CIS 3500 Test 1 (Chapter 1-10)
While port scanning your network for authorized systems, you notice one of your file servers has TCP port 31337 open. When you connect to the port with netcat, you see a prompt that reads "Enter password for access". Your server may be infected with what type of malware?
A Backdoor
A desktop system on your network has been compromised. Despite loading different operating systems from different media on the same desktop, attackers appear to have access to that system every time it is powered on. This would be an example of what kind of rootkit?
A Firmware Rootkit
An employee at your organization is concerned because her ex-spouse seems to know everything she does. She tells you her ex keeps accessing her email and social media accounts even after she has changed her passwords multiple times. She is using a laptop at home that was a gift from her ex. Based on what you've been told, you suspect the laptop has what type of malware?
A Key Logger
A disgruntled administrator is fired for negligence at your organization. 30 days later, your organization's internal file server and backup server crash at exactly the same time. If the disgruntled administrator was responsible for administering those servers during her employment, this is likely what kind of malware?
A Logic Bomb
A user reports seeing "odd certificate warnings" in her web browser this morning whenever she visits Google. Looking at her browser, you see certificate warnings. Looking at the network traffic, you see all HTTP and HTTPS requests from the system are being routed to the same IP regardless of destination. Which of the following attack types are you seeing in this case?
A Man-in-the-Middle attack
There are reports of a worm going through your company that communicates to other nodes on port TCP/1337. What tool would you use to find infected nodes in your network?
A Network Scanner that searches for ports
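As an added example (not part of the study set), the following Python sweep does what the two cards above describe: it connects to a chosen TCP port on each host, grabs whatever the service says first, and flags hosts whose greeting matches the backdoor prompt from the first card. The host list, port, and prompt string are assumptions, and the fake listener is a constructed stand-in for an infected host so the script runs offline on loopback.

```python
import socket
import threading

# Prompt taken from the backdoor card above; real backdoors use many others.
BACKDOOR_PROMPTS = ("enter password for access",)


def probe_tcp(host, port, timeout=1.0, max_banner=256):
    """Try a TCP connect to host:port. Returns (is_open, banner_text).

    banner_text is whatever the service sends first (many daemons and
    backdoors talk first); '' if it stays silent until the timeout.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(max_banner)
            except (socket.timeout, ConnectionError):
                data = b""
        return True, data.decode("utf-8", errors="replace").strip()
    except OSError:
        # Connection refused, unreachable host, or no SYN-ACK within timeout.
        return False, ""


def find_listeners(hosts, port, timeout=1.0):
    """Return {host: banner} for every host that accepts a TCP connection on port."""
    found = {}
    for host in hosts:
        is_open, banner = probe_tcp(host, port, timeout)
        if is_open:
            found[host] = banner
    return found


def flag_backdoor_prompts(listeners):
    """Hosts whose banner matches a known backdoor prompt (case-insensitive)."""
    return sorted(host for host, banner in listeners.items()
                  if any(p in banner.lower() for p in BACKDOOR_PROMPTS))


def start_fake_backdoor(banner=b"Enter password for access\r\n"):
    """Constructed stand-in for an infected host: listens on a loopback port,
    sends the prompt to each client, then hangs up. Returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # port 0 = let the OS pick a free port
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_fake_backdoor()
    # In a real sweep the host list is the whole subnet, e.g. 10.0.0.1-254,
    # and the port is the one the worm or backdoor is known to use (1337, 31337).
    hits = find_listeners(["127.0.0.1"], port)
    print("listening:", hits)
    print("backdoor prompts:", flag_backdoor_prompts(hits))
```

A legitimate service on the same port will show up in `find_listeners` but not in `flag_backdoor_prompts`, which is why the banner, not just the open port, is the indicator worth acting on.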
When an attacker captures network traffic and retransmits it at a later time, what type of attack are they attempting?
A Replay Attack
Users are reporting the wireless network on one side of the building is broken. They can connect, but can't seem to get to the internet. While investigating, you notice all of the affected users are connecting to an access point you don't recognize. These users have fallen victim to what type of attack?
A Rogue Access Point attack
A colleague has been urging you to download a new animated screensaver he has been using for several weeks. When showing you the program, the cursor on his screen moves on its own and a cmd window opens and quickly closes. You suspect that this screensaver is what type of malware?
A Trojan Horse
A piece of malware is infecting the desktops in your organization. Every hour more systems are infected. The infections are happening in different departments and in cases where the users don't share files, programs, or emails. What type of malware causes this type of infection?
A Worm
Why are false negatives more critical than false positives in NIDS and IPS solutions?
A false-negative is a missed malicious behavior or program
A user wants to know if the network is down, because she is unable to reconnect to anything. While troubleshooting, you notice that the MAC address for her default gateway doesn't match the MAC address of your organization's router. What type of attack has been used against this user?
ARP Poisoning
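The check described in the card above can be scripted. The following is an added example (not from the study set): it parses an `arp -n` style table, compares the gateway's MAC against a recorded known-good value, and also flags one MAC answering for several IPs, which is what a poisoner does when it claims the gateway's address alongside its own. The known-good mapping and the ARP table text are constructed inputs.

```python
import re
from collections import defaultdict

# Constructed baseline: the gateway MAC as recorded from the router itself or
# from a known-good `arp -n` run before the incident.
KNOWN_GOOD = {"192.168.1.1": "00:11:22:33:44:55"}

# Constructed `arp -n` style output from the affected workstation.
# Note the gateway resolves to the same MAC as the workstation at .77.
SAMPLE_ARP_TABLE = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   de:ad:be:ef:00:01   C                     eth0
192.168.1.20             ether   00:aa:bb:cc:dd:20   C                     eth0
192.168.1.77             ether   de:ad:be:ef:00:01   C                     eth0
"""

ARP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+ether\s+([0-9a-fA-F:]{17})\s")


def parse_arp_table(text):
    """Return {ip: mac} from arp -n output; header and malformed lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def check_arp_table(table, known_good):
    """Return human-readable findings: baseline mismatches first, then any MAC
    that claims more than one IP address."""
    findings = []
    for ip, expected in known_good.items():
        seen = table.get(ip)
        if seen is not None and seen != expected.lower():
            findings.append(f"{ip} resolves to {seen}, expected {expected.lower()}")

    ips_by_mac = defaultdict(list)
    for ip, mac in table.items():
        ips_by_mac[mac].append(ip)
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append(f"{mac} claims multiple IPs: {', '.join(sorted(ips))}")
    return findings


if __name__ == "__main__":
    for finding in check_arp_table(parse_arp_table(SAMPLE_ARP_TABLE), KNOWN_GOOD):
        print("ARP anomaly:", finding)
```

The baseline comparison is the decisive test; the duplicate-MAC check is a useful secondary signal because a spoofer usually cannot avoid its real address appearing in the same table.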
Your network traffic logs show a large spike in traffic to your DNS server. Looking at the logs, you see a large number of TCP connection attempts from a single IP address. The destination port of the TCP connections seems to increment by one with each new connection attempt. This is most likely an example of what activity?
Active Reconnaissance
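The pattern in the card above (one source, one destination, destination ports incrementing by one) is easy to pick out of connection logs. The following is an added example, not from the study set: it parses constructed firewall-style log lines, groups TCP attempts by source/destination pair, and reports any pair where one source touched many distinct ports, noting whether the ports form a sequential run. The log format and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed connection log lines (not from the page), one attempt per line:
# "<time> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <flags>"
SAMPLE_LOG = """\
09:00:01 TCP 203.0.113.7:51000 -> 192.0.2.53:1 SYN
09:00:01 TCP 203.0.113.7:51001 -> 192.0.2.53:2 SYN
09:00:01 TCP 203.0.113.7:51002 -> 192.0.2.53:3 SYN
09:00:01 TCP 203.0.113.7:51003 -> 192.0.2.53:4 SYN
09:00:02 TCP 203.0.113.7:51004 -> 192.0.2.53:5 SYN
09:00:02 TCP 203.0.113.7:51005 -> 192.0.2.53:6 SYN
09:00:02 TCP 203.0.113.7:51006 -> 192.0.2.53:7 SYN
09:00:02 TCP 203.0.113.7:51007 -> 192.0.2.53:8 SYN
09:00:03 TCP 203.0.113.7:51008 -> 192.0.2.53:9 SYN
09:00:03 TCP 203.0.113.7:51009 -> 192.0.2.53:10 SYN
09:00:03 UDP 198.51.100.4:33333 -> 192.0.2.53:53 -
09:00:04 UDP 198.51.100.9:41000 -> 192.0.2.53:53 -
09:00:04 TCP 198.51.100.9:41001 -> 192.0.2.53:53 SYN
09:00:05 TCP 198.51.100.9:41002 -> 192.0.2.53:443 SYN
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>\S+)$")


def parse_lines(text):
    """Yield one dict per well-formed log line; anything else is ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def longest_consecutive_run(ports):
    """Length of the longest run of distinct ports that increment by exactly one."""
    ordered = sorted(set(ports))
    if not ordered:
        return 0
    best = run = 1
    for prev, cur in zip(ordered, ordered[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def detect_port_scans(text, min_ports=8, min_run=5):
    """Flag (src, dst) pairs where one source tried many distinct TCP ports.

    A normal client talks to one or two ports on a DNS server; dozens of
    distinct ports from one source is reconnaissance. A long sequential run
    additionally identifies a naive scanner sweeping ports in order."""
    ports_by_pair = defaultdict(set)
    for rec in parse_lines(text):
        if rec["proto"] == "TCP":
            ports_by_pair[(rec["src"], rec["dst"])].add(int(rec["dport"]))

    findings = []
    for (src, dst), ports in ports_by_pair.items():
        if len(ports) >= min_ports:
            run = longest_consecutive_run(ports)
            findings.append({
                "src": src,
                "dst": dst,
                "distinct_ports": len(ports),
                "longest_sequential_run": run,
                "pattern": "sequential sweep" if run >= min_run else "scattered",
            })
    return sorted(findings, key=lambda f: -f["distinct_ports"])


if __name__ == "__main__":
    for f in detect_port_scans(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}: {f['distinct_ports']} ports, "
              f"{f['pattern']} (run of {f['longest_sequential_run']})")
```

Real scanners often randomize port order, so the distinct-port count is the primary signal and the sequential run is only a hint about the tool being used.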
What is the term used to define attacks that are characterized by using toolkits to achieve a presence on a target network, with a focus on the long game: maintaining persistence on the target network?
Advanced Persistent Threats (APTs)
A user in your organization is having issues with her laptop. Every time she opens a web browser, she sees different pop ups every few minutes. It doesn't seem to matter which websites are being visited- the popups still appear. What type of malware does this sound like?
Adware
What are the three key functions of a security information and event management (SIEM) system?
Aggregation, Correlation, and Alerting
Malware engineers sometimes take steps to prevent reverse engineering of their code. A virus, such as Zeus, that uses encryption to resist reverse engineering attempts is what type of malware?
An Armored Virus
You are managing a large network with several dozen switches when your monitoring system loses control over half of them. This monitoring system uses SNMPv2 to read traffic statistics and to make configuration changes to the switches. What has most likely happened to cause the loss of control?
An attacker has likely sniffed the cleartext SNMP community string (password) and hijacked a portion of the network
Why should you never use a network scanner on a network you were not authorized to scan?
Any unauthorized network scan appears malicious and can get you in trouble with authorities
You're providing incident response services for small company after a breach. The first thing you notice is the entire network is completely flat once you get behind the firewall. Services, user workstations, and printers are all on the same subnet with no VLANs or network segmentation. This is an example of what type of weakness?
Architecture or Design Weakness
Which of the following are true concerning attacker skill and sophistication?
Attackers do not have magic skills, but rather the persistence and skill to keep attacking weaknesses; a surprising number of attacks are performed using old techniques, old vulnerabilities, and simple methods that take advantage of "low-hanging fruit"
You have been asked to prepare a report on network-based intrusion detection systems that compares the NIDS solutions from two potential vendors your company is considering. One solution is signature-based and one is behavioral-based. Which of the following lists what your report will identify as the key advantage of each?
Behavioral NIDS can detect zero-day attacks; signature-based NIDS has low false-positive rates.
You've been asked to perform an assessment of a new software application. Your client wants you to perform the assessment without providing you any information about how the software was developed or how data is processed by the application. This is an example of what type of testing?
Black-Box Testing
Why should you compare the hash of a file you download from the internet to a library of known hash values?
Comparing hash values can verify whether the file you've downloaded has been tampered with
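The comparison above is a few lines of code, but two details matter in practice: stream large files instead of reading them whole, and keep "no published hash for this file" separate from "hash does not match", since treating unknown as a pass is the common bug. The following is an added example (not from the study set); the `sha256sum`-style library text is constructed, and the digest in it is SHA-256 of the bytes `hello world`.

```python
import hashlib
import hmac
import os

# Constructed library in the format `sha256sum` writes: "<hex digest>  <filename>".
# The digest below is SHA-256 of b"hello world".
SAMPLE_SHA256SUMS = """\
b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9  tool-1.0.tar.gz
"""


def parse_sha256sums(text):
    """Return {filename: hex_digest} from sha256sum-style lines; skips malformed ones."""
    library = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            continue
        digest, name = parts
        library[name.lstrip("*")] = digest.lower()   # leading '*' marks binary mode
    return library


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash the file in 1 MiB chunks so multi-GB downloads need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_digest(name, actual_hex, library):
    """Return 'match', 'mismatch' or 'unknown'.

    'unknown' (nothing published for this name) must not be reported as a pass;
    the caller should treat it as unverified, not as clean."""
    expected = library.get(name)
    if expected is None:
        return "unknown"
    # Constant-time compare: cheap, and a good habit wherever digests are compared.
    return "match" if hmac.compare_digest(expected, actual_hex.lower()) else "mismatch"


def verify_bytes(name, data, library):
    """Verify in-memory content (e.g. a response body) against the library."""
    return verify_digest(name, hashlib.sha256(data).hexdigest(), library)


def verify_file(path, library, name=None):
    """Verify a downloaded file on disk; the library key defaults to its basename."""
    return verify_digest(name or os.path.basename(path), sha256_of_file(path), library)


if __name__ == "__main__":
    lib = parse_sha256sums(SAMPLE_SHA256SUMS)
    print(verify_bytes("tool-1.0.tar.gz", b"hello world", lib))    # match
    print(verify_bytes("tool-1.0.tar.gz", b"hello world\n", lib))  # mismatch
    print(verify_bytes("other.tar.gz", b"hello world", lib))       # unknown
```

Note that a hash only proves integrity relative to the published value; if the hash list was fetched from the same compromised server as the file, both can be replaced together, which is why signed hash lists are preferred.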
What are two things removable media control can do to improve security?
Controlling removable media access can prevent malware intrusions and the loss of sensitive data
What is the main difference between a credentialed and non-credentialed vulnerability scan?
Credentialed scans are performed with a valid set of user credentials
A colleague can't open any Word document stored on his local system. When you force open one of the documents to analyze it, you see nothing but seemingly random characters. There's no visible sign the file is still a Word document. Regardless of what you use to open the Word documents, you don't see anything but random characters. Your colleague was most likely a victim of what type of malware?
Crypto-malware
While examining a laptop infected with malware, you notice that the malware loads on startup and also loads a file called netutilities.dll each time Microsoft Word is opened. This is an example of which of the following?
DLL Injection
Coming into your office, you overhear a conversation between two security guards. One guard is telling the other she caught several people digging through the trash behind the building early this morning. The security guard says the people claimed to be looking for aluminum cans but only had a bag of papers, no cans. What type of attack has the security guard witnessed?
Dumpster Diving
What is the name given to the group of individuals who not only have the ability to write scripts that exploit vulnerabilities but are also capable of discovering new vulnerabilities?
Elite Hackers
While examining log files on a compromised Linux system, you notice an unprivileged user account was compromised, followed by several processes crashing and restarting, and finally the shadow file was accessed and modified. Which of the following techniques might the attacker have used?
Escalation of Privilege
After you implement a new firewall on your corporate network, a co-worker comes to you and asks why he can no longer connect to a Telnet server installed on his home DSL line. This failure to connect is likely due to:
The firewall blocking Telnet because it is insecure
Criminal activity on the internet can include which of the following?
Fraud, extortion, theft, embezzlement, and forgery
Attacks by an individual or even a small group of attackers fall into which threat category?
Unstructured threat category
What is the name given to a group of hackers who work together for a collectivist effort, typically on behalf of some cause?
Hacktivists
What term is used to describe the type of threat that is characterized by a much longer period of preparation, tremendous financial backing, and a large and organized group of attackers?
Highly Structured Threat
Why is Internet Key Exchange (IKE) preferred in enterprise VPN deployments?
IKE automates the key exchange process in a two-phase process to exchange session keys
You are asked to present to Senior Management virtual private network methodologies in advance of your company's purchase of new VPN concentrators. Why would you strongly recommend IPSec VPNs?
IPSec protocols include access control, connectionless integrity, traffic-flow confidentiality, rejection of replayed packets, data security, and data-origin authentication
After an upgrade to your VPN concentrator hardware, your manager comes to you with a traffic graph showing a 50% increase in VPN traffic since the new hardware was installed. What is a possible cause of this increase?
If a VPN defaults to full-tunneling, all network traffic travels through it
You're reviewing a custom web application and accidentally type a number in a text field. The application returns an error message containing variable names, file names, and the full path of the application. This is an example of which of the following?
Improper Error Handling
Warfare conducted against the information and information processing equipment used by an adversary is known as which of the following?
Information Warfare
Which of the following are reasons that the insider threat is considered so dangerous?
Insiders have the access and knowledge to cause immediate damage, may already have the means to commit criminal activity, and are often disgruntled employees looking to disrupt operations.
While validating a vulnerability, your colleague changes the password of the administrator account on the Windows Server she is examining. This is an example of what type of testing?
Intrusive Testing
How does a mail gateway's control of spam improve security?
It blocks potential phishing attacks from reaching your users
A network-based intrusion prevention system (NIPS) relies on what other technology at its core?
It relies on an IDS
Your organization is struggling to contain a recent outbreak of malware. On some of the PCs, your antivirus solution is able to detect and clean the malware. On other PCs exhibiting the exact same symptoms, your antivirus solution reports the system is "clean". These PCs are all running the same operating system and same antivirus software. What might be happening?
Likely Polymorphic Malware
Your organization is having issues with a custom web application. The application seems to run fine for a while but starts to lock up or crash after 7 to 10 days of continuous use. Examining the server, you notice that memory usage seems to climb every day until the server is out of memory. The application is most likely suffering from which of the following?
Memory Leaks
Which of the following describes most Network Tools that are designed to detect an attack?
Most tools are passive
Why will NAT likely continue to be used in IPv6 Networks?
NAT hides internal addressing schemes and prevents connections from outside nodes
Which of the following is the term used to describe the processes used in the collection of information from public sources?
Open-Source Intelligence (OSINT)
What is the primary difference between penetration tests and vulnerability scans?
PenTests examine system vulnerabilities that can be exploited. Scans for vulnerability do not exploit.
While responding to a security incident, your team examines network traffic logs. You see incoming connections to a web server in the DMZ. Several hours later in the same network traffic logs you see connections from the web server to other systems in the DMZ as well as internal systems. This is an example of what type of technique?
Pivoting
Which of the following is a vulnerability related to a lack of vendor support?
Product declared "end-of-life", vendor is no longer in business, or the vendor does not support non-standard configuration for its products
How can proxy servers improve security?
Proxies limit the sites employees can access on the network
You've been asked to try and crack the password of a disgruntled user who was recently fired. Which of the following could help you crack the password in the least amount of time?
Rainbow Tables
Several desktops in your organization are displaying a red screen with the message "Your files have been encrypted. Pay 1 bitcoin to recover them." These desktops are likely infected with what form of malware?
Ransomware
An externally facing web server in your organization keeps crashing. Looking at the server after a reboot, you notice CPU usage is pegged and memory usage is rapidly climbing. The traffic logs show a massive amount of incoming HTTP and HTTPS requests to the server. Which type of attack is this web server experiencing?
Resource Exhaustion
Which of the following would be an example of initial exploitation?
SQL Injection to successfully bypass a login attempt
Which of the following is the term used to refer to individuals who do not have the technical expertise to develop scripts or discover new vulnerabilities in software but have just enough understanding of computer systems to be able to download and run scripts that others have developed?
Script Kiddies
What type of attack involves an attacker putting a layer of code between an original device driver and the operating system?
Shimming
Attacks by individuals from organized crime are generally considered to fall into which threat category?
Structured Threat category
You are attempting to perform an external vulnerability assessment for a client, but your source IP addresses keep getting blocked every time you attempt to run a vulnerability scan. The client confirms this is "as expected" behavior. You aren't able to scan for vulnerabilities, but you have been able to do which of the following?
Successfully performed a passive test of the client's security controls
While waiting in the lobby of your building for a guest, you notice a man in a red shirt standing close to a locked door with a large box in his hands. He waits for someone else to come along and open the locked door, then proceeds to follow her inside. What type of social engineering attack have you just witnessed?
Tailgating
You notice some unusual network traffic and discover several systems in your organization are communicating with a rather dubious "market research" company on a regular basis. When you investigate further, you discover that users of the affected systems all installed the same piece of freeware. What might be happening on your network?
The freeware likely was infected with Spyware.
Users at your organization are complaining about slow systems. Examining several of them, you see that CPU utilization is extremely high and a process called "btmine" is running on each of the affected systems. You also notice each of the affected systems is communicating with an IP address outside of your country on UDP port 43232. If you disconnect the network connections on the affected systems, the CPU utilization drops significantly. Based on what you've observed, you suspect these systems are affected by what type of malware?
The machines are likely bots in a botnet
Why is Email encryption difficult?
There is no uniform standardized protocol for email encryption
Which of the following are characteristics of remote-access Trojans?
They are deployed through malware such as worms, they allow attackers to connect to the system remotely, and they give attackers the ability to modify files and change settings.
What term is used to describe the gathering of information from a variety of sources, including non-public sources, to allow an entity to properly focus their defenses against the most likely threat actors?
Threat Intelligence
Which of the following is a passive tool?
Tripwire
A colleague asks you for advice on why he can't log into his Gmail account. Looking at his browser, you see that he has typed "www.gmal.com" in the address bar. The screen looks very similar to the Gmail login screen. Your colleague has just fallen victim to what type of attack?
Typo Squatting
Which of the following could be an indicator of compromise?
Unusual network traffic, additional logins, and large numbers of requests for the same file are all indicators.
A user in your organization contacts you to see if there is any update on the account compromise that happened last week. When you ask him to explain what he means, the user tells you he received a phone call earlier in the week from your department and was asked to verify his user ID and password. The user says he gave the caller his user ID and password. This user has fallen victim to what specific type of attack?
Vishing
When discussing threat concerns regarding competitors, which of the following is true?
Where in the past it would take significant risk to copy the detailed engineering specification of a major process for a firm, today it can be accomplished with a few clicks and a USB drive.
You've been asked to examine a custom web application your company is developing. You will have access to design documents, data structure descriptions, data flow diagrams, and any other details about the application you think would be useful. This is an example of what type of testing?
White-Box Testing
You've been asked to examine network traffic for evidence of compromise. You have 1TB of tcpdump logs to review. Which of the following tools would you use to examine these logs?
Wireshark
You are sitting at the airport when your friend gets a message on her phone. In the text is a picture of a duck with the word "Pwnd" as the caption. Your friend doesn't know who sent the message. Your friend is a victim of what type of attack?
a Bluejacking attack
A web application you are reviewing has an input field for username and indicates the username should be between 6 and 12 characters. You've discovered that if you input a username 150 characters or more in length, the application crashes. What is this an example of?
a Buffer Overflow
A user calls to report a problem with an application you support. The user says when she accidentally pasted an entire paragraph into the input field, the application crashed. You were able to consistently reproduce the results using the same method. What vulnerability might the user have accidentally discovered in that application?
a Buffer Overflow vulnerability.
Your e-commerce site is crashing under an extremely high traffic volume. Looking at the traffic logs, you see tens of thousands of requests for the same URL coming from hundreds of different IP addresses around the world. What type of attack are you facing?
a DDoS attack
All of the wireless users on the third floor of your building are reporting issues with the network. Every 15 minutes, their devices disconnect from the network. Within a minute or so they are able to reconnect. What type of attack is most likely underway in this situation?
a Disassociation Attack
A colleague shows you a scanning report indicating your web server is not vulnerable to the Heartbleed bug. You know this isn't true as you've personally verified that web server is vulnerable. You believe the scanner used to examine your web server is reporting which of the following?
a False Negative
While running a vulnerability scanner against a Windows Server 2016 system, the tool reports the server may be affected by the offset2lib vulnerability. You find this odd because the offset2lib vulnerability only applies to Linux-based systems. Your vulnerability scanner has most likely reported which of the following?
a False Positive
What kind of device provides tamper protection for encryption keys?
a Hardware Security Module, or HSM
Your organization has been hit with multiple targeted network attacks over the last few months, resulting in data breaches. To attempt to discover how the attackers are getting into your systems, you set up a few vulnerable virtual machines with fake data on them that look like the organization's real machines. What defense mechanism have you built?
a Honeynet
What technology can check the client's Health before allowing access to the network?
Network Access Control, or NAC
The tcpdump command-line tool is classified as which of the following?
a Protocol Analyzer
What kind of tool is Wireshark?
a Protocol Analyzer
You are working with a group testing a new application. You've noticed that when three or more of you click submit on a specific form at the same time, the application crashes every time. This is most likely an example of which of the following?
a Race Condition
Your manager comes to you with an audit finding that 85% of the machines on your network are vulnerable to a variety of different exploits. He wants you to verify the findings of the report. What would be the best tool for this?
a Vulnerability Scanner
While auditing an organization, you discover that new users are added to the domain by sending an email request to the IT department, but the emails don't always come from Human Resources, and IT doesn't always check with HR to ensure the new user request corresponds to an authorized user. This is an example of which of the following?
a Vulnerable Business Process
You've been asked to help address some findings from a recent PCI audit, one of which is support for SSL 2.0 on a web server. Your CFO wants to know why SSL 2.0 support is a problem. You tell her SSL 2.0 support is an example of which of the following vulnerabilities?
a Weak Cipher Suite
Your organization's web server was just compromised despite being protected by a firewall and IPS. The web server is fully patched and properly configured according to the industry best practices. The IPS logs show no unusual activity, but your network traffic logs show an unusual connection from an IP address belonging to a university. What type of attack is most likely occurring?
a Zero-Day attack
A web server in your organization has been defaced. The server is patched and properly configured as far as anyone can tell. Your logs show unusual traffic from external IP addresses just before the defacement occurred. It's possible your server was attacked by which of the following?
a Zero-day exploit
Which of the following is an example of an embedded system?
a network-enabled thermostat
A colleague calls you to ask for assistance. He is having trouble keeping an attacker out of his network. He tells you no matter what he tries, he can't seem to keep the attacker out of in his network and he has no idea how the attacker keeps getting in. This is an example of what type of attack?
an Advanced Persistent Threat
Which of the following is the term generally used to refer to the act of deliberately accessing computer systems and networks without authorization?
an Attack
Your organization is considering using a new ticket identifier for your current help desk system. The new identifier would be a 16-digit integer created by combining the date, time, and operator ID. Unfortunately, when you try using the new identifier in the ticket number field on your current system, the application crashes every time. The old method of using a 5-digit integer works just fine. This is most likely an example of which of the following?
an Integer Overflow
While examining internal network traffic, you notice a large amount of suspicious traffic coming from an IP address in the development environment. The IP address isn't listed on any network diagram and shouldn't be active on your network as far as you can tell. When you ask the developers about it, one of them tells you he set up that server over 12 months ago for a temporary project and forgot all about it. This is an example of which of the following?
an Undocumented Asset
A colleague on your team takes three times longer than you to complete tasks in a particular application. When you go to help him, you notice immediately that he does not use any of the shortcuts designed into the application. When you ask him why he is not using shortcuts, he tells you he didn't know the shortcuts existed. This is an example of which of the following?
an Untrained User
What is the most common use of data sanitization tools?
To erase hard drives of any sensitive data