CompTIA Security+ Practice Exam (2)

1. Why does social engineering attacks often succeed?

Strong passwords are not required

Lack of security awareness

Multiple logins are allowed

Audit logs are not monitored frequently

Social engineering attacks work because of the availability heuristic, law of reciprocity, and law of consistency. In the past people have had experiences where a co-worker with a legitimate problem asked for help and been grateful for it. So by consistency, they feel the urge to help others again the way they've helped out somebody in the past. By availability, when someone asks for help, they associate that ask for help for every legitimate cry for help, and times when they needed help themselves and were helped; so essentially they're being a good Samaritan. If an awareness program were to be implemented where employees could be aware of social engineering tactics, they would be more likely to think about them, and be more suspect of an attack when someone does ask for a favor. With this knowledge in intuition, an employee will make a smarter decision.

Explanation

Social engineering attacks work because of the availability heuristic, law of reciprocity, and law of consistency. In the past people have had experiences where a co-worker with a legitimate problem asked for help and been grateful for it. So by consistency, they feel the urge to help others again the way they've helped out somebody in the past. By availability, when someone asks for help, they associate that ask for help for every legitimate cry for help, and times when they needed help themselves and were helped; so essentially they're being a good Samaritan. If an awareness program were to be implemented where employees could be aware of social engineering tactics, they would be more likely to think about them, and be more suspect of an attack when someone does ask for a favor. With this knowledge in intuition, an employee will make a smarter decision.

2. How can you monitor the online activities of a user?

Viruses will permit monitoring of online activities.

Spy ware will permit monitoring of online activities.

Logic bomb will permit monitoring of online activities.

Worms will permit monitoring of online activities.

Spyware is a type of software that is designed to collect information about a user's online activities without their knowledge or consent. It can track websites visited, keystrokes typed, and even capture screenshots or record audio. This makes it an effective tool for monitoring someone's online activities. Viruses, logic bombs, and worms are malicious software that can cause harm to a computer system, but they do not specifically enable monitoring of online activities.

Explanation

Spyware is a type of software that is designed to collect information about a user's online activities without their knowledge or consent. It can track websites visited, keystrokes typed, and even capture screenshots or record audio. This makes it an effective tool for monitoring someone's online activities. Viruses, logic bombs, and worms are malicious software that can cause harm to a computer system, but they do not specifically enable monitoring of online activities.

3. Which of the following is the most effective defense against a social engineering attack?

Marking of documents

Escorting of guests

Badge security system

Training and awareness

The only preventative measure in dealing with social engineering attacks is to educate your users and staff to never give out passwords and user Ids over the phone, via e-mail, or to anyone who is not positively verified as being who they say they are. Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 87

Explanation

The only preventative measure in dealing with social engineering attacks is to educate your users and staff to never give out passwords and user Ids over the phone, via e-mail, or to anyone who is not positively verified as being who they say they are. Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 87

4. Which of the following occurs when a string of data is sent to a buffer that is larger than the buffer was designed to handle?

Brute Force attack

Spoofing attack

Buffer overflow

Man in the middle attack

SYN flood

Buffer overflows occur when an application receives more data than it is programmed to accept. This situation can cause an application to terminate. The termination may leave the system sending the data with temporary access to privileged levels in the attacked system.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 135

Explanation

Buffer overflows occur when an application receives more data than it is programmed to accept. This situation can cause an application to terminate. The termination may leave the system sending the data with temporary access to privileged levels in the attacked system.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 135

5. Which of the following attacks attempts to crack passwords

SMURF

Dictionary

Teardrop

Spamming

Dictionaries may be used in a cracking program to determine passwords. A short dictionary attack involves trying a list of hundreds or thousands of words that are frequently chosen as passwords against several systems. Although most systems resist such attacks, some do not. In one case, one system in five yielded to a particular dictionary attack.

Explanation

Dictionaries may be used in a cracking program to determine passwords. A short dictionary attack involves trying a list of hundreds or thousands of words that are frequently chosen as passwords against several systems. Although most systems resist such attacks, some do not. In one case, one system in five yielded to a particular dictionary attack.

6. Identify the attack where the purpose is to stop a workstation or service from functioning?

This attack is known as non-repudiation.

This attack is known as TCP/IP hijacking.

This attack is known as denial of service (DoS).

This attack is known as brute force.

Denial of Service (DoS) attack is a type of attack where the purpose is to stop a workstation or service from functioning. It is achieved by overwhelming the target system with a flood of illegitimate requests or by exploiting vulnerabilities in the system to exhaust its resources. This attack is not related to non-repudiation, TCP/IP hijacking, or brute force.

Explanation

Denial of Service (DoS) attack is a type of attack where the purpose is to stop a workstation or service from functioning. It is achieved by overwhelming the target system with a flood of illegitimate requests or by exploiting vulnerabilities in the system to exhaust its resources. This attack is not related to non-repudiation, TCP/IP hijacking, or brute force.

7. With regards to the use of Instant Messaging, which of the following type of attack can best be guarded against by user awareness training?

Social engineering

Stealth

Ambush

Multi-prolonged

The only preventative measure in dealing with social engineering attacks is to educate your users and staff to never give out passwords and user Ids over the phone, via e-mail, or to anyone who is not positively verified as being who they say they are.

Reference:
Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 87

Explanation

The only preventative measure in dealing with social engineering attacks is to educate your users and staff to never give out passwords and user Ids over the phone, via e-mail, or to anyone who is not positively verified as being who they say they are.

Reference:
Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 87

8. Which of the following type of attack CANNOT be deterred solely through technical means?

Dictionary.

Man in the middle.

DoS (Denial of Service).

Social engineering.

Because of human rights laws, it is unlawful to use technology to directly control people's emotions and behaviors. For this reason social engineering attacks cannot be deterred through technical means.

Explanation

Because of human rights laws, it is unlawful to use technology to directly control people's emotions and behaviors. For this reason social engineering attacks cannot be deterred through technical means.

9. The system administrator of the company has resigned. When the administrator's user ID is deleted, the system suddenly begins deleting files. What type of malicious code is this?

Logic bomb

Virus

Worm

When the system administrator's user ID is deleted and the system starts deleting files, it indicates the presence of a logic bomb. A logic bomb is a type of malicious code that is intentionally inserted into a system and remains dormant until triggered by a specific event or condition. In this case, the logic bomb was programmed to activate when the administrator's user ID was deleted, causing the system to initiate the deletion of files.

Explanation

When the system administrator's user ID is deleted and the system starts deleting files, it indicates the presence of a logic bomb. A logic bomb is a type of malicious code that is intentionally inserted into a system and remains dormant until triggered by a specific event or condition. In this case, the logic bomb was programmed to activate when the administrator's user ID was deleted, causing the system to initiate the deletion of files.

10. What is the scenario named where a user receives an e-mail requesting personal data as well as bank account details?

This can be described as a hoax.

This can be described as packet sniffing.

This can be described as phishing.

This can be described as spam.

Phishing is a type of cyber attack where the attacker sends fraudulent emails or messages to trick the recipient into revealing sensitive information such as personal data and bank account details. The attacker often pretends to be a trustworthy entity in order to deceive the user. In this scenario, the user receiving an email requesting personal data and bank account details is a clear example of a phishing attempt.

Explanation

Phishing is a type of cyber attack where the attacker sends fraudulent emails or messages to trick the recipient into revealing sensitive information such as personal data and bank account details. The attacker often pretends to be a trustworthy entity in order to deceive the user. In this scenario, the user receiving an email requesting personal data and bank account details is a clear example of a phishing attempt.

11. Which of the following is the major difference between a worm and a Trojan horse?

Worms are spread via e-mail while Trojan horses are not.

Worms are self replicating while Trojan horses are not.

Worms are a form of malicious code while Trojan horses are not.

There is no difference.

A worm is different from a virus. Worms reproduce themselves, are self-contained and do not need a host application to be transported. The Trojan horse program may be installed as part of an installation process. They do not reproduce or self replicate.

Reference:
Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, pp 83, 85

Explanation

A worm is different from a virus. Worms reproduce themselves, are self-contained and do not need a host application to be transported. The Trojan horse program may be installed as part of an installation process. They do not reproduce or self replicate.

Reference:
Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, pp 83, 85

12. In which of the following would an attacker impersonate a dissatisfied customer of a company and requesting a password change on the customer's account?

Hostile code.

Social engineering.

IP (Internet Protocol) spoofing.

Man in the middle attack.

Social engineering is using deception to engineer human emotions into granting access.

Explanation

Social engineering is using deception to engineer human emotions into granting access.

13. You are the network administrator at Certkiller .com. During a routing site audit of Certkiller 's wireless network, you discover an unauthorized Access Point under the desk of Sales department user. When questioned, she denies any knowledge of it, but informs you that her new boyfriend has been to visit her several times, including taking her to lunch one time. What type of attack have you become a victim of?

Halloween attack

Phone tag

Replay attack

Social Engineering

IP Spoofing.

Social engineering is a process where an attacker attempts to acquire information about your network and system by talking to people in the organization. A social engineering attack may occur over the phone, be e-mail, or by a visit. Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 87

Explanation

Social engineering is a process where an attacker attempts to acquire information about your network and system by talking to people in the organization. A social engineering attack may occur over the phone, be e-mail, or by a visit. Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 87

14. What is used in a distributed denial of service (DDOS) attack?

DDOS makes use of Botnet.

DDOS makes use of Phishing.

DDOS makes use of Adware.

DDOS makes use of Trojan.

A distributed denial of service (DDOS) attack uses a botnet, which is a network of compromised computers or devices that are controlled by an attacker. The attacker uses the botnet to flood a target system or network with a large amount of traffic, overwhelming its resources and causing it to become unavailable to legitimate users. This is done by infecting and taking control of multiple devices, such as computers, servers, or IoT devices, and coordinating them to send a massive amount of requests or data to the target. The use of a botnet allows the attacker to amplify the impact of the attack and make it more difficult to mitigate.

Explanation

A distributed denial of service (DDOS) attack uses a botnet, which is a network of compromised computers or devices that are controlled by an attacker. The attacker uses the botnet to flood a target system or network with a large amount of traffic, overwhelming its resources and causing it to become unavailable to legitimate users. This is done by infecting and taking control of multiple devices, such as computers, servers, or IoT devices, and coordinating them to send a massive amount of requests or data to the target. The use of a botnet allows the attacker to amplify the impact of the attack and make it more difficult to mitigate.

15. It has come to your attention that numerous e-mails are received from an ex employee. You need to determine whether the e-mails originated internally?

This can be accomplished by viewing the from line of the e-mails.

This can be accomplished by reviewing anti-virus logs on the ex employees computer.

This can be accomplished by replying to the e-mail and checking the destination e-mail address.

This can be accomplished by looking at the source IP address in the SMTP header of the e-mails.

By looking at the source IP address in the SMTP header of the emails, it is possible to determine whether the emails originated internally. The source IP address reveals the location from where the emails were sent, allowing for identification of whether they were sent from within the organization or from an external source. This method is reliable as it provides concrete evidence about the origin of the emails.

Explanation

By looking at the source IP address in the SMTP header of the emails, it is possible to determine whether the emails originated internally. The source IP address reveals the location from where the emails were sent, allowing for identification of whether they were sent from within the organization or from an external source. This method is reliable as it provides concrete evidence about the origin of the emails.

16. Which programming mechanism should be used to permit administrative access whilst bypassing the usual access control methods?

It is known as a logic bomb.

It is known as a back door.

It is known as a Trojan horse.

It is known as software exploit.

A back door is a programming mechanism that allows administrative access to a system while bypassing the usual access control methods. It is typically used by system administrators or developers to gain unauthorized access to a system for legitimate purposes, such as troubleshooting or maintenance. However, back doors can also be exploited by malicious individuals to gain unauthorized access to a system and carry out malicious activities. Therefore, it is important for system administrators to regularly monitor and secure their systems to prevent unauthorized access through back doors.

Explanation

A back door is a programming mechanism that allows administrative access to a system while bypassing the usual access control methods. It is typically used by system administrators or developers to gain unauthorized access to a system for legitimate purposes, such as troubleshooting or maintenance. However, back doors can also be exploited by malicious individuals to gain unauthorized access to a system and carry out malicious activities. Therefore, it is important for system administrators to regularly monitor and secure their systems to prevent unauthorized access through back doors.

17. A server or application that accepts more input than the server or application is expecting is known as:

It is known as a Denial of service (DoS).

It is known as a Buffer overflow.

It is known as a Brute force.

It is known as a Syntax error.

A server or application that accepts more input than it is expecting can lead to a buffer overflow. This occurs when the input data exceeds the allocated buffer size, causing the excess data to overwrite adjacent memory locations. This can result in the corruption of data, crashing of the server or application, and even potential security vulnerabilities.

Explanation

A server or application that accepts more input than it is expecting can lead to a buffer overflow. This occurs when the input data exceeds the allocated buffer size, causing the excess data to overwrite adjacent memory locations. This can result in the corruption of data, crashing of the server or application, and even potential security vulnerabilities.

18. What would a user's best plan of action be on receiving an e-mail message warning of a virus that may have accidentally been sent in the past, and suggesting that the user to delete a specific file if it appears on the user's computer?

Check for the file and delete it immediately.

Check for the file, delete it immediately and copy the e-mail to all distribution lists.

Report the contents of the message to the network administrator.

Ignore the message. This is a virus hoax and no action is required

In such a scenario the most rational answer is to tell your network administrator. Most network administrators don't have much to do most of the day, so they live for an opportunity like this. Incorrect Answers: Deleting the file wouldn't be good, because deleting a file doesn't necessarily eliminate a problem, as it could put it to your email trash folder, or to your recycle bin. This will give you a false sense of security, and work against the process of containment. Copying the email to all distribution lists, is another mistake, because if indeed the email does contain a virus, you'll only spread it. Ignoring the problem isn't a good problem, although virus hoaxes are common, all it takes is one real virus to cause a mini-disaster.

Explanation

In such a scenario the most rational answer is to tell your network administrator. Most network administrators don't have much to do most of the day, so they live for an opportunity like this. Incorrect Answers: Deleting the file wouldn't be good, because deleting a file doesn't necessarily eliminate a problem, as it could put it to your email trash folder, or to your recycle bin. This will give you a false sense of security, and work against the process of containment. Copying the email to all distribution lists, is another mistake, because if indeed the email does contain a virus, you'll only spread it. Ignoring the problem isn't a good problem, although virus hoaxes are common, all it takes is one real virus to cause a mini-disaster.

19. Which malicious software can be transmitted across computer networks without user intervention?

A worm can be transmitted without user intervention.

A virus can be transmitted without user intervention.

A logic bomb can be transmitted without user intervention.

A Trojan horse can be transmitted without user intervention.

A worm is a type of malicious software that can spread across computer networks without any user intervention. Unlike viruses or Trojan horses, worms do not require any action from the user, such as opening an infected file or clicking on a malicious link. They can exploit vulnerabilities in computer systems or network protocols to automatically replicate and spread to other computers. This makes worms highly effective in quickly infecting a large number of computers and causing widespread damage.

Explanation

A worm is a type of malicious software that can spread across computer networks without any user intervention. Unlike viruses or Trojan horses, worms do not require any action from the user, such as opening an infected file or clicking on a malicious link. They can exploit vulnerabilities in computer systems or network protocols to automatically replicate and spread to other computers. This makes worms highly effective in quickly infecting a large number of computers and causing widespread damage.

20. Which of the following is an example of the theft of network passwords without the use of software tools?

Trojan programs.

Social engineering.

Sniffing.

Hacking.

Social engineering is any means of using people to seek out information. These people practice espionage to: break in without detection, disguise themselves in, trick others into giving them access, or trick others into giving them information.

Explanation

Social engineering is any means of using people to seek out information. These people practice espionage to: break in without detection, disguise themselves in, trick others into giving them access, or trick others into giving them information.

21. Identify the malicious software that can be transmitted across computer networks without needing a client to distribute the software?

A Worm can be transmitted across computer networks without needing a client to distribute software.

A Virus can be transmitted across computer networks without needing a client to distribute software.

A Logic bomb can be transmitted across computer networks without needing a client to distribute software.

A Trojan horse can be transmitted across computer networks without needing a client to distribute software.

A worm is a type of malicious software that can self-replicate and spread across computer networks without the need for a client to distribute it. Unlike viruses, which require a host file or program to attach themselves to, worms can independently move from one system to another through network connections. They exploit vulnerabilities in operating systems or network protocols to propagate and can cause significant damage by consuming network bandwidth, slowing down systems, or even deleting files. Therefore, a worm is the correct answer as it fits the description of being able to spread across computer networks without relying on a client.

Explanation

A worm is a type of malicious software that can self-replicate and spread across computer networks without the need for a client to distribute it. Unlike viruses, which require a host file or program to attach themselves to, worms can independently move from one system to another through network connections. They exploit vulnerabilities in operating systems or network protocols to propagate and can cause significant damage by consuming network bandwidth, slowing down systems, or even deleting files. Therefore, a worm is the correct answer as it fits the description of being able to spread across computer networks without relying on a client.

22. Identify the malicious code that enters the system via a freely distributed game that is purposely installed and played?

It can enter a system by means of a logic bomb.

It can enter a system by means of a Trojan horse.

It can enter a system by means of a worm.

It can enter a system by means of an e-mail attachment.

A Trojan horse is a type of malicious code that disguises itself as a harmless program or file. In this scenario, the malicious code enters the system through a freely distributed game that is intentionally installed and played by the user. The user may be unaware that the game contains a hidden Trojan horse, which allows the malicious code to gain unauthorized access to the system and potentially cause harm or steal sensitive information.

Explanation

A Trojan horse is a type of malicious code that disguises itself as a harmless program or file. In this scenario, the malicious code enters the system through a freely distributed game that is intentionally installed and played by the user. The user may be unaware that the game contains a hidden Trojan horse, which allows the malicious code to gain unauthorized access to the system and potentially cause harm or steal sensitive information.

23. Identify a port scanning tool?

Nmap is port scanning tool.

Cain & Abel is port scanning tool.

L0phtcrack is port scanning tool.

John the Ripper is port scanning tool.

Nmap is a widely used and highly regarded port scanning tool. It is designed to scan and discover open ports on a network, providing information about the services running on those ports. Nmap offers a range of scanning techniques and advanced features, making it a powerful tool for network administrators and security professionals.

Explanation

Nmap is a widely used and highly regarded port scanning tool. It is designed to scan and discover open ports on a network, providing information about the services running on those ports. Nmap offers a range of scanning techniques and advanced features, making it a powerful tool for network administrators and security professionals.

24. What is an application that appears to perform a useful function but instead contains some sort of malicious code called?

Worm

SYN flood

Virus

Trojan Horse

Logic Bomb

A Trojan horse attaches itself to another file, such as a word processing document. Trojan horses may also arrive as part of an e-mail for free game, software, or other file. When the Trojan horse activates and performs its task, it infects all of the word processing or template files. Consequently, every new file will carry the Trojan horse. The Trojan horse may not be visible because it masks itself inside of a legitimate program.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 80

Explanation

A Trojan horse attaches itself to another file, such as a word processing document. Trojan horses may also arrive as part of an e-mail for free game, software, or other file. When the Trojan horse activates and performs its task, it infects all of the word processing or template files. Consequently, every new file will carry the Trojan horse. The Trojan horse may not be visible because it masks itself inside of a legitimate program.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 80

25. Which program replicate independently across networks?

Spyware will replicate independently.

Worm will replicate independently.

Trojan horse will replicate independently.

Virus will replicate independently.

Worms are a type of malware that can replicate and spread independently across networks without the need for any user action. Unlike viruses, which require a host file or program to attach themselves to, worms are standalone programs that can self-replicate and spread to other computers or devices connected to the same network. Spyware, Trojan horses, and viruses may also replicate, but they typically require some form of user action or interaction to spread.

Explanation

Worms are a type of malware that can replicate and spread independently across networks without the need for any user action. Unlike viruses, which require a host file or program to attach themselves to, worms are standalone programs that can self-replicate and spread to other computers or devices connected to the same network. Spyware, Trojan horses, and viruses may also replicate, but they typically require some form of user action or interaction to spread.

26. Identify the malicious code that does not need human involvement to install itself and to spread?

A Virus does not need human involvement.

A Trojan horse does not need human involvement.

A Logic bomb does not need human involvement.

A Worm does not need human involvement.

A worm is a type of malicious code that can self-replicate and spread across computer networks without any human involvement. Unlike viruses or Trojan horses, worms can exploit vulnerabilities in computer systems to automatically install themselves and propagate to other connected devices. They can spread rapidly and cause significant damage by consuming network bandwidth, overloading servers, or compromising sensitive data. Therefore, a worm is the correct answer as it is capable of independently infecting and spreading without the need for human interaction.

Explanation

A worm is a type of malicious code that can self-replicate and spread across computer networks without any human involvement. Unlike viruses or Trojan horses, worms can exploit vulnerabilities in computer systems to automatically install themselves and propagate to other connected devices. They can spread rapidly and cause significant damage by consuming network bandwidth, overloading servers, or compromising sensitive data. Therefore, a worm is the correct answer as it is capable of independently infecting and spreading without the need for human interaction.

27. You configure a computer to act as a zombie set in order to attack a web server on a specific date. What would this contaminated computer be part of?

The computer is part of a DDoS attack.

The computer is part of a TCP/IP hijacking.

The computer is part of a spoofing attack.

The computer is part of a man-in-the-middle attack.

The given correct answer suggests that the contaminated computer is part of a DDoS attack. A DDoS (Distributed Denial of Service) attack is a malicious attempt to disrupt the normal functioning of a network, service, or website by overwhelming it with a flood of internet traffic from multiple sources. In this scenario, the computer has been configured to act as a "zombie" or part of a botnet, which is a network of infected computers controlled by an attacker. These infected computers, including the one in question, are used to send a massive amount of traffic to the target web server, causing it to become overwhelmed and unavailable to legitimate users.

Explanation

The given correct answer suggests that the contaminated computer is part of a DDoS attack. A DDoS (Distributed Denial of Service) attack is a malicious attempt to disrupt the normal functioning of a network, service, or website by overwhelming it with a flood of internet traffic from multiple sources. In this scenario, the computer has been configured to act as a "zombie" or part of a botnet, which is a network of infected computers controlled by an attacker. These infected computers, including the one in question, are used to send a massive amount of traffic to the target web server, causing it to become overwhelmed and unavailable to legitimate users.

28. Which of the following can distribute itself without using a host file?

Virus.

Trojan horse.

Logic bomb.

Worm.

Worms are dangerous because they can enter a system by exploiting a 'hole' in an operating system. They don't' need a host file, and they don't need any user intervention to replicate by themselves. Some infamous worms were: Morris, Badtrans, Nimda, and Code Red.

Explanation

Worms are dangerous because they can enter a system by exploiting a 'hole' in an operating system. They don't' need a host file, and they don't need any user intervention to replicate by themselves. Some infamous worms were: Morris, Badtrans, Nimda, and Code Red.

29. What is a piece of code that appears to do something useful while performing a harmful and unexpected function like stealing passwords called?

Virus

Logic bomb

Worm

Trojan horse

Trojan horses are programs that enter a system or network under the guise of another program. A Trojan Horse may be included as an attachment or as part of an installation program. The Trojan Horse could create a back door or replace a valid program during installation. The Trojan Program would then accomplish its mission under the guise of another program. Trojan Horses can be used to compromise the security of your system and they can exist on a system for years before they are detected.

Reference:
Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 84

Explanation

Trojan horses are programs that enter a system or network under the guise of another program. A Trojan Horse may be included as an attachment or as part of an installation program. The Trojan Horse could create a back door or replace a valid program during installation. The Trojan Program would then accomplish its mission under the guise of another program. Trojan Horses can be used to compromise the security of your system and they can exist on a system for years before they are detected.

Reference:
Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 84

30. What is a program that appears to be useful but contains hidden code that allows unauthorized individuals to exploit or destroy data is commonly known?

A virus

A Trojan horse

A worm

A back door

A Trojan horse is a program that appears to be useful but contains hidden code that allows unauthorized individuals to exploit or destroy data. Unlike a virus or a worm, a Trojan horse does not replicate itself. Instead, it tricks the user into believing it is a legitimate program and once installed, it can give unauthorized access to the attacker or cause harm to the user's data. A back door, on the other hand, refers to a hidden entry point in a system that allows unauthorized access, but it is not specifically designed to appear useful like a Trojan horse.

Explanation

A Trojan horse is a program that appears to be useful but contains hidden code that allows unauthorized individuals to exploit or destroy data. Unlike a virus or a worm, a Trojan horse does not replicate itself. Instead, it tricks the user into believing it is a legitimate program and once installed, it can give unauthorized access to the attacker or cause harm to the user's data. A back door, on the other hand, refers to a hidden entry point in a system that allows unauthorized access, but it is not specifically designed to appear useful like a Trojan horse.

31. In which of the following does someone use an application to capture and manipulate packets as they are passing through your network?

DDos

Back Door

Man in the Middle

Spoofing

The method used in these attacks places a piece of software between a server and the user. The software intercepts and then sends the information to the server. The server responds back to the software, thinking it is the legitimate client. The attacking software then sends this information on to the server, etc. The man in the middle software may be recording this information, altering it, or in some other way compromising the security of your system.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 57

Explanation

The method used in these attacks places a piece of software between a server and the user. The software intercepts and then sends the information to the server. The server responds back to the software, thinking it is the legitimate client. The attacking software then sends this information on to the server, etc. The man in the middle software may be recording this information, altering it, or in some other way compromising the security of your system.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 57

32. Which of the following is a security breach that does not usually result in the theft of information or other security loss but the lack of legitimate use of that system?

CRL

DoS

ACL

MD2

None of the above

DOS attacks prevent access to resources by users authorized to use those resources. An attacker may attempt to bring down an e-commerce website to prevent or deny usage by legitimate customers.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 53

Explanation

DOS attacks prevent access to resources by users authorized to use those resources. An attacker may attempt to bring down an e-commerce website to prevent or deny usage by legitimate customers.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 53

33. In which of the following attacks does the attacker pretend to be a legitimate user?

Aliasing

Spoofing

Flooding

Redirecting

None of the Above

A spoofing attack is simple an attempt by someone or something masquerading as someone else. This type of attack is usually considered an access attack.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 56

Explanation

A spoofing attack is simple an attempt by someone or something masquerading as someone else. This type of attack is usually considered an access attack.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 56

34. What is usually the goal of TCP (transmission Control Protocol) session hijacking?

Taking over a legitimate TCP (transmission Control Protocol) connection.

Predicting the TCP (transmission Control Protocol) sequence number.

Identifying the TCP (transmission Control Protocol) port for future exploitation.

Identifying source addresses for malicious use.

None of the Above

The TCP/IP (Transmission Control Protocol/Internet Protocol) session state is altered in a way that intercepts legitimate packets and allows a third party host to insert acceptable packets. Thus hijacking the conversation, and continuing the conversation under the disguise of the legitimate party, and taking advantage of the trust bond.

Explanation

The TCP/IP (Transmission Control Protocol/Internet Protocol) session state is altered in a way that intercepts legitimate packets and allows a third party host to insert acceptable packets. Thus hijacking the conversation, and continuing the conversation under the disguise of the legitimate party, and taking advantage of the trust bond.

35. Identify the methods of password guessing that needs the longest attack time?

Brute force needs the longest attack time.

Dictionary needs the longest attack time.

Rainbow needs the longest attack time.

Birthday needs the longest attack time.

Brute force is a method of password guessing where all possible combinations of characters are tried until the correct password is found. This method requires the longest attack time because it systematically checks every possible combination, which can be time-consuming and resource-intensive. Dictionary, rainbow, and birthday attacks are more efficient methods that exploit patterns or precomputed tables, making them faster than brute force.

Explanation

Brute force is a method of password guessing where all possible combinations of characters are tried until the correct password is found. This method requires the longest attack time because it systematically checks every possible combination, which can be time-consuming and resource-intensive. Dictionary, rainbow, and birthday attacks are more efficient methods that exploit patterns or precomputed tables, making them faster than brute force.

36. What do intruders use most often to gain unauthorized-access to a system?

Brute force attack.

Key logging

Trojan horse.

Social engineering.

Social engineering is a process where an attacker attempts to acquire information about your network and system by talking to people in the organization. A social engineering attack may occur over the phone, by e-mail, or by a visit. The answer is not written in the book, but the easiest way to gain information would be social engineering.

Reference:
Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 87

Explanation

Social engineering is a process where an attacker attempts to acquire information about your network and system by talking to people in the organization. A social engineering attack may occur over the phone, by e-mail, or by a visit. The answer is not written in the book, but the easiest way to gain information would be social engineering.

Reference:
Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 87

37. Which of the following measures can be used to guard against a social engineering attack?

Education, limit available information and security policy.

Education, firewalls and security policy.

Security policy, firewalls and incident response.

Security policy, system logging and incident response.

A seems to be the best answer. The other answers involving objects and social engineering are verbal attacks.

Explanation

A seems to be the best answer. The other answers involving objects and social engineering are verbal attacks.

38. In an IP (Internet Protocol) spoofing attack, what field of an IP (Internet Protocol) packet does the attacker manipulate?

The version field.

The source address field.

The source port field.

The destination address field.

In IP Spoofing a hacker tries to gain access to a network by pretending his or her machine has the same network address as the internal network.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 515

Explanation

In IP Spoofing a hacker tries to gain access to a network by pretending his or her machine has the same network address as the internal network.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 515

39. What is the process of forging an IP (Internet Protocol) address to impersonate another machine called?

TCP/IP (Transmission Control Protocol/Internet Protocol) hijacking

IP (Internet Protocol) spoofing

Replay

Man in the middle

The word spoofing was popularized in the air-force. When a fighter jet notices an enemy missile (air-to-air or surface-to-air) coming, the pilot will fire off a flair or a chaff (depending on whether or not the missile is heat seeking or radar guided) to spoof (trick) the missile into going after the wrong target. IP spoofing works the same way, and is commonly used by computer hackers because it's easy to implement, it takes advantage of someone else's trust relationship, it makes it harder to identify the source of the true attack, and it focuses attention away to an innocent 3rd party.

Explanation

The word spoofing was popularized in the air-force. When a fighter jet notices an enemy missile (air-to-air or surface-to-air) coming, the pilot will fire off a flair or a chaff (depending on whether or not the missile is heat seeking or radar guided) to spoof (trick) the missile into going after the wrong target. IP spoofing works the same way, and is commonly used by computer hackers because it's easy to implement, it takes advantage of someone else's trust relationship, it makes it harder to identify the source of the true attack, and it focuses attention away to an innocent 3rd party.

40. Which of the following is a DoS (Denial of Service) attack that exploits TCP's (Transmission Control Protocol) three-way handshake for new connections?

SYN (Synchronize) flood.

Ping of death attack.

Land attack.

Buffer overflow attack.

None of the Above

The SYN flood attack works when a source system floods and end system with TCP SYN requests, but intentionally does not send out acknowledgements (ACK). Since TCP needs confirmation, the receiving computer is stuck with half-open TCP sessions, just waiting for acknowledgement so it can reset the port. Meanwhile the connection buffer is being overflowed, making it difficult or impossible for valid users to connect, therefore their service is denied.

Explanation

The SYN flood attack works when a source system floods and end system with TCP SYN requests, but intentionally does not send out acknowledgements (ACK). Since TCP needs confirmation, the receiving computer is stuck with half-open TCP sessions, just waiting for acknowledgement so it can reset the port. Meanwhile the connection buffer is being overflowed, making it difficult or impossible for valid users to connect, therefore their service is denied.

41. Which type of attack is based on the probability of two different messages using the same hash function producing a common message digest?

Differential cryptanalysis

Differential linear cryptanalysis

Birthday attack

Statistical attack

A good hashing algorithm should not produce the same hash value for two different messages. If the algorithm does produce the same value for two distinctly different messages, it is referred to as a collision. If an attacker finds an instance of a collision, he has more information to use when trying to break the cryptographic methods used. A complex way of attacking a one-way hash function is called the birthday attack. If an attacker has one hash value and wants to find a message that hashes to the same hash value, this process could take him years. However, if he just wants to find any two messages with the same hashing value, it could take him only a couple hours.

Explanation

A good hashing algorithm should not produce the same hash value for two different messages. If the algorithm does produce the same value for two distinctly different messages, it is referred to as a collision. If an attacker finds an instance of a collision, he has more information to use when trying to break the cryptographic methods used. A complex way of attacking a one-way hash function is called the birthday attack. If an attacker has one hash value and wants to find a message that hashes to the same hash value, this process could take him years. However, if he just wants to find any two messages with the same hashing value, it could take him only a couple hours.

42. What is used to verify the equipment status and modify the configuration or settings of network gadgets?

This can be accomplished by using SNMP.

This can be accomplished by using SMTP.

This can be accomplished by using CHAP.

This can be accomplished by using DHCP.

SNMP (Simple Network Management Protocol) is used to verify the equipment status and modify the configuration or settings of network gadgets. SNMP allows network administrators to monitor and manage network devices remotely. It provides a standardized way to collect and organize information about network devices, such as routers, switches, and servers. With SNMP, administrators can monitor device performance, track network traffic, and make configuration changes as needed. SNMP uses a manager-agent model, where the manager collects information from agents running on network devices.

Explanation

SNMP (Simple Network Management Protocol) is used to verify the equipment status and modify the configuration or settings of network gadgets. SNMP allows network administrators to monitor and manage network devices remotely. It provides a standardized way to collect and organize information about network devices, such as routers, switches, and servers. With SNMP, administrators can monitor device performance, track network traffic, and make configuration changes as needed. SNMP uses a manager-agent model, where the manager collects information from agents running on network devices.

43. Determine the programming method you should use to stop buffer overflow attacks?

You should make use of Automatic updates.

You should make use of Input validation.

You should make use of Signed applets.

You should make use of Nested loops.

To stop buffer overflow attacks, input validation should be used. This involves checking and validating user input to ensure it meets the expected format and length. By validating input, the program can prevent malicious users from inputting data that could overflow the buffer and potentially execute arbitrary code. Automatic updates, signed applets, and nested loops are not directly related to preventing buffer overflow attacks.

Explanation

To stop buffer overflow attacks, input validation should be used. This involves checking and validating user input to ensure it meets the expected format and length. By validating input, the program can prevent malicious users from inputting data that could overflow the buffer and potentially execute arbitrary code. Automatic updates, signed applets, and nested loops are not directly related to preventing buffer overflow attacks.

44. What should a network administrator's first course of action be on receiving an e-mail alerting him to the presence of a virus on the system if a specific executable file exists?

Investigate the e-mail as a possible hoax with a reputable anti-virus vendor.

Immediately search for and delete the file if discovered.

Broadcast a message to the entire organization to alert users to the presence of a virus.

Locate and download a patch to repair the file.

If a virus threat is for real, the major anti-virus players like Symantec, McAfee, or Sophos will know about it before you, and they will have details on their sites. Incorrect answers: Searching for and deleting a file is not only a waste of time with today's OS's complex directory systems, but its also ineffective. One can miss a file, the file could be hidden, the wrong file can be deleted, and worst of all: when you delete a file it doesn't really get completely deleted, instead it gets sent to a 'recycle bin.' Broadcasting an alert and creating panic isn't the right thing to do, because it will waste bandwidth, and perhaps terrorizing the users is the original intent of the attack. The act of locating and downloading a patch isn't just time consuming, but there's a chance that the patch itself could be the virus, or the process of resetting the computer could activate the virus.

Explanation

If a virus threat is for real, the major anti-virus players like Symantec, McAfee, or Sophos will know about it before you, and they will have details on their sites. Incorrect answers: Searching for and deleting a file is not only a waste of time with today's OS's complex directory systems, but its also ineffective. One can miss a file, the file could be hidden, the wrong file can be deleted, and worst of all: when you delete a file it doesn't really get completely deleted, instead it gets sent to a 'recycle bin.' Broadcasting an alert and creating panic isn't the right thing to do, because it will waste bandwidth, and perhaps terrorizing the users is the original intent of the attack. The act of locating and downloading a patch isn't just time consuming, but there's a chance that the patch itself could be the virus, or the process of resetting the computer could activate the virus.

45. What results in poor programming techniques and lack of code review?

It can result in the Buffer overflow attack.

It can result in the Dictionary attack.

It can result in the Birthday attack.

It can result in the Common Gateway Interface (CGI) script attack.

Poor programming techniques and lack of code review can result in a buffer overflow attack. This type of attack occurs when a program writes data to a buffer, but exceeds the buffer's capacity, causing the excess data to overwrite adjacent memory locations. This can lead to the execution of malicious code or the corruption of data, potentially compromising the security and stability of the system. Therefore, it is important to follow good programming practices and conduct regular code reviews to prevent such vulnerabilities.

Explanation

Poor programming techniques and lack of code review can result in a buffer overflow attack. This type of attack occurs when a program writes data to a buffer, but exceeds the buffer's capacity, causing the excess data to overwrite adjacent memory locations. This can lead to the execution of malicious code or the corruption of data, potentially compromising the security and stability of the system. Therefore, it is important to follow good programming practices and conduct regular code reviews to prevent such vulnerabilities.

46. Identify the malicious code that enters a system and stay inactive until a user opens that particular program then starts to delete the contents of attached network drives and removable storage devices?

The malicious code is known as logic bomb.

The malicious code is known as Trojan horse.

The malicious code is known as honeypot.

The malicious code is known as worm.

A logic bomb is a type of malicious code that remains inactive until a specific condition is met, in this case, until a user opens a particular program. Once activated, it starts deleting the contents of attached network drives and removable storage devices. Unlike a Trojan horse, which disguises itself as a legitimate program, a logic bomb is specifically designed to cause harm once triggered. A honeypot is a trap set up to detect, deflect, or counteract attempts at unauthorized use of information systems, while a worm is a self-replicating program that spreads over a network without any user interaction. Therefore, the correct answer is logic bomb.

Explanation

A logic bomb is a type of malicious code that remains inactive until a specific condition is met, in this case, until a user opens a particular program. Once activated, it starts deleting the contents of attached network drives and removable storage devices. Unlike a Trojan horse, which disguises itself as a legitimate program, a logic bomb is specifically designed to cause harm once triggered. A honeypot is a trap set up to detect, deflect, or counteract attempts at unauthorized use of information systems, while a worm is a self-replicating program that spreads over a network without any user interaction. Therefore, the correct answer is logic bomb.

47. What is used by anti-virus software to detect unknown viruses?

Zero-day algorithm is used to detect unknown viruses.

Heuristic analysis is used to detect unknown viruses.

Random scanning is used to detect unknown viruses.

Quarantining is used to detect unknown viruses.

Heuristic analysis is used by anti-virus software to detect unknown viruses. This technique involves analyzing the behavior and characteristics of files and programs to identify potential threats. It uses a set of rules and algorithms to determine if a file or program is malicious or suspicious. By comparing the file or program to known patterns and behaviors of viruses, heuristic analysis can detect and block unknown viruses that have not yet been identified by signature-based detection methods. This allows anti-virus software to provide protection against new and emerging threats.

Explanation

Heuristic analysis is used by anti-virus software to detect unknown viruses. This technique involves analyzing the behavior and characteristics of files and programs to identify potential threats. It uses a set of rules and algorithms to determine if a file or program is malicious or suspicious. By comparing the file or program to known patterns and behaviors of viruses, heuristic analysis can detect and block unknown viruses that have not yet been identified by signature-based detection methods. This allows anti-virus software to provide protection against new and emerging threats.

48. You are the network administrator at Certkiller .com. During a routing site audit of Certkiller 's wireless network, you discover an unauthorized Access Point under the desk of Sales department user. When questioned, she denies any knowledge of it, but informs you that her new boyfriend has been to visit her several times, including taking her to lunch one time. What type of attack have you become a victim of?

SYN Flood.

Distributed Denial of Service.

Man in the Middle attack.

TCP Flood.

None of the Above

Social engineering is a process where an attacker attempts to acquire information about your network and system by talking to people in the organization. A social engineering attack may occur over the phone, be e-mail, or by a visit. Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 87

Explanation

Social engineering is a process where an attacker attempts to acquire information about your network and system by talking to people in the organization. A social engineering attack may occur over the phone, be e-mail, or by a visit. Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 87

49. Which of the following network attacks misuses TCP's (Transmission Control Protocol) three way handshake to overload servers and deny access to legitimate users?

Man in the middle.

Smurf

Teardrop

SYN (Synchronize)

SYN flood is a DoS attack in which the hacker sends a barrage of SYN packets. The receiving station tries to respond to each SYN request for a connection, thereby tying up all the resources. All incoming connections are rejected until all current connections can be established.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 530

Explanation

SYN flood is a DoS attack in which the hacker sends a barrage of SYN packets. The receiving station tries to respond to each SYN request for a connection, thereby tying up all the resources. All incoming connections are rejected until all current connections can be established.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 530

50. Which of the following type of attacks exploits poor programming techniques and lack of code review?

CGI (Common Gateway Interface) script

Birthday

Buffer overflow

Dictionary

Buffer overflows occur when an application receives more data than it is programmed to accept. This situation can cause an application to terminate. The termination may leave the system sending the data with temporary access to privileged levels in the attacked system. This exploitation is usually a result of a programming error in the development of the software.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 135

Explanation

Buffer overflows occur when an application receives more data than it is programmed to accept. This situation can cause an application to terminate. The termination may leave the system sending the data with temporary access to privileged levels in the attacked system. This exploitation is usually a result of a programming error in the development of the software.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 135

51. What should the minimum length of a password be to deter dictionary password cracks?

6 characters

8 characters

10 characters

12 characters

16 characters

To deter dictionary password cracks, a minimum length of 8 characters is recommended. This is because shorter passwords are easier to crack using dictionary attacks, where an attacker systematically tries all words in a dictionary or common passwords. By having a longer password, it increases the number of possible combinations, making it more difficult and time-consuming for attackers to guess the correct password.

Explanation

To deter dictionary password cracks, a minimum length of 8 characters is recommended. This is because shorter passwords are easier to crack using dictionary attacks, where an attacker systematically tries all words in a dictionary or common passwords. By having a longer password, it increases the number of possible combinations, making it more difficult and time-consuming for attackers to guess the correct password.

52. You implement IDS on the Certkiller .com network. You discover traffic from an internal host IP address accessing internal network resources from the Internet. What is causing this?

This occurred since a user without permission is spoofing internal IP addresses.

This occurred since information is accessed by a user from a remote login.

This occurred since traffic is routed outside the internal network.

This is normal behavior according to the IP RFC.

The correct answer is that this occurred since a user without permission is spoofing internal IP addresses. This explanation suggests that someone within the network is pretending to have a different IP address in order to gain unauthorized access to internal resources. This is a common tactic used by hackers to bypass security measures and gain access to sensitive information.

Explanation

The correct answer is that this occurred since a user without permission is spoofing internal IP addresses. This explanation suggests that someone within the network is pretending to have a different IP address in order to gain unauthorized access to internal resources. This is a common tactic used by hackers to bypass security measures and gain access to sensitive information.

53. Identify the attack that consists of a PC sending PING packets with destination addresses set to the broadcast address and the source address set to the target PC's IP address?

You should identify a Smurf attack.

You should identify a XMAS Tree attack.

You should identify a Replay attack.

You should identify a Fraggle attack

A Smurf attack is a type of distributed denial of service (DDoS) attack where the attacker sends a large number of ICMP Echo Request (PING) packets with the source IP address spoofed as the target PC's IP address to the broadcast address of a network. This causes all devices on the network to respond to the target PC, overwhelming its resources and causing it to become unreachable.

Explanation

A Smurf attack is a type of distributed denial of service (DDoS) attack where the attacker sends a large number of ICMP Echo Request (PING) packets with the source IP address spoofed as the target PC's IP address to the broadcast address of a network. This causes all devices on the network to respond to the target PC, overwhelming its resources and causing it to become unreachable.

54. Which of the following is used to describe an autonomous agent that copies itself into one or more host programs, then propagates when the host is run?

Trojan horse

Back door

Logic bomb

Virus

A virus is a piece of software designed to infect a computer system. I can go into this further, but the answer is obvious. Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 76

Explanation

A virus is a piece of software designed to infect a computer system. I can go into this further, but the answer is obvious. Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 76

55. What is an attack whereby two different messages using the same hash function produce a common message digest known as?

Man in the middle attack.

Ciphertext only attack.

Birthday attack.

Brute force attack.

A birthday attack is based on the principle that amongst 23 people, the probability of 2 of them having the same birthday is greater the 50%. By that rational if an attacker examines the hashes of an entire organizations passwords, they'll come up with some common denominators.

Explanation

A birthday attack is based on the principle that amongst 23 people, the probability of 2 of them having the same birthday is greater the 50%. By that rational if an attacker examines the hashes of an entire organizations passwords, they'll come up with some common denominators.

56. What are MITRE and CERT?

They are anti-virus software institutes.

They are virus and malware cataloging organizations.

They are virus broadcast monitoring tools.

They are spyware and virus distributing software.

MITRE and CERT are not anti-virus software institutes or virus broadcast monitoring tools. They are not spyware and virus distributing software either. MITRE and CERT are well-known organizations that focus on cataloging and analyzing viruses and malware. They provide resources, research, and assistance to help understand and combat cyber threats.

Explanation

MITRE and CERT are not anti-virus software institutes or virus broadcast monitoring tools. They are not spyware and virus distributing software either. MITRE and CERT are well-known organizations that focus on cataloging and analyzing viruses and malware. They provide resources, research, and assistance to help understand and combat cyber threats.

57. Which of the following determines which operating system is installed on a system by analyzing its response to certain network traffic?

OS (Operating System) scanning

Reverse engineering.

Fingerprinting

Host hijacking.

None of the Above

Fingerprinting is the act of inspecting returned information from a server (ie. One method is ICMP Message quoting where the ICMP quotes back part of the original message with every ICMP error message. Each operating system will quote definite amount of message to the ICMP error messages. The peculiarity in the error messages received from various types of operating systems helps us in identifying the remote host's OS.

Explanation

Fingerprinting is the act of inspecting returned information from a server (ie. One method is ICMP Message quoting where the ICMP quotes back part of the original message with every ICMP error message. Each operating system will quote definite amount of message to the ICMP error messages. The peculiarity in the error messages received from various types of operating systems helps us in identifying the remote host's OS.

58. Which of the following is most common method of accomplishing DDoS (Distributed Denial of Service) attacks?

Internal host computers simultaneously failing.

Overwhelming and shutting down multiple services on a server.

Multiple servers or routers monopolizing and over whelming the bandwidth of a particular server or router.

An individual e-mail address list being used to distribute a virus.

A distributed denial of service attack takes place from within, and is usually the doing of a disgruntled worker. They set up a zombie software that takes over numerous servers, and routers within the network to overwhelm the systems bandwidth. A and B are incorrect because a DDoS doesn't fail or shut down the servers, it merely compromises them.

Explanation

A distributed denial of service attack takes place from within, and is usually the doing of a disgruntled worker. They set up a zombie software that takes over numerous servers, and routers within the network to overwhelm the systems bandwidth. A and B are incorrect because a DDoS doesn't fail or shut down the servers, it merely compromises them.

59. Which type of attack can easily break a user's password if the user uses simple and meaningful things such as pet names or birthdays for their passwords?

Mickey Mouse attack

Random guess attack

Brute Force attack

Dictionary attack

Role Based Access Control attack

A dictionary attack is an attack which uses a dictionary of common words to attempt to find the password of a user.
Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 58

Explanation

A dictionary attack is an attack which uses a dictionary of common words to attempt to find the password of a user.
Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 58

60. What is happening when a user downloads and installs a new screen saver and the program starts to rename and delete random files?

This program illustrates a Virus.

This program illustrates a Trojan horse.

This program illustrates a Worm.

This program illustrates a Logic bomb.

When a user downloads and installs a new screen saver and the program starts to rename and delete random files, it indicates that the program is a Trojan horse. A Trojan horse is a type of malware that disguises itself as a harmless program but actually contains malicious code. In this case, the screen saver program is designed to perform harmful actions on the user's computer, such as renaming and deleting files. Unlike viruses or worms, Trojan horses do not replicate themselves but rely on the user to unknowingly install them.

Explanation

When a user downloads and installs a new screen saver and the program starts to rename and delete random files, it indicates that the program is a Trojan horse. A Trojan horse is a type of malware that disguises itself as a harmless program but actually contains malicious code. In this case, the screen saver program is designed to perform harmful actions on the user's computer, such as renaming and deleting files. Unlike viruses or worms, Trojan horses do not replicate themselves but rely on the user to unknowingly install them.

61. Malicious port scanning determines the _______.

Computer name

Fingerprint of the operating system

Physical cabling topology of a network

User ID and passwords

All of the Above

Malicious port scanning is an attempt to find an unused port that the system won't acknowledge. Several programs now can use port scanning for advanced host detection and operating system fingerprinting. With knowledge of the operating system, the hacker can look up known vulnerabilities and exploits for that particular system.

Explanation

Malicious port scanning is an attempt to find an unused port that the system won't acknowledge. Several programs now can use port scanning for advanced host detection and operating system fingerprinting. With knowledge of the operating system, the hacker can look up known vulnerabilities and exploits for that particular system.

62. You are the network administrator at Certkiller .com. You discover that your domain name server is resolving the domain name to the wrong IP (Internet Protocol) address and thus misdirecting Internet traffic. You suspect a malicious attack. Which of the following would you suspect?

Reverse DNS (Domain Name Service)

Brute force attack

Spoofing

DoS (Denial of Service)

Spoofing is when you forge the source address of traffic, so it appears to come from somewhere else, preferably somewhere safe and trustworthy. Web spoofing is a process where someone creates a convincing copy of a legitimate website or a portion of the world wide web, so that when someone enters a site that they think is safe, they end up communicating directly with the hacker. To avoid this you should rely on certificates, IPSEC, and set up a filter to block internet traffic with an internal network address.

Explanation

Spoofing is when you forge the source address of traffic, so it appears to come from somewhere else, preferably somewhere safe and trustworthy. Web spoofing is a process where someone creates a convincing copy of a legitimate website or a portion of the world wide web, so that when someone enters a site that they think is safe, they end up communicating directly with the hacker. To avoid this you should rely on certificates, IPSEC, and set up a filter to block internet traffic with an internal network address.

63. What is a program that can infect other programs by modifying them to include a version of it called?

Replicator

Virus

Trojan horse

Logic bomb

A virus can do many things and including itself in a program is one of them. A virus is a program intended to damage a computer system. Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 533

Explanation

A virus can do many things and including itself in a program is one of them. A virus is a program intended to damage a computer system. Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 533

64. Identify the ports utilized by e-mail users? (Choose TWO)

You should identify port 143

You should identify port 3389

You should identify port 110

You should identify port 334

You should identify port 23

The correct answer is to identify port 143 and port 110. Port 143 is used for the Internet Message Access Protocol (IMAP), which allows email clients to retrieve emails from a mail server. Port 110 is used for the Post Office Protocol version 3 (POP3), which also allows email clients to retrieve emails from a mail server.

Explanation

The correct answer is to identify port 143 and port 110. Port 143 is used for the Internet Message Access Protocol (IMAP), which allows email clients to retrieve emails from a mail server. Port 110 is used for the Post Office Protocol version 3 (POP3), which also allows email clients to retrieve emails from a mail server.

Submit

65. Which of the following attacks exploits the session initiation between the Transport Control Program (TCP) client and server in a network?

Birthday Attack

SYN Attack

Buffer Overflow

Smurf

None of the Above

SYN flood is a DoS attack in which the hacker sends a barrage of SYN packets. The receiving station tries to respond to each SYN request for a connection, thereby tying up all the resources. All incoming connections are rejected until all current connections can be established. Change this if you want but in the SYN flood the hacker sends a SYN packet to the receiving station with a spoofed return address of some broadcast address on their network. The receiving station sends out this SYN packets (pings the broadcast address) which causes multiple servers or stations to respond to the ping, thus overloading the originator of the ping (the receiving station). Therefore, the hacker may send only 1 SYN packet, whereas the network of the attacked station is actually what does the barrage of return packets and overloads the receiving station.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 530

Explanation

SYN flood is a DoS attack in which the hacker sends a barrage of SYN packets. The receiving station tries to respond to each SYN request for a connection, thereby tying up all the resources. All incoming connections are rejected until all current connections can be established. Change this if you want but in the SYN flood the hacker sends a SYN packet to the receiving station with a spoofed return address of some broadcast address on their network. The receiving station sends out this SYN packets (pings the broadcast address) which causes multiple servers or stations to respond to the ping, thus overloading the originator of the ping (the receiving station). Therefore, the hacker may send only 1 SYN packet, whereas the network of the attacked station is actually what does the barrage of return packets and overloads the receiving station.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 530

66. What characteristic of TCP/IP (transmission Control Protocol/Internet Protocol) does TCP/IP (transmission Control Protocol/Internet Protocol) session hijacking exploit?

The fact that TCP/IP (transmission Control Protocol/Internet Protocol) has no authentication mechanism, thus allowing a clear text password of 16 bytes

The fact that TCP/IP (transmission Control Protocol/Internet Protocol) allows a packet to be spoofed and inserted into a stream, thereby enabling commands to be executed on the remote host

The fact that TCP/IP (transmission Control Protocol/Internet Protocol) has no authentication mechanism, and therefore allows connectionless packets from anyone

The fact that TCP/IP (transmission Control Protocol/Internet Protocol) allows packets to be tunneled to an alternate network

TCP/IP's connection orientated nature, and lack of natural security makes it easy to hijack a session by spoofing.

Explanation

TCP/IP's connection orientated nature, and lack of natural security makes it easy to hijack a session by spoofing.

67. Which of the following is the best defense against a man in the middle attack?

Virtual LAN (Local Area Network)

GRE (Generic Route Encapsulation) tunnel IPIP (Internet Protocol-within-Internet Protocol Encapsulation Protocol)

PKI (Public Key Infrastructure)

Enforcement of badge system

PKI is a two-key system. Messages are encrypted with a public key. Messages are decrypted with a private key. If you want to send an encrypted message to someone, you would request their public key. You would encrypt the message using their public key and send it to them. They would then use their private key to decrypt the message.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 331

Explanation

PKI is a two-key system. Messages are encrypted with a public key. Messages are decrypted with a private key. If you want to send an encrypted message to someone, you would request their public key. You would encrypt the message using their public key and send it to them. They would then use their private key to decrypt the message.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 331

68. Which of the following is the best defense against man in the middle attacks?

A firewall

Strong encryption

Strong passwords

Strong authentication

Strong encryption is the best defense against man-in-the-middle attacks because it ensures that the data being transmitted between two parties is encrypted and cannot be intercepted or tampered with by an attacker. Encryption algorithms scramble the data in such a way that it can only be decrypted and understood by the intended recipient with the correct decryption key. This prevents attackers from gaining access to sensitive information or altering the data being transmitted. Firewalls, strong passwords, and strong authentication can provide additional layers of security, but strong encryption is the most effective defense against man-in-the-middle attacks.

Explanation

Strong encryption is the best defense against man-in-the-middle attacks because it ensures that the data being transmitted between two parties is encrypted and cannot be intercepted or tampered with by an attacker. Encryption algorithms scramble the data in such a way that it can only be decrypted and understood by the intended recipient with the correct decryption key. This prevents attackers from gaining access to sensitive information or altering the data being transmitted. Firewalls, strong passwords, and strong authentication can provide additional layers of security, but strong encryption is the most effective defense against man-in-the-middle attacks.

69. You receive an e-mail to reset the online banking username and password. When you attempt to access the link the URL appearing in the browser does not match the link. What is this known as?

This situation is known as redirecting.

This situation is known as spoofing.

This situation is known as hijacking.

This situation is known as phishing.

Phishing is the act of tricking individuals into revealing sensitive information by disguising as a trustworthy entity. In this scenario, the email is attempting to deceive the recipient by providing a link that appears to be for resetting the online banking credentials, but the URL displayed in the browser does not match the actual link. This is a classic phishing technique used to steal personal information.

Explanation

Phishing is the act of tricking individuals into revealing sensitive information by disguising as a trustworthy entity. In this scenario, the email is attempting to deceive the recipient by providing a link that appears to be for resetting the online banking credentials, but the URL displayed in the browser does not match the actual link. This is a classic phishing technique used to steal personal information.

70. What is the most common method of social engineering?

Looking through users' trash for information

Calling users and asking for information

E-mailing users and asking for information

E-mail

Social engineering is a process where an attacker attempts to acquire information about your network and system by talking to people in the organization. A social engineering attack may occur over the phone, by e-mail, or by a visit.

Reference:
Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 87

Explanation

Social engineering is a process where an attacker attempts to acquire information about your network and system by talking to people in the organization. A social engineering attack may occur over the phone, by e-mail, or by a visit.

Reference:
Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 87

71. Which port is used by Kerberos by default?

Kerberos makes use of port 139

Kerberos makes use of port 443

Kerberos makes use of port 23

Kerberos makes use of port 88

None of the Above

Kerberos is a network authentication protocol that uses port 88 by default. This port is specifically reserved for Kerberos communication. It allows for secure authentication between clients and servers in a network environment.

Explanation

Kerberos is a network authentication protocol that uses port 88 by default. This port is specifically reserved for Kerberos communication. It allows for secure authentication between clients and servers in a network environment.

72. Which of the following is an effective method of preventing computer viruses from spreading?

Require root/administrator access to run programs.

Enable scanning of e-mail attachments.

Prevent the execution of .vbs files.

Install a host based IDS (Intrusion Detection System)

Viruses get into your computer in one of three ways. They may enter your computer on a contaminated floppy or CD-ROM, through e-mail, or as a part of another program.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 76

Explanation

Viruses get into your computer in one of three ways. They may enter your computer on a contaminated floppy or CD-ROM, through e-mail, or as a part of another program.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 76

73. Which of the following can be deterred against by increasing the keyspace and complexity of a password?

Dictionary

Brute force

Inference

Frontal

Increasing the keyspace and complexity of a password can deter against brute force attacks. Brute force attacks involve systematically trying every possible combination of characters until the correct password is found. By increasing the keyspace, which refers to the number of possible characters that can be used in a password, and the complexity, which refers to the combination of uppercase and lowercase letters, numbers, and special characters, the time and effort required to guess the correct password through brute force is significantly increased, making it more difficult for attackers to gain unauthorized access.

Explanation

Increasing the keyspace and complexity of a password can deter against brute force attacks. Brute force attacks involve systematically trying every possible combination of characters until the correct password is found. By increasing the keyspace, which refers to the number of possible characters that can be used in a password, and the complexity, which refers to the combination of uppercase and lowercase letters, numbers, and special characters, the time and effort required to guess the correct password through brute force is significantly increased, making it more difficult for attackers to gain unauthorized access.

74. Which of the following best describes TCP/IP (Transmission Control Protocol/Internet Protocol) session hijacking?

The TCP/IP (Transmission Control Protocol/Internet Protocol) session state is altered in a way that intercepts legitimate packets and allows a third party host to insert acceptable packets.

The TCP/IP (Transmission Control Protocol/Internet Protocol) session state is altered allowing third party hosts to create new IP (Internet Protocol) addresses.

The TCP/IP (Transmission Control Protocol/Internet Protocol) session state remains unaltered allowing third party hosts to insert packets acting as the server.

The TCP/IP (Transmission Control Protocol/Internet Protocol) session state remains unaltered allowing third party hosts to insert packets acting as the client.

A detailed site on how to hijack a TCP/IP a session can be found at: http://staff.washington.edu/dittrich/talks/qsm-sec/script.html

Explanation

A detailed site on how to hijack a TCP/IP a session can be found at: http://staff.washington.edu/dittrich/talks/qsm-sec/script.html

75. Identify the attack that targets a web server if numerous computers send a lot of FIN packets at the same time with spoofed source IP addresses?

This attack is known as SYN flood.

This attack is known as DDoS

This attack is known as Brute force.

This attack is known as XMAS tree scan.

not-available-via-ai

Explanation

not-available-via-ai

76. Identify the malicious software that will replicate itself by connecting to other programs on the same host workstation?

A Worm will attach to another program.

A Virus will attach to another program.

A Logic bomb will attach to another program.

A Trojan horse will attach to another program.

A virus is a type of malicious software that is capable of replicating itself and attaching to other programs on the same host workstation. Unlike worms, which can spread independently, viruses require a host program to attach to and replicate. Therefore, a virus is the correct answer to the question.

Explanation

A virus is a type of malicious software that is capable of replicating itself and attaching to other programs on the same host workstation. Unlike worms, which can spread independently, viruses require a host program to attach to and replicate. Therefore, a virus is the correct answer to the question.

77. Which of the attacks can involve the misdirection of the domain name resolution and Internet traffic?

DoS (Denial of Service)

Spoofing

Brute force attack

Reverse DNS (Domain Name Service)

A spoofing attack is simply an attempt by someone or something masquerading as someone else.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 56

Explanation

A spoofing attack is simply an attempt by someone or something masquerading as someone else.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 56

78. Why is certificate expiration important?

Renewing the log files will keep it from getting too large.

If given sufficient tile brute force techniques will probably to break the key.

It will use more processing power when the encryption key is used long.

It prevents the server from using the identical key for two sessions.

not-available-via-ai

Explanation

not-available-via-ai

79. Which of the following is a DoS exploit that sends more traffic to a node than anticipated?

Ping of death

Buffer Overflow

Logic Bomb

Smurf

None of the Above

Buffer overflows occur when an application receives more data than it is programmed to accept. This situation can cause an application to terminate. The termination may leave the system sending the data with temporary access to privileged levels in the attacked system.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 135

Explanation

Buffer overflows occur when an application receives more data than it is programmed to accept. This situation can cause an application to terminate. The termination may leave the system sending the data with temporary access to privileged levels in the attacked system.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 135

80. Which of the following attacks can be mitigated against by implementing the following ingress/egress traffic filtering?
* Any packet coming into the network must not have a source address of the internal network.
* Any packet coming into the network must have a destination address from the internal network.
* Any packet leaving the network must have a source address from the internal network.
* Any packet leaving the network must not have a destination address from the internal networks.
* Any packet coming into the network or leaving the network must not have a source or destination address of a private address or an address listed in RFC19lS reserved space.

SYN (Synchronize) flooding

Spoofing

DoS (Denial of Service) attacks

Dictionary attacks

None of the Above

By having strict addressing filters; an administrator prevents a spoofed address from gaining access.

Explanation

By having strict addressing filters; an administrator prevents a spoofed address from gaining access.

81. Which of the following attacks uses ICMP (Internet Control Message Protocol) and improperly formatted MTUs (Maximum Transmission Unit) to crash a target computer?

Man in the middle attack

Smurf attack

Ping of death attack

TCP SYN (Transmission Control Protocol / Synchronized) attack

None of the Above

Explanation: The Ping of Death attack involved sending IP packets of a size greater than 65,535 bytes to the target computer. IP packets of this size are illegal, but applications can be built that are capable of creating them. Carefully programmed operating systems could detect and safely handle illegal IP packets, but some failed to do this. Note: MTU packets that are bigger than the maximum size the underlying layer can handle are fragmented into smaller packets, which are then reassembled by the receiver. For ethernet style devices, the MTU is typically 1500. Incorrect Answers A: A man in the middle attack allows a third party to intercept and replace components of the data stream. B: The "smurf" attack, named after its exploit program, is one of the most recent in the category of network-level attacks against hosts. A perpetrator sends a large amount of ICMP echo (ping) traffic at IP broadcast addresses, all of it having a spoofed source address of a victim. D: In a TCP SYN attack a sender transmits a volume of connections that cannot be completed. This causes the connection queues to fill up, thereby denying service to legitimate TCP users.

Explanation

Explanation: The Ping of Death attack involved sending IP packets of a size greater than 65,535 bytes to the target computer. IP packets of this size are illegal, but applications can be built that are capable of creating them. Carefully programmed operating systems could detect and safely handle illegal IP packets, but some failed to do this. Note: MTU packets that are bigger than the maximum size the underlying layer can handle are fragmented into smaller packets, which are then reassembled by the receiver. For ethernet style devices, the MTU is typically 1500. Incorrect Answers A: A man in the middle attack allows a third party to intercept and replace components of the data stream. B: The "smurf" attack, named after its exploit program, is one of the most recent in the category of network-level attacks against hosts. A perpetrator sends a large amount of ICMP echo (ping) traffic at IP broadcast addresses, all of it having a spoofed source address of a victim. D: In a TCP SYN attack a sender transmits a volume of connections that cannot be completed. This causes the connection queues to fill up, thereby denying service to legitimate TCP users.

82. Identify the port that permits a user to login remotely on a computer?

Port 3389

Port 8080

Port 143

Port 23

Port 3389 is the correct answer because it is the default port for Remote Desktop Protocol (RDP), which allows users to connect and login remotely to a computer. RDP is a proprietary protocol developed by Microsoft and is commonly used for remote administration and accessing resources on a remote computer.

Explanation

Port 3389 is the correct answer because it is the default port for Remote Desktop Protocol (RDP), which allows users to connect and login remotely to a computer. RDP is a proprietary protocol developed by Microsoft and is commonly used for remote administration and accessing resources on a remote computer.

83. Which of the following are characteristics of a computer virus?

Find mechanism, initiation mechanism and propagate.

Learning mechanism, contamination mechanism and exploit.

Search mechanism, connection mechanism and integrate.

Replication mechanism, activation mechanism and objective.

Replication mechanism: To replicate a virus needs to attach itself to the right code, where it can replicate and spread past security systems into other systems. Activation mechanism: Most viruses require the user to actually do something. During the 80's and early 90's most viruses were activated when you booted from a floppy disk, or inserted a new floppy disk into an infected drive. Nowadays most computer virus's come as email forwards, and they require the user to execute. Objective: many viruses have no objective at all, but some have the objective to delete data, hog up memory, or crash the system.

Explanation

Replication mechanism: To replicate a virus needs to attach itself to the right code, where it can replicate and spread past security systems into other systems. Activation mechanism: Most viruses require the user to actually do something. During the 80's and early 90's most viruses were activated when you booted from a floppy disk, or inserted a new floppy disk into an infected drive. Nowadays most computer virus's come as email forwards, and they require the user to execute. Objective: many viruses have no objective at all, but some have the objective to delete data, hog up memory, or crash the system.

84. Identify the techniques apart from bribery and forgery that attackers use to socially engineer people? (Choose TWO)

Flattery is a most common method.

Dumpster diving is a most common method.

Phreaking is a most common method.

Assuming a position of authority is a most common method.

Who is search is a most common method.

Flattery is a common social engineering technique where attackers use compliments and praise to manipulate individuals into divulging sensitive information or performing certain actions. Assuming a position of authority is another common technique where attackers pretend to be someone in a position of power or authority to gain trust and manipulate individuals into providing information or performing actions they wouldn't normally do.

Explanation

Flattery is a common social engineering technique where attackers use compliments and praise to manipulate individuals into divulging sensitive information or performing certain actions. Assuming a position of authority is another common technique where attackers pretend to be someone in a position of power or authority to gain trust and manipulate individuals into providing information or performing actions they wouldn't normally do.

Submit

85. You run Nmap against a server on the Certkiller .com network. You discover more open ports than you anticipated. What should you do?

Your first step should be to close all the ports and to monitor it to see if a process tries to reopen the port.

Your first step should be to examine the process using the ports.

Your first step should be to leave the ports open and to monitor the traffic for malicious activity.

Your first step should be to run Nmap again and to monitor it to see if different results are obtained.

The correct answer suggests that the first step should be to examine the process using the ports. By doing so, you can identify which process is responsible for opening the unexpected ports. This will help you determine if the process is legitimate or if it may be a sign of malicious activity. Once you have identified the process, you can take appropriate actions such as terminating it or further investigating its behavior.

Explanation

The correct answer suggests that the first step should be to examine the process using the ports. By doing so, you can identify which process is responsible for opening the unexpected ports. This will help you determine if the process is legitimate or if it may be a sign of malicious activity. Once you have identified the process, you can take appropriate actions such as terminating it or further investigating its behavior.

86. Which of the following fingerprinting techniques exploits the fact that operating systems differ in the amount of information that is quoted when ICMP (Internet Control Message Protocol) errors are encountered?

TCP (Transmission Control Protocol) options.

ICMP (Internet Control Message Protocol) error message quenching.

Fragmentation handling.

ICMP (Internet Control Message Protocol) message quoting

None of the Above

ICMP Message quoting: The ICMP quotes back part of the original message with every ICMP error message. Each operating system will quote definite amount of message to the ICMP error messages. The peculiarity in the error messages received from various types of operating systems helps us in identifying the remote host's OS.

Explanation

ICMP Message quoting: The ICMP quotes back part of the original message with every ICMP error message. Each operating system will quote definite amount of message to the ICMP error messages. The peculiarity in the error messages received from various types of operating systems helps us in identifying the remote host's OS.

87. How can you determine whether the workstations on the internal network are functioning as zombies participating in external DDoS attacks?

You should use AV server logs to confirm the suspicion.

You should use HIDS logs to confirm the suspicion.

You should use Proxy logs to confirm the suspicion.

You should use Firewall logs to confirm the suspicion.

Firewall logs can be used to determine whether the workstations on the internal network are functioning as zombies participating in external DDoS attacks. Firewall logs contain information about the network traffic and can provide insights into the connections made by the workstations. By analyzing the logs, suspicious or malicious connections can be identified, indicating the presence of zombies participating in DDoS attacks. This makes Firewall logs a suitable source of information for confirming the suspicion.

Explanation

Firewall logs can be used to determine whether the workstations on the internal network are functioning as zombies participating in external DDoS attacks. Firewall logs contain information about the network traffic and can provide insights into the connections made by the workstations. By analyzing the logs, suspicious or malicious connections can be identified, indicating the presence of zombies participating in DDoS attacks. This makes Firewall logs a suitable source of information for confirming the suspicion.

88. What type of program will record system keystrokes in a text file and e-mail it to the author, and will also delete system logs every five days or whenever a backup is performed?

Virus

Back door.

Logic bomb.

Worm.

A logic bomb is a special kind of virus or Trojan horse that is set to go off following a preset time interval, or following a pre-set combination of keyboard strokes. Some unethical advertisers use logic bombs to deliver the right pop-up advertisement following a keystroke, and some disgruntled employees set up logic bombs to go off to sabotage their company's computers if they feel termination is imminent.

Explanation

A logic bomb is a special kind of virus or Trojan horse that is set to go off following a preset time interval, or following a pre-set combination of keyboard strokes. Some unethical advertisers use logic bombs to deliver the right pop-up advertisement following a keystroke, and some disgruntled employees set up logic bombs to go off to sabotage their company's computers if they feel termination is imminent.

89. As the security administrator you monitor traces from IDS and detect the subsequent data:

Date Time Source IP Destination IP Port Type
10/21 0845 192.168.155.28 10.1.20.1 20 SYN
10/21 0850 192.168.155.28 10.1.20.1 21 SYN
10/21 0900 192.168.155.28 10.1.20.1 23 SYN
10/21 0910 192.168.155.28 10.1.20.1 25 SYN

You need to determine what will occur?

An expected TCP/IP traffic will occur.

A Port scanning will occur.

A SYN Flood will occur.

A Denial of Service (DoS) will occur.

The given traces show a pattern where the source IP (192.168.155.28) is scanning the destination IP (10.1.20.1) on different ports (20, 21, 23, 25) using SYN packets. This indicates that the source IP is actively probing the destination IP for open ports, which is characteristic of port scanning. Port scanning is a technique used by attackers to identify potential vulnerabilities in a target system. Therefore, the correct answer is that a port scanning will occur.

Explanation

The given traces show a pattern where the source IP (192.168.155.28) is scanning the destination IP (10.1.20.1) on different ports (20, 21, 23, 25) using SYN packets. This indicates that the source IP is actively probing the destination IP for open ports, which is characteristic of port scanning. Port scanning is a technique used by attackers to identify potential vulnerabilities in a target system. Therefore, the correct answer is that a port scanning will occur.

90. It has come to your attention that the telephone account for the employees in your department is extremely high. You check the print out and discover that 4,500 text messages is sent daily to random numbers. What is the best option to stop this excessive text messaging?

This can be accomplished by installing personal firewalls on the mobile phones.

This can be accomplished by installing HIDS on the mobile phones.

This can be accomplished by installing logging software on the mobile phones.

This can be accomplished by installing antivirus software on the mobile phones.

Installing antivirus software on the mobile phones is the best option to stop the excessive text messaging. Antivirus software can detect and block any malicious software or apps that may be responsible for sending the text messages to random numbers. By installing antivirus software, it can help protect the mobile phones from any potential threats and prevent unauthorized activities such as excessive text messaging.

Explanation

Installing antivirus software on the mobile phones is the best option to stop the excessive text messaging. Antivirus software can detect and block any malicious software or apps that may be responsible for sending the text messages to random numbers. By installing antivirus software, it can help protect the mobile phones from any potential threats and prevent unauthorized activities such as excessive text messaging.

91. Loki, NetCaZ, Masters Paradise and NetBus are examples of what type of attack?

Brute force

Spoofing

Man in the middle

Back door

None of the Above

Since backdoor's are publicly marketed/distributed software applications, they are characterized by having a trade name.

Explanation

Since backdoor's are publicly marketed/distributed software applications, they are characterized by having a trade name.

92. Identify common utilization of Internet-exposed network services?

Active content is a common utilization.

Illicit servers are a common utilization.

Trojan horse programs are a common utilization.

Buffer overflows is a common utilization. Buffer overflows is a common utilization.

not-available-via-ai

Explanation

not-available-via-ai

93. What can be sued for credit card information theft? (Choose TWO)

A Worm will permit credit card theft.

A SPIM will permit credit card theft.

An Adware will permit credit card theft.

A Phishing will permit credit card theft.

A Virus will permit credit card theft.

Adware and phishing are two methods that can be used for credit card information theft. Adware refers to malicious software that displays unwanted advertisements and can also collect sensitive information such as credit card details. Phishing, on the other hand, involves tricking individuals into revealing their credit card information through fraudulent websites or emails that appear to be from legitimate sources. Both of these methods can enable criminals to steal credit card information.

Explanation

Adware and phishing are two methods that can be used for credit card information theft. Adware refers to malicious software that displays unwanted advertisements and can also collect sensitive information such as credit card details. Phishing, on the other hand, involves tricking individuals into revealing their credit card information through fraudulent websites or emails that appear to be from legitimate sources. Both of these methods can enable criminals to steal credit card information.

Submit

94. You are the security administrator at Certkiller .com. All Certkiller users have a token and 4-digit personal identification number (PIN) that are used to access their computer systems. The token performs off-line checking for the correct PIN. To which of the following type of attack is Certkiller vulnerable?

Smurf

Man-in-the-middle

Brute force

Birthday

Explanation: Brute force attacks are performed with tools that cycle through many possible character, number, and symbol combinations to guess a password. Since the token allows offline checking of PIN, the cracker can keep trying PINS until it is cracked.

Explanation

Explanation: Brute force attacks are performed with tools that cycle through many possible character, number, and symbol combinations to guess a password. Since the token allows offline checking of PIN, the cracker can keep trying PINS until it is cracked.

95. What is a piece of malicious code that has no productive purpose but can replicate itself and exist only to damage computer systems or create further vulnerabilities called?

Logic Bomb

Worm

Trojan Horse

SYN flood

Virus

A virus is a piece of software designed to infect a computer system. The virus may do nothing more than reside on the computer. A virus may also damage the data on your hard disk, destroy your operating system, and possibly spread to other systems.
Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 76

Explanation

A virus is a piece of software designed to infect a computer system. The virus may do nothing more than reside on the computer. A virus may also damage the data on your hard disk, destroy your operating system, and possibly spread to other systems.
Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 76

96. What is an attach in which the attacker spoofs the source IP address in an ICMP ECHO broadcast packet so it seems to have originated at the victim's system, in order to flood it with REPLY packets called?

SYN flood attack

Smurf attack

Ping of Dead Attack

Denial of Service (DOS) Attack

A smurf attack is a type of denial of service (DOS) attack where the attacker spoofs the source IP address in an ICMP ECHO broadcast packet to make it appear as if it originated from the victim's system. The attacker then sends a large number of these packets to multiple hosts on a network, causing them to flood the victim's system with ICMP REPLY packets. This overwhelms the victim's system and can lead to a loss of network connectivity and a denial of service.

Explanation

A smurf attack is a type of denial of service (DOS) attack where the attacker spoofs the source IP address in an ICMP ECHO broadcast packet to make it appear as if it originated from the victim's system. The attacker then sends a large number of these packets to multiple hosts on a network, causing them to flood the victim's system with ICMP REPLY packets. This overwhelms the victim's system and can lead to a loss of network connectivity and a denial of service.

97. Which device should you contemplate on choosing in order to protect an internal network segment from traffic external to the segment?

You should choose DMZ to provide security to the network segment.

You should choose Internet content filter provide security to the network segment.

You should choose NIPS provide security to the network segment.

You should choose HIDS provide security to the network segment.

A NIPS (Network Intrusion Prevention System) is designed to protect a network segment from traffic external to the segment. It monitors network traffic and detects and prevents any malicious activity or attacks. By choosing a NIPS, the internal network segment can be safeguarded from potential threats and unauthorized access, ensuring the security of the network.

Explanation

A NIPS (Network Intrusion Prevention System) is designed to protect a network segment from traffic external to the segment. It monitors network traffic and detects and prevents any malicious activity or attacks. By choosing a NIPS, the internal network segment can be safeguarded from potential threats and unauthorized access, ensuring the security of the network.