312-50 (Mixed Questions Set 2)

1. You are tasked to perform a penetration test. While you are performing information gathering, you find an employee list in Google. You find the receptionist's email, and you send her an email changing the source email to her boss's email( boss@company ). In this email, you ask for a pdf with information. She reads your email and sends back a pdf with links. You exchange the pdf links with your malicious links (these links contain malware) and send back the modified pdf, saying that the links don't work. She reads your email, opens the links, and her machine gets infected. You now have access to the company network. What testing method did you use?

Social engineering

Tailgating

Piggybacking

Eavesdropping

Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information.

A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a
more complex fraud scheme.

Incorrect Answers:
( B ) Using tailgaiting an attacker, seeking entry to a restricted area secured by unattended, electronic access control, e.g. by RFID card, simply walks in behind a person who has legitimate access.
References: https://en.wikipedia.org/wiki/Social_engineering_(security)

Explanation

Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information.

A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a
more complex fraud scheme.

Incorrect Answers:
( B ) Using tailgaiting an attacker, seeking entry to a restricted area secured by unattended, electronic access control, e.g. by RFID card, simply walks in behind a person who has legitimate access.
References: https://en.wikipedia.org/wiki/Social_engineering_(security)

2. Which of the following parameters describe LM Hash (see exhibit):

I, II, and III

I

II

I and II

The LM hash is computed as follows:
( 1 ) The user's password is restricted to a maximum of fourteen characters.
( 2 ) The user’s password is converted to uppercase.
Etc.
14 character Windows passwords, which are stored with LM Hash, can be cracked in five seconds.
References: https://en.wikipedia.org/wiki/LM_hash

Explanation

The LM hash is computed as follows:
( 1 ) The user's password is restricted to a maximum of fourteen characters.
( 2 ) The user’s password is converted to uppercase.
Etc.
14 character Windows passwords, which are stored with LM Hash, can be cracked in five seconds.
References: https://en.wikipedia.org/wiki/LM_hash

3. Your team has won a contract to infiltrate an organization. The company wants to have the attack be as realistic as possible; therefore, they did not provide any information besides the company name. What should be the first step in security testing the client?

Reconnaissance

Enumeration

Scanning

Escalation

Phases of hacking
( Phase 1) Reconnaissance
( Phase 2 ) Scanning
( Phase 3 ) Gaining Access
( Phase 4 ) Maintaining Access
( Phase 5 ) Covering Tracks

Phase 1: Passive and Active Reconnaissance:
-- Passive reconnaissance involves gathering information regarding a potential target without the targeted individual’s
or company’s knowledge.
-- Active reconnaissance involves probing the network to discover individual hosts, IP addresses, and services on the network.

References: http://hack-o-crack.blogspot.se/2010/12/five-stages-of-ethical-hacking.html

Explanation

Phases of hacking
( Phase 1) Reconnaissance
( Phase 2 ) Scanning
( Phase 3 ) Gaining Access
( Phase 4 ) Maintaining Access
( Phase 5 ) Covering Tracks

Phase 1: Passive and Active Reconnaissance:
-- Passive reconnaissance involves gathering information regarding a potential target without the targeted individual’s
or company’s knowledge.
-- Active reconnaissance involves probing the network to discover individual hosts, IP addresses, and services on the network.

References: http://hack-o-crack.blogspot.se/2010/12/five-stages-of-ethical-hacking.html

4. You are performing information gathering for an important penetration test. You have found pdf, doc, and images in your objective. You decide to extract metadata from these files and analyze it. What tool will help you with the task?

Metagoofil

Armitage

Dimitry

Cdpsnarf

Metagoofil is an information gathering tool designed for extracting metadata of public documents (pdf,doc,xls,ppt,docx,pptx,xlsx) belonging to a target company.

Metagoofil will perform a search in Google to identify and download the documents to local disk and then will extract the metadata with different libraries like Hachoir, PdfOption 1Miner? and others. With the results it will generate a report with usernames, software versions and servers or machine names that will help Penetration testers in the information gathering phase.
References: http://www.edge-security.com/metagoofil.php

Explanation

Metagoofil is an information gathering tool designed for extracting metadata of public documents (pdf,doc,xls,ppt,docx,pptx,xlsx) belonging to a target company.

Metagoofil will perform a search in Google to identify and download the documents to local disk and then will extract the metadata with different libraries like Hachoir, PdfOption 1Miner? and others. With the results it will generate a report with usernames, software versions and servers or machine names that will help Penetration testers in the information gathering phase.
References: http://www.edge-security.com/metagoofil.php

5. This phase will increase the odds of success in later phases of the penetration test. It is also the very first step in Information Gathering, and it will tell you what the "landscape" looks like. What is the most important phase of ethical hacking in which you need to spend a considerable amount of time?

Footprinting

Network mapping

Gaining access

Escalating privileges

Footprinting is a first step that a penetration tester used to evaluate the security of any IT infrastructure, footprinting means to gather the maximum information about the computer system or a network and about the devices that are attached to this network.
References: http://www.ehacking.net/2011/02/footprinting-first-step-of-ethical.html

Explanation

Footprinting is a first step that a penetration tester used to evaluate the security of any IT infrastructure, footprinting means to gather the maximum information about the computer system or a network and about the devices that are attached to this network.
References: http://www.ehacking.net/2011/02/footprinting-first-step-of-ethical.html

6. You have several plain-text firewall logs that you must review to evaluate network traffic. You know that in order to do fast, efficient searches of the logs you must use regular expressions. Which command-line utility are you most likely to use?

Grep

Notepad

MS Excel

Relational Database

grep is a command-line utility for searching plain-text data sets for lines matching a regular expression.
References: https://en.wikipedia.org/wiki/Grep

Explanation

grep is a command-line utility for searching plain-text data sets for lines matching a regular expression.
References: https://en.wikipedia.org/wiki/Grep

7. Which regulation defines security and privacy controls for Federal information systems and organizations?

NIST-800-53

PCI-DSS

EU Safe Harbor

HIPAA

NIST Special Publication 800-53, "Security and Privacy Controls for Federal Information Systems and Organizations," provides a catalog of security controls for all U.S. federal information systems except those related to national security.
References: https://en.wikipedia.org/wiki/NIST_Special_Publication_800-53

Explanation

NIST Special Publication 800-53, "Security and Privacy Controls for Federal Information Systems and Organizations," provides a catalog of security controls for all U.S. federal information systems except those related to national security.
References: https://en.wikipedia.org/wiki/NIST_Special_Publication_800-53

8. Which of the following is the least-likely physical characteristic to be used in biometric control that supports a large company?

Height and Weight

Voice

Fingerprints

Iris patterns

There are two main types of biometric identifiers:
( 1 ) Physiological characteristics: The shape or composition of the body.
( 2 ) Behavioral characteristics: The behavior of a person.

Examples of physiological characteristics used for biometric authentication include fingerprints; DNA; face, hand, retina or ear features; and odor. Behavioral characteristics are related to the pattern of the behavior of a person, such as typing rhythm, gait, gestures and voice.

References: http://searchsecurity.techtarget.com/definition/biometrics

Explanation

There are two main types of biometric identifiers:
( 1 ) Physiological characteristics: The shape or composition of the body.
( 2 ) Behavioral characteristics: The behavior of a person.

Examples of physiological characteristics used for biometric authentication include fingerprints; DNA; face, hand, retina or ear features; and odor. Behavioral characteristics are related to the pattern of the behavior of a person, such as typing rhythm, gait, gestures and voice.

References: http://searchsecurity.techtarget.com/definition/biometrics

9. Which of the following is NOT a Bluetooth attack?

Bluedriving

Bluejacking

Bluesmacking

Bluesnarfing

Incorrect Answers:
( B ) Bluejacking is the sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones,
PDAs or laptop computers, sending a vCard which typically contains a message in the name field (i.e., for bluedating or
bluechat) to another Bluetooth-enabled device via the OBEX protocol.
( C ) BlueSmack is a Bluetooth attack that knocks out some Bluetooth-enabled devices immediately. This Denial of Service
attack can be conducted using standard tools that ship with the official Linux Bluez utils package.
( D ) Bluesnarfing is the unauthorized access of information from a wireless device through a Bluetooth connection, often
between phones, desktops, laptops, and PDAs (personal digital assistant.). This allows access to a calendar, contact list,
emails and text messages, and on some phones, users can copy pictures and private videos.
References: https://en.wikipedia.org/wiki/Bluejacking
http://trifinite.org/trifinite_stuff_bluesmack.html
https://en.wikipedia.org/wiki/Bluesnarfing

Explanation

Incorrect Answers:
( B ) Bluejacking is the sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones,
PDAs or laptop computers, sending a vCard which typically contains a message in the name field (i.e., for bluedating or
bluechat) to another Bluetooth-enabled device via the OBEX protocol.
( C ) BlueSmack is a Bluetooth attack that knocks out some Bluetooth-enabled devices immediately. This Denial of Service
attack can be conducted using standard tools that ship with the official Linux Bluez utils package.
( D ) Bluesnarfing is the unauthorized access of information from a wireless device through a Bluetooth connection, often
between phones, desktops, laptops, and PDAs (personal digital assistant.). This allows access to a calendar, contact list,
emails and text messages, and on some phones, users can copy pictures and private videos.
References: https://en.wikipedia.org/wiki/Bluejacking
http://trifinite.org/trifinite_stuff_bluesmack.html
https://en.wikipedia.org/wiki/Bluesnarfing

10. You are performing a penetration test. You achieved access via a buffer overflow exploit and you proceed to find interesting data, such as files with usernames and passwords. You find a hidden folder that has the administrator's bank account password and login information for the administrator's bitcoin account. What should you do?

Report immediately to the administrator

Do not report it and continue the penetration test.

Transfer money from the administrator's account to another account.

Do not transfer the money but steal the bitcoins.

The correct answer is to report immediately to the administrator. As a penetration tester, it is important to follow ethical guidelines and prioritize the security and well-being of the organization being tested. Reporting the discovery of sensitive information, such as bank account passwords and login information, allows the administrator to take appropriate actions to protect their accounts and prevent any potential harm.

Explanation

The correct answer is to report immediately to the administrator. As a penetration tester, it is important to follow ethical guidelines and prioritize the security and well-being of the organization being tested. Reporting the discovery of sensitive information, such as bank account passwords and login information, allows the administrator to take appropriate actions to protect their accounts and prevent any potential harm.

11. "NMAP -sn 192.168.11.200-215" The NMAP command above performs which of the following?

A ping scan

A trace sweep

An operating system detect

A port scan

NMAP -sn (No port scan)
This option tells Nmap not to do a port scan after host discovery, and only print out the available hosts that responded to the host discovery probes. This is often known as a “ping scan”, but you can also request that traceroute and NSE host scripts be run.
References: https://nmap.org/book/man-host-discovery.html

Explanation

NMAP -sn (No port scan)
This option tells Nmap not to do a port scan after host discovery, and only print out the available hosts that responded to the host discovery probes. This is often known as a “ping scan”, but you can also request that traceroute and NSE host scripts be run.
References: https://nmap.org/book/man-host-discovery.html

12. The security concept of "separation of duties" is most similar to the operation of which type of security device?

Firewall

Bastion host

Intrusion Detection System

Honeypot

In most enterprises the engineer making a firewall change is also the one reviewing the firewall metrics for unauthorized changes. What if the firewall administrator wanted to hide something? How would anyone ever find out? This is where the separation of duties comes in to focus on the responsibilities of tasks within security.
References: http://searchsecurity.techtarget.com/tip/Modern-security-management-strategy-requires-security-separation-of-duties

Explanation

In most enterprises the engineer making a firewall change is also the one reviewing the firewall metrics for unauthorized changes. What if the firewall administrator wanted to hide something? How would anyone ever find out? This is where the separation of duties comes in to focus on the responsibilities of tasks within security.
References: http://searchsecurity.techtarget.com/tip/Modern-security-management-strategy-requires-security-separation-of-duties

13. When you are testing a web application, it is very useful to employ a proxy tool to save every request and response. You can manually test every request and analyze the response to find vulnerabilities. You can test parameter and headers manually to get more precise results than if using web vulnerability scanners. What proxy tool will help you find web vulnerabilities?

Burp suite

Maskgen

Dimitry

Proxychains

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.
References: https://portswigger.net/burp/

Explanation

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.
References: https://portswigger.net/burp/

14. An Internet Service Provider (ISP) has a need to authenticate users connecting using analog modems, Digital Subscriber Lines (DSL), wireless data services, and Virtual Private Networks (VPN) over a Frame Relay network. Which AAA protocol is most likely able to handle this requirement?

RADIUS

DIAMETER

Kerberos

TACACS+

Because of the broad support and the ubiquitous nature of the RADIUS protocol, it is often used by ISPs and enterprises to manage access to the Internet or internal networks, wireless networks, and integrated e-mail services. These networks may incorporate modems, DSL, access points, VPNs, network ports, web servers, etc.
References: https://en.wikipedia.org/wiki/RADIUS

Explanation

Because of the broad support and the ubiquitous nature of the RADIUS protocol, it is often used by ISPs and enterprises to manage access to the Internet or internal networks, wireless networks, and integrated e-mail services. These networks may incorporate modems, DSL, access points, VPNs, network ports, web servers, etc.
References: https://en.wikipedia.org/wiki/RADIUS

15. Which of the following is a command line packet analyzer similar to GUI-based Wireshark?

TCPDump

Nessus

Etherea

Jack the ripper

TCPDump is a common packet analyzer that runs under the command line. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached.
References: https://en.wikipedia.org/wiki/Tcpdump

Explanation

TCPDump is a common packet analyzer that runs under the command line. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached.
References: https://en.wikipedia.org/wiki/Tcpdump

16. What is the process of logging, recording, and resolving events that take place in an organization?

Incident Management Process

Security Policy

Internal Procedure

Metrics

The activities within the incident management process include:
-- Incident detection and recording
-- Classification and initial support
-- Investigation and analysis
-- Resolution and record
-- Incident closure
-- Incident ownership, monitoring, tracking and communication Establish incident framework management
-- Evaluation of incident framework management

References: https://en.wikipedia.org/wiki/Incident_management_(ITSM)#Incident_management_procedure

Explanation

The activities within the incident management process include:
-- Incident detection and recording
-- Classification and initial support
-- Investigation and analysis
-- Resolution and record
-- Incident closure
-- Incident ownership, monitoring, tracking and communication Establish incident framework management
-- Evaluation of incident framework management

References: https://en.wikipedia.org/wiki/Incident_management_(ITSM)#Incident_management_procedure

17. A penetration tester is conducting a port scan on a specific host. The tester found several ports opened that were confusing in concluding the Operating System (OS) version installed. Considering the NMAP result below, which of the following is likely to be installed on the target machine by the OS?

The host is likely a printer.

The host is likely a Windows machine.

The host is likely a Linux machine.

The host is likely a router.

The Internet Printing Protocol (IPP) uses port 631.
References: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

Explanation

The Internet Printing Protocol (IPP) uses port 631.
References: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

18. Which of the following is assured by the use of a hash?

Integrity

Confidentiality

Authentication

Availability

An important application of secure hashes is verification of message integrity. Determining whether any changes have been made to a message (or a file), for example, can be accomplished by comparing message digests calculated before, and after, transmission (or any other event).
References: https://en.wikipedia.org/wiki/Cryptographic_hash_function#Verifying_the_integrity_of_files_or_messages

Explanation

An important application of secure hashes is verification of message integrity. Determining whether any changes have been made to a message (or a file), for example, can be accomplished by comparing message digests calculated before, and after, transmission (or any other event).
References: https://en.wikipedia.org/wiki/Cryptographic_hash_function#Verifying_the_integrity_of_files_or_messages

19. This asymmetry cipher is based on factoring the product of two large prime numbers. What cipher is described above?

RSA

SHA

RC5

MD5

RSA is based on the practical difficulty of factoring the product of two large prime numbers, the factoring problem.

Note: A user of RSA creates and then publishes a public key based on two large prime numbers, along with an auxiliary value. The prime numbers must be kept https://www.gratisexam.com/secret. Anyone can use the public key to encrypt a message, but with currently published methods, if the public key is large enough, only someone with knowledge of the prime numbers can feasibly decode the message.

References: https://en.wikipedia.org/wiki/RSA_(cryptosystem)

Explanation

RSA is based on the practical difficulty of factoring the product of two large prime numbers, the factoring problem.

Note: A user of RSA creates and then publishes a public key based on two large prime numbers, along with an auxiliary value. The prime numbers must be kept https://www.gratisexam.com/secret. Anyone can use the public key to encrypt a message, but with currently published methods, if the public key is large enough, only someone with knowledge of the prime numbers can feasibly decode the message.

References: https://en.wikipedia.org/wiki/RSA_(cryptosystem)

20. Which of the following is a protocol specifically designed for transporting event messages?

SYSLOG

SMS

SNMP

ICMP

SYSLOG is a standard for message logging. It permits separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them. Each message is labeled with a facility code, indicating the software type generating the message, and assigned a severity label.
References: https://en.wikipedia.org/wiki/Syslog#Network_protocol

Explanation

SYSLOG is a standard for message logging. It permits separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them. Each message is labeled with a facility code, indicating the software type generating the message, and assigned a severity label.
References: https://en.wikipedia.org/wiki/Syslog#Network_protocol

21. The chance of a hard drive failure is once every three years. The cost to buy a new hard drive is $300. It will require 10 hours to restore the OS and software to the new hard disk. It will require a further 4 hours to restore the database from the last backup to the new hard disk. The recovery person earns $10/hour. Calculate the SLE, ARO, and ALE. Assume the EF = 1 (100%). What is the closest approximate cost of this replacement and recovery operation per year?

$146

$1320

$440

$100

The annualized loss expectancy (ALE) is the product of the annual rate of occurrence (ARO) and the single loss expectancy (SLE).

Suppose than an asset is valued at $100,000, and the Exposure Factor (EF) for this asset is 25%. The single loss expectancy (SLE) then, is 25% * $100,000, or $25,000.

In our example the ARO is 33%, and the SLE is 300+14*10 (as EF=1). The ALO is thus: 33%*(300+14*10) which equals 146.

References: https://en.wikipedia.org/wiki/Annualized_loss_expectancy

Explanation

The annualized loss expectancy (ALE) is the product of the annual rate of occurrence (ARO) and the single loss expectancy (SLE).

Suppose than an asset is valued at $100,000, and the Exposure Factor (EF) for this asset is 25%. The single loss expectancy (SLE) then, is 25% * $100,000, or $25,000.

In our example the ARO is 33%, and the SLE is 300+14*10 (as EF=1). The ALO is thus: 33%*(300+14*10) which equals 146.

References: https://en.wikipedia.org/wiki/Annualized_loss_expectancy

22. When you are getting information about a web server, it is very important to know the HTTP Methods (GET, POST, HEAD, PUT, DELETE, TRACE) that are available because there are two critical methods (PUT and DELETE). PUT can upload a file to the server and DELETE can delete a file from the server. You can detect all these methods (GET, POST, HEAD, PUT, DELETE, TRACE) using NMAP script engine. What nmap script will help you with this task?

Http-methods

Http enum

Http-headers

Http-git

You can check HTTP method vulnerability using NMAP.
Example: #nmap –script=http-methods.nse 192.168.0.25
References: http://solutionsatexperts.com/http-method-vulnerability-check-using-nmap/

Explanation

You can check HTTP method vulnerability using NMAP.
Example: #nmap –script=http-methods.nse 192.168.0.25
References: http://solutionsatexperts.com/http-method-vulnerability-check-using-nmap/

23. When you are collecting information to perform a data analysis, Google commands are very useful to find sensitive information and files. These files may contain information about passwords, system functions, or documentation. What command will help you to search files using Google as a search engine?

Site: target.com filetype:xls username password email

Inurl: target.com filename:xls username password email

Domain: target.com archive:xls username password email

Site: target.com file:xls username password email

If you include site: in your query, Google will restrict your search results to the site or domain you specify.
If you include filetype:suffix in your query, Google will restrict the results to pages whose names end in suffix. For example, [ web page evaluation checklist filetype:pdf ] will return Adobe Acrobat pdf files that match the terms “web,” “page,” “evaluation,” and “checklist.”
References: http://www.googleguide.com/advanced_operators_reference.html

Explanation

If you include site: in your query, Google will restrict your search results to the site or domain you specify.
If you include filetype:suffix in your query, Google will restrict the results to pages whose names end in suffix. For example, [ web page evaluation checklist filetype:pdf ] will return Adobe Acrobat pdf files that match the terms “web,” “page,” “evaluation,” and “checklist.”
References: http://www.googleguide.com/advanced_operators_reference.html

24. You've just been hired to perform a pen test on an organization that has been subjected to a large-scale attack. The CIO is concerned with mitigating threats and vulnerabilities to totally eliminate risk. What is one of the first things you should do when given the job?

Interview all employees in the company to rule out possible insider threats.

Establish attribution to suspected attackers.

Start the wireshark application to start sniffing network traffic.

The goals of penetration tests are:
( 1 ) Determine feasibility of a particular set of attack vectors
( 2 ) Identify high-risk vulnerabilities from a combination of lower-risk vulnerabilities exploited in a particular sequence
( 3 ) Identify vulnerabilities that may be difficult or impossible to detect with automated network or application vulnerability
scanning software
( 4 ) Assess the magnitude of potential business and operational impacts of successful attacks
( 5 ) Test the abilOption 3ity of network defenders to detect and respond to attacks
( 6 ) Provide evidence to support increased investments in security personnel and technology
References: https://en.wikipedia.org/wiki/Penetration_test

Explanation

The goals of penetration tests are:
( 1 ) Determine feasibility of a particular set of attack vectors
( 2 ) Identify high-risk vulnerabilities from a combination of lower-risk vulnerabilities exploited in a particular sequence
( 3 ) Identify vulnerabilities that may be difficult or impossible to detect with automated network or application vulnerability
scanning software
( 4 ) Assess the magnitude of potential business and operational impacts of successful attacks
( 5 ) Test the abilOption 3ity of network defenders to detect and respond to attacks
( 6 ) Provide evidence to support increased investments in security personnel and technology
References: https://en.wikipedia.org/wiki/Penetration_test

25. A new wireless client is configured to join a 802.11 network. This client uses the same hardware and software as many of the other clients on the network. The client can see the network, but cannot connect. A wireless packet sniffer shows that the Wireless Access Point (WAP) is not responding to the association requests being sent by the wireless client. What is a possible source of this problem?

The WAP does not recognize the client’s MAC address

The client cannot see the SSID of the wireless network

Client is configured for the wrong channel

The wireless client is not configured to use DHCP

MAC Filtering (or GUI filtering, or layer 2 address filtering) refers to a security access control method whereby the 48-bit address assigned to each network card is used to determine access to the network. MAC Filtering is often used on wireless networks.
References: https://en.wikipedia.org/wiki/MAC_filtering

Explanation

MAC Filtering (or GUI filtering, or layer 2 address filtering) refers to a security access control method whereby the 48-bit address assigned to each network card is used to determine access to the network. MAC Filtering is often used on wireless networks.
References: https://en.wikipedia.org/wiki/MAC_filtering

26. You are using NMAP to resolve domain names into IP addresses for a ping sweep later. Which of the following commands looks for IP addresses?

>host -t a hackeddomain.com

>host -t soa hackeddomain.com

>host -t ns hackeddomain.com

>host -t AXFR hackeddomain.com

The A record is an Address record. It returns a 32-bit IPv4 address, most commonly used to map hostnames to an IP address of the host.
References: https://en.wikipedia.org/wiki/List_of_DNS_record_types

Explanation

The A record is an Address record. It returns a 32-bit IPv4 address, most commonly used to map hostnames to an IP address of the host.
References: https://en.wikipedia.org/wiki/List_of_DNS_record_types

27. Which of the following is the structure designed to verify and authenticate the identity of individuals within the enterprise taking part in a data exchange?

PKI

Single sign on

Biometrics

SOA

A public key infrastructure (PKI) is a set of roles, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates[1] and manage public-key encryption. The purpose of a PKI is to facilitate the secure electronic transfer of information for a range of network activities such as e-commerce, internet banking and confidential email.
References: https://en.wikipedia.org/wiki/Public_key_infrastructure

Explanation

A public key infrastructure (PKI) is a set of roles, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates[1] and manage public-key encryption. The purpose of a PKI is to facilitate the secure electronic transfer of information for a range of network activities such as e-commerce, internet banking and confidential email.
References: https://en.wikipedia.org/wiki/Public_key_infrastructure

28. The "black box testing" methodology enforces which kind of restriction?

Only the external operation of a system is accessible to the tester.

Only the internal operation of a system is known to the tester.

The internal operation of a system is only partly accessible to the tester.

The internal operation of a system is completely known to the tester.

Black-box testing is a method of software testing that examines the functionality of an application without peering into its internal structures or workings.
References: https://en.wikipedia.org/wiki/Black-box_testing

Explanation

Black-box testing is a method of software testing that examines the functionality of an application without peering into its internal structures or workings.
References: https://en.wikipedia.org/wiki/Black-box_testing

29. Which of the following is an extremely common IDS evasion technique in the web world?

Unicode characters

Spyware

Port knocking

Subnetting

Unicode attacks can be effective against applications that understand it. Unicode is the international standard whose goal is to represent every character needed by every written human language as a single integer number. What is known as Unicode evasion should more correctly be referenced as UTF-8 evasion. Unicode characters are normally represented with two bytes, but this is impractical in real life.

One aspect of UTF-8 encoding causes problems: non-Unicode characters can be represented encoded. What is worse is multiple representations of each character can exist. Non-Unicode character encodings are known as overlong characters, and may be signs of attempted attack.

References: http://books.gigatux.nl/mirror/apachesecurity/0596007248/apachesc-chp-10-sect-8.html

Explanation

Unicode attacks can be effective against applications that understand it. Unicode is the international standard whose goal is to represent every character needed by every written human language as a single integer number. What is known as Unicode evasion should more correctly be referenced as UTF-8 evasion. Unicode characters are normally represented with two bytes, but this is impractical in real life.

One aspect of UTF-8 encoding causes problems: non-Unicode characters can be represented encoded. What is worse is multiple representations of each character can exist. Non-Unicode character encodings are known as overlong characters, and may be signs of attempted attack.

References: http://books.gigatux.nl/mirror/apachesecurity/0596007248/apachesc-chp-10-sect-8.html

30. You are a Network Security Officer. You have two machines. The first machine (192.168.0.99) has snort installed, and the second machine (192.168.0.150) has kiwi syslog installed. You perform a syn scan in your network, and you notice that kiwi syslog is not receiving the alert message from snort. You decide to run wireshark in the snort machine to check if the messages are going to the kiwi syslog machine. What wireshark filter will show the connections from the snort machine to kiwi syslog machine?

Tcp.dstport==514 && ip.dst==192.168.0.150

Tcp.srcport==514 && ip.src==192.168.0.99

Tcp.dstport==514 && ip.dst==192.168.0.0/16

Tcp.srcport==514 && ip.src==192.168.150

We need to configure destination port at destination ip. The destination ip is 192.168.0.150, where the kiwi syslog is installed.
References: https://wiki.wireshark.org/DisplayFilters

Explanation

We need to configure destination port at destination ip. The destination ip is 192.168.0.150, where the kiwi syslog is installed.
References: https://wiki.wireshark.org/DisplayFilters

31. Which of the following security operations is used for determining the attack surface of an organization?

Running a network scan to detect network services in the corporate DMZ

Training employees on the security policy regarding social engineering

Reviewing the need for a security clearance for each employee

Using configuration management to determine when and where to apply security patches

For a network scan the goal is to document the exposed attack surface along with any easily detected vulnerabilities.
References: http://meisecurity.com/home/consulting/consulting-network-scanning/

Explanation

For a network scan the goal is to document the exposed attack surface along with any easily detected vulnerabilities.
References: http://meisecurity.com/home/consulting/consulting-network-scanning/

32. The configuration allows a wired or wireless network interface controller to pass all traffic it receives to the central processing unit (CPU), rather than passing only the frames that the controller is intended to receive. Which of the following is being described?

Promiscuous mode

Port forwarding

Multi-cast mode

WEM

Promiscuous mode refers to the special mode of Ethernet hardware, in particular network interface cards (NICs), that allows a NIC to receive all traffic on the network, even if it is not addressed to this NIC. By default, a NIC ignores all traffic that is not addressed to it, which is done by comparing the destination address of the Ethernet packet with the hardware address (a.k.a. MAC) of the device. While this makes perfect sense for networking, non-promiscuous mode makes it difficult to use network monitoring and analysis software for diagnosing connectivity issues or traffic accounting.

References: https://www.tamos.com/htmlhelp/monitoring/

Explanation

Promiscuous mode refers to the special mode of Ethernet hardware, in particular network interface cards (NICs), that allows a NIC to receive all traffic on the network, even if it is not addressed to this NIC. By default, a NIC ignores all traffic that is not addressed to it, which is done by comparing the destination address of the Ethernet packet with the hardware address (a.k.a. MAC) of the device. While this makes perfect sense for networking, non-promiscuous mode makes it difficult to use network monitoring and analysis software for diagnosing connectivity issues or traffic accounting.

References: https://www.tamos.com/htmlhelp/monitoring/

33. An incident investigator asks to receive a copy of the event logs from all firewalls, proxy servers, and Intrusion Detection Systems (IDS) on the network of an organization that has experienced a possible breach of security. When the investigator attempts to correlate the information in all of the logs, the sequence of many of the logged events do not match up. What is the most likely cause?

The network devices are not all synchronized.

Proper chain of custody was not observed while collecting the logs.

The attacker altered or erased events from the logs.

The security breach was a false positive.

Time synchronization is an important middleware service of distributed systems, amongst which Distributed Intrusion Detection System (DIDS) makes extensive use of time synchronization in particular.
References: http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=5619315&url=http%3A%2F%2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber%
3D5619315

Explanation

Time synchronization is an important middleware service of distributed systems, amongst which Distributed Intrusion Detection System (DIDS) makes extensive use of time synchronization in particular.
References: http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=5619315&url=http%3A%2F%2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber%
3D5619315

34. A network administrator discovers several unknown files in the root directory of his Linux FTP server. One of the files is a tarball, two are shell script files, and the third is a binary file is named "nc." The FTP server's access logs show that the anonymous user account logged in to the server, uploaded the files, and extracted the contents of the tarball and ran the script using a function provided by the FTP server's software. The ps command shows that the nc file is running as process, and the netstat command shows the nc process is listening on a network port. What kind of vulnerability must be present to make this remote attack possible?

File system permissions

Privilege escalation

Directory traversal

Brute force login

To upload files the user must have proper write file permissions.
References: http://codex.wordpress.org/Hardening_WordPress

Explanation

To upload files the user must have proper write file permissions.
References: http://codex.wordpress.org/Hardening_WordPress

35. A company's Web development team has become aware of a certain type of security vulnerability in their Web software. To mitigate the possibility of this vulnerability being exploited, the team wants to modify the software requirements to disallow users from entering HTML as input into their Web application. What kind of Web application vulnerability likely exists in their software?

Cross-site scripting vulnerability

Cross-site Request Forgery vulnerability

SQL injection vulnerability

Web site defacement vulnerability

Many operators of particular web applications (e.g. forums and webmail) allow users to utilize a limited subset of HTML markup. When accepting HTML input from users (say, very large), output encoding (such as <b>very</b> large) will not suffice since the user input needs to be rendered as HTML by the browser (so it shows as "very large", instead of "very large"). Stopping an XSS attack when accepting HTML input from users is much more complex in this situation. Untrusted HTML input must be run through an HTML sanitization engine to ensure that it does not contain cross-site scripting code.
References: https://en.wikipedia.org/wiki/Cross-site_scripting#Safely_validating_untrusted_HTML_input

Explanation

Many operators of particular web applications (e.g. forums and webmail) allow users to utilize a limited subset of HTML markup. When accepting HTML input from users (say, very large), output encoding (such as <b>very</b> large) will not suffice since the user input needs to be rendered as HTML by the browser (so it shows as "very large", instead of "very large"). Stopping an XSS attack when accepting HTML input from users is much more complex in this situation. Untrusted HTML input must be run through an HTML sanitization engine to ensure that it does not contain cross-site scripting code.
References: https://en.wikipedia.org/wiki/Cross-site_scripting#Safely_validating_untrusted_HTML_input

36. What is a "Collision attack" in cryptography?

Collision attacks try to find two inputs producing the same hash.

Collision attacks try to get the public key.

Collision attacks try to break the hash into three parts to get the plaintext value.

A Collision Attack is an attempt to find two input strings of a hash function that produce the same hash result.
References: https://learncryptography.com/hash-functions/hash-collision-attackCollision attacks try to break the hash into three parts to get the plaintext value.

Explanation

A Collision Attack is an attempt to find two input strings of a hash function that produce the same hash result.
References: https://learncryptography.com/hash-functions/hash-collision-attackCollision attacks try to break the hash into three parts to get the plaintext value.

37. The Open Web Application Security Project (OWASP) is the worldwide not-for-profit charitable organization focused on improving the security of software. What item is the primary concern on OWASP's Top Ten Project Most Critical Web Application Security Risks?

Injection

Cross Site Scripting

Cross Site Request Forgery

Path disclosure

The top item of the OWASP 2013 OWASP's Top Ten Project Most Critical Web Application Security Risks is injection.
Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
References: https://www.owasp.org/index.php/Top_10_2013-Top_10

Explanation

The top item of the OWASP 2013 OWASP's Top Ten Project Most Critical Web Application Security Risks is injection.
Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
References: https://www.owasp.org/index.php/Top_10_2013-Top_10

38. An attacker gains access to a Web server's database and displays the contents of the table that holds all of the names, passwords, and other user information. The attacker did this by entering information into the Web site's user login page that the software's designers did not expect to be entered. This is an example of what kind of software design problem?

Insufficient input validation

Insufficient exception handling

Insufficient database hardening

Insufficient security management

The most common web application security weakness is the failure to properly validate input coming from the client or from the environment before using it. This weakness leads to almost all of the major vulnerabilities in web applications, such as cross site scripting, SQL injection, interpreter injection, locale/Unicode attacks, file system attacks, and buffer overflows.
References: https://www.owasp.org/index.php/Testing_for_Input_Validation

Explanation

The most common web application security weakness is the failure to properly validate input coming from the client or from the environment before using it. This weakness leads to almost all of the major vulnerabilities in web applications, such as cross site scripting, SQL injection, interpreter injection, locale/Unicode attacks, file system attacks, and buffer overflows.
References: https://www.owasp.org/index.php/Testing_for_Input_Validation

39. The purpose of a __________ is to deny network access to local area networks and other information assets by unauthorized wireless devices.

Wireless Intrusion Prevention System

Wireless Access Point

Wireless Access Control List

Wireless Analyzer

A wireless intrusion prevention system (WIPS) is a network device that monitors the radio spectrum for the presence of unauthorized access points (intrusion detection), and can automatically take countermeasures (intrusion prevention).
References: https://en.wikipedia.org/wiki/Wireless_intrusion_prevention_system

Explanation

A wireless intrusion prevention system (WIPS) is a network device that monitors the radio spectrum for the presence of unauthorized access points (intrusion detection), and can automatically take countermeasures (intrusion prevention).
References: https://en.wikipedia.org/wiki/Wireless_intrusion_prevention_system

40. Which of the following describes the characteristics of a Boot Sector Virus?

Moves the MBR to another location on the hard disk and copies itself to the original location of the MBR

Moves the MBR to another location on the RAM and copies itself to the original location of the MBR

Modifies directory table entries so that directory entries point to the virus code instead of the actual program

Overwrites the original MBR and only executes the new virus code

A boot sector virus is a computer virus that infects a storage device's master boot record (MBR). The virus moves the boot sector to another location on the hard drive.
References: https://www.techopedia.com/definition/26655/boot-sector-virus

Explanation

A boot sector virus is a computer virus that infects a storage device's master boot record (MBR). The virus moves the boot sector to another location on the hard drive.
References: https://www.techopedia.com/definition/26655/boot-sector-virus

41. Which of the following is a design pattern based on distinct pieces of software providing application functionality as services to other applications?

Service Oriented Architecture

Object Oriented Architecture

Lean Coding

Agile Process

A service-oriented architecture (SOA) is an architectural pattern in computer software design in which application components provide services to other components via a communications protocol, typically over a network.

References: https://en.wikipedia.org/wiki/Service-oriented_architecture

Explanation

A service-oriented architecture (SOA) is an architectural pattern in computer software design in which application components provide services to other components via a communications protocol, typically over a network.

References: https://en.wikipedia.org/wiki/Service-oriented_architecture

42. Which mode of IPSec should you use to assure security and confidentiality of data within the same LAN?

ESP transport mode

AH permiscuous

ESP confidential

AH Tunnel mode

When transport mode is used, IPSec encrypts only the IP payload. Transport mode provides the protection of an IP payload through an AH or ESP header.

Encapsulating Security Payload (ESP) provides confidentiality (in addition to authentication, integrity, and anti-replay protection) for the IP payload.

Incorrect Answers:
B: Authentication Header (AH) provides authentication, integrity, and anti-replay protection for the entire packet (both the IP header and the data payload carried in the packet). It does not provide confidentiality, which means that it does not encrypt the data.

References: https://technet.microsoft.com/en-us/library/cc739674(v=ws.10).aspx

Explanation

When transport mode is used, IPSec encrypts only the IP payload. Transport mode provides the protection of an IP payload through an AH or ESP header.

Encapsulating Security Payload (ESP) provides confidentiality (in addition to authentication, integrity, and anti-replay protection) for the IP payload.

Incorrect Answers:
B: Authentication Header (AH) provides authentication, integrity, and anti-replay protection for the entire packet (both the IP header and the data payload carried in the packet). It does not provide confidentiality, which means that it does not encrypt the data.

References: https://technet.microsoft.com/en-us/library/cc739674(v=ws.10).aspx

43. How does the Address Resolution Protocol (ARP) work?

It sends a request packet to all the network elements, asking for the MAC address from a specific IP.

It sends a reply packet to all the network elements, asking for the MAC address from a specific IP.

It sends a reply packet for a specific IP, asking for the MAC address.

It sends a request packet to all the network elements, asking for the domain name from a specific IP.

When an incoming packet destined for a host machine on a particular local area network arrives at a gateway, the gateway asks the ARP program to find a physical host or MAC address that matches the IP address. The ARP program looks in the ARP cache and, if it finds the address, provides it so that the packet can be converted to the right packet length and format and sent to the machine. If no entry is found for the IP address, ARP broadcasts a request packet in a special format to all the machines on the LAN to see if one machine knows that it has that IP address associated with it. A machine that recognizes the IP address as its
own returns a reply so indicating. ARP updates the ARP cache for future reference and then sends the packet to the MAC address that replied.
References: http://searchnetworking.techtarget.com/definition/Address-Resolution-Protocol-ARP

Explanation

When an incoming packet destined for a host machine on a particular local area network arrives at a gateway, the gateway asks the ARP program to find a physical host or MAC address that matches the IP address. The ARP program looks in the ARP cache and, if it finds the address, provides it so that the packet can be converted to the right packet length and format and sent to the machine. If no entry is found for the IP address, ARP broadcasts a request packet in a special format to all the machines on the LAN to see if one machine knows that it has that IP address associated with it. A machine that recognizes the IP address as its
own returns a reply so indicating. ARP updates the ARP cache for future reference and then sends the packet to the MAC address that replied.
References: http://searchnetworking.techtarget.com/definition/Address-Resolution-Protocol-ARP

44. Which of the following is the greatest threat posed by backups?

A backup is the source of Malware or illicit information.

A backup is unavailable during disaster recovery.

A backup is incomplete because no verification was performed.

An un-encrypted backup can be misplaced or stolen.

If the data written on the backup media is properly encrypted, it will be useless for anyone without the key.
References: http://resources.infosecinstitute.com/backup-media-encryption/

Explanation

If the data written on the backup media is properly encrypted, it will be useless for anyone without the key.
References: http://resources.infosecinstitute.com/backup-media-encryption/

45. A company's security policy states that all Web browsers must automatically delete their HTTP browser cookies upon terminating. What sort of security breach is this policy attempting to mitigate?

Attempts by attackers to access Web sites that trust the Web browser user by stealing the user's authentication credentials.

Attempts by attackers to access the user and password information stored in the company's SQL database.

Attempts by attackers to access passwords stored on the user's computer without the user's knowledge.

Attempts by attackers to determine the user's Web browser usage patterns, including when sites were visited and for how long.

Cookies can store passwords and form content a user has previously entered, such as a credit card number or an address.
Cookies can be stolen using a technique called cross-site scripting. This occurs when an attacker takes advantage of a website that allows its users to post unfiltered HTML and JavaScript content.
References: https://en.wikipedia.org/wiki/HTTP_cookie#Cross-site_scripting_.E2.80.93_cookie_theft

Explanation

Cookies can store passwords and form content a user has previously entered, such as a credit card number or an address.
Cookies can be stolen using a technique called cross-site scripting. This occurs when an attacker takes advantage of a website that allows its users to post unfiltered HTML and JavaScript content.
References: https://en.wikipedia.org/wiki/HTTP_cookie#Cross-site_scripting_.E2.80.93_cookie_theft

46. While performing online banking using a Web browser, a user receives an email that contains a link to an interesting Web site. When the user clicks on the link, another Web browser session starts and displays a video of cats playing a piano. The next business day, the user receives what looks like an email from his bank, indicating that his bank account has been accessed from a foreign country. The email asks the user to call his bank and verify the authorization of a funds transfer that took place. What Web browser-based security vulnerability was exploited to compromise the user?

Cross-Site Request Forgery

Cross-Site Scripting

Clickjacking

Web form input validation

Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the website trusts.

Example and characteristics
If an attacker is able to find a reproducible link that executes a specific action on the target page while the victim is being logged in there, he is able to embed such link on a page he controls and trick the victim into opening it. The attack carrier link may be placed in a location that the victim is likely to visit while logged into the target site (e.g. a discussion forum), sent in a HTML email body or attachment.

Incorrect Answers:
( C ) Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. It is a browser security issue that is a vulnerability across a variety of browsers and platforms. A clickjack takes the form of embedded code
or a script that can execute without the user's knowledge, such as clicking on a button that appears to perform another function.
References: https://en.wikipedia.org/wiki/Cross-site_request_forgery

Explanation

Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the website trusts.

Example and characteristics
If an attacker is able to find a reproducible link that executes a specific action on the target page while the victim is being logged in there, he is able to embed such link on a page he controls and trick the victim into opening it. The attack carrier link may be placed in a location that the victim is likely to visit while logged into the target site (e.g. a discussion forum), sent in a HTML email body or attachment.

Incorrect Answers:
( C ) Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. It is a browser security issue that is a vulnerability across a variety of browsers and platforms. A clickjack takes the form of embedded code
or a script that can execute without the user's knowledge, such as clicking on a button that appears to perform another function.
References: https://en.wikipedia.org/wiki/Cross-site_request_forgery

47. Which of the following is one of the most effective ways to prevent Cross-site Scripting (XSS) flaws in software applications?

Validate and escape all information sent to a server

Use security policies and procedures to define and implement proper security settings

Verify access right before allowing access to protected information and UI controls

Use digital certificates to authenticate a server prior to sending data

Contextual output encoding/escaping could be used as the primary defense mechanism to stop Cross-site Scripting (XSS) attacks.
References: https://en.wikipedia.org/wiki/Cross-site_scripting#Contextual_output_encoding.2Fescaping_of_string_input

Explanation

Contextual output encoding/escaping could be used as the primary defense mechanism to stop Cross-site Scripting (XSS) attacks.
References: https://en.wikipedia.org/wiki/Cross-site_scripting#Contextual_output_encoding.2Fescaping_of_string_input

48. An Intrusion Detection System (IDS) has alerted the network administrator to a possibly malicious sequence of packets sent to a Web server in the network's external DMZ. The packet traffic was captured by the IDS and saved to a PCAP file. What type of network tool can be used to determine if these packets are genuinely malicious or simply a false positive?

Protocol analyzer

Intrusion Prevention System (IPS)

Network sniffer

Vulnerability scanner

A packet analyzer (also known as a network analyzer, protocol analyzer or packet sniffer—or, for particular types of networks, an Ethernet sniffer or wireless sniffer) is a computer program or piece of computer hardware that can intercept and log traffic that passes over a digital neOption 4twork or part of a network. A packet analyzer can analyze packet traffic saved in a PCAP file.
References: https://en.wikipedia.org/wiki/Packet_analyzer

Explanation

A packet analyzer (also known as a network analyzer, protocol analyzer or packet sniffer—or, for particular types of networks, an Ethernet sniffer or wireless sniffer) is a computer program or piece of computer hardware that can intercept and log traffic that passes over a digital neOption 4twork or part of a network. A packet analyzer can analyze packet traffic saved in a PCAP file.
References: https://en.wikipedia.org/wiki/Packet_analyzer

49. Which of the following is considered the best way to protect Personally Identifiable Information (PII) from Web application vulnerabilities?

Use cryptographic storage to store all PII

Use encrypted communications protocols to transmit PII

Use full disk encryption on all hard drives to protect PII

Use a security token to log into all Web applications that use PII

As a matter of good practice any PII should be protected with strong encryption.
References: https://cuit.columbia.edu/cuit/it-security-practices/handling-personally-identifying-information

Explanation

As a matter of good practice any PII should be protected with strong encryption.
References: https://cuit.columbia.edu/cuit/it-security-practices/handling-personally-identifying-information

50. In Risk Management, how is the term "likelihood" related to the concept of "threat"?

Likelihood is the probability that a threat-source will exploit a vulnerability.

Likelihood is a possible threat-source that may exploit a vulnerability.

Likelihood is the likely source of a threat that could exploit a vulnerability.

Likelihood is the probability that a vulnerability is a threat-source.

The ability to analyze the likelihood of threats within the organization is a critical step in building an effective security program. The process of assessing threat probability should be well defined and incorporated into a broader threat analysis process to be effective.
References: http://www.mcafee.com/campaign/securitybattleground/resources/chapter5/whitepaper-on-assessing-threat-attack-likelihood.pdf

Explanation

The ability to analyze the likelihood of threats within the organization is a critical step in building an effective security program. The process of assessing threat probability should be well defined and incorporated into a broader threat analysis process to be effective.
References: http://www.mcafee.com/campaign/securitybattleground/resources/chapter5/whitepaper-on-assessing-threat-attack-likelihood.pdf