Comptia and security exam 2

1. Which of the following occurs when a string of data is sent to a buffer that is larger than the buffer was designed to handle?

Brute Force attack

Spoofing attack

Buffer overflow

Man in the middle attack

SYN flood

Buffer overflows occur when an application receives more data than it is programmed to accept. This situation can cause an application to terminate. The termination may leave the system sending the data with temporary access to privileged levels in the attacked system.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 135

Explanation

Buffer overflows occur when an application receives more data than it is programmed to accept. This situation can cause an application to terminate. The termination may leave the system sending the data with temporary access to privileged levels in the attacked system.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 135

2. With regards to the use of Instant Messaging, which of the following type of attack can best be guarded against by user awareness training?

Social engineering

Stealth

Ambush

Multi-prolonged

The only preventative measure in dealing with social engineering attacks is to educate your users and staff to never give out passwords and user Ids over the phone, via e-mail, or to anyone who is not positively verified as being who they say they are.

Reference:
Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 87

Explanation

The only preventative measure in dealing with social engineering attacks is to educate your users and staff to never give out passwords and user Ids over the phone, via e-mail, or to anyone who is not positively verified as being who they say they are.

Reference:
Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 87

3. Which of the following is the most effective defense against a social engineering attack?

Marking of documents

Escorting of guests

Badge security system

Training and awareness

The only preventative measure in dealing with social engineering attacks is to educate your users and staff to never give out passwords and user Ids over the phone, via e-mail, or to anyone who is not positively verified as being who they say they are. Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 87

Explanation

The only preventative measure in dealing with social engineering attacks is to educate your users and staff to never give out passwords and user Ids over the phone, via e-mail, or to anyone who is not positively verified as being who they say they are. Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 87

4. What is used in a distributed denial of service (DDOS) attack?

DDOS makes use of Botnet.

DDOS makes use of Phishing.

DDOS makes use of Adware.

DDOS makes use of Trojan.

A distributed denial of service (DDOS) attack utilizes a botnet. A botnet is a network of compromised computers or devices that are under the control of a malicious actor. These compromised devices, also known as bots, are used to flood a target system or network with an overwhelming amount of traffic, rendering it inaccessible to legitimate users. By using a botnet, the attacker can amplify the impact of the attack by coordinating multiple sources of traffic simultaneously.

Explanation

A distributed denial of service (DDOS) attack utilizes a botnet. A botnet is a network of compromised computers or devices that are under the control of a malicious actor. These compromised devices, also known as bots, are used to flood a target system or network with an overwhelming amount of traffic, rendering it inaccessible to legitimate users. By using a botnet, the attacker can amplify the impact of the attack by coordinating multiple sources of traffic simultaneously.

5. Identify the attack where the purpose is to stop a workstation or service from functioning?

This attack is known as non-repudiation.

This attack is known as TCP/IP hijacking.

This attack is known as denial of service (DoS).

This attack is known as brute force.

Denial of service (DoS) attack is a type of attack where the purpose is to stop a workstation or service from functioning. In a DoS attack, the attacker overwhelms the target system with a flood of illegitimate requests or excessive traffic, causing the system to become unresponsive or crash. This prevents legitimate users from accessing the system or service. The goal of this attack is to disrupt the availability of the targeted resource rather than gaining unauthorized access or stealing information.

Explanation

Denial of service (DoS) attack is a type of attack where the purpose is to stop a workstation or service from functioning. In a DoS attack, the attacker overwhelms the target system with a flood of illegitimate requests or excessive traffic, causing the system to become unresponsive or crash. This prevents legitimate users from accessing the system or service. The goal of this attack is to disrupt the availability of the targeted resource rather than gaining unauthorized access or stealing information.

6. How can you monitor the online activities of a user?

Viruses will permit monitoring of online activities.

Spy ware will permit monitoring of online activities.

Logic bomb will permit monitoring of online activities.

Worms will permit monitoring of online activities.

Spyware is a type of malicious software that is designed to monitor and collect information about a user's online activities without their knowledge or consent. It can track browsing history, keystrokes, login credentials, and other sensitive data. By installing spyware on a user's device, an attacker can gain unauthorized access to their online activities and monitor them. This makes spyware the correct answer for monitoring online activities.

Explanation

Spyware is a type of malicious software that is designed to monitor and collect information about a user's online activities without their knowledge or consent. It can track browsing history, keystrokes, login credentials, and other sensitive data. By installing spyware on a user's device, an attacker can gain unauthorized access to their online activities and monitor them. This makes spyware the correct answer for monitoring online activities.

7. What is a piece of code that appears to do something useful while performing a harmful and unexpected function like stealing passwords called?

Virus

Logic bomb

Worm

Trojan horse

Trojan horses are programs that enter a system or network under the guise of another program. A Trojan Horse may be included as an attachment or as part of an installation program. The Trojan Horse could create a back door or replace a valid program during installation. The Trojan Program would then accomplish its mission under the guise of another program. Trojan Horses can be used to compromise the security of your system and they can exist on a system for years before they are detected.

Reference:
Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 84

Explanation

Trojan horses are programs that enter a system or network under the guise of another program. A Trojan Horse may be included as an attachment or as part of an installation program. The Trojan Horse could create a back door or replace a valid program during installation. The Trojan Program would then accomplish its mission under the guise of another program. Trojan Horses can be used to compromise the security of your system and they can exist on a system for years before they are detected.

Reference:
Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 84

8. What is a program that appears to be useful but contains hidden code that allows unauthorized individuals to exploit or destroy data is commonly known?

A virus

A Trojan horse

A worm

A back door

A Trojan horse is a program that appears to be useful but contains hidden code that allows unauthorized individuals to exploit or destroy data. It is commonly known as a program that deceives users by pretending to perform a legitimate function, but in reality, it carries out malicious activities in the background. Unlike viruses and worms that can self-replicate and spread, a Trojan horse relies on the user to unknowingly install it. Once installed, it can give unauthorized individuals access to the infected system, allowing them to exploit or destroy data.

Explanation

A Trojan horse is a program that appears to be useful but contains hidden code that allows unauthorized individuals to exploit or destroy data. It is commonly known as a program that deceives users by pretending to perform a legitimate function, but in reality, it carries out malicious activities in the background. Unlike viruses and worms that can self-replicate and spread, a Trojan horse relies on the user to unknowingly install it. Once installed, it can give unauthorized individuals access to the infected system, allowing them to exploit or destroy data.

9. Which of the following is an example of the theft of network passwords without the use of software tools?

Trojan programs.

Social engineering.

Sniffing.

Hacking.

Social engineering is any means of using people to seek out information. These people practice espionage to: break in without detection, disguise themselves in, trick others into giving them access, or trick others into giving them information.

Explanation

Social engineering is any means of using people to seek out information. These people practice espionage to: break in without detection, disguise themselves in, trick others into giving them access, or trick others into giving them information.

10. Why does social engineering attacks often succeed?

Strong passwords are not required

Lack of security awareness

Multiple logins are allowed

Audit logs are not monitored frequently

Social engineering attacks work because of the availability heuristic, law of reciprocity, and law of consistency. In the past people have had experiences where a co-worker with a legitimate problem asked for help and been grateful for it. So by consistency, they feel the urge to help others again the way they've helped out somebody in the past. By availability, when someone asks for help, they associate that ask for help for every legitimate cry for help, and times when they needed help themselves and were helped; so essentially they're being a good Samaritan. If an awareness program were to be implemented where employees could be aware of social engineering tactics, they would be more likely to think about them, and be more suspect of an attack when someone does ask for a favor. With this knowledge in intuition, an employee will make a smarter decision.

Explanation

Social engineering attacks work because of the availability heuristic, law of reciprocity, and law of consistency. In the past people have had experiences where a co-worker with a legitimate problem asked for help and been grateful for it. So by consistency, they feel the urge to help others again the way they've helped out somebody in the past. By availability, when someone asks for help, they associate that ask for help for every legitimate cry for help, and times when they needed help themselves and were helped; so essentially they're being a good Samaritan. If an awareness program were to be implemented where employees could be aware of social engineering tactics, they would be more likely to think about them, and be more suspect of an attack when someone does ask for a favor. With this knowledge in intuition, an employee will make a smarter decision.

11. Which of the following attacks attempts to crack passwords

SMURF

Dictionary

Teardrop

Spamming

Dictionaries may be used in a cracking program to determine passwords. A short dictionary attack involves trying a list of hundreds or thousands of words that are frequently chosen as passwords against several systems. Although most systems resist such attacks, some do not. In one case, one system in five yielded to a particular dictionary attack.

Explanation

Dictionaries may be used in a cracking program to determine passwords. A short dictionary attack involves trying a list of hundreds or thousands of words that are frequently chosen as passwords against several systems. Although most systems resist such attacks, some do not. In one case, one system in five yielded to a particular dictionary attack.

12. A server or application that accepts more input than the server or application is expecting is known as:

It is known as a Denial of service (DoS).

It is known as a Buffer overflow.

It is known as a Brute force.

It is known as a Syntax error.

When a server or application accepts more input than it is expecting, it can lead to a buffer overflow. This occurs when the input exceeds the allocated memory space, causing the excess data to overwrite adjacent memory locations. This can result in the corruption of data, system crashes, or even the execution of malicious code. A buffer overflow is a common vulnerability that can be exploited by attackers to gain unauthorized access or disrupt the functioning of a system.

Explanation

When a server or application accepts more input than it is expecting, it can lead to a buffer overflow. This occurs when the input exceeds the allocated memory space, causing the excess data to overwrite adjacent memory locations. This can result in the corruption of data, system crashes, or even the execution of malicious code. A buffer overflow is a common vulnerability that can be exploited by attackers to gain unauthorized access or disrupt the functioning of a system.

13. What is the scenario named where a user receives an e-mail requesting personal data as well as bank account details?

This can be described as a hoax.

This can be described as packet sniffing.

This can be described as phishing.

This can be described as spam.

Phishing refers to the act of attempting to acquire personal and sensitive information, such as bank account details, by posing as a trustworthy entity in electronic communication. In this scenario, the user receives an email requesting personal data and bank account details, indicating an attempt to deceive and obtain sensitive information. Therefore, the correct answer is phishing.

Explanation

Phishing refers to the act of attempting to acquire personal and sensitive information, such as bank account details, by posing as a trustworthy entity in electronic communication. In this scenario, the user receives an email requesting personal data and bank account details, indicating an attempt to deceive and obtain sensitive information. Therefore, the correct answer is phishing.

14. You are the network administrator at Certkiller .com. During a routing site audit of Certkiller 's wireless network, you discover an unauthorized Access Point under the desk of Sales department user. When questioned, she denies any knowledge of it, but informs you that her new boyfriend has been to visit her several times, including taking her to lunch one time. What type of attack have you become a victim of?

Halloween attack

Phone tag

Replay attack

Social Engineering

IP Spoofing.

Social engineering is a process where an attacker attempts to acquire information about your network and system by talking to people in the organization. A social engineering attack may occur over the phone, be e-mail, or by a visit. Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 87

Explanation

Social engineering is a process where an attacker attempts to acquire information about your network and system by talking to people in the organization. A social engineering attack may occur over the phone, be e-mail, or by a visit. Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 87

15. Which of the following is a security breach that does not usually result in the theft of information or other security loss but the lack of legitimate use of that system?

CRL

DoS

ACL

MD2

None of the above

DOS attacks prevent access to resources by users authorized to use those resources. An attacker may attempt to bring down an e-commerce website to prevent or deny usage by legitimate customers.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 53

Explanation

DOS attacks prevent access to resources by users authorized to use those resources. An attacker may attempt to bring down an e-commerce website to prevent or deny usage by legitimate customers.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 53

16. What is the process of forging an IP (Internet Protocol) address to impersonate another machine called?

TCP/IP (Transmission Control Protocol/Internet Protocol) hijacking

IP (Internet Protocol) spoofing

Replay

Man in the middle

The word spoofing was popularized in the air-force. When a fighter jet notices an enemy missile (air-to-air or surface-to-air) coming, the pilot will fire off a flair or a chaff (depending on whether or not the missile is heat seeking or radar guided) to spoof (trick) the missile into going after the wrong target. IP spoofing works the same way, and is commonly used by computer hackers because it's easy to implement, it takes advantage of someone else's trust relationship, it makes it harder to identify the source of the true attack, and it focuses attention away to an innocent 3rd party.

Explanation

The word spoofing was popularized in the air-force. When a fighter jet notices an enemy missile (air-to-air or surface-to-air) coming, the pilot will fire off a flair or a chaff (depending on whether or not the missile is heat seeking or radar guided) to spoof (trick) the missile into going after the wrong target. IP spoofing works the same way, and is commonly used by computer hackers because it's easy to implement, it takes advantage of someone else's trust relationship, it makes it harder to identify the source of the true attack, and it focuses attention away to an innocent 3rd party.

17. Identify the malicious code that does not need human involvement to install itself and to spread?

A Virus does not need human involvement.

A Trojan horse does not need human involvement.

A Logic bomb does not need human involvement.

A Worm does not need human involvement.

A worm is a type of malicious code that can self-replicate and spread across computer networks without the need for human involvement. Unlike viruses or Trojan horses, worms can exploit vulnerabilities in computer systems and use them to propagate themselves automatically. They can spread through email attachments, network shares, or even by exploiting security flaws in operating systems. Once a worm infects a system, it can replicate itself and spread to other vulnerable systems without any human intervention. This makes worms particularly dangerous as they can quickly infect and spread across a large number of computers or networks.

Explanation

A worm is a type of malicious code that can self-replicate and spread across computer networks without the need for human involvement. Unlike viruses or Trojan horses, worms can exploit vulnerabilities in computer systems and use them to propagate themselves automatically. They can spread through email attachments, network shares, or even by exploiting security flaws in operating systems. Once a worm infects a system, it can replicate itself and spread to other vulnerable systems without any human intervention. This makes worms particularly dangerous as they can quickly infect and spread across a large number of computers or networks.

18. Which of the following type of attack CANNOT be deterred solely through technical means?

Dictionary.

Man in the middle.

DoS (Denial of Service).

Social engineering.

Because of human rights laws, it is unlawful to use technology to directly control people's emotions and behaviors. For this reason social engineering attacks cannot be deterred through technical means.

Explanation

Because of human rights laws, it is unlawful to use technology to directly control people's emotions and behaviors. For this reason social engineering attacks cannot be deterred through technical means.

19. The system administrator of the company has resigned. When the administrator's user ID is deleted, the system suddenly begins deleting files. What type of malicious code is this?

Logic bomb

Virus

Worm

When the system administrator's user ID is deleted and the system starts deleting files, it indicates the presence of a logic bomb. A logic bomb is a type of malicious code that lies dormant until a specific condition or trigger is met, such as the deletion of a user ID. Once triggered, it executes a predefined action, in this case, deleting files. Unlike viruses and worms, logic bombs do not self-replicate or spread to other systems.

Explanation

When the system administrator's user ID is deleted and the system starts deleting files, it indicates the presence of a logic bomb. A logic bomb is a type of malicious code that lies dormant until a specific condition or trigger is met, such as the deletion of a user ID. Once triggered, it executes a predefined action, in this case, deleting files. Unlike viruses and worms, logic bombs do not self-replicate or spread to other systems.

20. What is an application that appears to perform a useful function but instead contains some sort of malicious code called?

Worm

SYN flood

Virus

Trojan Horse

Logic Bomb

A Trojan horse attaches itself to another file, such as a word processing document. Trojan horses may also arrive as part of an e-mail for free game, software, or other file. When the Trojan horse activates and performs its task, it infects all of the word processing or template files. Consequently, every new file will carry the Trojan horse. The Trojan horse may not be visible because it masks itself inside of a legitimate program.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 80

Explanation

A Trojan horse attaches itself to another file, such as a word processing document. Trojan horses may also arrive as part of an e-mail for free game, software, or other file. When the Trojan horse activates and performs its task, it infects all of the word processing or template files. Consequently, every new file will carry the Trojan horse. The Trojan horse may not be visible because it masks itself inside of a legitimate program.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 80

21. Which program replicate independently across networks?

Spyware will replicate independently.

Worm will replicate independently.

Trojan horse will replicate independently.

Virus will replicate independently.

A worm is a type of malware that is capable of replicating and spreading independently across networks without the need for user interaction. Unlike viruses, which require a host file to attach themselves to, worms can self-replicate and spread by exploiting vulnerabilities in computer systems. This allows them to quickly and efficiently infect multiple devices and networks, making them a particularly dangerous and difficult form of malware to control and eradicate.

Explanation

A worm is a type of malware that is capable of replicating and spreading independently across networks without the need for user interaction. Unlike viruses, which require a host file to attach themselves to, worms can self-replicate and spread by exploiting vulnerabilities in computer systems. This allows them to quickly and efficiently infect multiple devices and networks, making them a particularly dangerous and difficult form of malware to control and eradicate.

22. What do intruders use most often to gain unauthorized-access to a system?

Brute force attack.

Key logging

Trojan horse.

Social engineering.

Social engineering is a process where an attacker attempts to acquire information about your network and system by talking to people in the organization. A social engineering attack may occur over the phone, by e-mail, or by a visit. The answer is not written in the book, but the easiest way to gain information would be social engineering.

Reference:
Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 87

Explanation

Social engineering is a process where an attacker attempts to acquire information about your network and system by talking to people in the organization. A social engineering attack may occur over the phone, by e-mail, or by a visit. The answer is not written in the book, but the easiest way to gain information would be social engineering.

Reference:
Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 87

23. What is usually the goal of TCP (transmission Control Protocol) session hijacking?

Taking over a legitimate TCP (transmission Control Protocol) connection.

Predicting the TCP (transmission Control Protocol) sequence number.

Identifying the TCP (transmission Control Protocol) port for future exploitation.

Identifying source addresses for malicious use.

None of the Above

The TCP/IP (Transmission Control Protocol/Internet Protocol) session state is altered in a way that intercepts legitimate packets and allows a third party host to insert acceptable packets. Thus hijacking the conversation, and continuing the conversation under the disguise of the legitimate party, and taking advantage of the trust bond.

Explanation

The TCP/IP (Transmission Control Protocol/Internet Protocol) session state is altered in a way that intercepts legitimate packets and allows a third party host to insert acceptable packets. Thus hijacking the conversation, and continuing the conversation under the disguise of the legitimate party, and taking advantage of the trust bond.

24. In an IP (Internet Protocol) spoofing attack, what field of an IP (Internet Protocol) packet does the attacker manipulate?

The version field.

The source address field.

The source port field.

The destination address field.

In IP Spoofing a hacker tries to gain access to a network by pretending his or her machine has the same network address as the internal network.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 515

Explanation

In IP Spoofing a hacker tries to gain access to a network by pretending his or her machine has the same network address as the internal network.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 515

25. Identify a port scanning tool?

Nmap is port scanning tool.

Cain & Abel is port scanning tool.

L0phtcrack is port scanning tool.

John the Ripper is port scanning tool.

Nmap is a well-known and widely used port scanning tool. It is designed to scan networks and discover open ports on remote systems. Nmap provides a comprehensive set of features and options that allow users to perform various types of scans, such as TCP, UDP, SYN, and more. It also offers advanced techniques like OS fingerprinting and version detection. Nmap is highly flexible and can be used for both legitimate network administration tasks and malicious activities, making it a popular choice among both security professionals and hackers.

Explanation

Nmap is a well-known and widely used port scanning tool. It is designed to scan networks and discover open ports on remote systems. Nmap provides a comprehensive set of features and options that allow users to perform various types of scans, such as TCP, UDP, SYN, and more. It also offers advanced techniques like OS fingerprinting and version detection. Nmap is highly flexible and can be used for both legitimate network administration tasks and malicious activities, making it a popular choice among both security professionals and hackers.

26. You configure a computer to act as a zombie set in order to attack a web server on a specific date. What would this contaminated computer be part of?

The computer is part of a DDoS attack.

The computer is part of a TCP/IP hijacking.

The computer is part of a spoofing attack.

The computer is part of a man-in-the-middle attack.

The computer is part of a DDoS attack, where multiple compromised computers are used to overwhelm a target server or network with a flood of internet traffic, causing it to become unavailable to legitimate users.

Explanation

The computer is part of a DDoS attack, where multiple compromised computers are used to overwhelm a target server or network with a flood of internet traffic, causing it to become unavailable to legitimate users.

27. Which of the following is the major difference between a worm and a Trojan horse?

Worms are spread via e-mail while Trojan horses are not.

Worms are self replicating while Trojan horses are not.

Worms are a form of malicious code while Trojan horses are not.

There is no difference.

A worm is different from a virus. Worms reproduce themselves, are self-contained and do not need a host application to be transported. The Trojan horse program may be installed as part of an installation process. They do not reproduce or self replicate.

Reference:
Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, pp 83, 85

Explanation

A worm is different from a virus. Worms reproduce themselves, are self-contained and do not need a host application to be transported. The Trojan horse program may be installed as part of an installation process. They do not reproduce or self replicate.

Reference:
Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, pp 83, 85

28. Which of the following can distribute itself without using a host file?

Virus.

Trojan horse.

Logic bomb.

Worm.

Worms are dangerous because they can enter a system by exploiting a 'hole' in an operating system. They don't' need a host file, and they don't need any user intervention to replicate by themselves. Some infamous worms were: Morris, Badtrans, Nimda, and Code Red.

Explanation

Worms are dangerous because they can enter a system by exploiting a 'hole' in an operating system. They don't' need a host file, and they don't need any user intervention to replicate by themselves. Some infamous worms were: Morris, Badtrans, Nimda, and Code Red.

29. Which of the following measures can be used to guard against a social engineering attack?

Education, limit available information and security policy.

Education, firewalls and security policy.

Security policy, firewalls and incident response.

Security policy, system logging and incident response.

A seems to be the best answer. The other answers involving objects and social engineering are verbal attacks.

Explanation

A seems to be the best answer. The other answers involving objects and social engineering are verbal attacks.

30. Which of the following network attacks misuses TCP's (Transmission Control Protocol) three way handshake to overload servers and deny access to legitimate users?

Man in the middle.

Smurf

Teardrop

SYN (Synchronize)

SYN flood is a DoS attack in which the hacker sends a barrage of SYN packets. The receiving station tries to respond to each SYN request for a connection, thereby tying up all the resources. All incoming connections are rejected until all current connections can be established.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 530

Explanation

SYN flood is a DoS attack in which the hacker sends a barrage of SYN packets. The receiving station tries to respond to each SYN request for a connection, thereby tying up all the resources. All incoming connections are rejected until all current connections can be established.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 530

31. Identify the malicious code that enters the system via a freely distributed game that is purposely installed and played?

It can enter a system by means of a logic bomb.

It can enter a system by means of a Trojan horse.

It can enter a system by means of a worm.

It can enter a system by means of an e-mail attachment.

A Trojan horse is a type of malicious code that disguises itself as a harmless file or program, such as a game, in order to trick users into downloading and installing it. Once installed, it can perform various malicious activities, such as stealing sensitive information, damaging files, or allowing unauthorized access to the system. In this case, the freely distributed game is purposely installed and played by the user, unknowingly allowing the Trojan horse to enter the system and carry out its malicious actions.

Explanation

A Trojan horse is a type of malicious code that disguises itself as a harmless file or program, such as a game, in order to trick users into downloading and installing it. Once installed, it can perform various malicious activities, such as stealing sensitive information, damaging files, or allowing unauthorized access to the system. In this case, the freely distributed game is purposely installed and played by the user, unknowingly allowing the Trojan horse to enter the system and carry out its malicious actions.

32. Which programming mechanism should be used to permit administrative access whilst bypassing the usual access control methods?

It is known as a logic bomb.

It is known as a back door.

It is known as a Trojan horse.

It is known as software exploit.

A back door is a programming mechanism that allows administrative access to a system while bypassing the usual access control methods. It is often used by system administrators or developers for troubleshooting or maintenance purposes. However, it can also be exploited by attackers to gain unauthorized access to a system. Unlike a logic bomb, which is a malicious code that triggers a harmful action at a specific time or event, a back door is intentionally created to provide a secret entry point into a system. It is different from a Trojan horse, which disguises itself as a legitimate program to deceive users. A software exploit, on the other hand, is a vulnerability in a software program that can be exploited by an attacker to gain unauthorized access or control over the system.

Explanation

A back door is a programming mechanism that allows administrative access to a system while bypassing the usual access control methods. It is often used by system administrators or developers for troubleshooting or maintenance purposes. However, it can also be exploited by attackers to gain unauthorized access to a system. Unlike a logic bomb, which is a malicious code that triggers a harmful action at a specific time or event, a back door is intentionally created to provide a secret entry point into a system. It is different from a Trojan horse, which disguises itself as a legitimate program to deceive users. A software exploit, on the other hand, is a vulnerability in a software program that can be exploited by an attacker to gain unauthorized access or control over the system.

33. It has come to your attention that numerous e-mails are received from an ex employee. You need to determine whether the e-mails originated internally?

This can be accomplished by viewing the from line of the e-mails.

This can be accomplished by reviewing anti-virus logs on the ex employees computer.

This can be accomplished by replying to the e-mail and checking the destination e-mail address.

This can be accomplished by looking at the source IP address in the SMTP header of the e-mails.

The correct answer is to look at the source IP address in the SMTP header of the emails. The SMTP header contains information about the origin of the email, including the source IP address. By examining the source IP address, it can be determined whether the emails originated internally or externally. This can help in identifying whether the ex-employee is still accessing the company's email system or if the emails are coming from an external source.

Explanation

The correct answer is to look at the source IP address in the SMTP header of the emails. The SMTP header contains information about the origin of the email, including the source IP address. By examining the source IP address, it can be determined whether the emails originated internally or externally. This can help in identifying whether the ex-employee is still accessing the company's email system or if the emails are coming from an external source.

34. Determine the programming method you should use to stop buffer overflow attacks?

You should make use of Automatic updates.

You should make use of Input validation.

You should make use of Signed applets.

You should make use of Nested loops.

Input validation is the programming method that should be used to stop buffer overflow attacks. Buffer overflow attacks occur when a program tries to store more data in a buffer than it can handle, leading to potential security vulnerabilities. Input validation involves checking and validating user input to ensure that it meets certain criteria and does not exceed the buffer's capacity. By implementing input validation, developers can prevent buffer overflow attacks by ensuring that only valid and safe input is accepted by the program.

Explanation

Input validation is the programming method that should be used to stop buffer overflow attacks. Buffer overflow attacks occur when a program tries to store more data in a buffer than it can handle, leading to potential security vulnerabilities. Input validation involves checking and validating user input to ensure that it meets certain criteria and does not exceed the buffer's capacity. By implementing input validation, developers can prevent buffer overflow attacks by ensuring that only valid and safe input is accepted by the program.

35. Which malicious software can be transmitted across computer networks without user intervention?

A worm can be transmitted without user intervention.

A virus can be transmitted without user intervention.

A logic bomb can be transmitted without user intervention.

A Trojan horse can be transmitted without user intervention.

A worm is a type of malicious software that can spread across computer networks without the need for user intervention. Unlike viruses or Trojan horses, worms are self-replicating and can exploit vulnerabilities in network protocols to automatically infect other computers. Once a worm gains access to a network, it can spread rapidly and cause significant damage by consuming network resources, stealing sensitive information, or carrying out other malicious activities. Therefore, the correct answer is that a worm can be transmitted without user intervention.

Explanation

A worm is a type of malicious software that can spread across computer networks without the need for user intervention. Unlike viruses or Trojan horses, worms are self-replicating and can exploit vulnerabilities in network protocols to automatically infect other computers. Once a worm gains access to a network, it can spread rapidly and cause significant damage by consuming network resources, stealing sensitive information, or carrying out other malicious activities. Therefore, the correct answer is that a worm can be transmitted without user intervention.

36. Which of the following is a DoS (Denial of Service) attack that exploits TCP's (Transmission Control Protocol) three-way handshake for new connections?

SYN (Synchronize) flood.

Ping of death attack.

Land attack.

Buffer overflow attack.

None of the Above

The SYN flood attack works when a source system floods and end system with TCP SYN requests, but intentionally does not send out acknowledgements (ACK). Since TCP needs confirmation, the receiving computer is stuck with half-open TCP sessions, just waiting for acknowledgement so it can reset the port. Meanwhile the connection buffer is being overflowed, making it difficult or impossible for valid users to connect, therefore their service is denied.

Explanation

The SYN flood attack works when a source system floods and end system with TCP SYN requests, but intentionally does not send out acknowledgements (ACK). Since TCP needs confirmation, the receiving computer is stuck with half-open TCP sessions, just waiting for acknowledgement so it can reset the port. Meanwhile the connection buffer is being overflowed, making it difficult or impossible for valid users to connect, therefore their service is denied.

37. Identify the methods of password guessing that needs the longest attack time?

Brute force needs the longest attack time.

Dictionary needs the longest attack time.

Rainbow needs the longest attack time.

Birthday needs the longest attack time.

Brute force is a method of password guessing where every possible combination of characters is tried until the correct password is found. This method requires the longest attack time because it systematically tries every possible option, which can be time-consuming, especially for longer and more complex passwords. Dictionary attacks, rainbow attacks, and birthday attacks are all more efficient methods that exploit weaknesses in password systems, such as common or easily guessable passwords, precomputed tables, or hash collisions, respectively.

Explanation

Brute force is a method of password guessing where every possible combination of characters is tried until the correct password is found. This method requires the longest attack time because it systematically tries every possible option, which can be time-consuming, especially for longer and more complex passwords. Dictionary attacks, rainbow attacks, and birthday attacks are all more efficient methods that exploit weaknesses in password systems, such as common or easily guessable passwords, precomputed tables, or hash collisions, respectively.

38. In which of the following attacks does the attacker pretend to be a legitimate user?

Aliasing

Spoofing

Flooding

Redirecting

None of the Above

A spoofing attack is simple an attempt by someone or something masquerading as someone else. This type of attack is usually considered an access attack.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 56

Explanation

A spoofing attack is simple an attempt by someone or something masquerading as someone else. This type of attack is usually considered an access attack.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 56

39. Identify the malicious code that enters a system and stay inactive until a user opens that particular program then starts to delete the contents of attached network drives and removable storage devices?

The malicious code is known as logic bomb.

The malicious code is known as Trojan horse.

The malicious code is known as honeypot.

The malicious code is known as worm.

A logic bomb is a type of malicious code that remains dormant within a system until a specific condition or trigger occurs, such as a user opening a particular program. Once activated, it carries out a destructive action, in this case deleting the contents of attached network drives and removable storage devices. Unlike a Trojan horse, which disguises itself as a legitimate program, a logic bomb is specifically designed to cause harm once triggered. A honeypot is a different concept altogether, referring to a trap set up to detect and monitor unauthorized access attempts. A worm, on the other hand, is a self-replicating malware that spreads across networks without the need for user interaction.

Explanation

A logic bomb is a type of malicious code that remains dormant within a system until a specific condition or trigger occurs, such as a user opening a particular program. Once activated, it carries out a destructive action, in this case deleting the contents of attached network drives and removable storage devices. Unlike a Trojan horse, which disguises itself as a legitimate program, a logic bomb is specifically designed to cause harm once triggered. A honeypot is a different concept altogether, referring to a trap set up to detect and monitor unauthorized access attempts. A worm, on the other hand, is a self-replicating malware that spreads across networks without the need for user interaction.

40. What is used by anti-virus software to detect unknown viruses?

Zero-day algorithm is used to detect unknown viruses.

Heuristic analysis is used to detect unknown viruses.

Random scanning is used to detect unknown viruses.

Quarantining is used to detect unknown viruses.

Heuristic analysis is used by anti-virus software to detect unknown viruses. This method involves analyzing the behavior and characteristics of files and programs to identify potential threats. It uses a set of rules and algorithms to determine if a file or program is suspicious or malicious based on its actions, structure, or code. By using heuristic analysis, anti-virus software can detect and block new and previously unknown viruses that may not have been identified by traditional virus definitions.

Explanation

Heuristic analysis is used by anti-virus software to detect unknown viruses. This method involves analyzing the behavior and characteristics of files and programs to identify potential threats. It uses a set of rules and algorithms to determine if a file or program is suspicious or malicious based on its actions, structure, or code. By using heuristic analysis, anti-virus software can detect and block new and previously unknown viruses that may not have been identified by traditional virus definitions.

41. In which of the following would an attacker impersonate a dissatisfied customer of a company and requesting a password change on the customer's account?

Hostile code.

Social engineering.

IP (Internet Protocol) spoofing.

Man in the middle attack.

Social engineering is using deception to engineer human emotions into granting access.

Explanation

Social engineering is using deception to engineer human emotions into granting access.

42. What results in poor programming techniques and lack of code review?

It can result in the Buffer overflow attack.

It can result in the Dictionary attack.

It can result in the Birthday attack.

It can result in the Common Gateway Interface (CGI) script attack.

Poor programming techniques and lack of code review can result in a buffer overflow attack. This type of attack occurs when a program writes data outside the allocated memory buffer, causing the program to crash or allowing an attacker to execute malicious code. Inadequate programming practices and the absence of code review can lead to vulnerabilities in the code, making it easier for attackers to exploit and carry out buffer overflow attacks.

Explanation

Poor programming techniques and lack of code review can result in a buffer overflow attack. This type of attack occurs when a program writes data outside the allocated memory buffer, causing the program to crash or allowing an attacker to execute malicious code. Inadequate programming practices and the absence of code review can lead to vulnerabilities in the code, making it easier for attackers to exploit and carry out buffer overflow attacks.

43. What is an attack whereby two different messages using the same hash function produce a common message digest known as?

Man in the middle attack.

Ciphertext only attack.

Birthday attack.

Brute force attack.

A birthday attack is based on the principle that amongst 23 people, the probability of 2 of them having the same birthday is greater the 50%. By that rational if an attacker examines the hashes of an entire organizations passwords, they'll come up with some common denominators.

Explanation

A birthday attack is based on the principle that amongst 23 people, the probability of 2 of them having the same birthday is greater the 50%. By that rational if an attacker examines the hashes of an entire organizations passwords, they'll come up with some common denominators.

44. What should a network administrator's first course of action be on receiving an e-mail alerting him to the presence of a virus on the system if a specific executable file exists?

Investigate the e-mail as a possible hoax with a reputable anti-virus vendor.

Immediately search for and delete the file if discovered.

Broadcast a message to the entire organization to alert users to the presence of a virus.

Locate and download a patch to repair the file.

If a virus threat is for real, the major anti-virus players like Symantec, McAfee, or Sophos will know about it before you, and they will have details on their sites. Incorrect answers: Searching for and deleting a file is not only a waste of time with today's OS's complex directory systems, but its also ineffective. One can miss a file, the file could be hidden, the wrong file can be deleted, and worst of all: when you delete a file it doesn't really get completely deleted, instead it gets sent to a 'recycle bin.' Broadcasting an alert and creating panic isn't the right thing to do, because it will waste bandwidth, and perhaps terrorizing the users is the original intent of the attack. The act of locating and downloading a patch isn't just time consuming, but there's a chance that the patch itself could be the virus, or the process of resetting the computer could activate the virus.

Explanation

If a virus threat is for real, the major anti-virus players like Symantec, McAfee, or Sophos will know about it before you, and they will have details on their sites. Incorrect answers: Searching for and deleting a file is not only a waste of time with today's OS's complex directory systems, but its also ineffective. One can miss a file, the file could be hidden, the wrong file can be deleted, and worst of all: when you delete a file it doesn't really get completely deleted, instead it gets sent to a 'recycle bin.' Broadcasting an alert and creating panic isn't the right thing to do, because it will waste bandwidth, and perhaps terrorizing the users is the original intent of the attack. The act of locating and downloading a patch isn't just time consuming, but there's a chance that the patch itself could be the virus, or the process of resetting the computer could activate the virus.

45. Identify the port that permits a user to login remotely on a computer?

Port 3389

Port 8080

Port 143

Port 23

Port 3389 is the correct answer because it is the default port used by Microsoft's Remote Desktop Protocol (RDP), which allows users to connect to a computer remotely and login. RDP is commonly used for remote administration and accessing files or applications on a remote computer.

Explanation

Port 3389 is the correct answer because it is the default port used by Microsoft's Remote Desktop Protocol (RDP), which allows users to connect to a computer remotely and login. RDP is commonly used for remote administration and accessing files or applications on a remote computer.

46. Identify the attack that consists of a PC sending PING packets with destination addresses set to the broadcast address and the source address set to the target PC's IP address?

You should identify a Smurf attack.

You should identify a XMAS Tree attack.

You should identify a Replay attack.

You should identify a Fraggle attack

A Smurf attack is a type of DDoS attack where an attacker sends a large number of ICMP ping requests (PING packets) with the source IP address set to the target PC's IP address and the destination IP address set to the broadcast address. This causes all the devices on the network to respond to the ping requests, overwhelming the target PC with an excessive amount of traffic and potentially causing it to crash or become unavailable.

Explanation

A Smurf attack is a type of DDoS attack where an attacker sends a large number of ICMP ping requests (PING packets) with the source IP address set to the target PC's IP address and the destination IP address set to the broadcast address. This causes all the devices on the network to respond to the ping requests, overwhelming the target PC with an excessive amount of traffic and potentially causing it to crash or become unavailable.

47. What would a user's best plan of action be on receiving an e-mail message warning of a virus that may have accidentally been sent in the past, and suggesting that the user to delete a specific file if it appears on the user's computer?

Check for the file and delete it immediately.

Check for the file, delete it immediately and copy the e-mail to all distribution lists.

Report the contents of the message to the network administrator.

Ignore the message. This is a virus hoax and no action is required

In such a scenario the most rational answer is to tell your network administrator. Most network administrators don't have much to do most of the day, so they live for an opportunity like this. Incorrect Answers: Deleting the file wouldn't be good, because deleting a file doesn't necessarily eliminate a problem, as it could put it to your email trash folder, or to your recycle bin. This will give you a false sense of security, and work against the process of containment. Copying the email to all distribution lists, is another mistake, because if indeed the email does contain a virus, you'll only spread it. Ignoring the problem isn't a good problem, although virus hoaxes are common, all it takes is one real virus to cause a mini-disaster.

Explanation

In such a scenario the most rational answer is to tell your network administrator. Most network administrators don't have much to do most of the day, so they live for an opportunity like this. Incorrect Answers: Deleting the file wouldn't be good, because deleting a file doesn't necessarily eliminate a problem, as it could put it to your email trash folder, or to your recycle bin. This will give you a false sense of security, and work against the process of containment. Copying the email to all distribution lists, is another mistake, because if indeed the email does contain a virus, you'll only spread it. Ignoring the problem isn't a good problem, although virus hoaxes are common, all it takes is one real virus to cause a mini-disaster.

48. Which of the following is used to describe an autonomous agent that copies itself into one or more host programs, then propagates when the host is run?

Trojan horse

Back door

Logic bomb

Virus

A virus is a piece of software designed to infect a computer system. I can go into this further, but the answer is obvious. Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 76

Explanation

A virus is a piece of software designed to infect a computer system. I can go into this further, but the answer is obvious. Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 76

49. What is used to verify the equipment status and modify the configuration or settings of network gadgets?

This can be accomplished by using SNMP.

This can be accomplished by using SMTP.

This can be accomplished by using CHAP.

This can be accomplished by using DHCP.

SNMP (Simple Network Management Protocol) is used to verify the equipment status and modify the configuration or settings of network gadgets. SNMP allows network administrators to monitor and manage network devices such as routers, switches, and servers. It provides a standardized way to collect and organize information about these devices, as well as the ability to remotely configure and control them. SNMP operates on the application layer of the TCP/IP protocol stack and uses a manager-agent model, where the network devices act as agents and the network administrator's workstation acts as the manager.

Explanation

SNMP (Simple Network Management Protocol) is used to verify the equipment status and modify the configuration or settings of network gadgets. SNMP allows network administrators to monitor and manage network devices such as routers, switches, and servers. It provides a standardized way to collect and organize information about these devices, as well as the ability to remotely configure and control them. SNMP operates on the application layer of the TCP/IP protocol stack and uses a manager-agent model, where the network devices act as agents and the network administrator's workstation acts as the manager.

50. Identify the malicious software that can be transmitted across computer networks without needing a client to distribute the software?

A Worm can be transmitted across computer networks without needing a client to distribute software.

A Virus can be transmitted across computer networks without needing a client to distribute software.

A Logic bomb can be transmitted across computer networks without needing a client to distribute software.

A Trojan horse can be transmitted across computer networks without needing a client to distribute software.

A Worm is a type of malicious software that can spread across computer networks without the need for a client to distribute it. Unlike viruses, worms are standalone programs that can replicate and spread themselves without attaching to other files or programs. This allows them to quickly infect multiple computers and networks, causing damage and disruption. Worms can exploit vulnerabilities in network protocols and security systems, enabling them to self-propagate and infect other devices. Therefore, out of the given options, a Worm is the correct answer for the question.

Explanation

A Worm is a type of malicious software that can spread across computer networks without the need for a client to distribute it. Unlike viruses, worms are standalone programs that can replicate and spread themselves without attaching to other files or programs. This allows them to quickly infect multiple computers and networks, causing damage and disruption. Worms can exploit vulnerabilities in network protocols and security systems, enabling them to self-propagate and infect other devices. Therefore, out of the given options, a Worm is the correct answer for the question.

51. What should the minimum length of a password be to deter dictionary password cracks?

6 characters

8 characters

10 characters

12 characters

16 characters

A password should be at least 8 characters long to deter dictionary password cracks. A longer password provides more combinations, making it harder for hackers to guess or crack the password using automated tools that rely on dictionary words or common combinations. Therefore, an 8-character minimum length helps to enhance the security of the password and protect against dictionary attacks.

Explanation

A password should be at least 8 characters long to deter dictionary password cracks. A longer password provides more combinations, making it harder for hackers to guess or crack the password using automated tools that rely on dictionary words or common combinations. Therefore, an 8-character minimum length helps to enhance the security of the password and protect against dictionary attacks.

52. Identify the malicious software that will replicate itself by connecting to other programs on the same host workstation?

A Worm will attach to another program.

A Virus will attach to another program.

A Logic bomb will attach to another program.

A Trojan horse will attach to another program.

A virus is a type of malicious software that can replicate itself by attaching to other programs on the same host workstation. Once the virus attaches itself to a program, it can spread to other programs and potentially infect the entire system. Unlike worms, viruses require a host program to spread and cannot replicate on their own. Logic bombs and Trojan horses are also types of malicious software, but they do not specifically replicate by attaching to other programs.

Explanation

A virus is a type of malicious software that can replicate itself by attaching to other programs on the same host workstation. Once the virus attaches itself to a program, it can spread to other programs and potentially infect the entire system. Unlike worms, viruses require a host program to spread and cannot replicate on their own. Logic bombs and Trojan horses are also types of malicious software, but they do not specifically replicate by attaching to other programs.

53. You are the network administrator at Certkiller .com. During a routing site audit of Certkiller 's wireless network, you discover an unauthorized Access Point under the desk of Sales department user. When questioned, she denies any knowledge of it, but informs you that her new boyfriend has been to visit her several times, including taking her to lunch one time. What type of attack have you become a victim of?

SYN Flood.

Distributed Denial of Service.

Man in the Middle attack.

TCP Flood.

None of the Above

Social engineering is a process where an attacker attempts to acquire information about your network and system by talking to people in the organization. A social engineering attack may occur over the phone, be e-mail, or by a visit. Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 87

Explanation

Social engineering is a process where an attacker attempts to acquire information about your network and system by talking to people in the organization. A social engineering attack may occur over the phone, be e-mail, or by a visit. Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 87

54. In which of the following does someone use an application to capture and manipulate packets as they are passing through your network?

DDos

Back Door

Man in the Middle

Spoofing

The method used in these attacks places a piece of software between a server and the user. The software intercepts and then sends the information to the server. The server responds back to the software, thinking it is the legitimate client. The attacking software then sends this information on to the server, etc. The man in the middle software may be recording this information, altering it, or in some other way compromising the security of your system.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 57

Explanation

The method used in these attacks places a piece of software between a server and the user. The software intercepts and then sends the information to the server. The server responds back to the software, thinking it is the legitimate client. The attacking software then sends this information on to the server, etc. The man in the middle software may be recording this information, altering it, or in some other way compromising the security of your system.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 57

55. Which of the following attacks exploits the session initiation between the Transport Control Program (TCP) client and server in a network?

Birthday Attack

SYN Attack

Buffer Overflow

Smurf

None of the Above

SYN flood is a DoS attack in which the hacker sends a barrage of SYN packets. The receiving station tries to respond to each SYN request for a connection, thereby tying up all the resources. All incoming connections are rejected until all current connections can be established. Change this if you want but in the SYN flood the hacker sends a SYN packet to the receiving station with a spoofed return address of some broadcast address on their network. The receiving station sends out this SYN packets (pings the broadcast address) which causes multiple servers or stations to respond to the ping, thus overloading the originator of the ping (the receiving station). Therefore, the hacker may send only 1 SYN packet, whereas the network of the attacked station is actually what does the barrage of return packets and overloads the receiving station.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 530

Explanation

SYN flood is a DoS attack in which the hacker sends a barrage of SYN packets. The receiving station tries to respond to each SYN request for a connection, thereby tying up all the resources. All incoming connections are rejected until all current connections can be established. Change this if you want but in the SYN flood the hacker sends a SYN packet to the receiving station with a spoofed return address of some broadcast address on their network. The receiving station sends out this SYN packets (pings the broadcast address) which causes multiple servers or stations to respond to the ping, thus overloading the originator of the ping (the receiving station). Therefore, the hacker may send only 1 SYN packet, whereas the network of the attacked station is actually what does the barrage of return packets and overloads the receiving station.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 530

56. Which of the following type of attacks exploits poor programming techniques and lack of code review?

CGI (Common Gateway Interface) script

Birthday

Buffer overflow

Dictionary

Buffer overflows occur when an application receives more data than it is programmed to accept. This situation can cause an application to terminate. The termination may leave the system sending the data with temporary access to privileged levels in the attacked system. This exploitation is usually a result of a programming error in the development of the software.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 135

Explanation

Buffer overflows occur when an application receives more data than it is programmed to accept. This situation can cause an application to terminate. The termination may leave the system sending the data with temporary access to privileged levels in the attacked system. This exploitation is usually a result of a programming error in the development of the software.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 135

57. Identify the ports utilized by e-mail users? (Choose TWO)

You should identify port 143

You should identify port 3389

You should identify port 110

You should identify port 334

You should identify port 23

The correct answer is to identify port 143 and port 110. Port 143 is used for the Internet Message Access Protocol (IMAP), which allows users to access their email on a remote mail server. Port 110 is used for the Post Office Protocol (POP3), which is another protocol for retrieving email from a remote server.

Explanation

The correct answer is to identify port 143 and port 110. Port 143 is used for the Internet Message Access Protocol (IMAP), which allows users to access their email on a remote mail server. Port 110 is used for the Post Office Protocol (POP3), which is another protocol for retrieving email from a remote server.

Submit

58. Which of the following attacks uses ICMP (Internet Control Message Protocol) and improperly formatted MTUs (Maximum Transmission Unit) to crash a target computer?

Man in the middle attack

Smurf attack

Ping of death attack

TCP SYN (Transmission Control Protocol / Synchronized) attack

None of the Above

Explanation: The Ping of Death attack involved sending IP packets of a size greater than 65,535 bytes to the target computer. IP packets of this size are illegal, but applications can be built that are capable of creating them. Carefully programmed operating systems could detect and safely handle illegal IP packets, but some failed to do this. Note: MTU packets that are bigger than the maximum size the underlying layer can handle are fragmented into smaller packets, which are then reassembled by the receiver. For ethernet style devices, the MTU is typically 1500. Incorrect Answers A: A man in the middle attack allows a third party to intercept and replace components of the data stream. B: The "smurf" attack, named after its exploit program, is one of the most recent in the category of network-level attacks against hosts. A perpetrator sends a large amount of ICMP echo (ping) traffic at IP broadcast addresses, all of it having a spoofed source address of a victim. D: In a TCP SYN attack a sender transmits a volume of connections that cannot be completed. This causes the connection queues to fill up, thereby denying service to legitimate TCP users.

Explanation

Explanation: The Ping of Death attack involved sending IP packets of a size greater than 65,535 bytes to the target computer. IP packets of this size are illegal, but applications can be built that are capable of creating them. Carefully programmed operating systems could detect and safely handle illegal IP packets, but some failed to do this. Note: MTU packets that are bigger than the maximum size the underlying layer can handle are fragmented into smaller packets, which are then reassembled by the receiver. For ethernet style devices, the MTU is typically 1500. Incorrect Answers A: A man in the middle attack allows a third party to intercept and replace components of the data stream. B: The "smurf" attack, named after its exploit program, is one of the most recent in the category of network-level attacks against hosts. A perpetrator sends a large amount of ICMP echo (ping) traffic at IP broadcast addresses, all of it having a spoofed source address of a victim. D: In a TCP SYN attack a sender transmits a volume of connections that cannot be completed. This causes the connection queues to fill up, thereby denying service to legitimate TCP users.

59. Which of the following is the best defense against a man in the middle attack?

Virtual LAN (Local Area Network)

GRE (Generic Route Encapsulation) tunnel IPIP (Internet Protocol-within-Internet Protocol Encapsulation Protocol)

PKI (Public Key Infrastructure)

Enforcement of badge system

PKI is a two-key system. Messages are encrypted with a public key. Messages are decrypted with a private key. If you want to send an encrypted message to someone, you would request their public key. You would encrypt the message using their public key and send it to them. They would then use their private key to decrypt the message.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 331

Explanation

PKI is a two-key system. Messages are encrypted with a public key. Messages are decrypted with a private key. If you want to send an encrypted message to someone, you would request their public key. You would encrypt the message using their public key and send it to them. They would then use their private key to decrypt the message.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 331

60. Identify the type of attack that CGI scripts are vulnerable to?

It is vulnerable to Buffer overflows.

It is vulnerable to Cross site scripting.

It is vulnerable to DNS spoofing.

It is vulnerable to SQL injection.

CGI scripts are vulnerable to Cross site scripting (XSS) attacks. XSS attacks occur when a malicious user injects malicious scripts into a trusted website, which are then executed by the victim's browser. This allows the attacker to steal sensitive information, such as login credentials, or perform actions on behalf of the victim. Buffer overflows, DNS spoofing, and SQL injection are also common types of attacks, but they are not specifically related to CGI scripts.

Explanation

CGI scripts are vulnerable to Cross site scripting (XSS) attacks. XSS attacks occur when a malicious user injects malicious scripts into a trusted website, which are then executed by the victim's browser. This allows the attacker to steal sensitive information, such as login credentials, or perform actions on behalf of the victim. Buffer overflows, DNS spoofing, and SQL injection are also common types of attacks, but they are not specifically related to CGI scripts.

61. What is the most common method of social engineering?

Looking through users' trash for information

Calling users and asking for information

E-mailing users and asking for information

E-mail

Social engineering is a process where an attacker attempts to acquire information about your network and system by talking to people in the organization. A social engineering attack may occur over the phone, by e-mail, or by a visit.

Reference:
Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 87

Explanation

Social engineering is a process where an attacker attempts to acquire information about your network and system by talking to people in the organization. A social engineering attack may occur over the phone, by e-mail, or by a visit.

Reference:
Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 87

62. What characteristic of TCP/IP (transmission Control Protocol/Internet Protocol) does TCP/IP (transmission Control Protocol/Internet Protocol) session hijacking exploit?

The fact that TCP/IP (transmission Control Protocol/Internet Protocol) has no authentication mechanism, and therefore allows connectionless packets from anyone

The fact that TCP/IP (transmission Control Protocol/Internet Protocol) allows packets to be tunneled to an alternate network

TCP/IP's connection orientated nature, and lack of natural security makes it easy to hijack a session by spoofing.

Explanation

TCP/IP's connection orientated nature, and lack of natural security makes it easy to hijack a session by spoofing.

63. Which type of attack is based on the probability of two different messages using the same hash function producing a common message digest?

Differential cryptanalysis

Differential linear cryptanalysis

Birthday attack

Statistical attack

A good hashing algorithm should not produce the same hash value for two different messages. If the algorithm does produce the same value for two distinctly different messages, it is referred to as a collision. If an attacker finds an instance of a collision, he has more information to use when trying to break the cryptographic methods used. A complex way of attacking a one-way hash function is called the birthday attack. If an attacker has one hash value and wants to find a message that hashes to the same hash value, this process could take him years. However, if he just wants to find any two messages with the same hashing value, it could take him only a couple hours.

Explanation

A good hashing algorithm should not produce the same hash value for two different messages. If the algorithm does produce the same value for two distinctly different messages, it is referred to as a collision. If an attacker finds an instance of a collision, he has more information to use when trying to break the cryptographic methods used. A complex way of attacking a one-way hash function is called the birthday attack. If an attacker has one hash value and wants to find a message that hashes to the same hash value, this process could take him years. However, if he just wants to find any two messages with the same hashing value, it could take him only a couple hours.

64. What are MITRE and CERT?

They are anti-virus software institutes.

They are virus and malware cataloging organizations.

They are virus broadcast monitoring tools.

They are spyware and virus distributing software.

MITRE and CERT are not anti-virus software institutes or virus broadcast monitoring tools. They are not spyware and virus distributing software either. MITRE and CERT are well-known organizations that focus on cataloging and analyzing viruses and malware. They provide information and resources to help in the identification and mitigation of cybersecurity threats.

Explanation

MITRE and CERT are not anti-virus software institutes or virus broadcast monitoring tools. They are not spyware and virus distributing software either. MITRE and CERT are well-known organizations that focus on cataloging and analyzing viruses and malware. They provide information and resources to help in the identification and mitigation of cybersecurity threats.

65. Which of the following attacks can be mitigated against by implementing the following ingress/egress traffic filtering?
* Any packet coming into the network must not have a source address of the internal network.
* Any packet coming into the network must have a destination address from the internal network.
* Any packet leaving the network must have a source address from the internal network.
* Any packet leaving the network must not have a destination address from the internal networks.
* Any packet coming into the network or leaving the network must not have a source or destination address of a private address or an address listed in RFC19lS reserved space.

SYN (Synchronize) flooding

Spoofing

DoS (Denial of Service) attacks

Dictionary attacks

None of the Above

By having strict addressing filters; an administrator prevents a spoofed address from gaining access.

Explanation

By having strict addressing filters; an administrator prevents a spoofed address from gaining access.

66. Which of the attacks can involve the misdirection of the domain name resolution and Internet traffic?

DoS (Denial of Service)

Spoofing

Brute force attack

Reverse DNS (Domain Name Service)

A spoofing attack is simply an attempt by someone or something masquerading as someone else.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 56

Explanation

A spoofing attack is simply an attempt by someone or something masquerading as someone else.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 56

67. What type of virus can hides itself by intercepting disk access requests?

Multipartite

Stealth

Interceptor

Polymorphic

A stealth virus will attempt to avoid detection by masking itself from applications. It may attach itself to the boot sector of the hard drive. When a system utility or program runs, the stealth virus redirects commands around itself in order to avoid detection. An infected file may report a file size different from what is actually present in order to avoid detection.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 80

Explanation

A stealth virus will attempt to avoid detection by masking itself from applications. It may attach itself to the boot sector of the hard drive. When a system utility or program runs, the stealth virus redirects commands around itself in order to avoid detection. An infected file may report a file size different from what is actually present in order to avoid detection.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 80

68. You receive an e-mail to reset the online banking username and password. When you attempt to access the link the URL appearing in the browser does not match the link. What is this known as?

This situation is known as redirecting.

This situation is known as spoofing.

This situation is known as hijacking.

This situation is known as phishing.

Phishing refers to the act of attempting to deceive individuals into providing sensitive information, such as usernames and passwords, by posing as a trustworthy entity. In this scenario, the email received is likely a phishing attempt, as the URL in the browser does not match the link provided. The intention is to trick the recipient into entering their login credentials on a fraudulent website, allowing the attacker to gain unauthorized access to their online banking account.

Explanation

Phishing refers to the act of attempting to deceive individuals into providing sensitive information, such as usernames and passwords, by posing as a trustworthy entity. In this scenario, the email received is likely a phishing attempt, as the URL in the browser does not match the link provided. The intention is to trick the recipient into entering their login credentials on a fraudulent website, allowing the attacker to gain unauthorized access to their online banking account.

69. Which of the following can be deterred against by increasing the keyspace and complexity of a password?

Dictionary

Brute force

Inference

Frontal

Increasing the keyspace and complexity of a password can deter against brute force attacks. Brute force attacks involve trying all possible combinations of characters until the correct password is found. By increasing the keyspace (the range of characters that can be used in the password) and complexity (the length and variety of characters used), it becomes exponentially more difficult and time-consuming for an attacker to guess the correct password through brute force methods.

Explanation

Increasing the keyspace and complexity of a password can deter against brute force attacks. Brute force attacks involve trying all possible combinations of characters until the correct password is found. By increasing the keyspace (the range of characters that can be used in the password) and complexity (the length and variety of characters used), it becomes exponentially more difficult and time-consuming for an attacker to guess the correct password through brute force methods.

70. Loki, NetCaZ, Masters Paradise and NetBus are examples of what type of attack?

Brute force

Spoofing

Man in the middle

Back door

None of the Above

Since backdoor's are publicly marketed/distributed software applications, they are characterized by having a trade name.

Explanation

Since backdoor's are publicly marketed/distributed software applications, they are characterized by having a trade name.

71. You are the network administrator at Certkiller .com. You discover that your domain name server is resolving the domain name to the wrong IP (Internet Protocol) address and thus misdirecting Internet traffic. You suspect a malicious attack. Which of the following would you suspect?

Reverse DNS (Domain Name Service)

Brute force attack

Spoofing

DoS (Denial of Service)

Spoofing is when you forge the source address of traffic, so it appears to come from somewhere else, preferably somewhere safe and trustworthy. Web spoofing is a process where someone creates a convincing copy of a legitimate website or a portion of the world wide web, so that when someone enters a site that they think is safe, they end up communicating directly with the hacker. To avoid this you should rely on certificates, IPSEC, and set up a filter to block internet traffic with an internal network address.

Explanation

Spoofing is when you forge the source address of traffic, so it appears to come from somewhere else, preferably somewhere safe and trustworthy. Web spoofing is a process where someone creates a convincing copy of a legitimate website or a portion of the world wide web, so that when someone enters a site that they think is safe, they end up communicating directly with the hacker. To avoid this you should rely on certificates, IPSEC, and set up a filter to block internet traffic with an internal network address.

72. You are the security administrator at Certkiller .com. You detect intruders accessing your internal network. The source IP (Internet Protocol) addresses originate from trusted networks. What type of attack are you experiencing?

Social engineering

TCP/IP (Transmission Control Protocol/Internet Protocol) hijacking

Smurfing

Spoofing

Spoofing is the process of trying to deceive, or to spoof, someone into believing that a source address is coming from somewhere else. Incorrect answers:
A: Social engineering deals with the human aspect of gaining access and passwords.
B: TCP/IP hijacking requires an existing session.
C: Smurfing is a legitimate kind of DoS attack that does involve spoofing, however it doesn't match the above description.

Explanation

Spoofing is the process of trying to deceive, or to spoof, someone into believing that a source address is coming from somewhere else. Incorrect answers:
A: Social engineering deals with the human aspect of gaining access and passwords.
B: TCP/IP hijacking requires an existing session.
C: Smurfing is a legitimate kind of DoS attack that does involve spoofing, however it doesn't match the above description.

73. Which type of attack can easily break a user's password if the user uses simple and meaningful things such as pet names or birthdays for their passwords?

Mickey Mouse attack

Random guess attack

Brute Force attack

Dictionary attack

Role Based Access Control attack

A dictionary attack is an attack which uses a dictionary of common words to attempt to find the password of a user.
Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 58

Explanation

A dictionary attack is an attack which uses a dictionary of common words to attempt to find the password of a user.
Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 58

74. Identify the attack that targets a web server if numerous computers send a lot of FIN packets at the same time with spoofed source IP addresses?

This attack is known as SYN flood.

This attack is known as DDoS

This attack is known as Brute force.

This attack is known as XMAS tree scan.

not-available-via-ai

Explanation

not-available-via-ai

75. What is a program that can infect other programs by modifying them to include a version of it called?

Replicator

Virus

Trojan horse

Logic bomb

A virus can do many things and including itself in a program is one of them. A virus is a program intended to damage a computer system. Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 533

Explanation

A virus can do many things and including itself in a program is one of them. A virus is a program intended to damage a computer system. Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 533

76. Which of the following are characteristics of a computer virus?

Find mechanism, initiation mechanism and propagate.

Learning mechanism, contamination mechanism and exploit.

Search mechanism, connection mechanism and integrate.

Replication mechanism, activation mechanism and objective.

Replication mechanism: To replicate a virus needs to attach itself to the right code, where it can replicate and spread past security systems into other systems. Activation mechanism: Most viruses require the user to actually do something. During the 80's and early 90's most viruses were activated when you booted from a floppy disk, or inserted a new floppy disk into an infected drive. Nowadays most computer virus's come as email forwards, and they require the user to execute. Objective: many viruses have no objective at all, but some have the objective to delete data, hog up memory, or crash the system.

Explanation

Replication mechanism: To replicate a virus needs to attach itself to the right code, where it can replicate and spread past security systems into other systems. Activation mechanism: Most viruses require the user to actually do something. During the 80's and early 90's most viruses were activated when you booted from a floppy disk, or inserted a new floppy disk into an infected drive. Nowadays most computer virus's come as email forwards, and they require the user to execute. Objective: many viruses have no objective at all, but some have the objective to delete data, hog up memory, or crash the system.

77. You implement IDS on the Certkiller .com network. You discover traffic from an internal host IP address accessing internal network resources from the Internet. What is causing this?

This occurred since a user without permission is spoofing internal IP addresses.

This occurred since information is accessed by a user from a remote login.

This occurred since traffic is routed outside the internal network.

This is normal behavior according to the IP RFC.

The correct answer is that this occurred since a user without permission is spoofing internal IP addresses. This means that someone is pretending to have an internal IP address in order to access internal network resources from the Internet. This is a security concern as it indicates unauthorized access and potential malicious activity.

Explanation

The correct answer is that this occurred since a user without permission is spoofing internal IP addresses. This means that someone is pretending to have an internal IP address in order to access internal network resources from the Internet. This is a security concern as it indicates unauthorized access and potential malicious activity.

78. Malicious port scanning determines the _______.

Computer name

Fingerprint of the operating system

Physical cabling topology of a network

User ID and passwords

All of the Above

Malicious port scanning is an attempt to find an unused port that the system won't acknowledge. Several programs now can use port scanning for advanced host detection and operating system fingerprinting. With knowledge of the operating system, the hacker can look up known vulnerabilities and exploits for that particular system.

Explanation

Malicious port scanning is an attempt to find an unused port that the system won't acknowledge. Several programs now can use port scanning for advanced host detection and operating system fingerprinting. With knowledge of the operating system, the hacker can look up known vulnerabilities and exploits for that particular system.

79. Which of the following determines which operating system is installed on a system by analyzing its response to certain network traffic?

OS (Operating System) scanning

Reverse engineering.

Fingerprinting

Host hijacking.

None of the Above

Fingerprinting is the act of inspecting returned information from a server (ie. One method is ICMP Message quoting where the ICMP quotes back part of the original message with every ICMP error message. Each operating system will quote definite amount of message to the ICMP error messages. The peculiarity in the error messages received from various types of operating systems helps us in identifying the remote host's OS.

Explanation

Fingerprinting is the act of inspecting returned information from a server (ie. One method is ICMP Message quoting where the ICMP quotes back part of the original message with every ICMP error message. Each operating system will quote definite amount of message to the ICMP error messages. The peculiarity in the error messages received from various types of operating systems helps us in identifying the remote host's OS.

80. Which of the following is most common method of accomplishing DDoS (Distributed Denial of Service) attacks?

Internal host computers simultaneously failing.

Overwhelming and shutting down multiple services on a server.

Multiple servers or routers monopolizing and over whelming the bandwidth of a particular server or router.

An individual e-mail address list being used to distribute a virus.

A distributed denial of service attack takes place from within, and is usually the doing of a disgruntled worker. They set up a zombie software that takes over numerous servers, and routers within the network to overwhelm the systems bandwidth. A and B are incorrect because a DDoS doesn't fail or shut down the servers, it merely compromises them.

Explanation

A distributed denial of service attack takes place from within, and is usually the doing of a disgruntled worker. They set up a zombie software that takes over numerous servers, and routers within the network to overwhelm the systems bandwidth. A and B are incorrect because a DDoS doesn't fail or shut down the servers, it merely compromises them.

81. Which of the following is an effective method of preventing computer viruses from spreading?

Require root/administrator access to run programs.

Enable scanning of e-mail attachments.

Prevent the execution of .vbs files.

Install a host based IDS (Intrusion Detection System)

Viruses get into your computer in one of three ways. They may enter your computer on a contaminated floppy or CD-ROM, through e-mail, or as a part of another program.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 76

Explanation

Viruses get into your computer in one of three ways. They may enter your computer on a contaminated floppy or CD-ROM, through e-mail, or as a part of another program.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 76

82. Which port is used by Kerberos by default?

Kerberos makes use of port 139

Kerberos makes use of port 443

Kerberos makes use of port 23

Kerberos makes use of port 88

None of the Above

Kerberos is a network authentication protocol that uses port 88 by default. This port is specifically assigned for Kerberos services, allowing clients and servers to communicate and authenticate each other securely. Port 88 is commonly used in Windows Active Directory environments and is essential for the functioning of Kerberos-based authentication systems.

Explanation

Kerberos is a network authentication protocol that uses port 88 by default. This port is specifically assigned for Kerberos services, allowing clients and servers to communicate and authenticate each other securely. Port 88 is commonly used in Windows Active Directory environments and is essential for the functioning of Kerberos-based authentication systems.

83. Why is certificate expiration important?

Renewing the log files will keep it from getting too large.

If given sufficient tile brute force techniques will probably to break the key.

It will use more processing power when the encryption key is used long.

It prevents the server from using the identical key for two sessions.

not-available-via-ai

Explanation

not-available-via-ai

84. You run Nmap against a server on the Certkiller .com network. You discover more open ports than you anticipated. What should you do?

Your first step should be to examine the process using the ports.

Your first step should be to leave the ports open and to monitor the traffic for malicious activity.

Your first step should be to run Nmap again and to monitor it to see if different results are obtained.

The correct answer is to examine the process using the ports. This is the most logical and effective step to take when faced with unexpected open ports. By examining the process using the ports, you can determine if any unauthorized or malicious activity is taking place. This will help you identify and address any potential security vulnerabilities or threats.

Explanation

The correct answer is to examine the process using the ports. This is the most logical and effective step to take when faced with unexpected open ports. By examining the process using the ports, you can determine if any unauthorized or malicious activity is taking place. This will help you identify and address any potential security vulnerabilities or threats.

85. Which of the following is the best defense against man in the middle attacks?

A firewall

Strong encryption

Strong passwords

Strong authentication

Strong encryption is the best defense against man-in-the-middle attacks because it ensures that the data being transmitted between two parties is encrypted and cannot be intercepted or modified by an attacker. Encryption converts the data into a secure format that can only be decrypted by the intended recipient, making it extremely difficult for an attacker to access or manipulate the information. Firewalls, strong passwords, and strong authentication can provide additional layers of security, but they do not directly address the issue of intercepting and tampering with data in transit like strong encryption does.

Explanation

Strong encryption is the best defense against man-in-the-middle attacks because it ensures that the data being transmitted between two parties is encrypted and cannot be intercepted or modified by an attacker. Encryption converts the data into a secure format that can only be decrypted by the intended recipient, making it extremely difficult for an attacker to access or manipulate the information. Firewalls, strong passwords, and strong authentication can provide additional layers of security, but they do not directly address the issue of intercepting and tampering with data in transit like strong encryption does.

86. What is happening when a user downloads and installs a new screen saver and the program starts to rename and delete random files?

This program illustrates a Virus.

This program illustrates a Trojan horse.

This program illustrates a Worm.

This program illustrates a Logic bomb.

When a user downloads and installs a new screen saver and the program starts to rename and delete random files, it indicates that the program is acting as a Trojan horse. A Trojan horse is a type of malware that disguises itself as a legitimate program but performs malicious actions in the background. In this case, the screen saver program is pretending to be harmless but is actually causing harm by renaming and deleting files without the user's knowledge or consent.

Explanation

When a user downloads and installs a new screen saver and the program starts to rename and delete random files, it indicates that the program is acting as a Trojan horse. A Trojan horse is a type of malware that disguises itself as a legitimate program but performs malicious actions in the background. In this case, the screen saver program is pretending to be harmless but is actually causing harm by renaming and deleting files without the user's knowledge or consent.

87. Identify common utilization of Internet-exposed network services?

Active content is a common utilization.

Illicit servers are a common utilization.

Trojan horse programs are a common utilization.

Buffer overflows is a common utilization. Buffer overflows is a common utilization.

not-available-via-ai

Explanation

not-available-via-ai

88. As the security administrator you monitor traces from IDS and detect the subsequent data:

Date Time Source IP Destination IP Port Type
10/21 0845 192.168.155.28 10.1.20.1 20 SYN
10/21 0850 192.168.155.28 10.1.20.1 21 SYN
10/21 0900 192.168.155.28 10.1.20.1 23 SYN
10/21 0910 192.168.155.28 10.1.20.1 25 SYN

You need to determine what will occur?

An expected TCP/IP traffic will occur.

A Port scanning will occur.

A SYN Flood will occur.

A Denial of Service (DoS) will occur.

The given traces indicate that the source IP address (192.168.155.28) is sending SYN packets to the destination IP address (10.1.20.1) on different ports (20, 21, 23, 25). This behavior suggests that the source IP is scanning the destination IP for open ports. Port scanning is a common technique used by attackers to identify potential vulnerabilities in a system. Therefore, the correct answer is that a port scanning will occur.

Explanation

The given traces indicate that the source IP address (192.168.155.28) is sending SYN packets to the destination IP address (10.1.20.1) on different ports (20, 21, 23, 25). This behavior suggests that the source IP is scanning the destination IP for open ports. Port scanning is a common technique used by attackers to identify potential vulnerabilities in a system. Therefore, the correct answer is that a port scanning will occur.

89. How can you determine whether the workstations on the internal network are functioning as zombies participating in external DDoS attacks?

You should use AV server logs to confirm the suspicion.

You should use HIDS logs to confirm the suspicion.

You should use Proxy logs to confirm the suspicion.

You should use Firewall logs to confirm the suspicion.

The correct answer is to use Firewall logs to confirm the suspicion. Firewall logs can provide information about the network traffic and connections that are being allowed or blocked by the firewall. By analyzing these logs, you can identify any suspicious or abnormal traffic patterns that may indicate the presence of zombies participating in external DDoS attacks. This can help you determine whether the workstations on the internal network are functioning as zombies.

Explanation

The correct answer is to use Firewall logs to confirm the suspicion. Firewall logs can provide information about the network traffic and connections that are being allowed or blocked by the firewall. By analyzing these logs, you can identify any suspicious or abnormal traffic patterns that may indicate the presence of zombies participating in external DDoS attacks. This can help you determine whether the workstations on the internal network are functioning as zombies.

90. Which device should you contemplate on choosing in order to protect an internal network segment from traffic external to the segment?

You should choose DMZ to provide security to the network segment.

You should choose Internet content filter provide security to the network segment.

You should choose NIPS provide security to the network segment.

You should choose HIDS provide security to the network segment.

NIPS stands for Network Intrusion Prevention System. It is a device that is specifically designed to protect network segments from external traffic. It monitors network traffic for any suspicious activity or potential threats and takes proactive measures to prevent them from entering the network segment. By choosing NIPS, the internal network segment can be effectively protected from any unauthorized access or malicious attacks from the external network.

Explanation

NIPS stands for Network Intrusion Prevention System. It is a device that is specifically designed to protect network segments from external traffic. It monitors network traffic for any suspicious activity or potential threats and takes proactive measures to prevent them from entering the network segment. By choosing NIPS, the internal network segment can be effectively protected from any unauthorized access or malicious attacks from the external network.

91. Which of the following fingerprinting techniques exploits the fact that operating systems differ in the amount of information that is quoted when ICMP (Internet Control Message Protocol) errors are encountered?

TCP (Transmission Control Protocol) options.

ICMP (Internet Control Message Protocol) error message quenching.

Fragmentation handling.

ICMP (Internet Control Message Protocol) message quoting

None of the Above

ICMP Message quoting: The ICMP quotes back part of the original message with every ICMP error message. Each operating system will quote definite amount of message to the ICMP error messages. The peculiarity in the error messages received from various types of operating systems helps us in identifying the remote host's OS.

Explanation

ICMP Message quoting: The ICMP quotes back part of the original message with every ICMP error message. Each operating system will quote definite amount of message to the ICMP error messages. The peculiarity in the error messages received from various types of operating systems helps us in identifying the remote host's OS.

92. What can be sued for credit card information theft? (Choose TWO)

A Worm will permit credit card theft.

A SPIM will permit credit card theft.

An Adware will permit credit card theft.

A Phishing will permit credit card theft.

A Virus will permit credit card theft.

not-available-via-ai

Explanation

not-available-via-ai

Submit

93. You are the security administrator at Certkiller .com. All Certkiller users have a token and 4-digit personal identification number (PIN) that are used to access their computer systems. The token performs off-line checking for the correct PIN. To which of the following type of attack is Certkiller vulnerable?

Smurf

Man-in-the-middle

Brute force

Birthday

Explanation: Brute force attacks are performed with tools that cycle through many possible character, number, and symbol combinations to guess a password. Since the token allows offline checking of PIN, the cracker can keep trying PINS until it is cracked.

Explanation

Explanation: Brute force attacks are performed with tools that cycle through many possible character, number, and symbol combinations to guess a password. Since the token allows offline checking of PIN, the cracker can keep trying PINS until it is cracked.

94. What type of program will record system keystrokes in a text file and e-mail it to the author, and will also delete system logs every five days or whenever a backup is performed?

Virus

Back door.

Logic bomb.

Worm.

A logic bomb is a special kind of virus or Trojan horse that is set to go off following a preset time interval, or following a pre-set combination of keyboard strokes. Some unethical advertisers use logic bombs to deliver the right pop-up advertisement following a keystroke, and some disgruntled employees set up logic bombs to go off to sabotage their company's computers if they feel termination is imminent.

Explanation

A logic bomb is a special kind of virus or Trojan horse that is set to go off following a preset time interval, or following a pre-set combination of keyboard strokes. Some unethical advertisers use logic bombs to deliver the right pop-up advertisement following a keystroke, and some disgruntled employees set up logic bombs to go off to sabotage their company's computers if they feel termination is imminent.

95. Which of the following best describes TCP/IP (Transmission Control Protocol/Internet Protocol) session hijacking?

A detailed site on how to hijack a TCP/IP a session can be found at: http://staff.washington.edu/dittrich/talks/qsm-sec/script.html

Explanation

A detailed site on how to hijack a TCP/IP a session can be found at: http://staff.washington.edu/dittrich/talks/qsm-sec/script.html

96. It has come to your attention that the telephone account for the employees in your department is extremely high. You check the print out and discover that 4,500 text messages is sent daily to random numbers. What is the best option to stop this excessive text messaging?

This can be accomplished by installing personal firewalls on the mobile phones.

This can be accomplished by installing HIDS on the mobile phones.

This can be accomplished by installing logging software on the mobile phones.

This can be accomplished by installing antivirus software on the mobile phones.

Installing antivirus software on the mobile phones is the best option to stop the excessive text messaging. Antivirus software can detect and block any malicious apps or software that may be causing the excessive texting. It can also prevent any unauthorized or suspicious activity on the phones, including sending text messages to random numbers. By installing antivirus software, the phones will be protected from any potential threats or unauthorized activities, ultimately reducing the excessive text messaging.

Explanation

Installing antivirus software on the mobile phones is the best option to stop the excessive text messaging. Antivirus software can detect and block any malicious apps or software that may be causing the excessive texting. It can also prevent any unauthorized or suspicious activity on the phones, including sending text messages to random numbers. By installing antivirus software, the phones will be protected from any potential threats or unauthorized activities, ultimately reducing the excessive text messaging.

97. Identify the techniques apart from bribery and forgery that attackers use to socially engineer people? (Choose TWO)

Flattery is a most common method.

Dumpster diving is a most common method.

Phreaking is a most common method.

Assuming a position of authority is a most common method.

Who is search is a most common method.

not-available-via-ai

Explanation

not-available-via-ai

Submit

98. Which of the following is a DoS exploit that sends more traffic to a node than anticipated?

Ping of death

Buffer Overflow

Logic Bomb

Smurf

None of the Above

Buffer overflows occur when an application receives more data than it is programmed to accept. This situation can cause an application to terminate. The termination may leave the system sending the data with temporary access to privileged levels in the attacked system.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 135

Explanation

Buffer overflows occur when an application receives more data than it is programmed to accept. This situation can cause an application to terminate. The termination may leave the system sending the data with temporary access to privileged levels in the attacked system.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 135

99. What is a piece of malicious code that has no productive purpose but can replicate itself and exist only to damage computer systems or create further vulnerabilities called?

Logic Bomb

Worm

Trojan Horse

SYN flood

Virus

A virus is a piece of software designed to infect a computer system. The virus may do nothing more than reside on the computer. A virus may also damage the data on your hard disk, destroy your operating system, and possibly spread to other systems.
Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 76

Explanation

A virus is a piece of software designed to infect a computer system. The virus may do nothing more than reside on the computer. A virus may also damage the data on your hard disk, destroy your operating system, and possibly spread to other systems.
Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 76

100. What is an attach in which the attacker spoofs the source IP address in an ICMP ECHO broadcast packet so it seems to have originated at the victim's system, in order to flood it with REPLY packets called?

SYN flood attack

Smurf attack

Ping of Dead Attack

Denial of Service (DOS) Attack

A Smurf attack is a type of denial of service (DOS) attack where the attacker spoofs the source IP address in an ICMP ECHO broadcast packet to make it appear as if it originated from the victim's system. The attacker then sends a large number of these packets to a network's broadcast address, causing all devices on the network to respond with ICMP REPLY packets to the victim's system. This flood of REPLY packets overwhelms the victim's system, resulting in a denial of service.

Explanation

A Smurf attack is a type of denial of service (DOS) attack where the attacker spoofs the source IP address in an ICMP ECHO broadcast packet to make it appear as if it originated from the victim's system. The attacker then sends a large number of these packets to a network's broadcast address, causing all devices on the network to respond with ICMP REPLY packets to the victim's system. This flood of REPLY packets overwhelms the victim's system, resulting in a denial of service.

CompTIA And Security Exam 2