test B. External test C. Black-box test D. Threat test

26. D. A pivot occurs when you exploit one machine and use that as a basis to attack other systems. Option A is incorrect. Pivots can be done from internal or external tests. Options B and C are incorrect. These describe how much information the tester is given in advance, not how the tester performs the test.

26. You work for a security company that performs penetration testing for clients. You are conducting a test of an e-commerce company. You discover that after compromising the web server, you can use the web server to launch a second attack into the company's internal network. What best describes this? A. Internal attack B. White-box testing C. Black-box testing D. A pivot

27. A. Shimming is when the attacker places some malware between an application and some other file, and intercepts the communication to that file (usually to a library or system API). Option B is incorrect. A Trojan horse might be used to get the shim onto the system, but that is not described in this scenario. Option C is incorrect. A backdoor is a means to circumvent system authorization and get direct access to the system. Option D is incorrect. Refactoring is the process of changing names of variables, functions, etc. in a program.

27. While investigating a malware outbreak on your company network, you discover something very odd. There is a file that has the same name as a Windows system DLL, and even has the same API interface, but handles input very differently, in a manner to help compromise the system, and it appears that applications have been attaching to this file, rather than the real system DLL. What best describes this? A. Shimming B. Trojan horse C. Backdoor D. Refactoring

28. A. A white-box test involves providing extensive information, as described in this scenario. Option B is incorrect. A white-box test could be internal or external. Option C is incorrect. This is the opposite of a black-box test. Option D is incorrect. Threat test is not a term used in penetration testing.

28. Your company has hired a penetration testing firm to test the network. For the test, you have given the company details on operating systems you use, applications you run, and network devices. What best describes this type of test? A. White-box test B. External test C. Black-box test D. Threat test

B. His machines are part of a distributed denial-of-service attack. Option A is incorrect. This scenario describes a generic DDoS, not a specific one like SYN flood. Option C is incorrect. These machines could be part of a botnet, or just have a trigger that causes them to launch the attack at a specific time. The real key in this scenario is the DDoS attack. Option D is incorrect. A backdoor gives an attacker access to the target system.

29. Frank is a network administrator for a small college. He discovers that several machines on his network are infected with malware. That malware is sending a flood of packets to a target external to the network. What best describes this attack? A. SYN flood B. DDoS C. Botnet D. Backdoor

30. D. This is a textbook example of how ransomware works. Option A is incorrect. A rootkit gives administrative, or root, access. Option B is incorrect. A logic bomb executes its malicious activity when some specific condition is met. Option C is incorrect. A boot sector virus, as the name suggests, infects the boot sector of the target computer.

30. John is a salesman for an automobile company. He recently downloaded a program from an unknown website, and now his client files have their file extensions changed, and he cannot open them. He has received a popup window that states his files are now encrypted and he must pay .5 bitcoins to get them decrypted. What has happened? A. His machine has a rootkit. B. His machine has a logic bomb. C. His machine has a boot sector virus. D. His machine has ransomware

31. D. Whaling is targeting a specific individual. Option A is incorrect. Spear phishing targets a small group. Option B is incorrect. Targeted phishing is not a term used in the industry. Option C is incorrect. Phishing is the generic term for a wide range of related attacks.

31. When phishing attacks are so focused that they target a specific individual, they are called what? A. Spear phishing B. Targeted phishing C. Phishing D. Whaling

32. C. You are concerned about buffer overflows, and thus checking buffer boundaries is the best defense. Options A and B are incorrect. While these technological solutions can always be a benefit for security, they are unlikely to address buffer overflow attacks effectively. Option D is incorrect. Checking user input helps defend against SQL injection and crosssite scripting.

32. You are concerned about a wide range of attacks that could affect your company's web server. You have recently read about an attack wherein the attacker sends more data to the target than the target is expecting. If done properly, this could cause the target to crash. What would best prevent this type of attack? A. An SPI firewall B. An active IDS/IPS C. Checking buffer boundaries D. Checking user input

33. C. Security audits typically focus on checking policies, documents, and so forth. Option A is incorrect. Vulnerability scans use automated and semiautomated processes to check for known vulnerabilities. Option B is incorrect. Penetration tests attempt to actually exploit vulnerabilities and breach systems. Option D is incorrect. Security test is too general a term.

33. You work for a large retail company that processes credit card purchases. You have been asked to test your company network for security issues. The specific test you are conducting involves primarily checking policies, documentation, and past incident reports. Which of the following best describes this type of test? A. Vulnerability scan B. Penetration test C. Security audit D. Security test

34. A. Although many things could explain what she is experiencing, the scenario most closely matches connecting to a rogue access point where her login credentials were stolen. Options B and C are incorrect. Both involve malware, and the scenario states no sign of malware was found. Option D is incorrect. This does not match the symptoms of a buffer overflow attack.

34. Maria is a salesperson with your company. After a recent sales trip, she discovers that many of her logins have been compromised. You carefully scan her laptop and cannot find any sign of any malware. You do notice that she had recently connected to a public WiFi at a coffee shop, and it is only since that connection that she noticed her logins had been compromised. What would most likely explain what has occurred? A. She connected to a rogue AP. B. She downloaded a Trojan horse. C. She downloaded spyware. D. She is the victim of a buffer overflow attack.

35. D. This is a classic example of an attacker using social engineering on the accountant, in order to gain access to his system. Options A and B are incorrect. This scenario does not describe either IP or MAC spoofing. Option C is incorrect. A man-in-the-middle attack would require an attacker to get in between a source and destination for some sort of electronic communication. That is not described in this scenario.

35. You are the manager for network operations at your company. One of the accountants sees you in the hall and thanks you for your team keeping his antivirus software up to date. When you ask him what he means, he mentions that one of your staff, named Mike, called him and remotely connected to update the antivirus. You don't have an employee named Mike. What has occurred? A. IP spoofing B. MAC spoofing C. Man-in-the-middle attack D. Social engineering

36. D. An intrusion detection system will simply report issues, and not block the traffic. Option A is incorrect. An intrusion prevention system will stop suspected traffic, and in the event of a false positive, will shut down legitimate traffic. Option B is incorrect. A web application firewall (WAF), as the name suggests, primarily protects a web server against external attacks. Option C is incorrect. SIEMs aggregate logs for analysis

36. You are a security administrator for a bank. You are very interested in detecting any breaches or even attempted breaches of your network, including those from internal personnel. But you don't want false positives to disrupt work. Which of the following devices would be the best choice in this scenario? A. IPS B. WAF C. SIEM D. IDS

37. A. A rainbow table is a table of precomputed hashes, used to retrieve passwords. Option B is incorrect. A backdoor is used to gain access to a system, not recover passwords. Options C and D are incorrect. While both of these can be used to gain access to passwords, they are not tables of precomputed hashes.

37. One of your users cannot recall the password for their laptop. You want to recover that password for them. You intend to use a tool/technique that is popular with hackers, and it consists of searching tables of precomputed hashes to recover the password. What best describes this? A. Rainbow table B. Backdoor C. Social engineering D. Dictionary attack

38. A. Bluejacking involves sending unsolicited messages to Bluetooth devices when they are in range. Option B is incorrect. Bluesnarfing involves getting data from the Bluetooth device. Options C and D are incorrect. Evil twin uses a rogue access point whose name is similar or identical to that of a legitimate access point.

38. You have noticed that when in a crowded area, you sometimes get a stream of unwanted text messages. The messages end when you leave the area. What describes this attack? A. Bluejacking B. Bluesnarfing C. Evil twin D. Rogue access point

39. A. This is the term for rummaging through the waste/trash. Options B and D are incorrect. These terms, though grammatically correct, are simply not the terms used in the industry. Option C is incorrect. Nothing in this scenario describes social engineering.

39. Someone has been rummaging through your company's trash bins seeking to find documents, diagrams, or other sensitive information that has been thrown out. What is this called? A. Dumpster diving B. Trash diving C. Social engineering D. Trash engineering

40. B. Bluesnarfing involves accessing data from a Bluetooth device when it is in range. Option A is incorrect. Bluejacking involves sending unsolicited messages to Bluetooth devices when they are in range. Option C is incorrect. Evil twin uses a rogue access point whose name is similar or identical to that of a legitimate access point. Option D is incorrect. A RAT is a remote-access Trojan. Nothing in this scenario points to a RAT being the cause of the stolen data.

40. You have noticed that when in a crowded area, data from your cell phone is stolen. Later investigation shows a Bluetooth connection to your phone, one that you cannot explain. What describes this attack? A. Bluejacking B. Bluesnarfing C. Evil twin D. RAT

41. A. This is a remote-access Trojan (RAT), malware that opens access for someone to remotely access the system. Option B is incorrect. A backdoor does provide access but it is usually in the system due to programmers putting it there, not due to malware on the system. Option C is incorrect. A logic bomb executes its misdeeds when some logical condition is met. Option D is incorrect. A rootkit provides root or administrative access to the system.

41. Louis is investigating a malware incident on one of the computers on his network. He has discovered unknown software that seems to be opening a port, allowing someone to remotely connect to the computer. This software seems to have been installed at the same time as a small shareware application. Which of the following best describes this malware? A. RAT B. Backdoor C. Logic bomb D. Rootkit

42. D. The term used in the industry is excessive privileges, and it is the opposite of good security practice, which states that each user should have least privileges (i.e., just enough privileges to do his or her job). Options A through C are incorrect. While these are grammatically correct, they are not the terms used in the industry.

42. This is a common security issue that is extremely hard to control in large environments. It occurs when a user has more computer rights, permissions, and privileges than what is required for the tasks the user needs to perform. What best describes this scenario? A. Excessive rights B. Excessive access C. Excessive permissions D. Excessive privileges

43. Option B is correct; zero-day exploits are new, and they are not in the virus definitions for the antivirus programs. This makes them difficult to detect, except by their behavior. Options A, C, and D are incorrect. These are all forms of malware, but should be picked up by at least one of the antivirus programs.

43. Jared is responsible for network security at his company. He has discovered behavior on one computer that certainly appears to be a virus. He has even identified a file he thinks might be the virus. However, using three separate antivirus programs, he finds that none can detect the file. Which of the following is most likely to be occurring? A. The computer has a RAT. B. The computer has a zero-day exploit. C. The computer has a logic bomb. D. The computer has a rootkit.

44. Option B is correct. When using products the vendor no longer supports, also known as end-of-life, one major concern is that there won't be patches available for any issues or vulnerabilities. Option A is incorrect; this is certainly not normal. Option C is incorrect. SIEMs aggregate logs and are operating system agnostic. Option D is incorrect. An older system is not necessarily more susceptible to denial-ofservice (DoS) attacks.

44. There are some computers on your network that use Windows XP. They have to stay on Windows XP due to a specific application they are running. That application won't run on newer operating systems. What security concerns does this situation give you? A. No special concerns; this is normal. B. The machines cannot be patched; XP is no longer supported. C. The machines cannot coordinate with an SIEM since XP won't support that. D. The machines are more vulnerable to DoS attacks.

45. D. WiFi protected setup (WPS) uses a PIN to connect to the wireless access point (WAP). The WPS attack attempts to intercept that PIN in transmission, connect to the WAP, and then steal the WPA2 password. Options A and B are incorrect. Nothing in this scenario requires or describes a rogue access point/evil twin. Option C is incorrect. An IV attack is an obscure cryptographic attack.

45. Farès has discovered that attackers have breached his wireless network. They seem to have used a brute-force attack on the WiFi-protected setup PIN to exploit the WAP and recover the WPA2 password. What is this attack called? A. Evil twin B. Rogue WAP C. IV attack D. WPS Attack

46. C. Initialization vectors are used with stream ciphers. An IV attack attempts to exploit a flaw to use the IV to expose encrypted data. Options A and B are incorrect. Nothing in this scenario requires or describes a rogue access point/evil twin. Option D is incorrect. WiFi protected setup (WPS) uses a PIN to connect to the wireless access point (WAP). The WPS attack attempts to intercept that PIN in transmission, connect to the WAP, and then steal the WPA2 password.

46. Your wireless network has been breached. It appears the attacker modified a portion of data used with the stream cipher and utilized this to expose wirelessly encrypted data. What is this attack called? A. Evil twin B. Rogue WAP C. IV attack D. WPS Attack

A. Any of these systems could help with detecting malicious activity by an insider, but the intrusion prevention system will block such activity, if detected. Option B is incorrect. SIEMs simply aggregate logs. Option C is incorrect. A honeypot can be useful in trapping a malicious actor but not in stopping data exfiltration. Option D is incorrect. Firewalls can block traffic, but normally data exfiltration looks like normal traffic and is hard for a firewall to block.

47. John is concerned about disgruntled employees stealing company documents and exfiltrating them from the network. He is looking for a solution that will detect likely exfiltration and block it. What type of system is John looking for? A. IPS B. SIEM C. Honeypot D. Firewall

48. D. This appears to be a situation where your network's DNS server is compromised and sending people to a fake site. Option A is incorrect. A Trojan horse is malware tied to a legitimate program. Option B is incorrect. IP spoofing would be using a fake IP address, but that is not described in this scenario. In fact, the users are not even typing in IP addresses—they are typing in URLs. Option C is incorrect. Clickjacking involves tricking users into clicking something other than what they intended.

48. Some users on your network use Acme Bank for their personal banking. Those users have all recently been the victim of an attack, wherein they visited a fake Acme Bank website and their logins were compromised. They all visited the bank website from your network, and all of them insist they typed in the correct URL. What is the most likely explanation for this situation? A. Trojan horse B. IP spoofing C. Clickjacking D. DNS poisoning

49. B. This is a classic description of jamming. Option A is incorrect. IV attacks are obscure cryptographic attacks on stream ciphers. Option C is incorrect. WiFi protected setup (WPS) uses a PIN to connect to the wireless access point (WAP). The WPS attack attempts to intercept that PIN in transmission, connect to the WAP, and then steal the WPA2 password. Option D is incorrect. A botnet is a group of machines that are being used, without their consent, as part of an attack.

49. Users are complaining that they cannot connect to the wireless network. You discover that the WAPs are being subjected to a wireless attack designed to block their WiFi signals. Which of the following is the best label for this attack? A. IV attack B. Jamming C. WPS attack D. Botnet

50. A. This is the classic description of clickjacking. Options B and C are incorrect. These are Bluetooth attacks. Option D is incorrect. Nothing in this scenario requires or describes an evil twin.

50. What type of attack involves users clicking on something different on a website than what they intended to click on? A. Clickjacking B. Bluesnarfing C. Bluejacking D. Evil twin

51. B. Cross-site request forgery sends fake requests to a website that purport to be from a trusted, authenticated user. Option A is incorrect. Cross-site scripting exploits the trust the user has for the website and embeds scripts into that website. Option C is incorrect. Bluejacking is a Bluetooth attack. Option D is incorrect. Nothing in this scenario requires or describes an evil twin.

51. What type of attack exploits the trust that a website has for an authenticated user to attack that website by spoofing requests from the trusted user? A. Cross-site scripting B. Cross-site request forgery C. Bluejacking D. Evil twin

52. C. This is a classic example of typosquatting. The website is off by only one or two letters, hoping that when users to the real website mistype the URL they will go to the fake website. Option A is incorrect. Session hijacking is taking over an authenticated session. Option B is incorrect. Cross-site request forgery sends fake requests to a website that purport to be from a trusted, authenticated user. Option D is incorrect. Clickjacking attempts to trick users into clicking on something other than what they intended.

52. John is a network administrator for Acme Company. He has discovered that someone has registered a domain name that is spelled just one letter different than his company's domain. The website with the misspelled URL is a phishing site. What best describes this attack? A. Session hijacking B. Cross-site request forgery C. Typosquatting D. Clickjacking

53. A. Bluesnarfing uses Bluetooth to extract data from a Bluetooth device. Option B is incorrect. Session hijacking is taking over an authenticated session. Option C is incorrect. Backdoors are built-in methods to circumvent authentication. Option D is incorrect. Cross-site request forgery sends fake requests to a website that purport to be from a trusted, authenticated user.

53. Frank has discovered that someone was able to get information from his smartphone using a Bluetooth connection. The attacker was able to get his contact list and some emails he had received. What is this type of attack called? A. Bluesnarfing B. Session hijacking C. Backdoor attack D. CSRF

54. B. This is a classic example of a disassociation attack. The attacker tricks users into disassociating from the device. Option A is incorrect. Misconfiguration won't cause authenticated users to de-authenticate. Option C is incorrect. Session hijacking involves taking over an authenticated session. Option D is incorrect. Backdoors are built-in methods to circumvent authentication.

54. Juanita is a network administrator for Acme Company. Some users complain that they keep getting dropped from the network. When Juanita checks the logs for the wireless access point (WAP), she finds that a deauthentication packet has been sent to the WAP from the users' IP addresses. What seems to be happening here? A. Problem with users' WiFi configuration B. Disassociation attack C. Session hijacking D. Backdoor attack

55. A. This is an example of a dictionary attack. The attacker uses a list of words that are believed to be likely passwords. Option B is incorrect. A rainbow table is a precomputed table of hashes. Option C is incorrect. Brute force tries every possible random combination. If attacker has the original plaintext and ciphertext for a message, they can determine the key space used through brute force attempts targeting the keyspace. Option D is incorrect. Session hijacking is when the attacker takes over an authenticated session.

55. John has discovered that an attacker is trying to get network passwords by using software that attempts a number of passwords from a list of common passwords. What type of attack is this? A. Dictionary B. Rainbow table C. Brute force D. Session hijacking

56. B. This is a classic example of a downgrade attack. Option A is incorrect. In a disassociation attack, the attacker attempts to force the victim into disassociating from a resource. Option C is incorrect. Session hijacking is when the attacker takes over an authenticated session. Option D is incorrect. Brute force attempts every possible random combination to get the password or encryption key.

56. You are a network security administrator for a bank. You discover that an attacker has exploited a flaw in OpenSSL and forced some connections to move to a weak cipher suite version of TLS, which the attacker could breach. What type of attack was this? A. Disassociation attack B. Downgrade attack C. Session hijacking D. Brute force

57. D. A collision is when two different inputs produce the same hash. Option A is incorrect. A rainbow table is a table of precomputed hashes. Option B is incorrect. Brute force attempts every possible random combination to get the password or encryption key. Option C is incorrect. Session hijacking is when the attacker takes over an authenticated session.

57. When an attacker tries to find an input value that will produce the same hash as a password, what type of attack is this? A. Rainbow table B. Brute force C. Session hijacking D. Collision attack

58. C. An advanced persistent threat (APT) involves sophisticated (i.e., advanced) attacks over a period of time (i.e., persistent) Option A is incorrect. A distributed denial of service could be a part of an APT, but in and of itself is unlikely to be an APT. Option B is incorrect. Brute force attempts every possible random combination to get the password or encryption key. Option D is incorrect. In a disassociation attack, the attacker attempts to force the victim into disassociating from a resource.

58. Farès is the network security administrator for a company that creates advanced routers and switches. He has discovered that his company's networks have been subjected to a series of advanced attacks over a period of time. What best describes this attack? A. DDoS B. Brute force C. APT D. Disassociation attack

59. D. Whether the attacker is an organized criminal, hacktivist, nation-state attacker, or script kiddie, the amount of data stolen could be large or small. Options A, B, and C are all incorrect. These are exactly the attributes of an attack you do examine to determine the most likely attacker

59. You are responsible for incident response at Acme Company. One of your jobs is to attempt to attribute attacks to a specific type of attacker. Which of the following would not be one of the attributes you consider in attributing the attack? A. Level of sophistication B. Resources/funding C. Intent/motivation D. Amount of data stolen

60. A. When an IDS or antivirus mistakes legitimate traffic for an attack, this is called a false positive. Option B is incorrect. A false negative is when the IDS mistakes an attack for legitimate traffic. It is the opposite of a false positive. Options C and D are both incorrect. While these may be grammatically correct, these are not the terms used in the industry.

60. John is running an IDS on his network. Users sometimes report that the IDS flags legitimate traffic as an attack. What describes this? A. False positive B. False negative C. False trigger D. False flag

61. A. The term for attempting to gain any privileges beyond what you have is privilege escalation. Option B is incorrect. Session hijacking is taking over an authenticated session. Options C and D are incorrect. These are not terms used in the industry.

61. You are performing a penetration test of your company's network. As part of the test, you will be given a login with minimal access and will attempt to gain administrative access with this account. What is this called? A. Privilege escalation B. Session hijacking C. Root grabbing D. Climbing

62. C. This is a classic definition of a race condition: when multiple threads in an application are using the same variable and the situation is not properly handled. Option A is incorrect. A buffer overflow is attempting to put more data in a buffer than it is designed to hold. Option B is incorrect. A logic bomb is malware that performs its misdeed when some logical condition is met. Option D is incorrect. As the name suggests, improper error handling is the lack of adequate or appropriate error handling mechanisms within software.

62. Mary has discovered that a web application used by her company does not always handle multithreading properly, particularly when multiple threads access the same variable. This could allow an attacker who discovered this vulnerability to exploit it and crash the server. What type of error has Mary discovered? A. Buffer overflow B. Logic bomb C. Race conditions D. Improper error handling

63. B. This is a classic example of a Trojan horse. Option A is incorrect. A rootkit gives root or administrative access. Option C is incorrect. Spyware is malware that records user activities. Option D is incorrect. A boot sector virus is a virus that infects the boot sector of the hard drive.

63. An attacker is trying to get access to your network. He is sending users on your network a link to a freeware stock-monitoring program. However, that stock-monitoring program has attached to it software that will give the attacker access to any machine that it is installed on. What type of attack is this? A. Rootkit B. Trojan horse C. Spyware D. Boot sector virus

64. A. If a certificate is revoked, it can be used until the new certificate revocation list is published. Options B, C, and D are all incorrect. They do not accurately describe the scenario given.

64. Acme Company uses its own internal certificate server for all internal encryption. However, their certificate authority only publishes a CRL once per week. Does this pose a danger, and if so what? A. Yes, this means a revoked certificate could be used for up to seven days. B. No, this is standard for all certificate authorities. C. Yes, this means it would be easy to fake a certificate. D. No, since this is being used only internally.

65. C. A buffer overflow is possible when boundaries are not checked and the attacker tries to put in more data than the variable can hold. Option A is incorrect. Cross-site scripting is a web page attack. Option B is incorrect. Cross-site request forgery is a web page attack. Option D is incorrect. A logic bomb is malware that performs its misdeed when some condition is met.

65. When a program has variables, especially arrays, and does not check the boundary values before inputting data, what attack is the program vulnerable to? A. XSS B. CRSF C. Buffer overflow D. Logic bomb

66. B. This is the definition of a logic bomb. Option A is incorrect. A boot sector virus infects the boot sector of the hard drive. Option C is incorrect. A buffer overflow occurs when the attacker attempts to put more data in a variable than it can hold. Option D is incorrect. A sparse infector virus performs its malicious activity intermittently to make it harder to detect.

66. Which of the following best describes malware that will execute some malicious activity when a particular condition is met (i.e., if condition is met, then execute)? A. Boot sector virus B. Logic bomb C. Buffer overflow D. Sparse infector virus

67. D. A polymorphic virus changes from time to time, and that would explain the different behavior on different computers. Option A is incorrect. The scenario is about malware. Option B is incorrect. A boot sector virus infects the boot sector of the hard drive. Option C is incorrect. A macro virus is embedded into a document as a macro.

67. Gerald is a network administrator for Acme Company. Users are reporting odd behavior on their computers. He believes this may be due to malware, but the behavior is different on different computers. What might best explain this? A. It is not malware, but hardware failure. B. It is a boot sector virus. C. It is a macro virus. D. It is a polymorphic virus.

68. A. This is the definition of a Smurf attack. Option B is incorrect. The scenario does not state if this attack is coming from multiple sources, thus being distributed (i.e., distributed denial of service). Option C is incorrect. A hijacking attack attempts to take over an authenticated session. Option D is incorrect. The signature of a SYN flood is multiple half-open connections.

68. Teresa is a security officer at ACME Inc. She has discovered an attack where the attacker sent multiple broadcast messages to the network routers, spoofing an IP address of one of the network servers. This caused the network to send a flood of packets to that server and it is no longer responding. What is this attack called? A. Smurf attack B. DDoS attack C. TCP hijacking attack D. TCP SYN flood attack

69. C. Polymorphic viruses periodically change their signature or even their code. Option A is incorrect. A boot sector virus infects the boot sector of the hard drive. Option B is incorrect. This is not a hoax—it is an actual virus. Option D is incorrect. The category of stealth virus is very broad and might include polymorphic as well as armored and sparse infectors, but the scenario is more specific, pointing to polymorphic.

69. Which type of virus is able to alter its own code to avoid being detected by antivirus software? A. Boot sector B. Hoax C. Polymorphic D. Stealth

70. A. This is the definition of a macro virus. Option B is incorrect. A boot sector virus infects the boot sector of the hard drive. Option C is incorrect. A Trojan horse is malware that is tied to a legitimate program. In this scenario, the malware is actually embedded in an Office document. The two are similar, but not the same. Option D is incorrect. A remote access Trojan (RAT) is a Trojan horse that gives the attacker remote access to the machine.

70. Gerald is a network administrator for a small financial services company. Users are reporting odd behavior that appears to be caused by a virus on their machines. After isolating the machines that he believes are infected, Gerald analyzes them. He finds that all the infected machines received an email purporting to be from accounting, with an Excel spreadsheet, and the users opened the spreadsheet. What is the most likely issue on these machines? A. A macro virus B. A boot sector virus C. A Trojan horse D. A RAT

71. C. The intermittent burst of malicious activity is the definition of a sparse infector virus. Option A is incorrect. A macro virus is embedded in a document as a macro. Option B is incorrect. A logic bomb executes its misdeeds when a specific condition is met. Option D is incorrect. A polymorphic virus changes its signature, or even its code, periodically

71. Fred is on the incident response team for a major insurance company. His specialty is malware analysis. He is studying a file that is suspected of being a virus that infected the company network last month. The file seems to intermittently have bursts of malicious activity, interspersed with periods of being dormant. What best describes this malware? A. A macro virus B. A logic bomb C. A sparse infector virus D. A polymorphic virus

72. B. Multipartite viruses combine boot sector with file infection. Option A is incorrect. Polymorphic viruses periodically change their signature or even their code. Option C is incorrect. Stealth viruses use one or more techniques to make them harder to find. Option D is incorrect. This is not an industry term for any sort of virus.

72. What is the term used to describe a virus that can infect both program files and boot sectors? A. Polymorphic B. Multipartite C. Stealth D. Multiple encrypting

73. C. By giving the tester logins, you are allowing him to conduct a privileged scan (i.e., a scan with some privileges). Options A and B are incorrect. These describe the level of knowledge the tester is given of the network. A privilege scan cannot be a black-box test, but it could be either white-box or gray-box. Option D is incorrect. While this is grammatically correct, it is not the term used in the industry.

73. Your company has hired an outside security firm to perform various tests of your network. During the vulnerability scan you will provide that company with logins for various systems (i.e., database server, application server, web server, etc.) to aid in their scan. What best describes this? A. A white-box test B. A gray-box test C. A privileged scan D. An authenticated user scan

74. C. Botnets are often used to launch DDoS attacks, with the attack coming from all the computers in the botnet simultaneously. Option A is incorrect. Phishing attacks attempt to get the user to give up information, click on a link, or open an attachment. Option B is incorrect. Adware consists of unwanted pop-up ads. Option D is incorrect. A Trojan horse attaches malware to a legitimate program.

74. Which of the following is commonly used in a distributed denial of service (DDoS) attack? A. Phishing B. Adware C. Botnet D. Trojan

75. A. Accounts should be configured to expire. If this had occurred, then the account would no longer be active. Option B is incorrect. While properly trained users are important, that is not what caused this issue. Options C and D are incorrect. These are unrelated to an old account still being active.

75. You are investigating a recent breach at Acme Company. You discover that the attacker used an old account of someone no longer at the company. The account was still active. Which of the following best describes what caused this vulnerability to exist? A. Improperly configured accounts B. Untrained users C. Using default configuration D. Failure to patch systems

76. C. This is a classic example of the problem with default configurations. Option A is incorrect. Configuring the accounts is not the issue; changing default passwords and settings is. Option B is incorrect. Yes, training users is important, but that's not the issue in this scenario. Option D is incorrect. Patching systems is important, but that won't change default settings.

76. Juan is responsible for incident response at a large financial institution. He discovers that the company WiFi has been breached. The attacker used the same login credentials that ship with the wireless access point (WAP). The attacker was able to use those credentials to access the WAP administrative console and make changes. Which of the following best describes what caused this vulnerability to exist? A. Improperly configured accounts B. Untrained users C. Using default configuration D. Failure to patch systems

77. D. In a DLL injection, the malware attempts to inject code into the process of some library. This is a rather advanced attack. Option A is incorrect. A logic bomb executes its misdeed when some condition is met. Option B is incorrect. Session hijacking is taking over an authenticated session. Option C is incorrect. Buffer overflows are done by sending more data to a variable than it can hold.

77. Elizabeth is investigating a network breach at her company. She discovers a program that was able to execute code within the address space of another process by using the target process to load a specific library. What best describes this attack? A. Logic bomb B. Session hijacking C. Buffer overflow D. DLL injection

78. D. This is the definition of pointer dereferencing. It is a somewhat obscure and sophisticated attack on a target program. Option A is incorrect. In a DLL injection, the malware tries to inject code into the memory process space of a library. Option B is incorrect. In a buffer overflow, the attacker sends more data to a variable than it can hold. Option C is incorrect. A memory leak occurs when memory is allocated in some programming function but not deallocated. Each time the function is called, more system memory is used up.

78. Zackary is a malware investigator with a cybersecurity firm. He is investigating malware that is able to compromise a target program by finding null references in the target program and dereferencing them, causing an exception to be generated. What best describes this type of attack? A. DLL injection B. Buffer overflow C. Memory leak D. Pointer dereference

79. B. System sprawl occurs when a system grows and there are devices on the system that are not documented. Options A, C, and D are all incorrect. While these are all serious security issues, they are unrelated to the scenario presented.

79. Frank has just taken over as CIO of a mid-sized insurance company. One of the first things he does is order a thorough inventory of all network equipment. He discovers two routers that are not documented. He is concerned that if they are not documented, they might not be securely configured, tested, and safe. What best describes this situation? A. Poor user training B. System sprawl C. Failure to patch systems D. Default configuration

80. C. An intrusive scan could possibly cause some disruption of operations. For this reason, it should be conducted outside normal business hours. Option A is incorrect. A penetration test actually attempts to breach the network by exploiting vulnerabilities. Option B is incorrect. An audit is primarily a document check. Option D is incorrect. Both intrusive and non-intrusive vulnerability scans can be effective at finding vulnerabilities.

80. What is the primary difference between an intrusive and a nonintrusive vulnerability scan? A. An intrusive scan is a penetration test. B. A nonintrusive scan is just a document check. C. An intrusive scan could potentially disrupt operations. D. A nonintrusive scan won't find most vulnerabilities.

81. D. The fact that the website is defaced in a manner related to the company's public policies is the definition of hacktivism. Options A, B, and C are incorrect. None of these account for the statements adverse to the company's policies, which is why hacktivism is the real cause.

81. Daryl is investigating a recent breach of his company's web server. The attacker used sophisticated techniques and then defaced the website, leaving messages that were denouncing the company's public policies. He and his team are trying to determine the type of actor who most likely committed the breach. Based on the information provided, who was the most likely threat actor? A. A script B. A nation-state C. Organized crime D. Hacktivists

82. C. While you might suppose that a nation-state attacker (the usual attacker behind an advanced persistent threat) would attack from a foreign IP address, they often use a compromised address in the target country as a base for attacks. Options A, B, and D are all incorrect. These are actually signs of an advanced persistent threat.

82. When investigating breaches and attempting to attribute them to specific threat actors, which of the following is not one of the indicators of an APT? A. Long-term access to the target B. Sophisticated attacks C. The attack comes from a foreign IP address. D. The attack is sustained over time.

83. A. The terms evil twin and rogue access point both refer to fake access points that broadcast what appear to be legitimate SSIDs. Options B, C, and D are incorrect. They do not adequately explain this attack.

83. What type of attack uses a second wireless access point (WAP) that broadcasts the same SSID as a legitimate access point, in an attempt to get users to connect to the attacker's WAP? A. Evil twin B. IP spoofing C. Trojan horse D. MAC spoofing

84. A. The fact that the IP addresses are within your country might make you discard the nation-state attacker, but it is common for nation-state attackers to use compromised IP addresses in the target country from which to attack. The other symptoms—a sophisticated attack, over time—are hallmarks of nation-state attackers. Option B is incorrect. Nothing in the scenario indicates an ideological motive. Option C is incorrect. In fact, this attack is the antithesis of the simple attack of a script kiddie. Option D is incorrect. A lone attacker, no matter how skilled, would have difficulty maintaining sustained attacks over a year.

84. You are investigating a breach of a large technical company. You discover that there have been several different attacks over a period of a year. The attacks were sustained, each lasting several weeks of continuous attack. The attacks were somewhat sophisticated and originated from a variety of IP addresses, but all the IP addresses are within your country. Which threat actor would you most suspect of being involved in this attack? A. Nation-state B. Hacktivist C. Script kiddie D. A lone highly skilled hacker

85. A. This is the definition of a zero-day attack. Options B, C, and D are incorrect. These do not adequately describe a zero-day attack.

85. Which of the following best describes a zero-day vulnerability? A. A vulnerability that has been known to the vendor for zero days B. A vulnerability that has not yet been breached C. A vulnerability that can be quickly exploited (i.e., in zero days) D. A vulnerability that will give the attacker brief access (i.e., zero days)

86. C. This is the definition of DNS poisoning. Option A is incorrect. A backdoor provides access to the system by circumventing normal authentication. Option B is incorrect. An APT is an advanced persistent threat. Option D is incorrect. A Trojan horse ties a malicious program to a legitimate program.

86. You have discovered that there are entries in your network's domain name server that point legitimate domains to unknown and potentially harmful IP addresses. What best describes this type of attack? A. A backdoor B. An APT C. DNS poisoning D. A Trojan horse

87. B. This is, in fact, the definition of a Trojan horse. Options A, C, and D are incorrect. These are all possible attacks, but do not match what is described in the question scenario.

87. What best describes an attack that attaches some malware to a legitimate program so that when the user installs the legitimate program, they inadvertently install the malware? A. Backdoor B. Trojan horse C. RAT D. Polymorphic virus

88. A. A remote access Trojan (RAT) is malware that gives the attacker remote access to the victim's machine. Option B is incorrect. While a backdoor will give access, it is usually something in the system put there by programmers, not introduced by malware. Option C is incorrect. A RAT is a type of Trojan horse, but a Trojan horse is more general than what is described in the scenario. Option D is incorrect. A macro virus is a virus embedded in a document.

88. Which of the following best describes software that will provide the attacker with remote access to the victim's machine, but that is wrapped with a legitimate program in an attempt to trick the victim into installing it? A. RAT B. Backdoor C. Trojan horse D. Macro virus

89. B. Cross-site request forgery sends forged requests to a website, supposedly from a trusted user. Option A is incorrect. Cross-site scripting is the injection of scripts into a website to exploit the users. Option C is incorrect. A buffer overflow tries to put more data in a variable than the variable can hold. Option D is incorrect. A remote-access Trojan (RAT) is malware that gives the attacker access to the system.

89. Which of the following is an attack that seeks to attack a website, based on the website's trust of an authenticated user? A. XSS B. CSRF C. Buffer overflow D. RAT

90. C. Sparse infector viruses perform their malicious activity sporadically. Option A is incorrect. This does not describe an advanced persistent threat. Option B is incorrect. A boot sector virus infects the boot sector of the hard drive. Option D is incorrect. A keylogger is spyware that records keystrokes.

90. John is analyzing what he believes is a malware outbreak on his network. Many users report their machines are behaving strangely. The anomalous behavior seems to occur sporadically and John cannot find a pattern. What is the most likely cause? A. APT B. Boot sector virus C. Sparse infector virus D. Key logger

91. D. This is a classic example of whaling, phishing that targets a specific individual. Option A is incorrect. Clickjacking is an attack that tries to trick users into clicking on something other than what they believe they are clicking on. Option B is incorrect. While all phishing uses some social engineering, whaling is the most accurate description of this attack. Option C is incorrect. Spear phishing targets a group, not a single individual.

91. Farès is the CISO of a bank. He has received an email that is encouraging him to click on a link and fill out a survey. Being security conscious, he normally does not click on links. However, this email calls him by name and claims to be a follow-up to a recent conference he attended. Which of the following best describes this attack? A. Clickjacking B. Social engineering C. Spear phishing D. Whaling

92. B. Large, half-open connections are the hallmark of a SYN flood. Option A is incorrect. These are all coming from a single IP address, so they cannot be a distributed denial-of-service attack. Option C is incorrect. A buffer overflow seeks to put more data in a variable than it is designed to hold. Option D is incorrect. ARP poisoning poisons the address resolution table of a switch.

92. You are responsible for technical support at your company. Users are all complaining of very slow Internet connectivity. When you examine the firewall, you find a large number of incoming connections that are not completed, all packets coming from a single IP address. What best describes this attack? A. DDoS B. SYN flood C. Buffer overflow D. ARP poisoning

93. A. SQL injection places malformed SQL into text boxes. Option B is incorrect. Clickjacking attempts to trick the user into clicking on something other than what he or she intended. Option C is incorrect. Cross-site scripting puts scripts into text fields that will be viewed by other users. Option D is incorrect. Bluejacking is a Bluetooth attack.

93. An attacker is trying to get malformed queries sent to the backend database to circumvent the web page's security. What type of attack depends on the attacker entering text into text boxes on a web page that is not normal text, but rather odd-looking commands that are designed to be inserted into database queries? A. SQL injection B. Clickjacking C. Cross-site scripting D. Bluejacking

94. C. The user-selected password is always a weak link in hard drive encryption. Option A is incorrect. Yes, it is good system, but there is a weakness. Option B is incorrect. 128-bit AES is more than adequate for corporate purposes. Option D is incorrect. DES is outdated, and AES should be used.

94. Tyrell is responsible for selecting cryptographic products for his company. The company wants to encrypt the drives of all laptops. The product they have selected uses 128-bit AES encryption for full disk encryption, and users select a password to decrypt the drive. What, if any, would be the major weakness in this system? A. None; this is a good system. B. The 128-bit AES key is too short. C. The passwords users select are the weak link. D. The AES algorithm is the problem; they should use DES.

95. Valerie is responsible for security testing applications in her company. She has discovered that a web application, under certain conditions, can generate a memory leak. What, type of attack would this leave the application vulnerable to? A. DoS B. Backdoor C. SQL injection D. Buffer overflow

95. Valerie is responsible for security testing applications in her company. She has discovered that a web application, under certain conditions, can generate a memory leak. What, type of attack would this leave the application vulnerable to? A. DoS B. Backdoor C. SQL injection D. Buffer overflow

96. D. This is the definition of a race condition. Option A is incorrect. Memory leaks occur when memory is allocated, but not deallocated. Option B is incorrect. A buffer overflow is when more data is put into a variable than it can hold. Option C is incorrect. An integer overflow occurs when an attempt is made to put an integer that is too large into a variable, such as trying to put a 64-bit integer into a 32-bit variable.

96. When a multithreaded application does not properly handle various threads accessing a common value, what flaw is this? A. Memory leak B. Buffer overflow C. Integer overflow D. Race condition

97. B. Near-field communication (NFC) is susceptible to an attacker eavesdropping on the signal. Option A is incorrect. Tailgating is a physical attack and not affected by NFC technology. Options C and D are incorrect. These are both unrelated to NFC technology.

97. Acme Company is using smart cards that use near-field communication (NFC) rather than needing to be swiped. This is meant to make physical access to secure areas more secure. What vulnerability might this also create? A. Tailgating B. Eavesdropping C. IP spoofing D. Race conditions

98. B. Tailgating involves simply following a legitimate user through the door once he or she has opened it. Option A is incorrect. This is unrelated to physical security. Option C is incorrect. It is possible to generate a fake smartcard, but that is a very uncommon attack. Option D is incorrect. Again, this is possible but is very uncommon

98. John is responsible for physical security at a large manufacturing plant. Employees all use a smart card in order to open the front door and enter the facility. Which of the following is a common way attackers would circumvent this system? A. Phishing B. Tailgating C. Spoofing the smart card D. RFID spoofing

99. D. This is the definition of shimming. Option A is incorrect. Application spoofing is not a term used in the industry. Options B and C are incorrect. These are both wireless attacks.

99. Which of the following is the term for an attack wherein malware inserts itself as a library, such as a DLL, between an application and the real system library the application is attempting to communicate with? A. Application spoofing B. Jamming C. Evil twin D. Shimming

Answer: C. Vulnerability scanning Explanation: Vulnerability scanning has minimal impact on network resource due to the passive nature of the scanning. A vulnerability scan is the process of scanning the network and/or I.T. infrastructure for threats and vulnerabilities. The threats and vulnerabilities are then evaluated in a risk assessment and the necessary actions taken to resolve and vulnerabilities. A vulnerability scan scans for known weaknesses such as missing patches or security updates. A vulnerability scan is the automated process of proactively identifying security vulnerabilities of computing systems in a network in order to determine if and where a system can be exploited and/or threatened. While public servers are important for communication and data transfer over the Internet, they open the door to potential security breaches by threat agents, such as malicious hackers. Vulnerability scanning employs software that seeks out security flaws based on a database of known flaws, testing systems for the occurrence of these flaws and generating a report of the findings that an individual or an enterprise can use to tighten the network's security.

A company hires outside security experts to evaluate the security status of the corporate network. All of the company's IT resources are outdated and prone to crashing. The company requests that all testing be performed in a way which minimizes the risk of system failures. Which of the following types of testing does the company want performed? A. Penetration testing B. WAF testing C. Vulnerability scanning D. White box testing

Answer: C. Hardware Locks Explanation: Hardware security involves applying physical security modifications to secure the system(s) and preventing them from leaving the facility. Don't spend all of your time worrying about intruders coming through the network wire while overlooking the obvious need for physical security. Hardware security involves the use of locks to prevent someone from picking up and carrying out your equipment.

A company is trying to implement physical deterrent controls to improve the overall security posture of their data center. Which of the following BEST meets their goal? A. Visitor logs B. Firewall C. Hardware locks D. Environmental monitoring

Answer: C. All-in-one device E. Single point of failure Explanation: The disadvantages of combining everything into one include a potential single point of failure and the dependence on the one vendor. The all-in-one device represents a single point of failure risk being taken on.

A company replaces a number of devices with a mobile appliance, combining several functions. Which of the following descriptions fits this new implementation? (Select TWO). A. Cloud computing B. Virtualization C. All-in-one device D. Load balancing E. Single point of failure

Answer: A. Identification Explanation: Identification is defined as the claiming of an identity and only has to take place once per authentication or access process. A login process typically consists of an identification such as a username or email address and an authentication which proves you are who you say you are.

A customer has provided an email address and password to a website as part of the login process. Which of the following BEST describes the email address? A. Identification B. Authorization C. Access control D. Authentication

Web Security Gateway

A device that can block malicious content in "real time" as it appears (without first knowing the URL of a dangerous site).

Load Balancer

A device that can direct requests to different servers based on a variety of factors, such as the number of server connections, the server's processor utilization, and overall performance of the server.

Switches

A layer 2 device used to connect two or more network segments and regulate traffic.

Router

A layer 3( network layer) device, that transfers data from one network to another in an intelligent way to the web.

ACL (Access Control List)

A list of statements used by a router to permit or deny the forwarding of traffic on a network based on one or more criteria.

anomaly-based monitoring

A monitoring technique used by an IDS that creates a baseline of normal activities and compares actions against the baseline. Whenever a significant deviation from this baseline occurs, an alarm is raised.

Answer: D. Authentication Explanation: Authentication generally requires one or more of the following: Something you know: a password, code, PIN, combination, or secret phrase. Something you have: a smart card, token device, or key. Something you are: a fingerprint, a retina scan, or voice recognition; often referred to as biometrics, discussed later in this chapter. Somewhere you are: a physical or logical location. Something you do: typing rhythm, a secret handshake, or a private knock.

A network administrator has a separate user account with rights to the domain administrator group. However, they cannot remember the password to this account and are not able to login to the server when needed. Which of the following is MOST accurate in describing the type of issue the administrator is experiencing? A. Single sign-on B. Authorization C. Access control D. Authentication

Answer: A. WPA2 CCMP Explanation: CCMP is the standard encryption protocol for use with the WPA2 standard and is much more secure than the WEP protocol and TKIP protocol of WPA. CCMP provides the following security services: Data confidentiality; ensures only authorized parties can access the information Authentication; provides proof of genuineness of the user Access control in conjunction with layer management Because CCMP is a block cipher mode using a 128-bit key, it is secure against attacks to the 264 steps of operation.

A network administrator has been tasked with securing the WLAN. Which of the following cryptographic products would be used to provide the MOST secure environment for the WLAN? A. WPA2 CCMP B. WPA C. WPA with MAC filtering D. WPA2 TKIP

Answer: A. SHA-1

A network engineer is configuring a VPN tunnel connecting a company's network to a business partner. Which of the following protocols should be used for key exchange? A. SHA-1 B. RC4 C. Blowfish D. Diffie-Hellman

Answer: A. Bind server Explanation: BIND (Berkeley Internet Name Domain) is the most widely used Domain Name System (DNS) software on the Internet. It includes the DNS server component contracted for name daemon. This is the only option that directly involves DNS.

A network technician is on the phone with the system administration team. Power to the server room was lost and servers need to be restarted. The DNS services must be the first to be restarted. Several machines are powered off. Assuming each server only provides one service, which of the following should be powered on FIRST to establish DNS services? A. Bind server B. Apache server C. Exchange server D. RADIUS server

Protocal Analyzer

A protocol analyzer is a tool used to capture and analyze signals and data traffic over a communication channel.

Answer: B. Disable unnecessary services, C. Change default passwords Explanation: Increasing security posture is akin to getting the appropriate type of risk mitigation for your company. A plan and its implementation is a major part of security posture. When new servers and network devices are being deployed your most vulnerable points will be coming from all unnecessary services that may be running from servers and network default passwords. Thus your plan should be to disable those services that are not needed and change the default password during the deployment of the new servers and network devices.

A recent audit has revealed weaknesses in the process of deploying new servers and network devices. Which of the following practices could be used to increase the security posture during deployment? (Select TWO). A. Deploy a honeypot B. Disable unnecessary services C. Change default passwords D. Implement an application firewall E. Penetration testing

Answer: C. Record time offset Explanation: It is quite common for workstation as well as server times to be off slightly from actual time. Since a forensic investigation is usually dependent on a step-by-step account of what has happened, being able to follow events in the correct time sequence is critical. Because of this, it is imperative to record the time offset on each affected machine during the investigation. One method of assisting with this is to add an entry to a log file and note the time that this was done and the time associated with it on the system. There is no mention that this was done by the incident response team.

A recent intrusion has resulted in the need to perform incident response procedures. The incident response team has identified audit logs throughout the network and organizational systems which hold details of the security breach. Prior to this incident, a security consultant informed the company that they needed to implement an NTP server on the network. Which of the following is a problem that the incident response team will likely encounter during their assessment? A. Chain of custody B. Tracking man hours C. Record time offset D. Capture video traffic

Answer: C. UTM Explanation: An all-in-one appliance, also known as Unified Threat Management (UTM) and Next Generation Firewall (NGFW), is one that provides a good foundation for security. A variety is available; those that you should be familiar with for the exam fall under the categories of providing URL filtering, content inspection, or malware inspection. Malware inspection is the use of a malware scanner to detect unwanted software content in network traffic. If malware is detected, it can be blocked or logged and/or trigger an alert.

A review of the company's network traffic shows that most of the malware infections are caused by users visiting gambling and gaming websites. The security manager wants to implement a solution that will block these websites, scan all web traffic for signs of malware, and block the malware before it enters the company network. Which of the following is suited for this purpose? A. ACL B. IDS C. UTM D. Firewall

B. A Trojan horse wraps a malicious program to a legitimate program. When the user downloads and installs the legitimate program, they get the malware. Option A is incorrect. A logic bomb is malware that does its misdeeds when some condition is met. Option C is incorrect. A rootkit is malware that gets administrative, or root access. Option D is incorrect. A macro virus is a virus that is embedded in a document as a macro

A sales manager at your company is complaining about slow performance on his computer. When you thoroughly investigate the issue, you find spyware on his computer. He insists that the only thing he has downloaded recently was a freeware stock trading application. What would best explain this situation? A. Logic bomb B. Trojan horse C. Rootkit D. Macro virus

Answer: B. 21 Explanation: When establishing an FTP session, clients start a connection to an FTP server that listens on TCP port 21 by default.

A security administrator has configured FTP in passive mode. Which of the following ports should the security administrator allow on the firewall by default? A. 20 B. 21 C. 22 D. 23

Answer: D. Only USB devices supporting encryption are to be used. Explanation: The concern for preventing data loss is the concern for maintaining data confidentiality. This can be accomplished through encryption, access controls, and steganography. USB encryption is usually provided by the vendor of the USB device. It is not included on all USB devices.

A security administrator has implemented a policy to prevent data loss. Which of the following is the BEST method of enforcement? A. Internet networks can be accessed via personally-owned computers. B. Data can only be stored on local workstations. C. Wi-Fi networks should use WEP encryption by default. D. Only USB devices supporting encryption are to be used.

Answer: A. Review all user permissions and group memberships to ensure only the minimum set of permissions required to perform a job is assigned. Explanation: Reviewing user permissions and group memberships form part of a privilege audit is used to determine that all groups, users, and other accounts have the appropriate privileges assigned according to the policies of the corporation.

A security administrator is responsible for performing periodic reviews of user permission settings due to high turnover and internal transfers at a corporation. Which of the following BEST describes the procedure and security rationale for performing such reviews? A. Review all user permissions and group memberships to ensure only the minimum set of permissions required to perform a job is assigned. B. Review the permissions of all transferred users to ensure new permissions are granted so the employee can work effectively. C. Ensure all users have adequate permissions and appropriate group memberships, so the volume of help desk calls is reduced. D. Ensure former employee accounts have no permissions so that they cannot access any network file stores and resources.

Answer: C. Least Privilege Explanation: A least privilege policy is to give users only the permissions that they need to do their work and no more. That is only allowing security administrators to be able to make changes to the firewall by practicing the least privilege principle.

A security administrator notices that a specific network administrator is making unauthorized changes to the firewall every Saturday morning. Which of the following would be used to mitigate this issue so that only security administrators can make changes to the firewall? A. Mandatory vacations B. Job rotation C. Least privilege D. Time of day restrictions

Answer: C. Data integrity Explanation: Integrity is the process of ensuring that the information has not been altered during transmission. This can be accomplished by means of hashing.

A security administrator wants to ensure that the message the administrator sends out to their Chief Financial Officer (CFO) does not get changed in route. Which of the following is the administrator MOST concerned with? A. Data confidentiality B. High availability C. Data integrity D. Business continuity

Answer: D. Safety Explanation: Fencing is used to increase physical security and safety. Locks are used to keep those who are unauthorized out.

A security manager requires fencing around the perimeter, and cipher locks on all entrances. The manager is concerned with which of the following security controls? A. Integrity B. Availability C. Confidentiality D. Safety

Answer: B. TOTP Explanation: Time-based one-time password (TOTP) tokens are devices or applications that generate passwords at fixed time intervals. Therefore, the password will only be valid for a predefined time interval.

A security technician has been asked to recommend an authentication mechanism that will allow users to authenticate using a password that will only be valid for a predefined time interval. Which of the following should the security technician recommend? A. CHAP B. TOTP C. HOTP D. PAP

VPN concentrator

A single device that incorporates advanced encryption and authentication methods in order to handle a large number of VPN tunnels.

Web Application Firewall

A special type of application-aware firewall that looks deep into the applications using HTTP.

Network firewall

A stateful firewall that's looking at traffic on the third (network) and fourth( Transport) layers. But it's looking at the application information.

NIDS (Network intrusion detection system)

A system that uses passive hardware sensors to monitor traffic on a specific segment of the network.

Answer: C.Shielding Explanation: EMI can cause circuit overload, spikes, or even electrical component failure. In the question it is mentioned that switch degradation occurs when the building's roof air-conditioning system is also running. All electromechanical systems emanate EMI. Thus you could alleviate the problem using EMI shielding.

A technician is investigating intermittent switch degradation. The issue only seems to occur when the building's roof air conditioning system runs. Which of the following would reduce the connectivity issues? A. Adding a heat deflector B. Redundant HVAC systems C. Shielding D. Add a wireless network

Answer: A. SNMPv3 Explanation: SNMPv3 provides the following security features: Message integrity-Ensures that a packet has not been tampered with in transit. Authentication-Determines that the message is from a valid source. Encryption-Scrambles the content of a packet to prevent it from being learned by an unauthorized source.

A technician wants to securely collect network device configurations and statistics through a scheduled and automated process. Which of the following should be implemented if configuration integrity is most important and a credential compromise should not allow interactive logons? A. SNMPv3 B. TFTP C. SSH D. TLS

Answer: B. Publish the new certificates to the global address list. Explanation: CAs can be either private or public, with VeriSign being one of the best known of the public variety. Many operating system providers allow their systems to be configured as CA systems. These CA systems can be used to generate internal certificates that are used within a business or in large external settings. The process provides certificates to the users. Since the user in question has been re-issued a smart card, the user must receive a new certificate by the CA to allow the user to send digitally signed email. This is achieved by publishing the new certificates to the global address list.

A user was reissued a smart card after the previous smart card had expired. The user is able to log into the domain but is now unable to send digitally signed or encrypted email. Which of the following would the user need to perform? A. Remove all previous smart card certificates from the local certificate store. B. Publish the new certificates to the global address list. C. Make the certificates available to the operating system. D. Recover the previous smart card certificates.

C. Port security

A video surveillance audit recently uncovered that an employee plugged in a personal laptop and used the corporate network to browse inappropriate and potentially malicious websites after office hours. Which of the following could BEST prevent a situation like this form occurring again? A. Intrusion detection B. Content filtering C. Port security D. Vulnerability scanning

Answer: C. This may violate data ownership and non-disclosure agreements. Explanation: With sending your data to a third party is already a risk since the third party may have a different policy than yours. Data ownership and non-disclosure is already a risk that you will have to accept since the data will be sent for debugging /troubleshooting purposes which will result in definite disclosure of the data.

Acme Corp has selectively outsourced proprietary business processes to ABC Services. Due to some technical issues, ABC services wants to send some of Acme Corp's debug data to a third party vendor for problem resolution. Which of the following MUST be considered prior to sending data to a third party? A. The data should be encrypted prior to transport B. This would not constitute unauthorized data sharing C. This may violate data ownership and non-disclosure agreements D. Acme Corp should send the data to ABC Services' vendor instead

Answer: D. Bollards Explanation: To stop someone from entering a facility, barricades or gauntlets can be used. These are often used in conjunction with guards, fencing, and other physical security measures. Bollards are physical barriers that are strong enough to withstand impact with a vehicle.

After running into the data center with a vehicle, attackers were able to enter through the hole in the building and steal several key servers in the ensuing chaos. Which of the following security measures can be put in place to mitigate the issue from occurring in the future? A. Fencing B. Proximity readers C. Video surveillance D. Bollards

C. The correct answer is spear phishing. Spear phishing is targeted to a specific group, in this case insurance professionals. Attackers can find individuals from public sources to target. This is known as open source intelligence. Option A is incorrect because that is too broad a category. Option B is incorrect because, though social engineering is a part of every phishing attack, this is more than just social engineering. Option D is incorrect because this is not a Trojan horse. In fact, malware is not even part of the attack.

Ahmed is a sales manager with a major insurance company. He has received an email that is encouraging him to click on a link and fill out a survey. He is suspicious of the email, but it does mention a major insurance association, and that makes him think it might be legitimate. Which of the following best describes this attack? A. Phishing B. Social engineering C. Spear phishing D. Trojan horse

Answer: B. Data exfiltration Explanation: Data exfiltration is the unauthorized copying, transfer or retrieval of data from a system.

Allowing unauthorized removable devices to connect to computers increases the risk of which of the following? A. Data leakage prevention B. Data exfiltration C. Data classification D. Data deduplication

Answer: B. Password history C. Minimum password age Explanation: In this question, users are forced to change their passwords every six weeks. However, they are able to change their password and enter the same password as the new password. Password history determines the number of previous passwords that cannot be used when a user changes his password. For example, a password history value of 5 would disallow a user from changing his password to any of his previous 5 passwords. When a user is forced to change his password due to a maximum password age period expiring, (the question states that the network requires that the passwords be changed every six weeks) he could change his password to a previously used password. Or if a password history value of 5 is configured, the user could change his password six times to cycle back round to his original password. This is where the minimum password age comes in. This is the period that a password must be used for. For example, a minimum password age of 30 would determine that when a user changes his password, he must continue to use the same password for at least 30 days.

An administrator discovers that many users have used their same passwords for years even though the network requires that the passwords be changed every six weeks. Which of the following, when used together, would BEST prevent users from reusing their existing password? (Select TWO). A. Length of password B. Password history C. Minimum password age D. Password expiration E. Password complexity F. Non-dictionary words

Answer: B. it is the beginning of a DDoS attack. Explanation: A Distributed Denial of Service (DDoS) attack is an attack from several different computers targeting a single computer. One common method of attack involves saturating the target machine with external communications requests, so much so that it cannot respond to legitimate traffic, or responds so slowly as to be rendered essentially unavailable. Such attacks usually lead to a server overload. A distributed denial-of-service (DDoS) attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. Such an attack is often the result of multiple compromised systems (for example a botnet) flooding the targeted system with traffic. When a server is overloaded with connections, new connections can no longer be accepted. The major advantages to an attacker of using a distributed denial-of-service attack are that multiple machines can generate more attack traffic than one machine, multiple attack machines are harder to turn off than one attack machine, and that the behavior of each attack machine can be stealthier, making it harder to track and shut down. These attacker advantages cause challenges for defense mechanisms. For example, merely purchasing more incoming bandwidth than the current volume of the attack might not help, because the attacker might be able to simply add more attack machines. This after all will end up completely crashing a website for periods of time. Malware can carry DDoS attack mechanisms; one of the better-known examples of this was MyDoom. Its DoS mechanism was triggered on a specific date and time. This type of DDoS involved hardcoding the target IP address prior to release of the malware and no further interaction was necessary to launch the attack.

An administrator notices an unusual spike in network traffic from many sources. The administrator suspects that: A. it is being caused by the presence of a rogue access point. B. it is the beginning of a DDoS attack. C. the IDS has been compromised. D. the internal DNS tables have been poisoned.

Answer: B. 22

An employee needs to connect to a server using a secure protocol on the default port. Which of the following ports should be used? A. 21 B. 22 C. 80 D. 110

Answer: A. Password history Explanation: Password history determines the number of previous passwords that cannot be used when a user changes his password. For example, a password history value of 5 would disallow a user from changing his password to any of his previous 5 passwords. However, without a minimum password age setting, the user could change his password six times and cycle back to his original password.

An organizations' security policy requires that users change passwords every 30 days. After a security audit, it was determined that users were recycling previously used passwords. Which of the following password enforcement policies would have mitigated this issue? A. Password history B. Password complexity C. Password length D. Password expiration

Answer: D. Shoulder surfing Explanation: Ann was able to see the Spreadsheet on Peter's computer. This direct observation is known as shoulder surfing. Shoulder surfing is using direct observation techniques, such as looking over someone's shoulder, to get information. Shoulder surfing is an effective way to get information in crowded places because it's relatively easy to stand next to someone and watch as they fill out a form, enter a PIN number at an ATM machine, or use a calling card at a public pay phone. Shoulder surfing can also be done long distance with the aid of binoculars or other vision-enhancing devices. To prevent shoulder surfing, experts recommend that you shield paperwork or your keypad from view by using your body or cupping your hand.

Ann an employee is visiting Peter, an employee in the Human Resources Department. While talking to Peter, Ann notices a spreadsheet open on Peter's computer that lists the salaries of all employees in her department. Which of the following forms of social engineering would BEST describe this situation? A. Impersonation B. Dumpster diving C. Tailgating D. Shoulder surfing

Answer: C. Malware and viruses Explanation: The most common threat to an organization is computer viruses or malware. A computer can become infected with a virus through day-to-day activities such as browsing web sites or emails. As browsing and opening emails are the most common activities performed by all users, computer viruses represent the most likely risk to a business. Common examples of malware include viruses, worms, trojan horses, and spyware. Viruses, for example, can cause havoc on a computer's hard drive by deleting files or directory information. Spyware can gather data from a user's system without the user knowing it. This can include anything from the Web pages a user visits to personal information, such as credit card numbers.

During a disaster recovery planning session, a security administrator has been tasked with determining which threats and vulnerabilities pose a risk to the organization. Which of the following should the administrator rate as having the HIGHEST frequency of risk to the organization? A. Hostile takeovers B. Large scale natural disasters C. Malware and viruses D. Corporate espionage

VPN (Virtual Private Network) Concentrators

Encrypted connection over the Internet between a computer or remote network and a private network.

Application aware Devices

Firewalls IPS IDS Proxies All dig into the application layer to make the decision to forward the traffic.

B. The primary and best way to defend against the attacks mentioned is filtering user input. Option A is incorrect. Encrypting the web traffic will not have any effect on these two attacks. Option C is incorrect. A web application firewall (WAF) might mitigate these attacks, but it would be secondary to filtering user input. Option D is incorrect. An IDS will simply detect the attack—it won't stop it.

Frank is deeply concerned about attacks to his company's e-commerce server. He is particularly worried about cross-site scripting and SQL injection. Which of the following would best defend against these two specific attacks? A. Encrypted web traffic B. Filtering user input C. A firewall D. An IDS

Answer: D. Phishing threats and attacks F. Information security awareness Explanation: Managers/ i.e. executives in the company are concerned with more global issues in the organization, including enforcing security policies and procedures. Managers should receive additional training or exposure that explains the issues, threats, and methods of dealing with threats. Management will also be concerned about productivity impacts and enforcement and how the various departments are affected by security policies. Phishing is a form of social engineering in which you ask someone for a piece of information that you are missing by making it look as if it is a legitimate request. An email might look as if it is from a bank and contain some basic information, such as the user's name. Executives an easily fall prey to phishing if they are not trained to lookout for these attacks.

Human Resources (HR) would like executives to undergo only two specific security training programs a year. Which of the following provides the BEST level of security training for the executives? (Select TWO). A. Acceptable use of social media B. Data handling and disposal C. Zero-day exploits and viruses D. Phishing threats and attacks E. Clean desk and BYOD F. Information security awareness

Answer: B. A public key, C. A private key Explanation: In a PKI the sender encrypts the data using the receiver's public key. The receiver decrypts the data using his own private key. The key pair consists of these two keys.

In PKI, a key pair consists of: (Select TWO). A. A key ring B. A public key C. A private key D. Key escrow E. A passphrase

C. Something you are, something you do and something you know

Internet banking customers currently use an account number and password to access their online accounts. The bank wants to improve security on high value transfers by implementing a system which call users back on a mobile phone to authenticate the transaction with voice verification. Which of the following authentication factors are being used by the bank? A. Something you know, something you do, and something you have B. Something you do, somewhere you are, and something you have C. Something you are, something you do and something you know D. Something you have, something you are, and something you know

Proxies Server

It helps prevent an attacker from invading a private network and is one of several tools used to build a firewall. The word proxy means "to act on behalf of another," and a proxy server acts on behalf of the user.

B. Half-open connections are the hallmark of a SYN flood. Option A is incorrect. We know from the question that this is a denial of service, but nothing indicates that it is (or is not) a distributed denial of service. Option C is incorrect. Buffer overflow involves putting too much data into a variable or array. Option D is incorrect. ARP poisoning is altering the ARP table in a switch; it is not related to website hacking.

Juanita is a network administrator for a small accounting firm. The users on her network are complaining of slow connectivity. When she examines the firewall logs, she observes a large number of half-open connections. What best describes this attack? A. DDoS B. SYN flood C. Buffer overflow D. ARP poisoning

Answer: B. Content filters Explanation: A content filter is a is a type of software designed to restrict or control the content a reader is authorised to access, particularly when used to limit material delivered over the Internet via the Web, e-mail, or other means. Because the user and the OSI layer interact directly with the content filter, it operates at Layer 7 of the OSI model.

Layer 7 devices used to prevent specific types of HTML tags are called: A. Firewalls B. Content filters C. Routers D. NIDS

signature-based monitoring

Monitoring that compares activities against a predefined signature

behavior-based monitoring

Monitoring that uses the "normal" process and actions as the standard by which attacks are compared

Statefull Firewall

Remembers active connections, allows only inbound TCP packets from those connections.

Answer: D. Anomaly-based IDS Explanation: Most intrusion detection systems (IDS) are what is known as signature-based. This means that they operate in much the same way as a virus scanner, by searching for a known identity - or signature - for each specific intrusion event. And, while signature-based IDS is very efficient at sniffing out known s of attack, it does, like anti-virus software, depend on receiving regular signature updates, to keep in touch with variations in hacker technique. In other words, signature-based IDS is only as good as its database of stored signatures. Any organization wanting to implement a more thorough - and hence safer - solution, should consider what we call anomaly-based IDS. By its nature, anomaly-based IDS is a rather more complex creature. In network traffic terms, it captures all the headers of the IP packets running towards the network. From this, it filters out all known and legal traffic, including web traffic to the organization's web server, mail traffic to and from its mail server, outgoing web traffic from company employees and DNS traffic to and from its DNS server. There are other equally obvious advantages to using anomaly-based IDS. For example, because it detects any traffic that is new or unusual, the anomaly method is particularly good at identifying sweeps and probes towards network hardware. It can, therefore, give early warnings of potential intrusions, because probes and scans are the predecessors of all attacks. And this applies equally to any new service installed on any item of hardware - for example, Telnet deployed on a network router for maintenance purposes and forgotten about when the maintenance was finished. This makes anomaly-based IDS perfect for detecting anything from port anomalies and web anomalies to mis-formed attacks, where the URL is deliberately mis-typed.

Suspicious traffic without a specific signature was detected. Under further investigation, it was determined that these were false indicators. Which of the following security devices needs to be configured to disable future false alarms? A. Signature-based IPS B. Signature-based IDS C. Application-based IPS D. Anomaly-based IDS

DLP (Data Loss Prevention)

Systems that monitor the contents of systems (workstations, servers, and networks) to make sure that key content is not deleted or removed

Answer: A. Software as a Service Explanation: Software as a Service (SaaS) is a software distribution model in which applications are hosted by a vendor or service provider and made available to customers over a network, typically the Internet.

The Chief Information Officer (CIO) has mandated web based Customer Relationship Management (CRM) business functions be moved offshore to reduce cost, reduce IT overheads, and improve availability. The Chief Risk Officer (CRO) has agreed with the CIO's direction but has mandated that key authentication systems be run within the organization's network. Which of the following would BEST meet the CIO and CRO's requirements? A. Software as a Service B. Infrastructure as a Service C. Platform as a Service D. Hosted virtualization service

Answer: C. Warm site Explanation: Warm sites provide computer systems and compatible media capabilities. If a warm site is used, administrators and other staff will need to install and configure systems to resume operations. For most organizations, a warm site could be a remote office, a leased facility, or another organization with which yours has a reciprocal agreement.

The Chief Information Officer (CIO) wants to implement a redundant server location to which the production server images can be moved within 48 hours and services can be quickly restored, in case of a catastrophic failure of the primary datacenter's HVAC. Which of the following can be implemented? A. Cold site B. Load balancing C. Warm site D. Hot site

Answer: C. Firewalls Explanation: The basic purpose of a firewall is to isolate one network from another.

The Chief Information Security Officer (CISO) has mandated that all IT systems with credit card data be segregated from the main corporate network to prevent unauthorized access and that access to the IT systems should be logged. Which of the following would BEST meet the CISO's requirements? A. Sniffers B. NIDS C. Firewalls D. Web proxies E. Layer 2 switches

Answer: A. Acceptable use policy Explanation: Acceptable use policy describes how employees are allowed to use company systems and resources, and the consequences of misuse.

The IT department noticed that there was a significant decrease in network performance during the afternoon hours. The IT department performed analysis of the network and discovered this was due to users accessing and downloading music and video streaming from social sites. The IT department notified corporate of their findings and a memo was sent to all employees addressing the misuse of company resources and requesting adherence to company policy. Which of the following policies is being enforced? A. Acceptable use policy B. Telecommuting policy C. Data ownership policy D. Non-disclosure policy

load balancing

The process of distributing data transfer activity evenly so that no single device is overwhelmed.

Answer: A. Implement a honeynet Explanation: A honeynet is a network set up with intentional vulnerabilities; its purpose is to invite attack, so that an attacker's activities and methods can be studied and that information used to increase network security. A honeynet contains one or more honey pots, which are computer systems on the Internet expressly set up to attract and "trap" people who attempt to penetrate other people's computer systems. Although the primary purpose of a honeynet is to gather information about attackers' methods and motives, the decoy network can benefit its operator in other ways, for example by diverting attackers from a real network and its resources. The Honeynet Project, a non-profit research organization dedicated to computer security and information sharing, actively promotes the deployment of honeynets. In addition to the honey pots, a honeynet usually has real applications and services so that it seems like a normal network and a worthwhile target. However, because the honeynet doesn't actually serve any authorized users, any attempt to contact the network from without is likely an illicit attempt to breach its security, and any outbound activity is likely evidence that a system has been compromised. For this reason, the suspect information is much more apparent than it would be in an actual network, where it would have to be found amidst all the legitimate network data. Applications within a honeynet are often given names such as "Finances" or "Human Services" to make them sound appealing to the attacker. A virtual honeynet is one that, while appearing to be an entire network, resides on a single server.

The security team would like to gather intelligence about the types of attacks being launched against the organization. Which of the following would provide them with the MOST information? A. Implement a honeynet B. Perform a penetration test C. Examine firewall logs D. Deploy an IDS

CIA (Confidentiality, Integrity, Availability)

These three form the security triad. Confidentiality helps prevent the unauthorized disclosure of data. Integrity provides assurances that data has not been modified, tampered with, or corrupted. Availability indicates that data and services are available when needed.

Answer: C. Capture the system image Explanation: Capturing an image of the operating system in its exploited state can be helpful in revisiting the issue after the fact to learn more about it. This is essential since the collection of evidence process may result in some mishandling and changing the exploited state.

To ensure proper evidence collection, which of the following steps should be performed FIRST? A. Take hashes from the live system B. Review logs C. Capture the system image D. Copy all compromised files

Answer: D. Mandatory vacations Explanation: A mandatory vacation policy requires all users to take time away from work to refresh. Mandatory vacation give the employee a chance to refresh, but it also gives the company a chance to make sure that others can fill in any gaps in skills and satisfies the need to have replication or duplication at all levels. Mandatory vacations also provide an opportunity to discover fraud. In this case mandatory vacations can prevent the two members from colluding to steal the information that they have access to.

Two members of the finance department have access to sensitive information. The company is concerned they may work together to steal information. Which of the following controls could be implemented to discover if they are working together? A. Least privilege access B. Separation of duties C. Mandatory access control D. Mandatory vacations

Answer: A. Disable the USB root hub within the OS, C. Disable USB within the workstations BIOS. Explanation: A: The USB root hub can be disabled from within the operating system. C: USB can also be configured and disabled in the system BIOS.

Users are utilizing thumb drives to connect to USB ports on company workstations. A technician is concerned that sensitive files can be copied to the USB drives. Which of the following mitigation techniques would address this concern? (Select TWO). A. Disable the USB root hub within the OS. B. Install anti-virus software on the USB drives. C. Disable USB within the workstations BIOS. D. Apply the concept of least privilege to USB devices. E. Run spyware detection against all workstations.

C. Cross-site scripting involves entering a script into text areas that other users will view. Option A is incorrect. SQL injection is not about entering scripts, but rather SQL commands. Option B is incorrect. Clickjacking is about tricking users into clicking on the wrong thing. Option D is incorrect. Bluejacking is a Bluetooth attack.

What type of attack depends on the attacker entering JavaScript into a text area that is intended for users to enter text that will be viewed by other users? A. SQL injection B. Clickjacking C. Cross-site scripting D. Bluejacking

Answer: A. Sniffer Explanation: A sniffer is another name for a protocol analyzer. A protocol analyzer performs its function in a passive manner. In other words, computers on the network do not know that their data packets have been captured. A Protocol Analyzer is a hardware device or more commonly a software program used to capture network data communications sent between devices on a network. Capturing packets sent from a computer system is known as packet sniffing. Well known software protocol analyzers include Message Analyzer (formerly Network Monitor) from Microsoft and Wireshark (formerly Ethereal). A sniffer (packet sniffer) is a tool that intercepts data flowing in a network. If computers are connected to a local area network that is not filtered or switched, the traffic can be broadcast to all computers contained in the same segment. This doesn't generally occur, since computers are generally told to ignore all the comings and goings of traffic from other computers. However, in the case of a sniffer, all traffic is shared when the sniffer software commands the Network Interface Card (NIC) to stop ignoring the traffic. The NIC is put into promiscuous mode, and it reads communications between computers within a particular segment. This allows the sniffer to seize everything that is flowing in the network, which can lead to the unauthorized access of sensitive data. A packet sniffer can take the form of either a hardware or software solution. A sniffer is also known as a packet analyzer.

Which device monitors network traffic in a passive manner? A. Sniffer B. IDS C. Firewall D. Web browser

Answer: A. Trust Model Explanation: In a bridge trust model allows lower level domains to access resources in a separate PKI through the root CA. A trust Model is collection of rules that informs application on how to decide the legitimacy of a Digital Certificate. In a bridge trust model, a peer-to-peer relationship exists among the root CAs. The root CAs can communicate with one another, allowing cross certification. This arrangement allows a certification process to be established between organizations or departments. Each intermediate CA trusts only the CAs above and below it, but the CA structure can be expanded without creating additional layers of CAs.

Which of the following allows lower level domains to access resources in a separate Public Key Infrastructure? A. Trust Model B. Recovery Agent C. Public Key D. Private Key

Answer: D. User training Explanation: User training is an important aspect of maintaining safety and security. It helps improve users' security awareness in terms of prevention, enforcement, and threats. It is of critical importance when element of the company policy cannot be enforced by technical means.

Which of the following can be performed when an element of the company policy cannot be enforced by technical means? A. Develop a set of standards B. Separation of duties C. Develop a privacy policy D. User training

Answer: C. Cable locks Explanation: Cable locks are theft deterrent devices that can be used to tether a device to a fixed point keep smaller devices from being easy to steal.

Which of the following can be used as an equipment theft deterrent? A. Screen locks B. GPS tracking C. Cable locks D. Whole disk encryption

Answer: D. Steganography Explanation: Steganography is the process of concealing a file, message, image, or video within another file, message, image, or video. Note: The advantage of steganography over cryptography alone is that the intended secret message does not attract attention to itself as an object of scrutiny. Plainly visible encrypted messages, no matter how unbreakable will arouse interest, and may in themselves be incriminating in countries where encryption is illegal. Thus, whereas cryptography is the practice of protecting the contents of a message alone, steganography is concerned with concealing the fact that a secret message is being sent, as well as concealing the contents of the message.

Which of the following can hide confidential or malicious data in the whitespace of other files (e.g. JPEGs)? A. Hashing B. Transport encryption C. Digital signatures D. Steganography

Answer: B. Cable locks Explanation: Cable locks are theft deterrent devices that can be used to tether a device to a fixed point keep smaller devices from being easy to steal.

Which of the following devices will help prevent a laptop from being removed from a certain location? A. Device encryption B. Cable locks C. GPS tracking D. Remote data wipes

Answer: D. The private key is only used by the client and kept secret while the public key is available to all. Explanation: The private key must be kept secret at all time. The private key is only by the client. The public key is available to anybody.

Which of the following explains the difference between a public key and a private key? A. The public key is only used by the client while the private key is available to all. Both keys are mathematically related. B. The private key only decrypts the data while the public key only encrypts the data. Both keys are mathematically related. C. The private key is commonly used in symmetric key decryption while the public key is used in asymmetric key decryption. D. The private key is only used by the client and kept secret while the public key is available to all.

Answer: B. Stateful Firewall Explanation: Stateful inspections occur at all levels of the network.

Which of the following firewall types inspects Ethernet traffic at the MOST levels of the OSI model? A. Packet Filter Firewall B. Stateful Firewall C. Proxy Firewall D. Application Firewall

Answer: A. Error and exception handling Explanation: Exception handling is an aspect of secure coding. When errors occur, the system should revert back to a secure state. This must be coded into the system by the programmer, and should capture errors and exceptions so that they could be handled by the application.

Which of the following is an application security coding problem? A. Error and exception handling B. Patch management C. Application Hardening D. Application fuzzing

Answer: A. NDP Explanation: The Neighbor Discovery Protocol (NDP) is a protocol in the Internet protocol suite used with Internet Protocol Version 6 (IPv6).

Which of the following protocols is used by IPv6 for MAC address resolution? A. NDP B. ARP C. DNS D. NCP

Answer: A. Retention of user keys Explanation: Account Disablement should be implemented when a user will be gone from a company whether they leave temporary or permanently. In the case of permanently leaving the company the account should be disabled. Disablement means that the account will no longer be an active account and that the user keys for that account are retained which would not be the case if the account was deleted from the system.

Which of the following security benefits would be gained by disabling a terminated user account rather than deleting it? A. Retention of user keys B. Increased logging on access attempts C. Retention of user directories and files D. Access to quarantined files

Answer: B. Honeypot Explanation: A honeypot is a system whose purpose it is to be attacked. An administrator can watch and study the attack to research current attack methodologies. According to the Wepopedia.com, a Honeypot luring a hacker into a system has several main purposes: The administrator can watch the hacker exploit the vulnerabilities of the system, thereby learning where the system has weaknesses that need to be redesigned. The hacker can be caught and stopped while trying to obtain root access to the system. By studying the activities of hackers, designers can better create more secure systems that are potentially invulnerable to future hackers.

Which of the following should an administrator implement to research current attack methodologies? A. Design reviews B. Honeypot C. Vulnerability scanner D. Code reviews

Answer: B. 3DES, C. AES, F. Blowfish Explanation: B: Triple DES (3DES) is the common name for the Triple Data Encryption Algorithm (TDEA or Triple DEA) symmetric-key block cipher, which applies the Data Encryption Standard (DES) cipher algorithm three times to each data block. C: Advanced Encryption Standard (AES) is a block cipher that has replaced DES as the current standard, and it uses the Rijndael algorithm. It was developed by Joan Daemen and Vincent Rijmen. AES is the current product used by U.S. governmental agencies. F: Blowfish is an encryption system invented by a team led by Bruce Schneier that performs a 64bit block cipher at very fast speeds.

Which of the following symmetric key algorithms are examples of block ciphers? (Select THREE). A. RC4 B. 3DES C. AES D. MD5 E. PGP F. Blowfish

Answer: B. Sandboxing Explanation: Sandboxing is the process of isolating a system before installing new applications on it so as to restrict any potential malware that may be embedded in the new application from being able to cause harm to production systems.

Which of the following techniques describes the use of application isolation during execution to prevent system compromise if the application is compromised? A. Least privilege B. Sandboxing C. Black box D. Application hardening

Answer: A. Event Explanation: Event logs include Application logs, such as those where SQL Server would write entries. This is where you would see logs with details of someone trying to access a SQL database.

Which of the following types of logs could provide clues that someone has been attempting to compromise the SQL Server database? A. Event B. SQL_LOG C. Security D. Access

Answer: B. Job rotation Explanation: A job rotation policy defines intervals at which employees must rotate through positions. Similar in purpose to mandatory vacations, it helps to ensure that the company does not become too dependent on one person and it does afford the company with the opportunity to place another person in that same job.

Which of the following types of risk reducing policies also has the added indirect benefit of cross training employees when implemented? A. Least privilege B. Job rotation C. Mandatory vacations D. Separation of duties

Answer: A. WPA2 -PSK, E. WPA-LEAP Explanation: A brute force attack is an attack that attempts to guess a password. WPA2-PSK and WEP both use a "Pre-Shared Key". The pre-shared key is a password and therefore is susceptible to a brute force attack.

Which of the following wireless protocols could be vulnerable to a brute-force password attack? (Select TWO). A. WPA2-PSK B. WPA - EAP - TLS C. WPA2-CCMP D. WPA -CCMP E. WPA - LEAP F. WEP

Answer: B. Consider antenna placement Explanation: Cinderblock walls, metal cabinets, and other barriers can reduce signal strength significantly. Therefore, antenna placement is critical.

Which of the following would Peter, a security administrator, do to limit a wireless signal from penetrating the exterior walls? A. Implement TKIP encryption B. Consider antenna placement C. Disable the SSID broadcast D. Disable WPA

Answer: C. Baseline review Explanation: The standard configuration on a server is known as the baseline. The IT baseline protection approach is a methodology to identify and implement computer security measures in an organization. The aim is the achievement of an adequate and appropriate level of security for IT systems. This is known as a baseline. A baseline report compares the current status of network systems in terms of security updates, performance or other metrics to a predefined set of standards (the baseline).

Which of the following would a security administrator implement in order to identify change from the standard configuration on a server? A. Penetration test B. Code review C. Baseline review D. Design review

B. A logic bomb is malware that performs its malicious activity when some condition is met. Option A is incorrect because a worm is malware that self-propagates. Option C is incorrect because a Trojan horse is malware attached to a legitimate program. Option D is incorrect because a rootkit is malware that gets root or administrative privileges.

You are a security administrator for a medium-sized bank. You have discovered a piece of software on your bank's database server that is not supposed to be there. It appears that the software will begin deleting database files if a specific employee is terminated. What best describes this? A. Worm B. Logic bomb C. Trojan horse D. Rootkit

C. The text shown is the classic example of a basic SQL injection to log in to a site. Option A is incorrect. Cross-site scripting would have JavaScript in the text field. Option B is incorrect. Cross-site request forgery would not involve any text being entered in the web page. Option D is incorrect. ARP poisoning is altering the ARP table in a switch; it is not related to website hacking.

You are responsible for incident response at Acme bank. The Acme bank website has been attacked. The attacker used the login screen, but rather than enter login credentials, he or she entered some odd text: ' or '1' = '1. What is the best description for this attack? A. Cross-site scripting B. Cross-site request forgery C. SQL injection D. ARP poisoning

C. If users have been connecting but the WAP does not show them connecting, then they have been connecting to a rogue access point. This could be the cause of an architecture and design weakness such as a network without segmentation and control of devices connecting to the network. Option A is incorrect. Session hijacking involves taking over an already authenticated session. Most session hijacking attacks involve impersonation. The attacker attempts to gain access to another user's session by posing as that user. Option B is incorrect. Clickjacking involves causing visitors to a website to click on the wrong item. Option D is incorrect. Bluejacking is a Bluetooth attack.

You are responsible for network security at Acme Company. Users have been reporting that personal data is being stolen when using the wireless network. They all insist they only connect to the corporate wireless access point (WAP). However, logs for the WAP show that these users have not connected to it. Which of the following could best explain this situation? A. Session hijacking B. Clickjacking C. Rogue access point D. Bluejacking

Port Security (Switch)

a Cisco switch feature that limits the number of MAC addresses allowed to communicate through a particular port

Heuristic

a rule-of-thumb problem-solving strategy

UTM Security Appliances

a single hardware or software installation provides multiple security functions.

NIPS (network-based intrusion prevention system)

can actively monitor data streams, detect malicious content, and stop attacks in progress.

Firewalls

hardware, software, or both designed to prevent unauthorized persons from accessing electronic information

proxy server (proxy)

software server that handles all communications originating from or being sent to the Internet, acting as a spokesperson or bodyguard for the organization

URL filtering

the ability to filter traffic based on a web address

802.1x authentication

uses usernames and passwords, certificates, or devices such as smart cards to authenticate wireless clients