final csit 188 Multiple choice questions and labs


Which of the following HTTP response messages would you receive if additional action needs to be taken to complete the request?

3xx: Redirection Explanation The HTTP response message 3xx: Redirection indicates that additional action needs to be taken to complete the request.

Which of the following describes Mobile Device Management software?

A combination of an on-device application or agent that communicates with a backend server to receive policies and settings. Explanation MDM software is typically deployed as a combination of an on-device application or agent that communicates with a backend server to receive policies and settings.

Which of the following best describes a DoS attack?

A hacker overwhelms or damages a system and prevents users from accessing a service. Explanation A DoS attack is an attack on the availability of a service by disrupting, denying, or otherwise interfering with the ability to keep a service available. The more you understand what a DoS attack is and what can happen, the better prepared you are to use countermeasures.

Which of the following best describes Microsoft Internet Information Services (IIS)?

A web server technology Explanation Microsoft Internet Information Services (IIS) is a web server technology.

Which key area in the mobile device security model is supported by device designers requiring passwords, biometrics, and two-factor authentication methods?

Access controls Explanation Access control includes passwords, biometrics, and two-factor authentication methods to gain access to the device.

Which of the following best describes a certificate authority (CA)?

An entity that issues digital certificates. Explanation A certificate authority is an entity that issues digital certificates.

While performing a penetration test, you captured a few HTTP POST packets using Wireshark. After examining the selected packet, which of the following concerns or recommendations will you include in your report?

Passwords are being sent in clear text. Explanation Passwords and usernames are being sent in clear text, which can be captured and used for man-in-the-middle attacks.

Which of the following types of injections can be injected into conversations between an application and a server to generate excessive amounts of spam email?

SMTP injection Explanation With an SMTP injection, SMTP commands can be injected into conversations between an application and an SMTP server to generate excessive amounts of spam email.

Anti-malware software utilizes different methods to detect malware. One of these methods is scanning. Which of the following best describes scanning?

Scanning uses live system monitoring to detect malware immediately. This technique utilizes a database that needs to be updated regularly. Scanning is the quickest way to catch malware programs. Explanation Scanning uses live system monitoring to detect malware immediately. This technique utilizes a database that needs to be updated regularly. Scanning is the quickest way to catch malware programs. If the database is not updated, the scanner won't be able to detect new malware threats.

Which of the following malware types shows the user signs of potential harm that could occur if the user doesn't take a certain action?

Scareware Explanation Scareware shows the user signs of potential harm that could happen if the user doesn't take some sort of action, such as purchasing a specific program to clean the system.

A penetration tester discovers a vulnerable application and is able to hijack a website's URL hyperlink session ID. The penetration tester is able to intercept the session ID; when the vulnerable application sends the URL hyperlink to the website, the session IDs are embedded in the hyperlink. Which of the following types of session hijacking countermeasures is the penetration tester using?

Session fixation attack Explanation Session fixation attacks target websites where session IDs are provided in the hyperlink. URLs are sent to a user with session IDs already embedded into them. When a user logs in using this URL, their user information becomes aligned with that session ID. An attacker following the same URL would have the same level of access as the targeted user.

Which of the following tools can be used to create botnets?

Shark, PlugBot, and Poison Ivy Explanation Botnets are typically used to carry out DoS and DDoS attacks. You can use the following tools to create botnets: Shark, PlugBot, and Poison Ivy.

Julie is looking for a honeypot detection tool that is capable of packet manipulation. Which of the following tools should she use?

Snort inline Explanation A computer whose sole purpose is to listen for connection attempts on interesting ports, then log the data about each attempt is called a honeypot.

Which of the following describes the risks of spyware that are particular to mobile devices?

Spyware can monitor and log call histories, GPS locations, and text messages. Explanation Spyware apps can monitor and log activity on a mobile device, including call history, GPS location, text messages, email, and keystrokes.

You have just captured the following packet using Wireshark and the filter shown. Which of the following is the captured password?

St@y0ut!@ Explanation The password is found in the lower pane, following the words password=, and is St@y0ut@.

Donna is configuring the encryption settings on her email server. She is given a choice of encryption protocols and has been instructed to use the protocol that has the most improvements. Which of the following cryptographic protocols should she choose?

TLS Explanation Transport Layer Security (TLS) is a protocol that is used to establish a secure connection between a client and a server and ensure the privacy and integrity of information during transmission. TLS is a replacement for SSL.

Which of the following Bluetooth threats has increased due to the availability of software that can be used to activate Bluetooth cameras and microphones?

The creation of Bluetooth bugging and eavesdropping devices. Explanation The creation of Bluetooth bugging and eavesdropping devices has become easier due to the availability of software that can be used to activate Bluetooth cameras and microphones.

Which of the following best describes this image?

The iOS operating system stack. Explanation The image represents the iOS operating system stack.

Which of the following best describes source routing?

The packet's sender designates the route that a packet should take through the network. Explanation In source routing, the packet's sender designates the route that a packet should take through the network. The purpose is to specify a route that bypasses the firewall. Using this technique, the attacker attempts to evade the firewall restrictions.

Which of the following terms is the encrypted form of a message that is unreadable except to its intended recipient?

ciphertext Explanation Ciphertext is the encrypted form of a message that is unreadable except to its intended recipient.

Daphne suspects a Trojan horse is installed on her system. She wants to check all active network connections to see which programs are making connections and the FQDN of where those programs are connecting to. Which command will allow her to do this?

netstat -f -b Explanation netstat -f -b shows the fully qualified domain name (FQDN) and the name of programs that are making connections.

Which of the following Bluetooth discovery tools will produce the output shown below?

sdptool Explanation The sdptool tool performs Service Discovery Protocol (SDP) queries on Bluetooth devices and will show all available services on the device.

A security analyst is using tcpdump to capture suspicious traffic detected on port 443 of a server. The analyst wants to capture the entire packet with hexadecimal and ASCII output only. Which of the following tcpdump options will achieve this output?

-SX port 443 Explanation -SX are the command-line options for both full packet capture and hexadecimal and ASCII output of port 443.

User-Mode-Linux (UML) is an open-source tool used to create virtual machines. It's efficient for deploying honeypots. One of the big issues with UML is that it doesn't use a real hard disk, but a fake IDE device called /dev/ubd*. How can an attacker find a UML system?

Attackers need to take a look at the /etc/fstab file or execute the mount command. Explanation You can find a UML system by looking at the /etc/fstab file, executing the mount command, or checking the /dev/ubd/ directory. Another sign of a UML is the TUN/TAP backend for the network device 0 (zero). This isn't common on a real system, so it identifies a UML.

You have been asked to perform a penetration test for a company to see if any sensitive information can be captured by a potential hacker. You have used Wireshark to capture a series of packets. Using the tcp contains Invoice filter, you have found one packet. Using the captured information shown, which of the following is the name of the company requesting payment?

ACME, Inc Explanation By looking at the beginning of the packet, you see that Robert Scam is sending an email with a subject line of ACME, Inc Invoice #1543. Therefore, you now know that the name of the company requesting payment is ACME, Inc.

Which of the following steps in an Android penetration test checks for a vulnerability hackers use to break down the browser's sandbox using infected JavaScript code?

Check for a cross-application-scripting error Explanation Checking for a cross-application-scripting error requires investigating vulnerabilities in the Android browser. Hackers use this vulnerability to break down the browser's sandbox using infected JavaScript code.

Jose, a medical doctor, has a mobile device that contains sensitive patient information. He is concerned about unauthorized access to the data if the device is lost or stolen. Which of the following are the best options for preventing this from happening? (Select two.)

Configure the device to wipe after a number of failed login attempts. Configure the device to remotely wipe as soon as it is reported lost. Explanation Configuring the device to wipe after a number of failed login attempts, and configuring the device to perform a factory reset or wipe when the device is reported lost or stolen are the best options in this scenario.

Kathy doesn't want to purchase a digital certificate from a public certificate authority, but needs to establish a PKI in her local network. Which of the following actions should she take?

Create a local CA and generate a self-signed certificate. Explanation Kathy can implement a local PKI by first creating a local CA and generating a self-signed certificate.

Which of the following cryptographic algorithms is used in asymmetric encryption?

Diffie-Hellman Explanation Diffie-Hellman is an asymmetric cryptographic algorithm.

Ping of death, teardrop, SYN flood, Smurf, and fraggle are all examples of which of the following?

DoS attack types Explanation Some of the popular DoS attack types are: TCP fragmentation, ping flood, Smurf attack, Fraggle attack, phlashing, SYN flood, ping of death, and Land attacks.

There are several types of signature evasion techniques. Which of the following best describes the obfuscated codes technique?

Is an SQL statement that is hard to read and understand. Explanation Obfuscated code is an SQL statement that is hard to read and understand.

Which of the following is a characteristic of Elliptic Curve Cryptography (ECC)?

Is suitable for small amounts of data and small devices, such as smartphones. Explanation ECC is an approach to cryptography based on groups of numbers and elliptic curves. ECC is an asymmetric encryption algorithm that is suitable for small amounts of data and for small devices, such as smartphones.

Which of the following cryptography attacks is characterized by the attacker having access to both the plain text and the resulting ciphertext, but does not allow the attacker to choose the plain text?

Known plain text Explanation A known plain text attack is characterized by the attacker having access to both the plain text and the resulting ciphertext. The attacker can make conclusions about the encrypting key and will have validation if the encrypting key is discovered.

A virus has replicated itself throughout the infected systems and is executing its payload. Which of the following phases of the virus lifecycle is the virus in?

Launch Explanation Launch is the third phase of the virus life cycle. The virus is launched and executes its payloads in this phase.

Jim, a smartphone user, receives a bill from his provider that contains fees for calling international numbers he is sure he hasn't called. Which of the following forms of Bluetooth hacking was most likely used to attack his phone?

Bluebugging Explanation A Bluebugging attack exploits a Bluetooth device to install a backdoor that bypasses normal authentication, giving full access to the device, including the ability to initiate phone calls.

Which of the following types of Bluetooth hacking is a denial-of-service attack?

Bluesmacking Explanation A Bluesmack attack is a denial-of-service attack where the L2CAP layer of the Bluetooth protocol stack is used to transfer an oversized packet causing the L2CAP layer to crash, denying Bluetooth services to the user.

Which of the following laws is designed to regulate emails?

CAN-SPAM Act Explanation The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act) establishes the rules and guidelines for commercial emails and curbs annoying spam emails.

Frank wants to do a penetration test. He is looking for a tool that checks for vulnerabilities in web applications, network systems, wireless networks, mobile devices, and defense systems such as IDS or IPS. Which of the following tools would you recommend to him?

COREImpact Pro Explanation COREImpact Pro is a penetration testing tool that checks for vulnerabilities in web applications, network systems, wireless networks, mobile devices, and defense systems such as IDS or IPS.

Which of the following is considered an out-of-band distribution method for private key encryption?

Copying the key to a USB drive. Explanation Out-of-band distribution involves manually distributing the key, for example by copying the key to a USB drive and sending it to the other party.

Which of the following is the best defense against cloud account and service traffic hijacking?

Find and fix software flaws continuously, use strong passwords, and use encryption. Explanation Account and service traffic hijacking happens when the hacker exploits application weaknesses to take control of an account. The defenses are using strong passwords, using encryption, and finding and fixing software flaws continuously.

Patrick is planning a penetration test for a client. As part of this test, he will perform a phishing attack. He needs to create a virus to distribute through email and run a custom script that will let him track who has run the virus. Which of the following programs will allow him to create this virus?

JPS Explanation JPS Virus Maker is a common program that can perform many different tasks, including creating viruses and running a custom script.

Which of the following can void a mobile device's warranty, cause poor performance, or brick a mobile device (making it impossible to turn on or repair)?

Rooting or jailbreaking Explanation Rooting or jailbreaking a mobile device may void the device's warranty, cause poor performance, incur malware infections, or brick the device, making it impossible to turn on or repair.

Which of the following best describes a cybersquatting cloud computing attack?

The hacker uses phishing scams by making a domain name that is almost the same as the cloud service provider. Explanation When cybersquatting, the hacker uses phishing scams by making a domain name that is almost the same as the cloud service provider.

Which of the following is an attack where all traffic is blocked by taking up all available bandwidth between the target computer and the Internet?

Volumetric attack Explanation Volumetric attacks block traffic by taking up all available bandwidth between the target and the Internet.

Ports that show a particular service running but deny a three-way handshake connection indicate the potential presence of which of the following?

honeypot Explanation A computer whose sole purpose is to listen for connection attempts on interesting ports and log the data about each attempt is called a honeypot.

Using Wireshark filtering, you want to see all traffic except IP address 192.168.142.3. Which of the following is the best command to filter a specific source IP address?

ip.src ne 192.168.142.3 Explanation The ne filter stands for not equal. This command will display all traffic not equal to 192.168.142.3.

Which of the following virus types is shown in the code below?

logic bomb Explanation A logic bomb is triggered by an event, such as a specific date and time or a program being executed.

Which of the following honeypot interaction levels can't be compromised completely and is generally set to collect information about attacks like network probes and worms?

low level Explanation A low-level honeypot will simulate only a limited number of services and applications of a target system or network and rely on the emulation of services and programs that would be found on a vulnerable system. This means the honeypot can't be compromised completely and is generally set to collect information about attacks like network probes and worms.

Which of the following types of wireless antenna is shown?

yagi Explanation The antenna shown is a Yagi antenna, a special type of high-gain directional antenna.

Which of the following best describes an anti-virus sensor system?

A collection of software that detects and analyzes malware. Explanation A collection of software that detects and analyzes malware is known as an anti-virus sensor system. This system is used along with the sheep dip computer to perform malware analysis.

Which of the following best describes the SQL Power Injector tool?

A tool used to find SQL injections on a web page. Explanation SQL Power Injector is used to find SQL injections on a web page.

Which of the following best describes a web application?

A web application is software that has been installed on a web server. Explanation A web application is software that has been installed on a web server. These applications process, store, and distribute information on demand.

As part of your penetration test, you are using Ettercap in an attempt to spoof DNS. You have configured the target and have selected the dns_spoof option (see image). To complete the configuration of this test, which of the following MITM options should you select?

ARP poisoning Explanation To successfully complete the configuration of your DNS spoofing test, you need to select the ARP poisoning option. ARP requests and replies are sent to victims to poison their ARP cache. Once the cache has been poisoned, the victim sends all packets to the attacker, who modifies them and forwards them to the real destination.

Which of the following policies best governs the use of bring-your-own-device (BYOD) that connect with an organization's private network?

Acceptable use policy Explanation An acceptable use policy governs all aspects of the use of BYOD that connect with an organization's private network.

Web applications use sessions to establish a connection and transfer sensitive information between a client and a server. Attacking an application's session management mechanisms can help you get around some of the authentication controls and allow you to use the permissions of more privileged application users. Which of the following type of attacks could you use to accomplish this?

Cookie parameter tampering Explanation In a cookie parameter tampering attack, an attacker collects cookies and analyzes them to determine how the cookies are being generated. The attacker then uses tools to tamper with the parameters and replay them to the application.

An attacker is attempting to determine whether a system is a honeypot. Which of the following actions should the attacker take?

Craft a malicious probe packet to scan for services. Explanation An attacker can detect the presence of honeypots by probing the services running on the system or crafting malicious probe packets to scan for services such as HTTP over SSL, SMTP over SSL, and IMAP over SSL. Ports that show a particular service running but deny a three-way handshake connection indicate the potential presence of a honeypot. When all else fails, you can often reach out to the ethical hacking community and utilize other hackers' knowledge and wisdom. If a honeypot cannot be detected, it cannot be evaded.

You are looking for a web server security tool that will detect hidden malware in websites and advertisements. Which of the following security tools would you most likely use?

Hackalert Explanation Hackalert is a cloud-based subscription service that detects hidden malware in websites and advertisements.

You are on a Windows system. You receive an alert that a file named MyFile.txt.exe had been found. Which of the following could this indicate?

Host-based IDS Explanation The following is a list of host-based intrusion signs:
- Unknown files inserted into the system
- Altered file attributes
- Unrecognized file extensions such as .ODIN, .OZD, and .BUK on a Windows-based system
- Rogue suid or sgid files on a Linux system
- Changes to file or folder metadata
- Changes to the hidden status of files
- New files that do not match the existing naming scheme
For example, if a file named FileName.txt.exe is discovered on a Windows system, it is an executable file that could be malicious, tricking a user into clicking on it while thinking it is a text file.

Which of the following web server countermeasures is implemented to fix known vulnerabilities, eliminate bugs, and improve performance?

Install patches and updates. Explanation Patches and updates are designed to fix known vulnerabilities, eliminate bugs, and improve performance.

The SQL injection methodology has four parts. Which of the following parts is similar to playing the game 20 questions?

Launch a SQL attack Explanation In part three, launch a SQL attack, there are two main categories for SQL injection: in-band and blind. Blind SQL, also known as inferential SQL injection, is time-consuming because instead of receiving data, you're receiving true or false results. If you've ever played 20 questions, you know that it can be difficult to investigate using yes or no questions, but not impossible.

You are looking for a web application security tool that runs automated scans looking for vulnerabilities susceptible to SQL injection, cross-site scripting, and remote code injection. Which of the following web application security tools would you most likely use?

Netsparker Explanation Netsparker runs automated scans looking for vulnerabilities susceptible to SQL injection, cross-site scripting, and remote code injection.

An older technique for defeating honeypots is to use tarpits, which sometimes operate at different levels of the OSI model, depending on their function. Which of the following layers of the OSI model do tarpits work at?

OSI layers 2 (DataLink), 4 (Transport), and 7 (Application) Explanation Layer 7 (Application layer) tarpits act as security entities and are designed to respond to incoming packet requests slowly. Layer 4 (Transport layer) tarpits use the TCP/IP stack and slow the spread of worms, backdoors, and other attacks. Layer 2 (Data Link layer) tarpits can discover an attack from the same network and the same MAC address for multiple IP addresses.

Which of the following firewall technologies operates at Layers 3 (Network) and 4 (Transport) of the OSI model?

Packet filtering Explanation Packet filtering firewalls look at the header information of the packets to determine legitimate traffic. This technology operates at Layers 3 (Network) and 4 (Transport) of the OSI model.

Which of the following attacks utilizes encryption to deny a user access to a device?

Ransomware attack Explanation In a ransomware attack, the hacker utilizes encryption to deny a user access to their device by locking files or even the screen.

Which of the following footprinting methods would you use to scan a web server to find ports that the web server is using for various services?

Service discovery Explanation Service discovery is a method of scanning a web server to find ports that are being used by services. These services can be used as pathways for application hacking.

It is important to be prepared for a DoS attack. These attacks are becoming more common. Which of the following best describes the response you should take for a service degradation?

Services can be set to throttle or even shut down. Explanation To respond to a service degradation, services can be set to throttle or even shut down in the event of an attack.

Your network administrator has set up training for all the users regarding clicking on links in emails or instant messages. Which of the following is your network administrator attempting to prevent?

Session fixation Explanation User education is an important part of security. Because attacks like session fixation rely on a user clicking on a link in an email or instant message, users should be trained not to click on these links.

Bob encrypts a message using a key and sends it to Alice. Alice decrypts the message using the same key. Which of the following types of encryption keys is being used?

Symmetric Explanation To use a symmetric key, both parties exchange a shared secret key before communications begin.

Which of the following forms of cryptography is best suited for bulk encryption because of its speed?

Symmetric cryptography Explanation Symmetric cryptography is best suited for bulk encryption because it is much faster than asymmetric cryptography.

Which of the following describes the exploitation stage of the mobile device penetration testing process?

The use of man-in-the-middle attacks, spoofing, and other attacks to take advantage of client-side vulnerabilities. Explanation Exploitation uses man-in-the-middle attacks, spoofing, ARP poisoning, and traffic insertion attacks to exploit client-side vulnerabilities and manipulate captured traffic to exploit back-end servers.

Which of the following explains why web servers are often targeted by attackers?

Web servers provide an easily found, publicly accessible entrance to a network that users are encouraged to enter into and browse. Explanation Web servers provide an entrance to a network that users are encouraged to enter into, browse, and get comfortable with.

Which of the following actions was performed using the WinDump command line sniffer? command: windump -i 1 -w C:\test\mycap.pcap

Wrote packet capture files from interface 1 into mycap.pcap. Explanation The command line request is to collect packet capture files from -i (interface) 1 and -w (write) them to the C:\test\mycap.pcap file.

During a penetration test, Omar found unpredicted responses from an application. Which of the following tools was he most likely using while assessing the network?

beSTORM Explanation beSTORM is a smart fuzzer that finds buffer overflow weaknesses as it automates and documents the process of delivering malicious input and then watches for unpredicted responses from an application.

Which type of cryptanalysis method is based on substitution-permutation networks?

integral Explanation Integral cryptanalysis is useful against block ciphers based on substitution-permutation networks and is an extension of differential cryptanalysis.

Which of the following Bluetooth configuration and discovery tools can be used to check which services are made available by a specific device and can work when the device is not discoverable, but is still nearby?

sdptool Explanation The sdptool tool provides the interface for performing Service Discovery Protocol (SDP) queries on Bluetooth devices. The sdptool can be used to check which services are made available by a specific device and can work when the device is not discoverable, but is still nearby.

ARP, DNS, and IP are all examples of which of the following?

spoofing methods Explanation Common spoofing methods include Address Resolution Protocol (ARP), Domain Name Server (DNS), and Internet Protocol (IP). Spoofing is also used in email phishing schemes.

Which of the following is the number of keys used in asymmetric (public key) encryption?

2 Explanation Public key (asymmetric) encryption uses two keys, a public key and a private key. The sender transmits a confidential message encrypted with the recipient's public key. The message can only be decrypted with the associated private key possessed solely by the recipient.

An attacker conducts a normal port scan on a host and detects protocols used by a Windows operating system and protocols used by a Linux operating system. Which of the following might this indicate?

A honeypot Explanation A scanned system that hosts standard Linux protocols and standard Windows protocols on its ports at the same time may be an indicator of a honeypot rather than a legitimate host. A high-level honeypot simulates all services and applications.

Which of the following operating systems is the most prevalent in the smartphone market?

Android Explanation Essentially, only two operating systems share the smartphone market, Android and iOS, with Android having the largest share.

Which of the following IDS detection types compares behavior to baseline profiles or network behavior baselines?

Anomaly-based Explanation Anomaly-based detection compares behavior to baseline profiles or network behavior baselines. These baseline profiles are used to define what is normal behavior on the network or host.

Which of the following is a short-range wireless personal area network that supports low-power, long-use IoT needs?

BLE Explanation Bluetooth low energy (BLE), also known as Bluetooth Smart, is a wireless personal area network. It supports low-power, long-use IoT needs.

Alan wants to implement a security tool that protects the entire contents of a hard drive and prevents access even if the drive is moved to another system. Which of the following tools should he choose?

BitLocker Explanation BitLocker is a Microsoft security solution that encrypts the entire contents of a hard drive, protecting all files on the disk. BitLocker uses a special key that is required to unlock the hard disk. You cannot unlock/decrypt a drive simply by moving it to another computer.

Which of the following is a password cracking tool that can make over 50 simultaneous target connections?

Brutus Explanation Brutus is a password cracking tool that can make over 50 simultaneous target connections.

Which of the following cloud security controls includes backups, space availability, and continuity of services?

Computation and storage Explanation With computation and storage, the cloud provider must have policies and procedures in place to protect data. These policies and procedures could include backups, space availability, and continuity of services.

Gathering information about a system, its components, and how they work together is known as ________?

Footprinting Explanation Footprinting is the process of gathering information about the system, its components, and how they work together.

An attacker is attempting to connect to a database using a web application system account instead of user-provided credentials. Which of the following methods is the attacker attempting to use?

Hijacking web credentials Explanation With the hijacking web credentials method, an attacker attempts to connect to the database using a web application system account instead of user-provided credentials.

Which of the following firewall limitations is a critical vulnerability because it means that packet filters cannot tell whether a connection was started inside or outside the organization?

Inability to detect or keep the state status. Explanation A packet filtering firewall does not detect or keep the connection state. This inability to keep up with the state status is a critical vulnerability because it means that packet filters cannot tell whether a connection was started inside or outside the organization.

Which of the following bring-your-own-device (BYOD) risks is both a security issue for an organization and a privacy issue for a BYOD user?

Mixing personal and corporate data Explanation Mixing personal and corporate data is both a security issue for a company and a privacy issue for users.

Which of the following is a sign of a network-based intrusion?

New or unusual protocols and services running. Explanation If you detect new or unusual protocols and services running, those are signs of possible network intrusion.

Which of the following is an entity that accepts and validates information contained within a request for a certificate?

Registration authority Explanation A registration authority (RA) can be used in large enterprise environments to offload client enrollment request processing by handling client verification prior to certificate issuance. The RA accepts registrations, validates identity, and approves or denies certificate requests.

If an attacker's intent is to discover and then use sensitive data like passwords, session cookies, and other security configurations such as UDDI, SOAP, and WSDL, which of the following cloud computing attacks is he using?

Service hijacking through network sniffing. Explanation In service hijacking through network sniffing, the attacker uses packet sniffers such as Wireshark or Cain and Abel to intercept and monitor traffic transmitted between two cloud nodes. The attacker's intent is to discover and then use sensitive data such as passwords, session cookies, and other security configurations such as UDDI, SOAP, and WSDL.

Alan, an ethical hacker, roots or jailbreaks a mobile device. He checks the inventory information reported by the mobile device management (MDM) software that manages the mobile device. Which of the following describes what he expects to see in the inventory?

The inventory will show the device as vulnerable. Explanation An MDM should flag a mobile device as vulnerable when it is rooted or jailbroken.

Which of the following best explains why brute force attacks are always successful?

They test every possible valid combination. Explanation Brute force attacks are always successful because they test every possible valid combination. Therefore, they will eventually discover the actual key, password, or code that was used.

Which of the following best describes the purpose of the wireless attack type known as wardriving?

To find information that will help breach a victim's wireless network. Explanation Wardriving, or war driving, is when a hacker drives around in their car and uses a laptop or smartphone to search for wireless networks they can then attempt to break into.

Which of the following Bluetooth attack countermeasures would help prevent other devices from finding your Bluetooth device that is in continuous operation?

Use hidden mode when your Bluetooth device is enabled. Explanation While Bluetooth is enabled on your device, you can use hidden mode. Hidden mode prevents other devices from finding your device.

Jessica needs to set up a firewall to protect her internal network from the Internet. Which of the following would be the best type of firewall for her to use?

hardware Explanation Hardware firewalls are physical devices that are usually placed at the junction or gateway between two networks, generally a private network and a public network such as the internet. Hardware

The ping command is designed to test connectivity between two computers. There are several command options available to customize ping, making it a useful tool for network administrators. On Windows, the default number of ping requests is set to four. Which of the following command options will change the default number of ping requests?

-n Explanation ping -n defines the number of echo requests to send.

The program shown is a crypter. Which of the following best defines what this program does?

A crypter can encrypt, obfuscate, and manipulate malware to make it difficult to detect. Explanation The crypter is a shell around the malware code that keeps the malware from being analyzed and reverse-engineered. The program uses different techniques to encrypt and obfuscate the malware to help prevent detection by anti-malware programs.

Which of the following best describes a rogue access point attack?

A hacker installing an unauthorized access point within a company. Explanation A rogue access point is an unauthorized access point that has been set up in a company. These access points are sometimes set up by employees to bypass the existing limitation of the company's authorized access points. They can also be installed by a hacker who has gained physical access to the building.

Which of the following best describes a honeypot?

A honeypot's purpose is to look like a legitimate network resource. Explanation A honeypot's purpose is to look like a legitimate network resource. A honeypot can be a host, a service on a host, a network device, a virtual entity, or even a single file set up to attract attackers to a secure area away from an organization's real network. Even better, while it's distracting the attacker, you can monitor the malicious activity to learn what the attacker is trying to do.

As the cybersecurity specialist for your company, you have used Wireshark to check for man-in-the-middle DHCP spoofing attacks using the bootp filter. After examining the results, what is your best assessment?

A man-in-the-middle spoofing attack is possible due to two DHCP ACK packets. Explanation Because you received two DHCP ACK packets from the same source IP address, there is a high probability that one of these is a result of a man-in-the-middle spoofing attack. A DHCP Offer packet is expected.

Which of the following best describes a wireless access point?

A networking hardware device that allows other Wi-Fi devices to connect to a wired network. Explanation A wireless access point is a networking hardware device that allows other Wi-Fi devices to connect to a wired network.

Which of the following best describes the Bluediving hacking tool?

A penetration suite that runs on Linux that can implement several attacks, including bluebug, bluesnarf, and bluesmack, and also performs Bluetooth address spoofing. Explanation Bluediving is a Bluetooth penetration suite that runs on Linux. It can implement several attacks, including bluebug, bluesnarf, and bluesmack. It also performs Bluetooth address spoofing.

Which of the following best describes a wireless hotspot?

A physical location where people may obtain free internet access using Wi-Fi. Explanation A hotspot lets you connect an internet-capable device to the internet through a wireless, portable device, such as a phone. Hotspots often use third, fourth, and fifth generation (3G, 4G, and 5G) technology to provide this type of connection. Although personal phones are often used as hotspots, many businesses, such as airports and coffee shops, provide hotspots for their customers.

Which of the following describes a PKI?

A security architecture that ensures data connections between entities are validated and secure. Explanation A public key infrastructure (PKI) is a security architecture that ensures data connections between entities are validated and secure.

You work for a very small company that has 12 employees. You have been asked to configure wireless access for them. Knowing that you have a very limited budget to work with, which of the following technologies should you use?

A software-based access point. Explanation To connect your wireless computers to the network, you will want to install an access point. Since you are working with a limited budget, using a software-based access point will give your employees wireless access for the lowest cost.

Which of the following describes a session ID?

A unique token that a server assigns for the duration of a client's communications with the server. Explanation A session ID is a unique token that a server assigns for the duration of a client's communications with the server.

Which of the following best describes a phishing attack?

A user is tricked into believing that a legitimate website is requesting their login information. Explanation In a phishing attack, a user is tricked into believing that a legitimate website is requesting their login information. Instead, the user is redirected to a malicious website that steals the user's login information.

Frank, an attacker, has gained access to your network. He decides to trigger an illegal instruction and then measures how long the system takes to handle it. Which of the following is he testing for?

A virtual machine Explanation VMware is a commercially available virtual machine that is used to launch multiple instances of operating systems simultaneously on the same physical machine. The first step in detecting VMware is to look at the hardware, since VMware is supposed to emulate hardware. Some specific pieces of hardware attackers look for that are not configurable on some VMware are the video card, display adapter, and network card.

Which of the following is the term used to describe what happens when an attacker sends falsified messages to link their MAC address with the IP address of a legitimate computer or server on the network?

ARP poisoning Explanation Address Resolution Protocol (ARP) poisoning is when an attacker sends fake ARP messages to link their MAC address with the IP address of a legitimate computer or server on the network. Once their MAC address is linked to an authentic IP address, the attacker can receive any messages directed to the legitimate address. As a result, the attacker can intercept, modify, or block communications to the legitimate MAC address.

As the cybersecurity specialist for your company, you believe a hacker is using ARP poisoning to infiltrate your network. To test your hypothesis, you have used Wireshark to capture packets and then filtered the results. After examining the results, which of the following is your best assessment regarding ARP poisoning?

ARP poisoning is occurring, as indicated by the duplicate response IP address. Explanation When using Wireshark to detect ARP poisoning, Wireshark displays a duplicate use of IPs detected. Even without this message, seeing two packets with the same IP address is a good indication that ARP poisoning is taking place on your network.

Jason, an attacker, has manipulated a client's connection to disconnect the real client and allow the server to think that he is the authenticated user. Which of the following describes what he has done?

Active hijacking Explanation Active hijacking is when an attacker manipulates a client's connection to disconnect the real client and allow the server to think that the attacker is the authenticated user.

Which of the following cryptography attacks is characterized by the attacker making a series of interactive queries and choosing subsequent plain texts based on the information from the previous encryption?

Adaptive chosen plain text Explanation An adaptive chosen plain text attack is characterized by the attacker making a series of interactive queries and choosing subsequent plain texts based on the information from the previous encryptions.

Which of the following best describes Bluetooth MAC spoofing?

An attacker changes the Bluetooth address of his own device to match the address of a target device so that the data meant for the victim device reaches the attacker's device first. Explanation Bluetooth MAC spoofing occurs when an attacker changes the Bluetooth address of his own device to match a target device's address. In this attack, the data meant for the victim device reaches the attacker's device first.

You are using BlazeMeter to test cloud security. Which of the following best describes BlazeMeter?

An end-to-end performance and load testing tool that can simulate up to 1 million users and makes realistic load tests easier. Explanation BlazeMeter is an end-to-end performance and load testing tool that can simulate up to 1 million users and makes realistic load tests easier.

An attacker may use compromised websites and emails to distribute specially designed malware to poorly secured devices. This malware provides an access point to the attacker, which he can use to control the device. Which of the following devices can the attacker use?

Any device that can communicate over the Internet can be hacked. Explanation With the advancement of the Internet of Things, it's important to note that zombie devices aren't limited to desktops and laptops. Any device that can communicate over the Internet can be hacked. This includes security cameras, DVR players, and even kitchen appliances.

Which of the following is an open-source web server technology?

Apache Web Server Explanation Apache Web Server (or Apache HTTP Server) is an open-source web server that is the most widely used web server technology.

Which of the following best describes the key difference between DoS and DDoS?

Attackers use numerous computers and connections. Explanation The DoS attacks that you probably hear the most about are distributed denial-of-service attacks (DDoS). The key difference is these attacks use numerous computers and numerous internet connections across the world to overload the target systems. DDoS attacks are usually executed through a network of devices that the attacker has gained control of.

Creating an area of the network where offending traffic is forwarded and dropped is known as _________?

Black hole filtering Explanation Black hole filtering creates an area of the network called a black hole where offending traffic is forwarded and dropped.

Which of the following Bluetooth hacking tools is a complete framework to perform man-in-the-middle attacks on Bluetooth smart devices?

Btlejuice Explanation Btlejuice is a complete framework to perform man-in-the-middle attacks on Bluetooth smart devices. It is composed of an interception core, an interception proxy, and a dedicated web interface. The core and proxy components are run on two independent computers, each with a Bluetooth adapter. Using the two adapters, btlejuice can send and receive Bluetooth communications to perform the man-in-the-middle attack.

HTTP headers can contain hidden parameters such as user-agent, host headers, accept, and referrer. Which of the following tools could you use to discover hidden parameters?

Burp Suite Explanation HTTP headers can contain hidden parameters such as user-agent, host headers, accept, and referrer. Tools used during this step include Burp Suite, HttPrint, and WebScarab. Burp Suite is a web spidering application that can be used as a local proxy. Once you have browsed every link and URL that you can find and completed every form and application available, Burp Suite provides a site map and identifies hidden application content or functions that it can find.

You are a cybersecurity specialist. ACME, Inc. has hired you to install and configure their wireless network. As part of your installation, you have decided to use Wi-Fi Protected Access 2 (WPA2) security on all of your wireless access points. You want to ensure that the highest level of security is used. Which of the following encryption protocols should you use to provide the highest level of security?

CCMP Explanation Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP) provides the highest level of security. CCMP also provides data integrity and authentication and is an improvement over TKIP because it has a larger block size for encryptions and a larger key size. CCMP also has stronger algorithms. Using CCMP in conjunction with AES ensures a higher level of security than TKIP and RC4.

Which of the following are network sniffing tools?

Cain and Abel, Ettercap, and TCPDump Explanation Cain and Abel is a collection of tools that includes ARP poisoning. Cain and Abel redirects packets from a target by forging ARP replies.

In 2011, Sony was targeted by an SQL injection attack that compromised over a million emails, usernames, and passwords. Which of the following could have prevented the attack?

Careful configuration and penetration testing on the front end. Explanation SQL injection attacks such as those against Sony, the United States Department of Energy, and MySQL could have been prevented with careful configuration and penetration testing on the front end.

You have just discovered that a hacker is trying to penetrate your network using MAC spoofing. Which of the following best describes MAC spoofing?

Changing a hacker's network card to match a legitimate address being used on a network. Explanation MAC spoofing is changing a network interface card's (NIC's) media access control (MAC) address to a different MAC address in an attempt to impersonate another computer or disguise the source of the transmission.

Your company produces an encryption device that lets you enter text and receive encrypted text in response. An attacker obtains one of these devices and starts inputting random plain text to see the resulting ciphertext. Which of the following cryptographic attacks is being used?

Chosen plain text Explanation A chosen plain text attack is when the attacker chooses the plaintext to be encrypted. The attacker can choose the plain text that will produce clues to the encryption key used.

Daphne has determined that she has malware on her Linux machine. She prefers to only use open-source software. Which anti-malware software should she use?

ClamAV Explanation ClamAV is an open-source anti-malware program that works with most versions of Linux. Kaspersky, Avira, and Bitdefender are popular anti-malware programs, but are not open-source.

You are the cybersecurity specialist for your company and have been hired to perform a penetration test. You have been using Wireshark to capture and analyze packets. Knowing that HTTP POST data can sometimes be easy prey for hackers, you have used the http.request.method==POST Wireshark filter. The results of that filter are shown in the image. After analyzing the captured information, which of the following would be your biggest concern?

Clear text passwords are shown. Explanation The biggest concern for the captured packet would be that the username and password are being transmitted in clear text.

Which type of web application requires a separate application to be installed before you can use the app?

Client-based web app Explanation Client-based apps are run in a separate client-side application that needs to be installed before the web app can be used.

From your Kali Linux computer, you have used a terminal and the airodump-ng command to scan for wireless access points. From the results shown, which of the following is most likely a rogue access point?

CoffeeShop Explanation According to the output, the power rating (PWR) of the CoffeeShop access point is very high compared to the other access points and is, therefore, most likely the rogue access point.

Which of the following best describes the process of using prediction to gain session tokens in an Application level hijacking attack?

Collect several session IDs that have been used before and then analyze them to determine a pattern. Explanation The easiest way to predict session tokens is to collect several session IDs that have been used before and then analyze them to determine a pattern. Once you know the pattern or algorithm being used, you may be able to predict a future ID.

A hacker has used an SQL injection to deface a web page by inserting malicious content and altering the contents of the database. Which of the following did the hacker accomplish?

Compromise data integrity Explanation To compromise data integrity, an SQL injection is used to deface a web page by inserting malicious content or altering the contents of the database.

Firewalls, whether hardware or software, are only as effective as their __________?

Configuration Explanation Firewalls, whether hardware or software, are only as effective as their configuration; configurations are only as effective as the administrators creating them.

As a penetration tester, you have found there is no data validation being completed at the server, which could leave the web applications vulnerable to SQL injection attacks. Which of the following could you use to help defend against this vulnerability?

Decline any entry that includes binary input, comment characters, or escape sequences. Explanation The most important SQL injection countermeasure is to ensure validation at the server. Limit the size and data type of any input data. Accept only the expected values, and test the content of all string variables. Decline any entry that includes binary input, comment characters, or escape sequences. Enforce type and length checks so that input is viewed as a value and not as a potentially executable code. Ideally, you want to implement various layers of data validation, filtering, and sanitizing. You want to be sure that questionable or unvalidated data does not make it to your web application.

Joelle, an app developer, created an app using two-factor authentication (2FA) and requires strong user passwords. Which of the following IoT security challenges is she trying to overcome?

Default, weak, and hardcoded credentials Explanation Many IoT devices allow weak or default passwords, which are easy to attack and break. The main problem is that there's no set regulation for IoT authentication, only guidelines. Some ways to strengthen IoT devices with authentication are to use two-factor authentication (2FA) and enforce strong passwords or certificates.

Robin, an IT technician, has implemented identification and detection techniques based on the ability to distinguish legitimate traffic from illegitimate traffic over the network. Which of the following is he trying to achieve?

Defend the network against IDS evasions. Explanation Identification and detection techniques based on the ability to detect and distinguish legitimate from illegitimate traffic can help play a part in defending a network against IDS evasions. Although countermeasures may not prevent the attack, they can help proactively detect attacks early on.

Which of the following best describes the Platform as a Service (PaaS) cloud computing service model?

Delivers everything a developer needs to build an application on the cloud infrastructure. Explanation Platform as a Service (PaaS) delivers everything a developer needs to build an application on the cloud infrastructure. The deployment comes without the cost and complexity of buying and managing the underlying hardware and software layers.

Which of the following best describes a stateful inspection?

Determines the legitimacy of traffic based on the state of the connection from which the traffic originated. Explanation Stateful firewalls, also referred to as stateful multilayer firewalls, determine the legitimacy of traffic based on the state of the connection from which the traffic originated. The stateful firewall maintains a state table that tracks the ongoing record of active connections.

Anabel purchased a smart speaker. She connected it to all the smart devices in her home. Which of the following communication models is she using?

Device-to-device Explanation The device-to-device model is meant mostly for systems with devices transferring small data packets to each other at a very low data rate. The devices could include thermostats, light bulbs, door locks, CCTV cameras, refrigerators, and wearable devices.

What are the four primary systems of IoT technology?

Devices, gateway, data storage, and remote control Explanation IoT technology comprises four primary systems: devices, gateway system, data storage system using cloud, and remote control through mobile apps.

The following are countermeasures you would take against a web application attack: Secure remote administration and connectivity testing. Perform extensive input validation. Configure the firewall to deny ICMP traffic. Stop data processed by the attacker from being executed. Which of the following attacks would these countermeasures prevent?

DoS attacks Explanation The countermeasures for a DoS attack are to: Secure remote administration and connectivity testing. Perform extensive input validation. Configure the firewall to deny ICMP traffic. Stop the attacker's data processing from being executed.

Which of the following mobile security best practices for users is concerned with geotags?

Don't auto-upload photos to social networks. Explanation Don't auto-upload photos to social networks. Uploading photos is a privacy concern, and photos have geotags that can be used to track movements.

Which of the following parts of the Trojan horse packet installs the malicious code onto the target machine?

Dropper Explanation The dropper is the part of the Trojan horse that installs the malicious code onto the target machine. Creating the dropper is the second step in the process.

Which of the following encryption tools would prevent a user from reading a file that they did not create and does not require you to encrypt an entire drive?

EFS Explanation Windows Encrypting File System (EFS) encrypts individual files so that only the user who created the file can open it. Decryption is automatic when the file owner opens it. Other users cannot open the encrypted file unless specifically authorized.

As part of your penetration test, you have captured an FTP session, as shown below. Which of the following concerns or recommendations will you include in your report?

FTP uses clear-text passwords. Explanation FTP is a very insecure protocol, and, as can be seen from the captured session, the username and password are visible in clear-text form. This means that FTP users are vulnerable to man-in-the-middle (MITM) attacks that can steal usernames and passwords or modify files as they pass over a network.

A hacker has discovered UDP protocol weaknesses on a target system. The hacker attempts to send large numbers of UDP packets from a system with a spoofed IP address, which broadcasts out to the network in an attempt to flood the target system with an overwhelming amount of UDP responses. Which of the following DoS attacks is the hacker attempting to use?

Fraggle attack Explanation A fraggle attack is a DoS attack that targets UDP protocol weaknesses. A large number of UDP packets from a spoofed IP address are broadcast to a network in an attempt to flood the target computer.

What are the two types of Intrusion Detection Systems (IDSs)?

HIDS and NIDS Explanation The different types of IDSs include Host Intrusion Detection Systems (HIDS) and Network Intrusion Detection Systems (NIDS).

Which of the following motivates attackers to use DoS and DDoS attacks?

Hacktivism, profit, and damage reputation Explanation The following are motivations for DoS and DDoS attacks: -Distraction -Damage reputation -Hacktivism -Fun -Profit

Robert, an IT administrator, is working for a newly formed company. He needs a digital certificate to send and receive data securely in a Public Key Infrastructure (PKI). Which of the following requests should he submit?

He must send identifying data with his certificate request to a registration authority (RA). Explanation The registration authority (RA) processes all requests for digital certificates. Registration authorities verify the identifying data before the request is forwarded to the certificate authority (CA) for certificate generation.

Lorena, the CIO, wants to ensure that the company's security practices and policies match well with their firewall security configuration for maximum protection against hacking. Which of the following actions should Lorena take?

Hire a penetration tester. Explanation At the organizational level, firewall penetration testing should ensure that the firewall security configuration aligns with the organization's security practices and policies. Firewalls, whether hardware or software, are only as effective as their configuration. Testing is required to ensure the appropriate rules have been implemented and that those rules operate as intended.

Mark, an ethical hacker, is looking for a honeypot tool that will simulate a mischievous protocol such as devil or mydoom. Which of the following honeypot tools should he use?

HoneyBOT Explanation HoneyBOT is capable of simulating echo, ftp, telnet, smtp, http, POP3, and radmin, as well as a range of mischievous protocols such as devil, mydoom, lithium, blaster, netbus, and sub7.

Rudy is analyzing a piece of malware discovered in a pentest. He has taken a snapshot of the test system and will run the malware. He will take a snapshot afterwards and monitor different components such as ports, processes, event logs, and more for any changes. Which of the following processes is he using?

Host integrity monitoring Explanation Host integrity monitoring is part of the dynamic analysis process. The analyzer takes a snapshot of the testing computer before executing the malware. After the malware runs, the analyzer uses the same tools to take another snapshot and looks for any changes in the system.

Which of the following are protocols included in the IPsec architecture?

IKE, AH, and ESP Explanation There are several protocols within the IPsec architecture, including: -The Internet Key Exchange (IKE), which creates the encryption keys. -Authentication Header (AH), which authenticates the packets' sender. -Encapsulating Security Payload (ESP), which provides sender authentication and encryption.

Which of the following protocols is one of the most common methods used to protect packet information and defend against network attacks in VPNs?

IPsec Explanation Internet Protocol Security (IPsec) is one of the most common methods used to protect packet information and defend against network attacks.

You are employed by a small start-up company. The company is in a small office and has several remote employees. You must find a business service that will accommodate the current size of the company and scale up as the company grows. The service needs to provide adequate storage as well as additional computing power. Which of the following cloud service models should you use?

IaaS Explanation Infrastructure as a Service (IaaS) delivers infrastructure to the client, such as processing, storage, networks, and virtualized environments. The client deploys and runs software without purchasing servers, data center space, or network equipment.

Which of the following functions does a single quote (') perform in an SQL injection?

Indicates that data has ended and a command is beginning. Explanation A single quote (') indicates that data has ended and a command is beginning.

Which of the following is the correct order for a hacker to launch an attack?

Information gathering, vulnerability scanning, launch attack, gain remote access, maintain access Explanation Hackers first gather information on the target they intend to exploit. Then they scan the network or system for vulnerabilities worth attacking. Next, they launch the attack. During the attack, their goal is to gain access to a device, then command and control the attack while remaining undetected by security products. Finally, the hacker tries to maintain access for as long as possible to launch more elaborate attacks.

YuJin drove his smart car to the beach to fly his drone in search of ocean animal activity. Which of the following operating systems are most likely being used by his car and drone?

Integrity RTOS and snappy Explanation Nucleus and Integrity RTOS are both used in the aerospace, industrial, automotive, and medical sectors.

Which of the following has five layers of structure that include Edge technology, Access gateway, Internet, Middleware, and Application?

IoT architecture Explanation The IoT has been structured into an architecture of layers because, with so many devices operating in one system and that system being connected to other processes, IoT needs a well-defined and effective architecture to function properly. The layers help keep the system consistent. There are five layers in total: Edge technology, Access gateway, Internet, Middleware, and Application.

Which of the following is the first step you should take if malware is found on a system?

Isolate the system from the network immediately. Explanation If malware is found on a system, you should:
-Isolate the system from the network immediately.
-Verify that the anti-malware software is updated and running. If it's not, update it and scan the system.
-Sanitize the system using updated anti-malware software and appropriate techniques.
Part of a penetration test is checking for malware vulnerabilities. When performing a penetration test, the penetration tester follows a set of steps:
-Scan for open ports.
-Scan for running processes.
-Check for suspicious or unknown registry entries.
-Verify all running Windows services.
-Check startup programs.
-Look through the event log for suspicious events.
-Verify all installed programs.
-Scan files and folders for manipulation.
-Verify that device drivers are legitimate.
-Check all network and DNS settings and activity.
-Scan for suspicious API calls.
-Run anti-malware scans.

Which of the following best describes the countermeasures you would take against a cross-site request forgery attack?

Log off immediately after using a web application. Clear the history after using a web application, and don't allow your browser to save your login details. Explanation The countermeasures for a cross-site request forgery attack are to log off immediately after using a web application. Clear the history after using a web application, and don't allow your browser to save your login details.

Ann has a corner office that looks out on a patio that is frequently occupied by tourists. She likes the convenience of her Bluetooth headset paired to her smartphone, but is concerned that her conversations could be intercepted by an attacker sitting on the patio. Which of the following countermeasures would be the most effective for protecting her conversations?

Lower the Bluetooth power setting on the smartphone and headset. Explanation Lowering the Bluetooth power settings will decrease the Bluetooth range, making it harder to intercept from a distance.

Strict supply chain management, comprehensive supplier assessment, HR resource requirements, transparent information security and management, compliance reporting, and a security breach notification process are defenses against which of the following cloud computing threats?

Malicious insiders Explanation Malicious insiders are usually resentful people who have some kind of connection with a company or cloud service. The best defense is to have strict supply chain management, comprehensive supplier assessment, HR resource requirements, transparent information security and management, compliance reporting, and a security breach notification process.

Which of the following mobile security concerns is characterized by malicious code that specifically targets mobile devices?

Malicious websites Explanation Malicious or compromised websites are often used to launch web or network attacks. An attacker can design a website to easily determine what type of device is being used and then use malicious code that specifically targets mobile devices.

Which term describes the process of sniffing traffic between a user and server, then re-directing the traffic to the attacker's machine, where malicious traffic can be forwarded to either the user or server?

Man-in-the-middle Explanation A man-in-the-middle attack is the process of sniffing traffic between a user and server and then re-directing the traffic to the attacker's machine, where malicious traffic can be forwarded to either the user or server.

Mary wants to send a message to Sam. She wants to digitally sign the message to prove that she sent it. Which of the following cryptographic keys would Mary use to create the digital signature?

Mary's private key Explanation Mary would use her own private key to create the digital signature. This proves that only Mary could have sent the message because only Mary has access to her private key. Sam would use Mary's public key to verify the digital signature.

A company has implemented the following defenses: The data center is located in a safe geographical area. Backups are in different locations. Mitigation measures are in place. A disaster recovery plan is in place. Which of the following cloud computing threats has the customer implemented countermeasures against?

Natural disasters Explanation Natural disasters such as floods, lightning, and earthquakes can lead to service and data loss. Defenses are to locate data centers in a safe geographical area, have backups at different locations, take mitigation measures, and have a disaster recovery plan.

Google Cloud, Amazon Web Services, and Microsoft Azure are some of the most widely used cloud storage solutions for enterprises. Which of the following factors prompts companies to take advantage of cloud storage?

Need to bring costs down and growing demand for storage. Explanation Some of the most widely used cloud storage solutions for enterprises are Google Cloud, Amazon Web Services, and Microsoft Azure. Because of the growing demand for storage and the desire to bring costs down, many companies take advantage of cloud storage.

Which of the following is a nonprofit organization that provides tools and resources for web app security and is made up of software developers, engineers, and freelancers?

OWASP Explanation OWASP stands for Open Web Application Security Project. It is a nonprofit organization made up of software developers, engineers, and freelancers. They provide tools and resources for web app security. From time to time, OWASP publishes a report on the 10 most serious web app security risks affecting the cyber world.

Penetration testing is a practice conducted by an ethical hacker to see how an organization's security policies and security practices measure up to the organization's actual overall successful system security. When can an ethical hacker start the penetration test?

Once all the legal contracts are signed, formalities are settled, and permissions are given Explanation Penetration testing usually begins by establishing an extensive plan and scope of the penetration testing project. There are usually many project planning meetings between the penetration testers, organization system administrators, network administrators, and security personnel. Then, once all the legal contracts are signed, formalities are settled, and permissions are given, the actual testing can begin.

Using Wireshark, you have used a filter to help capture only the desired types of packets. Using the information shown in the image, which of the following best describes the effects of using the host 192.168.0.34 filter?

Only packets with 192.168.0.34 in either the source or destination address are captured. Explanation Wireshark's host filter captures only packets where the specified IP address is in either the source or the destination address.

Using Wireshark, you have used a filter to help capture only the desired types of packets. Using the information shown in the image, which of the following best describes the effects of using the net 192.168.0.0 filter?

Only packets with either a source or destination address on the 192.168.0.0 network are captured. Explanation The net filter captures traffic to or from a range of IP addresses. Since the network address of 192.168.0.0 was used, only packets with either a source or destination address on the 192.168.0.0 network are displayed.

Which of the following is an open-source cryptography toolkit that implements SSL and TLS network protocols and the related cryptography standards required by them?

OpenSSL Explanation OpenSSL is an open-source cryptography toolkit that implements SSL and TLS network protocols and the related cryptography standards they require.

Which of the following best describes a proxy server?

Operates at Layer 7 (Application) of the OSI model. Explanation Proxy servers act as a proxy for internal hosts when connecting to the internet. Proxy servers can also:
-Prevent client systems from communicating directly with an outside source. This reduces exposure and risk.
-Filter traffic by content. This means proxy servers can operate at Layer 7 (the Application layer) of the OSI model.
-Speed up browsing by caching frequently visited sites and resources.
Packet filtering technology operates at Layers 3 (Network layer) and 4 (Transport layer) of the OSI model. Circuit-level gateways are a more complex form of firewall. Circuit-level gateways operate at Layer 5 (Session layer) of the OSI model.

Which of the following is characterized by an attacker using a sniffer to monitor traffic between a victim and a host?

Passive hijacking Explanation Passive hijacking is when an attacker uses a sniffer to monitor traffic between a victim and a host.

Which of the following best describes the HTTP Request/Response TRACE?

Performs a loopback test to a target resource. Explanation The TRACE command performs a loopback test to a target resource.

Above all else, which of the following must be protected to maintain the security and benefit of an asymmetric cryptographic solution, especially if it is widely used for digital certificates?

Private keys Explanation The strength of an asymmetric cryptographic system lies in the secrecy and security of its private keys. A digital certificate and a digital signature are little more than unique applications of a private key. If the private keys are compromised for a single user, for a secured network, or for a digital certificate authority, the entire realm of trust is destroyed.

A company has subscribed to a cloud service that offers cloud applications and storage space. Through acquisition, the number of company employees quickly doubled. The cloud service vendor was able to add cloud services for these additional employees without requiring hardware changes. Which of the following cloud concepts does this represent?

Rapid elasticity Explanation Rapid elasticity describes the cloud provider's ability to increase or decrease service levels to meet customer needs without requiring hardware changes.

Which of the following best describes a reverse proxy method for protecting a system from a DoS attack?

Redirects all traffic before it is forwarded to a server, so the redirected system takes the impact. Explanation When a DoS attack occurs and a proxy server takes the impact, this is known as a Reverse Proxy DoS protection method. This method redirects all traffic to the reverse proxy before it is forwarded to the real server.

Which of the following is the most frequently used symmetric key stream cipher?

Ron's Cipher v4 (RC4) Explanation RC4 is the most frequently used symmetric key stream cipher. RC4 is commonly used with WEP and SSL.

Linda, an Android user, wants to remove unwanted applications (bloatware) that are pre-installed on her device. Which of the following actions must she take?

Root the Android device. Explanation Rooting overcomes the security restrictions imposed by the Android device's manufacturer to:
-Visually change the appearance or theme.
-Increase performance by overclocking the CPU or GPU.
-Remove bloatware that comes pre-installed on the device.

Part of a penetration test is checking for malware vulnerabilities. During this process, the penetration tester will need to manually check many different areas of the system. After these checks have been completed, which of the following is the next step?

Run anti-malware scans Explanation After the penetration tester has run system scans and checked different areas of the system, anti-malware scans should be run. Before running these scans, make sure the software is updated.

Which of the following cloud computing service models delivers software applications to a client either over the Internet or on a local area network?

SaaS Explanation Software as a Service (SaaS) delivers software applications to the client either over the Internet or on a local area network.

Mary is using asymmetric cryptography to send a message to Sam so that only Sam can read it. Which of the following keys should she use to encrypt the message?

Sam's public key Explanation Mary should use Sam's public key to encrypt the message. Only the corresponding private key, which only Sam has, can be used to decrypt the message.

Upload bombing and poison null byte attacks are designed to target which of the following web application vulnerabilities?

Scripting errors Explanation Upload bombing and poison null byte attacks are designed to target possible errors in scripting. Upload bombing loads tons of files onto a server, hoping to fill up the server's drives and crash the system. A poison null byte attack sends special characters to the script. If the script is unable to handle the characters, the script may provide access that it wouldn't otherwise.

Which of the following tasks is being described? 1. Sniff the traffic between the target computer and the server. 2. Monitor traffic with the goal of predicting the packet sequence numbers. 3. Desynchronize the current session. 4. Predict the session ID and take over the session. 5. Inject commands to target the server.

Session hijacking Explanation The steps in the question describe the process used in session hijacking. Passive hijacking is, essentially, sniffing traffic between the target and the host, and does not complete steps 2-4.

Analyzing emails, suspect files, and systems for malware is known as which of the following?

Sheep dipping Explanation The process of analyzing emails, suspect files, and systems for malware is called sheep dipping. The term comes from the process sheep farmers use to dip sheep in chemical solutions to clear them of parasites.

Your network administrator is configuring settings so the switch shuts down a port when the max number of MAC addresses is reached. What is the network administrator taking countermeasures against?

Sniffing Explanation Switched networks provide a natural barrier for an attacker using a sniffer. Be sure to configure settings so the switch shuts down a port when the max number of MAC addresses is reached, so MAC flooding isn't possible.

Allen, the network administrator, needs a tool that can do network intrusion prevention and intrusion detection, capture packets, and monitor information. Which of the following tools would he most likely select?

Snort Explanation Snort is an open-source network intrusion prevention system capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, so it can detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and OS fingerprinting attempts.

IP address spoofing, fragmentation attacks, using proxy servers, ICMP tunneling, and ACK tunneling are all examples of which of the following firewall penetration testing techniques?

TCP packet filtering Explanation When using the TCP packet filtering testing technique, the penetration tester can accomplish the following by modifying the TCP packet: -Spoof the IP address to gain unauthorized access. -Use fragmentation attacks to force the TCP header information into the next fragment. This allows the penetration tester to bypass the firewall. -Use proxy servers that block the actual IP address and display another. This allows access to a blocked website or target device. -Use ICMP tunneling to tunnel a backdoor application in the data portion of ICMP Echo packets. -Perform ACK tunneling using tools such as AckCmd to tunnel a backdoor application using TCP packets with the ACK bit set.

You are configuring a wireless access point and are presented with the image shown below. Which of the following is the most correct statement regarding the access point's configuration?

The Host Name is what the users see in the list of available networks when they connect to the access point. Explanation The Host Name is the name users see when they try to connect to an access point. The Wireless Network Name (SSID) is a unique name separate from the name users see when they connect to the wireless access point.

You are configuring several wireless access points for your network. Knowing that each access point will have a service set identifier (SSID), you want to ensure that it is configured correctly. Which of the following SSID statements are true?

The SSID is a unique name, separate from the access point name. Explanation Although the name (or host name) of an access point can be the same as the SSID, most wireless routers let you assign a unique SSID, which users or customers see when connecting to the network. Although an SSID is necessary for a secure network, on its own it doesn't do much to make a network more secure. For example, SSIDs are sent in a packet in plain text. A hacker can easily capture the packet and find the SSID using a sniffing tool such as Wireshark or tcpdump.

You are using software as a service (SaaS) in your office. Who is responsible for the security of the data stored in the cloud?

The provider is responsible for all the security. Explanation With software as a service (SaaS), the provider is supposed to provide all the security. With infrastructure as a service (IaaS), you're responsible for pretty much every aspect of the security.

You are using Wireshark to try to determine if a distributed denial-of-service (DDoS) attack is happening on your network (128.28.1.1). You previously captured packets using the tcp.flags.syn==1 and tcp.flags.ack==1 filter, but only saw a few SYN-ACK packets. You have now changed the filter to tcp.flags.syn==1 and tcp.flags.ack==0. After examining the Wireshark results shown in the image, which of the following is the best reason to conclude that a DDoS attack is happening?

There are multiple SYN packets with different source addresses destined for 128.28.1.1. Explanation The captured and filtered packets show many SYN packets being sent from many different sources, but all destined for the same target or destination address. This is a strong indication that a DDoS attack is currently happening.

Which of the following statements is true regarding cookies?

They were created to store information about user preferences and web activities. Explanation Cookies are a necessary part of web applications; they are also a notable vulnerability. Because HTTP was not designed to save state information, cookies were created to store information about user preferences and web activities.

An IDS can perform many types of intrusion detections. Three common detection methods are signature-based, anomaly-based, and protocol-based. Which of the following best describes protocol-based detection?

This detection method can include malformed messages and sequencing errors. Explanation Protocol-based detection can include malformed messages, sequencing errors, and similar variations from a protocol's known good behavior. Protocol detection can be useful against unknown or zero-day exploits, which might attempt to manipulate protocol behavior for malicious purposes.

Which of the following tools enables security professionals to audit and validate the behavior of security devices?

Traffic IQ Professional Explanation An example of a dedicated evasion defense tool is Traffic IQ Professional, which enables security professionals to audit and validate the behavior of security devices. They do this by generating the standard application traffic or attack traffic between two virtual machines. This tool can be used to assess, audit, and test the behavioral characteristics of any non-proxy packet filtering device, including Application-layer firewalls, intrusion detection and prevention systems, and routers and switches.

Heather wants to gain remote access to Randy's machine. She has developed a program and hidden it inside a legitimate program that she is sure Randy will install on his machine. Which of the following types of malware is she using?

Trojan horse Explanation A Trojan horse is a malware program that is hidden inside a legitimate program. When the user runs that program, the Trojan horse runs in the background without the user's knowledge, giving the hacker remote access.

The ACME company has decided to implement wireless technology to help improve the productivity of their employees. As the cybersecurity specialist for this company, you have the responsibility of seeing that the wireless network is as secure as possible. Which of the following best describes one of the first countermeasures that should be used to ensure wireless security?

Use a Wi-Fi predictive planning tool to determine where to place your access points. Explanation Proper planning and implementation of the wireless network from the beginning will help make it more difficult for hackers to have any effect on your network after it's been installed. Therefore, one of the first countermeasures is to take advantage of Wi-Fi predictive planning tools, such as iBwave Design, AirMagnet Planner, and TamoGraph Site Survey.

Using sniffers has become one way for an attacker to view and gather network traffic. If an attacker overcomes your defenses and obtains network traffic, which of the following is the best countermeasure for securing the captured network traffic?

Use encryption for all sensitive traffic. Explanation Using encryption methods is the best practice to secure network traffic in this scenario. It becomes one of the last lines of defense. If the encryption method used is strong enough, it will take the attacker too long to decrypt the obtained encrypted traffic to be worth the effort.

Which of the following is a characteristic of Triple DES (3DES)?

Uses a 168-bit key Explanation Triple DES (3DES):
-Applies DES three times.
-Uses a 168-bit key.
-Is used in IPsec as its strongest and slowest encipherment.

Which of the following best describes a feature of symmetric encryption?

Uses only one key to encrypt and decrypt data. Explanation Symmetric encryption, also known as secret key encryption, pre-shared key, or private key encryption, uses only one key to encrypt and decrypt data.

Which of the following is a characteristic of the Advanced Encryption Standard (AES) symmetric block cipher?

Uses the Rijndael block cipher. Explanation AES is an iterative symmetric key block cipher that uses the following:
-The Rijndael block cipher, which is resistant to all known attacks.
-A variable-length block and key length (128-, 192-, or 256-bit keys).

Which of the following uses on-the-fly encryption, meaning the data is automatically encrypted immediately before it is saved and decrypted immediately after it is loaded?

VeraCrypt Explanation VeraCrypt is software for establishing and maintaining an encrypted volume for data storage devices. VeraCrypt uses on-the-fly encryption, meaning the data is automatically encrypted immediately before it is saved and decrypted immediately after it is loaded. It requires no user intervention.

SQL injections are a result of which of the following flaws?

Web applications Explanation A SQL injection is an attack against a web application that manipulates the SQL statements built from input entered into a web page.

You are analyzing the web applications in your company and have newly discovered vulnerabilities. You want to launch a denial-of-service (DoS) attack against the web server. Which of the following tools would you most likely use?

WebInspect Explanation Denial-of-service (DoS) attacks target a web server. Tools that can be used during this step include UrlScan, Nessus, and WebInspect. WebInspect is a web application security assessment tool that helps identify known and unknown vulnerabilities within the Web Application layer.

Which of the following types of web server attacks is characterized by altering or vandalizing a website's appearance in an attempt to humiliate, discredit, or annoy the victim?

Website defacement Explanation Website defacement is a fairly unique attack where a website is vandalized so that the site's appearance is altered or defaced in an attempt to humiliate, discredit, or even just annoy the victim.

You suspect that an ICMP flood attack is taking place from time to time, so you have used Wireshark to capture packets using the tcp.flags.syn==1 filter. Initially, you saw an occasional SYN or ACK packet. After a short while, however, you started seeing packets as shown in the image. Using the information shown, which of the following explains the difference between normal ICMP (ping) requests and an ICMP flood?

With the flood, all packets come from the same source IP address in quick succession. Explanation In comparison to the occasional ICMP ping requests that can be seen on a network, when an ICMP flood attack is happening, the ICMP packets are sent in quick succession from the same source IP address. As a result, there is little bandwidth available to receive many (if any) ACK or SYN packets.

You are a cybersecurity consultant. The company hiring you suspects that employees are connecting to a rogue access point (AP). You need to find the name of the hidden rogue AP so it can be deauthorized. Which of the following commands would help you locate the rogue access point from the wlp1s0 interface and produce the results shown?

airodump-ng wlp1s0mon Explanation The command airodump-ng wlp1s0mon is used to display access points. From the output, you see that there is one access point currently being shown as length: 0. As you let this program run, the next time a person attaches to this access point, the name of the hidden/rogue point will be captured and displayed.

You work for a company that is implementing symmetric cryptography to process payment applications such as card transactions where personally identifiable information (PII) needs to be protected to prevent identity theft or fraudulent charges. Which of the following algorithm types would be best for transmitting large amounts of data?

block Explanation Block ciphers encrypt by transposing plain text to ciphertext in chunks (block by block). Block ciphers are fast and can process large amounts of data.

James, a penetration tester, uses nmap to locate mobile devices attached to a network. Which of the following mobile device penetration testing stages is being implemented?

footprinting Explanation Footprinting uses scanning tools like nmap to locate mobile devices attached to your network. These tools often return the OS version and type.

Jin, a penetration tester, was hired to perform a black box penetration test. He decides to test the company's firewall. Which of the following techniques should he use first?

footprinting Explanation The first technique the penetration tester should use is footprinting. Footprinting is done by running a port scan on the system and accessing banners. This allows the penetration tester to determine the type of firewall used.

Which of the following Bluetooth discovery tool commands will show the Bluetooth MAC address, clock offset, and class of each discovered device?

hcitool inq Explanation The hcitool inq command searches for remote devices. For each discovered device, the clock offset and class are shown.

Which of the following honeypot interaction levels simulates all services and applications and can be completely compromised by attackers to get full access to the system in a controlled area?

high-level Explanation A high-level honeypot simulates all services and applications and can be completely compromised by attackers to get full access to the system in a controlled area.

Which of the following is a physical or virtual network device set up to masquerade as a legitimate network resource?

honeypot Explanation A honeypot's purpose is to look like a legitimate network resource to attract and occupy attackers. A honeypot can be a host, a service on a host, a network device, a virtual entity, or even a single file set up to attract attackers to a secure area away from an organization's real network.

A user is having trouble connecting to a newly purchased Bluetooth device. An administrator troubleshoots the device using a Linux computer with BlueZ installed. The administrator sends an echo request to the device's Bluetooth MAC address to determine whether the device responds. Which of the following commands was used?

l2ping Explanation The l2ping command sends an L2CAP echo request to a Bluetooth MAC address given in dotted hex notation. This command can only be run by the root user and is used to check to see if the Bluetooth device is up.

Which of the following steps in the web server hacking methodology involves setting up a web server sandbox to gain hands-on experience attacking a web server?

mirroring Explanation The mirroring step involves setting up a web server sandbox that is similar to the web server being attacked to gain hands-on experience.

Which of the following is another name for the signature-based detection method?

misuse detection Explanation The signature-based detection method is also sometimes called misuse detection. The system compares traffic to known signatures in the signature file database. Remember, signature IDS systems rely on matching signatures to pattern traffic, or signature keys, in the signature file database.

When it comes to obfuscation mechanisms, nmap has the ability to generate decoys, meaning that detection of the actual scanning system becomes much more difficult. Which of the following is the proper nmap command?

nmap -D RND:10 target_IP_address Explanation nmap has the ability to generate decoys, meaning that detection of the actual scanning system becomes much more difficult. The nmap command used to generate decoys is nmap -D RND:10 target_IP_address. This will generate a random number of decoys implementing another obfuscation evasion technique.

Nmap provides many commands and scripts that are used to evade firewalls and intrusion detection systems. Which of the following is the proper nmap command to use the decoy option?

nmap -D RND:25 10.10.10.1 Explanation Nmap has a decoy option. Use the -D parameter to perform the scan. With the -D option, it appears to the remote host that the host(s) you specify as decoys are scanning the target network, too. In the example, the host 10.10.10.1 will see 25 port scans, and the remote host, or IDS, has no way of telling which one was real.

Which of the following is the number of keys used in symmetric encryption?

one Explanation Private key, or symmetric, encryption uses a single shared key. Both communicating parties must possess the shared key to encrypt and decrypt messages. The biggest challenge to symmetric cryptography is the constant need to protect the shared private key. This protection must be applied at all times, including during the initial transmission of the shared key between the parties.

Which of the following types of wireless antenna is shown in the image?

parabolic Explanation The antenna shown is a parabolic antenna, which is a high-gain antenna that uses a curved surface.

You have been asked to perform a penetration test for a company to see if any sensitive information can be captured by a potential hacker. You have used Wireshark to capture a series of packets. Using the tcp contains Invoice filter, you have found one packet. Using the captured information shown, which of the following is the account manager's email address?

[email protected] Explanation By looking at the beginning of the packet, you see that the email was sent from a person named Robert Scam, who has an email address of [email protected]. Later in the packet, you see that the email was signed, "Thanks, Robert Scam - Account manager." Therefore, you know that the email address for the account manager is [email protected].

An IT technician receives an IDS alert on the company network she manages. A seemingly random user now has administration privileges in the system, some files are missing, and other files seem to have just been created. Which of the following alerts did this technician receive?

true positive Explanation A true positive alert is when an event triggers an alarm and causes the IDS to react as if a real attack is in progress.

Heather is performing a penetration test of her client's malware protection. She has developed a malware program that doesn't require any user interaction and wants to see how far it will spread through the network. Which of the following types of malware is she using?

worm Explanation A worm is a standalone malware program that can replicate without user interaction throughout a network.

You are working on firewall evasion countermeasures and are specifically looking for a tool to expose TTL vulnerabilities. Which of the following tools would you use?

Firewalking Explanation Firewalking is the process of probing a firewall to determine the configuration of ACLs by sending it TCP and UDP packets.

Which of the following is the process of determining the configuration of ACLs by sending a firewall TCP and UDP packets?

Firewalking Explanation Firewalking is the process of probing a firewall to determine the configuration of ACLs.

