1. Threats, Attacks, and Vulnerabilities

Domain 1 Questions

1. After conducting a vulnerability scan of her network, Wendy discovered the issue shown here on several servers. What is the most significant direct impact of this vulnerability?
   

   Figure 1.1

   A. Attackers may eavesdrop on network communications.

   B. Attackers may use this information to gain administrative privileges.

   C. Encryption will not protect credentials for this account.

   D. Automated attacks are more likely to succeed.

2. Pete is investigating a domain hijacking attack against his company that successfully redirected web traffic to a third-party website. Which one of the following techniques is the most effective way to carry out a domain hijacking attack?

   A. ARP poisoning

   B. Network eavesdropping

   C. DNS poisoning

   D. Social engineering

3. Which one of the following characters is the most important to restrict when performing input validation to protect against XSS attacks?

   A. <

   B. !

   C. $

   D. '

4. Darren is investigating an attack that took place on his network. When he visits the victim's machine and types www.mybank.com into the address bar, he is directed to a phishing site designed to look like a legitimate banking site. He then tries entering the IP address of the bank directly into the address bar and the legitimate site loads. What type of attack is likely taking place?

   A. IP spoofing

   B. DNS poisoning

   C. ARP spoofing

   D. Typosquatting

5. Which one of the following technologies must be enabled on a wireless network for a Pixie Dust attack to succeed?

   A. SSID broadcasting

   B. WPS

   C. WPA

   D. WEP

6. During forensic analysis, Drew discovered that an attacker intercepted traffic headed to networked printers by modifying the printer drivers. His analysis revealed that the attacker modified the code of the driver to transmit copies of printed documents to a secure repository. What type of attack took place?

   A. Refactoring

   B. Shimming

   C. Swapping

   D. Recoding

7. What type of scan can best help identify cases of system sprawl in an organization?

   A. Database scan

   B. Web application scan

   C. Detailed scan

   D. Discovery scan

8. Scott is reviewing a list of cryptographic cipher suites supported by his organization's website. Which one of the following algorithms is not secure and may expose traffic to eavesdropping attacks?

   A. ECC

   B. 3DES

   C. AES

   D. DES

9. Brenda is selecting the tools that she will use in a penetration test and would like to begin with passive techniques. Which one of the following is not normally considered a passive reconnaissance technique?

   A. Social engineering

   B. Wireless network eavesdropping

   C. Open source intelligence

   D. Domain name searches

10. Scott is a security administrator for a federal government agency. He recently learned of a website that advertises jobs for former government employees. When he accessed the site, the site launched code in his browser that attempted to install malicious software on his system. What type of attack took place?

    A. Denial of service

    B. Watering hole

    C. Spyware

    D. Trojan horse

11. Paul received an email warning him that a new virus is circulating on the internet and that he needs to apply a patch to correct the problem. The message is branded with a Microsoft header. The virus message is actually a hoax and the patch contains malicious code. What principle of social engineering best describes what the attacker is trying to exploit by including the Microsoft header?

    A. Consensus

    B. Scarcity

    C. Trust

    D. Intimidation

12. Kristen conducts a vulnerability scan against her organization's network and discovers a file server with the vulnerability shown here. Which one of the following actions is the best way to remediate this vulnerability?
    

    Figure 1.2

    A. Discontinue the file transfer service

    B. Require strong passwords

    C. Switch to SFTP

    D. Require multifactor authentication

13. Frank is the new CISO at a mid-sized business. Upon entering his role, he learns that the organization has not conducted any security training for their sales team. Which one of the following attacks is most likely to be enabled by this control gap?

    A. Buffer overflow

    B. Social engineering

    C. Denial of service

    D. ARP poisoning

14. After conducting security testing, Bruce identifies a memory leak issue on one of his servers that runs an internally developed application. Which one of the following team members is most likely able to correct this issue?

    A. Developer

    B. System administrator

    C. Storage administrator

    D. Security analyst

15. Greg recently detected a system on his network that occasionally begins sending streams of TCP SYN packets to port 80 at a single IP address for several hours and then stops. It later resumes, but directs the packets to a different address. What type of attack is taking place?

    A. Port scanning

    B. DDoS

    C. IP scanning

    D. SQL injection

16. During a security assessment, Ryan learns that the Accounts Receivable department prints out records containing customer credit card numbers and files them in unlocked filing cabinets. Which one of the following approaches is most appropriate for resolving the security issues this situation raises?

    A. Physically secure paper records

    B. Encrypt sensitive information

    C. Modify business process

    D. Monitor areas containing sensitive records

17. Jaime is concerned that users in her organization may fall victim to DNS poisoning attacks. Which one of the following controls would be most helpful in protecting against these attacks?

    A. DNSSEC

    B. Redundant DNS servers

    C. Off-site DNS servers

    D. Firewall rules

18. Irene is reviewing the logs from a security incident and discovers many entries in her database query logs that appear similar to the ones shown here. What type of attack was attempted against her server?
    

    Figure 1.3

    A. Error-based SQL injection

    B. Timing-based SQL injection

    C. TOC/TOU

    D. LDAP injection

19. Carl is concerned that his organization's public DNS servers may be used in an amplification attack against a third party. What is the most effective way for Carl to prevent these servers from being used in an amplification attack?

    A. Disable open resolution

    B. Block external DNS requests

    C. Block internal DNS requests

    D. Block port 53 at the firewall

20. What is the purpose of a DNS amplification attack?

    A. Resource exhaustion

    B. Host redirection

    C. Record poisoning

    D. Man-in-the-middle attack

21. Angie is investigating a piece of malware found on a Windows system in her organization. She determines that the malware forced a running program to load code stored in a library. What term best describes this attack?

    A. DLL injection

    B. SQL injection

    C. Pointer dereference

    D. Buffer overflow

22. Which one of the following threat sources is likely to have the highest level of sophistication?

    A. Organized crime

    B. Hacktivist

    C. APT

    D. Script kiddie

23. In which of the following types of penetration test does the attacker not have any access to any information about the target environment prior to beginning the attack?

    A. Grey box

    B. White box

    C. Red box

    D. Black box

24. Bill is securing a set of terminals that are being used to access a highly sensitive web application. He would like to protect against a man-in-the-browser attack. Which one of the following actions would be most effective in meeting Bill's goal?

    A. Disabling browser extensions

    B. Requiring multifactor authentication

    C. Requiring TLS encryption

    D. Disabling certificate pinning

25. Kevin runs a vulnerability scan on a system on his network and identifies a SQL injection vulnerability. Which one of the following security controls is likely not present on the network?

    A. TLS

    B. DLP

    C. IDS

    D. WAF

26. Maureen is implementing TLS encryption to protect transactions that are being run against her company's web services infrastructure. Which one of the following cipher suites would not be an appropriate choice?

    A. AES256-CCM

    B. ADH-RC4-MD5

    C. ECDHE-RSA-AES256-SHA384

    D. DH-RSA-AES256-GCM-SHA384

27. Val runs a vulnerability scan of her network and finds issues similar to the one shown here on many systems. What action should Val take?
    

    Figure 1.4

    A. Immediately replace all certificates

    B. Conduct a risk assessment

    C. No action is necessary

    D. Replace certificates as they expire

28. Barry would like to identify the mail server being used by an organization. Which one of the following DNS record types identifies a mail server?

    A. MX

    B. A

    C. CNAME

    D. SOA

29. Gina runs a vulnerability scan of a server in her organization and receives the results shown here. What corrective action could Gina take to resolve these issues without disrupting the service?
    

    Figure 1.5

    A. Update RDP encryption

    B. Update HTTPS encryption

    C. Disable the network port

    D. No action is necessary

30. Carl is a help desk technician and received a call from an executive who received a suspicious email message. The content of the email appears as follows. What type of attack most likely took place?
    

    Figure 1.6

    A. Whaling

    B. Spear phishing

    C. Vishing

    D. Phishing

31. Dan is a cybersecurity analyst. Each day, he retrieves log files from a wide variety of security devices and correlates the information they contain, searching for unusual patterns of activity. What security control is likely lacking in Dan's environment?

    A. Firewall management tools

    B. IPS

    C. SIEM

    D. NAC

32. Which one of the following security controls would be MOST effective in combatting buffer overflow attacks?

    A. IDS

    B. VPN

    C. DLP

    D. ASLR

33. Mary believes that her network was the target of a wireless networking attack. Based upon the Wireshark traffic capture shown here, what type of attack likely took place?
    

    Figure 1.7

    A. Disassociation

    B. IV accumulation

    C. Replay

    D. Bluesnarfing

34. Gary is concerned about the susceptibility of his organization to phishing attacks. Which one of the following controls will best defend against this type of attack?

    A. Encryption

    B. User training

    C. Firewall

    D. Background checks

35. In which one of the following types of spoofing attack is the attacker often able to establish two-way communication with another device?

    A. Email spoofing

    B. MAC spoofing

    C. IP spoofing

    D. RFID spoofing

36. Rob is conducting a penetration test against a wireless network and would like to gather network traffic containing successful authentication attempts, but the network is not heavily trafficked and he wants to speed up the information gathering process. What technique can he use?

    A. Replay

    B. Brute force

    C. Rainbow table

    D. Disassociation

37. Joe considers himself a hacker but generally does not develop his own exploits or customize exploits that have been developed by others. Instead, he downloads exploits from hacker sites and attempts to apply them to large numbers of servers around the internet until he finds one that is vulnerable. What type of hacker is Joe?

    A. 31337 h4x0r

    B. APT

    C. Script kiddie

    D. Penetration tester

38. Julie is beginning a penetration test against a client and would like to begin with passive reconnaissance. Which one of the following tools may be used for passive reconnaissance?

    A. Metasploit

    B. Nmap

    C. Nessus

    D. Aircrack-ng

39. Jake is responsible for the security of his organization's digital certificates and their associated keys. Which one of the following file types is normally shared publicly?

    A. PEM file

    B. CRT file

    C. CSR file

    D. KEY file

40. Which one of the following malware tools is commonly used by attackers to escalate their access to administrative privileges once they have already compromised a normal user account on a system?

    A. Bot

    B. Rootkit

    C. RAT

    D. Logic bomb

41. Paul has detected the vulnerability shown here in one of his systems. He has several other high priority projects waiting for his attention and needs to prioritize this issue. What should he do?
    

    Figure 1.8

    A. Immediately prioritize the remediation of this vulnerability over all other tasks.

    B. Take no action.

    C. Complete the pressing tasks on his current projects and then correct this vulnerability.

    D. Hire a vendor to remediate the vulnerability.

42. Gary recently gained access to a salted and hashed password file from a popular website and he would like to exploit it in an attack. Which one of the following attacks would be most productive if the website has a password policy requiring complex passwords?

    A. Offline brute force

    B. Online brute force

    C. Dictionary

    D. Rainbow table

43. Vivian is investigating a website outage that brought down her company's e-commerce platform for several hours. During her investigation, she noticed that the logs are full of millions of connection attempts from systems around the world, but those attempts were never completed. What type of attack likely took place?

    A. Cross-site scripting

    B. DDoS

    C. DoS

    D. Cross-site request forgery

44. In which one of the following attacks against Bluetooth technology is the attacker able to steal information from the device?

    A. Blueballing

    B. Bluejacking

    C. Bluesnarfing

    D. Bluefeeding

45. What is the most dangerous consequence that commonly occurs as the result of a buffer overflow attack?

    A. Account enumeration

    B. Denial of service

    C. Information disclosure

    D. Arbitrary command execution

46. Which one of the following would not be considered an OSINT tool?

    A. Website perusal

    B. WHOIS lookups

    C. Google searches

    D. Vulnerability scans

47. Which one of the following is not a likely consequence of system sprawl?

    A. Improper input validation

    B. Undocumented assets

    C. Excess costs

    D. Unsupported systems

48. Tonya is developing a web application and is embedding a session ID in the application that is exchanged with each network communication. What type of attack is Tonya most likely trying to prevent?

    A. Man-in-the-middle

    B. Replay

    C. Buffer overflow

    D. SQL injection

49. Carla found the following page on her web server. What type of attacker most likely waged this attack?
    

    Figure 1.9

    Note

    The above question is included as an example of a security attack. The publisher does not endorse the political message conveyed by the image, nor wish to cause any offence.

    A. Hactivist

    B. APT

    C. Script kiddie

    D. Organized crime

50. Which one of the following attackers is most likely to understand the design of an organization's business processes?

    A. Script kiddie

    B. APT

    C. Insider

    D. Hacktivist

51. Kevin is configuring a vulnerability scan of his network. He would like the scan to be a non-intrusive scan and is using the configuration settings shown here. Which setting should he modify?
    

    Figure 1.10

    A. Enable safe checks.

    B. Stop scanning hosts that become unresponsive during the scan.

    C. Scan IP addresses in a random order.

    D. Slow down the scan when network congestion is detected.

52. Frank is responsible for administering his organization's domain names. He recently received a message from their registrar indicating that a transfer request was underway for one of their domains, but Frank was not aware of any request taking place. What type of attack may be occurring?

    A. DNS spoofing

    B. IP spoofing

    C. Domain hijacking

    D. ARP spoofing

53. Morgan is a web developer who's responsible for implementing an authentication system. She knows that she should store hashed versions of passwords rather than the passwords themselves but chooses to use unsalted passwords. What type of attack does this make the application more susceptible to?

    A. Offline brute force attack

    B. Online brute force attack

    C. Rainbow table

    D. Collision

54. Kelly detected an attack on her network where the attacker used aircrack-ng to create a wireless network bearing her company's SSID. The attacker then boosted the power of that access point so that it was the strongest signal in an executive office area, prompting executive devices to connect to it. What type of attack took place?

    A. Bluesnarfing

    B. Jamming

    C. Evil twin

    D. WPS

55. Which one of the following attributes is NOT a characteristic of APT attackers?

    A. Patience

    B. Large amounts of money

    C. Sophisticated exploits

    D. Brute force

56. Which one of the following security controls is most effective against zero-day attacks?

    A. Vulnerability scans

    B. Signature-based antivirus software

    C. Application control

    D. Intrusion prevention systems

57. Chris is investigating a security incident at his organization where an attacker entered the building wearing a company uniform and demanded that the receptionist provide him access to a network closet. He told the receptionist that he needed to access the closet immediately to prevent a major network disaster. Which one of the following principles of social engineering did the attacker NOT exploit?

    A. Consensus

    B. Authority

    C. Intimidation

    D. Urgency

58. Ann works for an organization that recently opted to discontinue the support service on their network devices to control costs. They realized that it would be less expensive to replace devices when they fail than to use the costly replacement plan that was included in their support contract. What should be Ann's primary concern from a security perspective?

    A. Time required to replace a failed device

    B. Cost of replacing devices

    C. Lack of access to vendor patches

    D. Lack of access to vendor support personnel

59. Which one of the following controls would be LEAST effective against a privilege escalation attack?

    A. HIPS

    B. Patching

    C. Data Execution Prevention

    D. Firewall rule

60. Warren is conducting a penetration test and has gained access to a critical file server containing sensitive information. He is now installing a rootkit on that server. What phase of the penetration test is Warren conducting?

    A. Active reconnaissance

    B. Persistence

    C. Escalation of privilege

    D. Pivot

61. Which one of the following security vulnerabilities is NOT a common result of improper input handling?

    A. DDoS

    B. SQL injection

    C. Cross-site scripting

    D. Buffer overflow

62. What type of access must an attacker have to successfully carry out an ARP poisoning attack against a target?

    A. Access to the target's LAN

    B. Administrative access on the target's system

    C. Normal user access on the target's system

    D. Access to the target's network firewall

63. Which one of the following cryptographic attacks may be used to find collisions in a hash function?

    A. Birthday attack

    B. Meet-in-the-middle attack

    C. Man-in-the-middle attack

    D. Chosen plaintext attack

64. Bob is charged with protecting the service shown here from an attack being waged by Mal. What control would best protect against this threat?
    

    Figure 1.11

    A. Adding TLS encryption

    B. Changing the hash algorithm

    C. Changing Alice's password

    D. Using a shadow password file

65. After running a vulnerability scan, Charlie identified 10 Windows XP systems running on the network. Those systems support critical business hardware that is over 10 years old and it is not possible to replace the hardware. What is the primary issue that Charlie needs to address?

    A. Obsolete operating system

    B. Incorrectly configured firewall

    C. Outdated hardware

    D. User security awareness

66. Patty is approached by an end user who is trying to visit a banking website and sees the following error message. What type of attack is most likely taking place?
    

    Figure 1.12

    A. Social engineering

    B. This is a routine error and no attack is likely

    C. Man-in-the-middle

    D. Certificate pinning

67. During a security review, Terry identified a system that is using the RC4 cipher with a 40-bit key to protect communications between systems using the Remote Desktop Protocol. Which one of the following findings would be appropriate for Terry to include in his report on the risk of this service?

    A. There is not enough information to reach a conclusion.

    B. The key length is too short and should be increased to 1,024 bits.

    C. RC4 is an insecure cipher and should not be used.

    D. The system is using a secure cipher with an appropriate key length.

68. Joan is trying to break a cryptographic algorithm where she has the encryption key but does not have the decryption key. She is generating a series of encrypted messages and using them in her cryptanalysis. Which term best describes Joan's attack?

    A. Known plaintext

    B. Chosen plaintext

    C. Chosen ciphertext

    D. Known ciphertext

69. Kristen is investigating wireless signal interference in her building and suspects that jamming might be taking place. Which one of the following actions can help her rule out the intentional jamming of her wireless signal?

    A. Moving antenna locations

    B. Changing the Wi-Fi channel

    C. Changing power levels

    D. Testing a variety of devices

70. While investigating a security incident, Ryan discovers that the attacker entered the information shown here in the login box for a web application. What type of attack was likely taking place?
    

    Figure 1.13

    A. LDAP injection

    B. Blind SQL injection

    C. SQL injection

    D. Cross-site scripting

71. Melanie is designing an authentication scheme for a web application and wishes to protect the site against session hijacking attacks. She would like to ensure that cookies containing session credentials are only sent via encrypted connections. What attribute should she set on cookies that are used for session identification?

    A. Expire

    B. HttpOnly

    C. SameSite

    D. Secure

72. Ken is conducting a penetration test of one of his organization's clients. He gains access to a web server located in the DMZ using a buffer overflow attack and is now attempting to gain access to systems on the internal network. What stage of the attack has Ken reached?

    A. Reconnaissance

    B. Pivot

    C. Persistence

    D. Escalation of privilege

73. Rob is troubleshooting a production application in his organization. He discovers that after the application has been running for about a week, it begins producing repeated errors. When he reboots the system, it works fine for another week, until the errors start recurring. What is the most likely cause of this issue?

    A. Insider attack

    B. Logic bomb

    C. Buffer overflow

    D. Memory leak

74. Vince runs the MD5 hash function against three files on his system. He knows that each of the three files contains log entries from different days. What has occurred?
    

    Figure1.14

    A. Use of a secure hash function

    B. Decryption

    C. Collision

    D. Syntax error

75. After running an Nmap scan of a new web server being commissioned on her network, Karen discovered the results shown here. Which port should Karen prioritize for investigation and remediation?
    

    Figure 1.15

    A. 443

    B. 22

    C. 80

    D. 23

76. The POODLE attack rendered the SSL protocol insecure and prompted many websites to replace SSL with TLS. What type of attack is POODLE?

    A. Disassociation

    B. Downgrade

    C. Bluesnarfing

    D. Evil twin

77. Vince is investigating the compromise of a user's account credentials. The user reports that, in addition to her corporate account, the passwords to many of her online banking and bill payment accounts were also compromised. Vince examines her computer and determines that there is an unusual piece of hardware connected between the keyboard and the computer. What type of attack has most likely taken place?

    A. Bot

    B. Spyware

    C. Keylogger

    D. Adware

78. Larry is evaluating a dynamic web application that uses a web server with a database back end, as shown in the following diagram. The web server is configured to connect to the database server with a database administrative account. Which one of the following statements is correct about this configuration?
    

    Figure 1.16

    A. The web server should use an OS administrator account to connect to the database.

    B. The web server should use a limited privilege account to connect to the database.

    C. This configuration is reasonable.

    D. The web server should not connect directly to the database server.

79. Which one of the following attacks allows the theft of information from a mobile device over a wireless connection that directly connects the attacker to the device?

    A. Bluejacking

    B. Evil twin

    C. Bluesnarfing

    D. Session hijacking

80. In a recent social engineering attack, the attacker found an employee of the target company at his gym and struck up a friendship there for several months before trying to slowly extract sensitive corporate information from the employee. What principle of social engineering is the attacker trying to exploit?

    A. Consensus

    B. Authority

    C. Urgency

    D. Familiarity

81. During a penetration test, the testers sent the following email to a clerk in an organization's Accounts Payable department. What type of attack took place?
    

    Figure 1.17

    A. Spear phishing

    B. Whaling

    C. Vishing

    D. Smishing

82. Which one of the following device types is most susceptible to a pass-the-hash attack?

    A. VPN concentrator

    B. Network firewall

    C. Windows server

    D. Hardware security module

83. Vince is concerned about the execution of SQL injection attacks against the database supporting his organization's e-commerce website. Which one of the following controls would NOT be an effective defense against these attacks?

    A. Parameterized queries

    B. WAF

    C. Indexing

    D. Stored procedures

84. Norm is concerned that his organization may be the target of a theft of trade secrets by a competitor working with an insider to steal sensitive files. What security control would be the most helpful in detecting attempts to remove that sensitive information from the organization?

    A. IPS

    B. DLP

    C. Firewall

    D. TLS

85. Elliott is frustrated by the number of false positive reports being returned by his vulnerability scans. Which one of the following actions is MOST likely to reduce the number of false positive reports?

    A. Implement credentialed scanning

    B. Decrease the scan's sensitivity

    C. Disable safe checks

    D. Increase the size of the target network

86. During a recent security investigation, Cam discovered the device shown here sewn into a briefcase belonging to a senior executive. What type of transmission was most likely used to communicate with this device?
    

    Figure 1.18

    A. Cellular

    B. Bluetooth

    C. Wi-Fi

    D. RFID

87. Dave discovers that a piece of malware running on a system has been loading the feeds of strange Twitter accounts that contain tweets similar to the one shown here. What type of malware likely exists on this system?
    

    Figure 1.19

    A. Trojan horse

    B. Virus

    C. Worm

    D. Botnet

88. Rick would like to use vulnerability scanning results as part of a penetration test he is undertaking. The penetration test is scoped as a black box test. Which one of the following scan reports would be the most useful and appropriate for Rick to obtain from management before conducting the test?

    A. Internal scan report

    B. External scan report

    C. Credentialed scan report

    D. Agent-based scan report

89. After running a vulnerability scan, Carl detects a missing patch on a Windows server. When he investigates the server, he determines that the patch is actually applied. What condition has occurred?

    A. True positive

    B. False negative

    C. False positive

    D. True negative

90. After conducting a vulnerability scan, Kaiden discovers the vulnerability shown here on several of his organization's web servers. What is the most likely direct impact of these vulnerabilities?
    

    Figure 1.20

    A. An attacker can disrupt access to the web server.

    B. An attacker can obtain information about the inner functioning of the web application.

    C. An attacker can steal information from the database supporting this application.

    D. An attacker can gain administrative access to the web server.

91. Carla noticed unusual spikes in network activity and, upon further investigation, determined that there is an usually high number of outbound DNS query responses. She also noticed that the query responses are significantly larger than the queries themselves. What type of attack should Carla suspect?

    A. Cross-site scripting

    B. Amplification

    C. DNS poisoning

    D. Pass-the-hash

92. Shortly after Trish's organization fired a software developer, code on a server activated that determined that the developer was no longer employed and deleted the source code from her projects. What type of attack did Trish's organization experience?

    A. Logic bomb

    B. Trojan horse

    C. Worm

    D. RAT

93. Dawn is conducting the reconnaissance phase of a penetration test and would like to identify the registered owner of a domain name. Which one of the following tools would be the most likely to provide her with this information?

    A. Whois

    B. Nslookup

    C. Dig

    D. Ping

94. Which one of the following controls is the most effective way to protect against security-related architectural and design weaknesses?

    A. Deploying intrusion prevention systems

    B. Carefully maintaining network firewall rules

    C. Implementing employee background checks

    D. Including security team members in the project management process

95. Barry is the administrator of a message board that's used by his organization's clients to communicate with each other. One client posted a message on the board that contained script code that caused the browsers of other users to carry out malicious actions when they viewed the message. What type of attack took place?

    A. XSRF

    B. Reflected XSS

    C. DOM XSS

    D. Stored XSS

96. Mal is an attacker associated with an advanced persistent threat (APT) organization. Her team recently discovered a new security vulnerability in a major operating system and has not informed anyone of this vulnerability. What type of attack is Mal's organization in a position to wage?

    A. SQL injection

    B. Zero-day

    C. Man-in-the-browser

    D. Spoofing

97. Which one of the following technologies would be the most useful in preventing man-in-the-middle attacks?

    A. TLS

    B. SSL

    C. Digital certificates

    D. Input validation

98. Harold is examining the web server's logs after detecting unusual activity on the system. He finds the log excerpt shown here. What type of attack did someone attempt against this system based upon the data shown in these logs?
    

    Figure 1.21

    A. Cross-site scripting

    B. Domain hijacking

    C. SQL injection

    D. Directory traversal

99. Which one of the following attacks exploits a race condition in a software implementation?

    A. Integer overflow

    B. Buffer overflow

    C. SQL injection

    D. TOC/TOU

100. Which one of the following devices is capable of carrying out a rogue AP attack against a Wi-Fi network with minimal configuration?

     A. Switch

     B. Router

     C. Orange

     D. Pineapple

101. Carla's firm is preparing to deploy a large network of Internet of Things sensors. Which one of the following is the least common security concern with IoT deployments?

     A. Data encryption

     B. Patches to embedded operating systems

     C. Network segmentation

     D. Multifactor authentication

102. Hank ran a vulnerability scan of one of his organization's web servers and found the two vulnerabilities shown here. What is the most expedient way for Hank to correct this issue?
     

     Figure 1.22

     A. Modify the ciphers used by SSL/TLS

     B. Upgrade to SSL 3.0

     C. Upgrade to TLS 1.2

     D. Replace the digital certificate

103. Mal is engaging in an IP spoofing attack against a target organization over the internet. Which one of the following limitations does the attack have if Mal has complete control of her own network?

     A. Mal will not be able to receive responses to requests.

     B. Mal will not be able to send packets onto the internet with spoofed addresses.

     C. Mal will not be able to insert a spoofed IP address into her network traffic.

     D. Mal will not be able to conduct a denial of service attack.

104. Nate is the first person to arrive in the office one morning and he discovers that a piece of malware is spreading from system to system on his network, exploiting the MS08-067 vulnerability in Microsoft Windows. What term best describes this malware?

     A. Virus

     B. Trojan horse

     C. Worm

     D. Logic bomb

105. Noah is a cybersecurity analyst for a mid-sized business. He is working with the user of a machine that is exhibiting suspicious behavior. The anomalous activity began immediately after the user downloaded and installed software from the internet and Noah suspects that it contained malware. What term best describes the malware in this situation?

     A. Trojan horse

     B. Virus

     C. Worm

     D. Logic bomb

Domain 1 Answers and Explanations

1. D. Most automated attacks assume that a Windows system still contains a default account named Administrator and try to exploit that account. Changing the name makes it less likely that these attacks will stumble upon the account.
2. D. In a domain hijacking attack, the attacker changes the registration of a domain with the registrar. DNS and ARP poisoning attacks may redirect web traffic, but they would do so by providing bogus address information, not by hijacking the domain. Network eavesdropping could theoretically be used to steal credentials that are used to alter information with a registrar, but this is unlikely. The most likely source of a domain hijacking attack is using social engineering with the registrar to gain access to the account being used to manage registration information.
3. A. Cross-site scripting relies upon embedding HTML tags in stored or reflected input. The < and > characters are used to denote HTML tags and should be carefully managed when seen in user input.
4. B. The fact that the legitimate server responds to requests made by an IP address indicates that the attacker is not performing IP spoofing or ARP spoofing. There is no indication that the URL is incorrect, so Darren can rule out typosquatting. The most likely attack in this scenario is DNS poisoning. Darren can verify this by manually changing the system to a different DNS server, clearing the system's DNS cache, and attempting to resolve the name again.
5. B. Pixie Dust attacks are a specialized attack that's used to retrieve the Wi-Fi Protected Setup (WPS) PIN code for a network. Pixie Dust attacks will not work if WPS is not enabled on the network.
6. A. The two major categories of attack against device drivers are shimming and refactoring. In a shimming attack, the attacker wraps his or her own malicious code around the legitimate driver. Shimming attacks do not require access to the driver's source code. In a refactoring attack, such as this one, the attacker actually modifies the original driver's source code.
7. D. Discovery scans are designed to identify systems on the network and can be used to detect undocumented assets that are the result of system sprawl.
8. D. The Data Encryption Standard (DES) is an outdated, insecure algorithm that should not be used in modern applications. Triple DES (3DES) is a secure alternative that uses three rounds of DES encryption. The Advanced Encryption Standard (AES) and Elliptic Curve Cryptosystem (ECC) are also modern, secure cipher suites.
9. A. Social engineering is an active technique because it involves interaction with the target organization. Attackers may conduct open source intelligence gathering, including domain name searches, using only external resources that will not alert the target organization. Wireless network eavesdropping may also be conducted from a location outside of the organization's facilities without alerting the organization to their presence or interacting with target systems.
10. B. This is an example of a watering hole attack. These attacks place malicious code on a website frequented by members of the target audience. There is not sufficient information to determine whether the malicious code was spyware or a Trojan horse, or whether it delivered a denial of service payload.
11. C. The social engineer is using the Microsoft header in an attempt to exploit the trust that the recipient has for Microsoft. This attack also exploits the principles of authority, familiarity, and urgency. There is no note of scarcity or consensus in the message. The attacker is indeed trying to intimidate the recipient, but the intimidation is contained within the virus hoax message, not the Microsoft header.
12. C. The root cause of this issue is that FTP is an insecure protocol and Kristen can resolve this problem by replacing it with a secure alternative, such as SFTP. Requiring strong passwords or multifactor authentication would not resolve this problem as an attacker could still eavesdrop on those connections and obtain user passwords. Discontinuing the file transfer service would resolve the vulnerability, but it is not a good solution because it would unnecessarily disrupt whatever business processes take place on this server.
13. B. Social engineering attacks depend on user error, and training can dramatically reduce the success rate of these attacks. Buffer overflow attacks, denial of service attacks, and ARP poisoning attacks are not generally preventable by end users and, therefore, training the sales team would not be an effective defense against them.
14. A. A memory leak is a software flaw and, since this is an internally developed application, the developer is the person who's the most likely to be able to correct it. If the issue were in a commercially purchased application, a system administrator may be able to correct the issue by applying a patch, but that is not the case in this scenario.
15. B. This is a clear example of a distributed denial of service (DDoS) attack. The system is flooding the target with connection requests, hoping to overwhelm it. The port and IP address are not changing, so this is not indicative of a scanning attack. There is no indication that the connection is completed, so it cannot be a SQL injection attack.
16. C. All of the controls mentioned in this question would improve the security of this scenario. However, the best way to handle sensitive information is to not retain it in the first place. It is unlikely that there is a valid business reason for storing copies of records containing customer credit card information. Therefore, the most appropriate solution would be to modify the business process to avoid this inappropriate data retention.
17. A. DNS poisoning works by injecting false information into a user's local DNS servers. Adding redundant or off-site DNS servers would not reduce the likelihood of a successful attack. Blocking DNS traffic with firewall rules would disrupt the service for legitimate users. The DNSSEC protocol adds a verification layer to ensure that DNS updates come from trusted sources, reducing the likelihood of a successful DNS poisoning attack.
18. B. This is an example of a SQL injection attack because the attacker is inserting his or her own commands into a SQL database query. This particular example is slowing down responses when the answer is correct to ferret out the characters of a password, one by one. That is an example of a timing-based SQL injection attack.
19. A. All of the possible answers have the effect of blocking some DNS requests. The most effective technique to prevent DNS amplification is to disable open resolution so that external users may not make arbitrary recursive requests against the server. Blocking internal requests would have no effect on the attack. Blocking all external requests or blocking port 53 at the firewall would prevent all external requests, preventing the server from fulfilling its purpose as a public DNS server.
20. A. DNS amplification is a denial of service technique that sends small queries with spoofed source addresses to DNS servers, generating much larger, amplified responses back to the spoofed address. The purpose is to consume all of the bandwidth available to the target system, resulting in a resource exhaustion denial of service attack.
21. A. This attack is a DLL injection attack. In a DLL injection, the attacker forces an existing process to load a dynamically linked library that contains unauthorized code.
22. C. Advanced persistent threats (APTs) are characterized by a high level of sophistication and significant financial and technical resources. Other attackers, including script kiddies, criminals, and hacktivists, are not likely to have anywhere near the same sophistication as an APT attacker (such as a national government).
23. D. In a black box attack, the attacker does not have access to any information about the target environment before beginning the attack. In a grey box attack, the attacker has limited information. In a white box attack, the attacker has full knowledge of the target environment before beginning the attack.
24. A. In a man-in-the-browser attack, the attacker manages to gain a foothold inside the user's browser, normally by exploiting a browser extension. This gives him or her access to all of the information that's accessed with the browser, regardless of whether the site uses strong authentication or transport encryption (such as TLS). Certificate pinning is a technique that's used to protect against inauthentic digital certificates and would not protect against a man-in-the-browser attack.
25. D. A web application firewall (WAF), if present, would likely block SQL injection attack attempts, making SQL injection vulnerabilities invisible to a vulnerability scanner. A data loss prevention system (DLP) does not protect against web application vulnerabilities such as SQL injection. An intrusion detection system (IDS) might identify a SQL injection exploit attempt, but it is not able to block the attack. Transport layer security (TLS) encrypts web content but encryption would not prevent an attacker from engaging in SQL injection attacks.
26. B. The key to this question is focusing on the encryption algorithms used by each option. Three of the four options use AES 256-bit encryption, which provides strong cryptography. One uses RC4 encryption, which is a weak implementation of cryptography and should be avoided.
27. B. The use of self-signed certificates is not, by itself, cause for alarm. It is acceptable to use self-signed certificates for internal use. Val should conduct a risk assessment to identify whether this use is appropriate and replace any certificates used by external users.
28. A. The MX record identifies the mail server for a domain. A records are used to identify domain names associated with IP addresses, while CNAMES are used to create aliases. Start of Authority (SOA) records contain information about the authoritative servers for a DNS zone.
29. A. These vulnerabilities both relate to the encryption of the service running on port 3389, which is used by the Remote Desktop Protocol (RDP). Upgrading this encryption should resolve these vulnerabilities. There is no indication that an HTTPS service is running on this device. Disabling the network port would disrupt the service. Gina should take action because this is an easily corrected vulnerability.
30. D. This is most likely a straightforward phishing attack. The message is generic and not targeted at a specific user, as you would find in a spear phishing attack. Although the user is an executive, there is no indication that the message was specifically sent to this user because of his status as an executive, so it is not likely to be a whaling attack. The attack was sent over email, not the telephone, so it is not an example of vishing.
31. C. If Dan's organization used a security information and event management (SIEM) solution, Dan would not need to gather information from this wide variety of sources. Instead, the SIEM would collect and correlate this information, providing Dan with a single place to review correlated data.
32. D. Address space layout randomization (ASLR) is a security technique that randomizes the location of objects in memory, making a buffer overflow attack less likely to succeed. Virtual private networks (VPN) provide transport encryption and data loss prevention (DLP) systems provide protection against data exfiltration. Neither would be effective against buffer overflow attacks. Intrusion detection systems (IDS) may identify a buffer overflow attack but would not prevent it from succeeding.
33. A. The message shown in the capture is a deauthentication message. These messages are often used in disassociation attacks, where the attacker attempts to force the disconnection of a client from a legitimate access point. IV attacks use cryptanalysis on the initialization vectors (IVs) that are used in establishing a Wi-Fi session. Replay attacks attempt to reuse credentials captured during a legitimate session to establish unauthorized wireless connections. Bluesnarfing attacks leverage Bluetooth technology, which is not in use in this scenario.
34. B. Phishing is a form of social engineering, and its effectiveness depends upon the susceptibility of users to this type of attack. While some technical controls, such as email content filtering, may be useful against phishing attacks, the most effective defense is user awareness training.
35. B. In a MAC spoofing attack, the local switch is normally fooled into believing the spoofed address and will route reply traffic back to the device spoofing an address. IP spoofing and email spoofing work at the application layer and, in most cases, the attacker will not receive any responses to spoofed messages. RFID spoofing is not a common type of attack.
36. D. Disassociation attacks intentionally disconnect a wireless user from their access point to force a reauthentication that the attacker may collect with a wireless eavesdropping tool. Brute force attacks, rainbow table attacks, and replay attacks do not gather network traffic and, therefore, would not be useful in this scenario.
37. C. Joe is a script kiddie because he does not leverage his own knowledge but merely applies tools written by others. Advanced persistent threats or elite hackers (31337 h4x0r) use sophisticated, customized tools. Joe is not a penetration tester because he does not have authorization to perform the scans.
38. D. Nmap, Nessus, and Metasploit are all active reconnaissance tools that interact with their target environments. Aircrack-ng may be used to passively gather information about a wireless network and crack a pre-shared key.
39. B. Jake may safely share the CRT file, which contains a copy of the organization's public X.509 certificate. The KEY and PEM files contain copies of the organization's private keys, which must be kept secret and secure. The CSR file is a certificate signing request, which is sent to the CA when requesting a signed digital certificate. There is no need to share this file publicly.
40. B. Rootkits are specialized attack tools that allow an attacker to escalate privileges. They exploit system vulnerabilities to leverage a normal user account to gain administrative privileges on the system.
41. B. This is a very low priority vulnerability. The report shows that it has a severity of one on a five-point scale, placing it into the category of informational messages. There are likely hundreds or thousands of similar issues elsewhere on the network. Therefore, there is no need for Paul to take any action.
42. A. In this case, Gary should use an offline bruteforce attack against the password file. An online attack would not leverage the password file that he obtained and would likely be slower and attract attention. A dictionary attack is not effective against a site with a strong password complexity policy. A rainbow table attack suffers the same deficiency as a dictionary attack with the added problem that the site uses salted hashes, rendering the rainbow table ineffective.
43. B. This is a clear example of a distributed denial of service (DDoS) attack. The half-open connections indicate the use of a denial of service attack. The fact that the requests came from all over the world makes it clear that it is more than a standard denial of service attack. There is no indication that there was a web application flaw, such as cross-site request forgery or cross-site scripting.
44. C. In a bluesnarfing attack, the attacker establishes a Bluetooth connection to a target device and then retrieves information from that device. Bluejacking attacks only allow the attacker to display a message on the device. Blueballing attacks allow an attacker to break an existing Bluetooth connection between two devices. Bluefeeding attacks do not exist.
45. D. While any of these actions may result from a buffer overflow attack, they are all the result of the more general arbitrary command's execution capability. After a successful buffer overflow, the attacker can typically execute any commands they would like on the system. This effectively gives the attacker full control of the device.
46. D. Open source intelligence (OSINT) includes the use of any publicly available information. This includes domain registration records found in WHOIS entries, the contents of public websites, and the use of Google searches. Vulnerability scans are an active reconnaissance technique and are not considered OSINT.
47. A. System sprawl may lead to undocumented systems that are running without the knowledge of the IT organization. These systems may serve no useful purpose, contributing to excess costs. They may also have no assigned IT support personnel, leading to unpatched systems and security vulnerabilities. Input validation is an application security technique and system sprawl would not necessarily lead to increased failures to perform proper input validation.
48. B. Session tokens, or session IDs, are used to prevent an eavesdropper from stealing authentication credentials and reusing them in a different session in what is known as a replay attack. The use of session IDs would not prevent an attacker from carrying out an application layer attack, such as a buffer overflow or injection. It also would not be effective against a man-in-the-middle attack, as the attacker could simply establish a secure session with the server and would, therefore, have access to the session ID.
49. A. This website defacement attack has a clear political message, making the attacker a hacktivist. It is unlikely that an advanced persistent threat or organized crime ring conducted this attack because there is no obvious non-activist motive. There is not enough information to conclude that the attack was waged by a script kiddie because we do not know how the site was compromised.
50. C. Insider attacks are particularly dangerous because they involve internal employees, contractors, or other individuals with access to systems and knowledge of business processes. Other attackers are less likely to have access to this information.
51. A. Enabling safe checks tells the scanner to only use scan plugins that are non-intrusive. The other settings would not change the plugins that are used by the scanner. Configuring the scanner to stop scanning hosts that become unresponsive implies that the scan has already disrupted the host. Changing the order or speed of the scan would not change the tests that are performed.
52. C. This is not likely to be a spoofing attack because there is no evidence that an attacker is falsifying address information in network traffic. However, it is quite possible that an attacker is attempting to steal a domain registration using a domain hijacking attack. Frank should contact the registrar and cancel the request. He should also consider locking the domain to prevent any future unauthorized transfer.
53. C. In a rainbow table attack, the attacker computes the hash values of common passwords and then searches the password file for those values. Adding a random salt to the password eliminates the performance benefit of this attack. Brute force attacks (online or offline) would not be more or less effective either way. The use of salting does not decrease the likelihood of a collision.
54. C. In this attack, the perpetrator created a false wireless network, otherwise known as an evil twin. Although the attacker boosted the power of the signal to make the evil twin signal stronger than other signals, there is no indication of attempts to jam signals from legitimate access points. There is no indication in the scenario that Bluetooth or WPS technology was involved.
55. D. Advanced persistent threat (APT) attackers are sophisticated attackers who generally have the support of a nation-state or other large organization that provides them with significant financial resources and sophisticated tools. They often pursue their targets very patiently until they are able to exploit a vulnerability. APT attackers operate stealthily and would avoid using brute force techniques.
56. C. Zero-day attacks are attacks that are not previously known to the security community. Therefore, signature-based controls, such as vulnerability scans, antivirus software, and intrusion prevention systems, are not effective against these attacks. Application control software may use whitelisting to limit software running on a system to a list of known good applications. This technique may prevent zero-day malware from running on the protected system.
57. A. The attacker entered the building wearing a uniform, which is a sign of authority. He threatened the receptionist (intimidation) with an impending network outage (urgency). There is no indication that he tried to build consensus.
58. C. While all of these concerns are legitimate, the lack of access to vendor patches should be Ann's primary security concern. Most vendors require a valid support agreement to obtain firmware updates and devices without those updates may have serious security vulnerabilities. Ann should consider pursuing a less costly support agreement that does not include the expensive hardware replacement feature but does provide access to security updates.
59. D. Patching operating systems will address security vulnerabilities that may allow privilege escalation attacks. Host intrusion prevention systems (HIPS) may detect and block privilege escalation attempts. Data Execution Prevention (DEP) prevents the system from executing unauthorized code that could result in privilege escalation. Firewalls do not offer an effective defense because an attacker attempting privilege escalation already has a foothold on the system.
60. C. Warren is using a rootkit to attempt to gain administrative privileges on the server. This is an example of an escalation of privilege attack.
61. A. SQL injection, cross-site scripting, and buffer overflow attacks all occur when applications do not properly screen user-provided input for potentially malicious content. DDoS attacks use botnets of compromised systems to conduct a brute force resource exhaustion attack against a common target.
62. A. ARP poisoning attacks work by broadcasting false MAC address information on the local area network (LAN). ARP traffic does not travel over the internet or across broadcast domains, so the attacker must have access to the local network segment to carry out an ARP poisoning attack. The attacker does not need access to the target system or any network devices, including firewalls.
63. A. A birthday attack is used to find collisions in a hash function. If successful, a birthday attack may be used to find substitute content that matches a digital signature. It takes its name from the mathematical birthday problem, which states that it only takes 70 people in a room to have a 99.9% probability that two will share the same birthday.
64. A. The image shows an example of a replay attack, where Mal obtains a copy of Alice's hashed password by sniffing a network connection and then reuses that hash to log in to the server. Changing Alice's password or the hash algorithm would prevent Mal from using the hash he already captured, but he could just repeat the attack to obtain the new hash. Using a shadow password file is good practice but it would not be effective against this attack because Mal is not accessing a password store on the server. Using TLS encryption to protect the session would prevent Mal from sniffing the hashed password.
65. A. While any of these issues may exist, the pressing issue that Charlie must resolve is the fact that the computers are running Windows XP, an end-of-life operating system. Microsoft no longer releases security patches for the OS, and this may cause a critical security issue. If Charlie cannot upgrade the operating system, he should implement other compensating controls, such as placing these systems on an isolated network.
66. C. This is a serious error, indicating that the name on the certificate does not match the name on the server and that the certificate was not issued by a trusted CA. It is very possible that a man-in-the-middle attack is taking place and that the certificate is being presented by an attacker. Patty should warn the user not to visit the site and investigate further.
67. C. The RC4 cipher has inherent security vulnerabilities and is not considered secure, regardless of the key length. Therefore, Terry should include a recommendation in his report that the cipher is replaced with a secure alternative.
68. B. This is a tricky question because any of the answers other than chosen ciphertext could be correct. We can rule out that answer because Joan cannot choose her own ciphertext. She can, however, choose the plaintext that's used to create the ciphertext. When she does choose her own plaintext, she must, therefore, have knowledge of the plaintext. Once she encrypts the message, she also has access to the ciphertext. However, the best term to describe this attack is a chosen plaintext attack because it is the most specific of the three names. Every chosen plaintext attack is also a known plaintext and a known ciphertext attack.
69. B. While all of these are reliable troubleshooting tools, changing the Wi-Fi channel is the best way to detect intentional interference. If Kristen changes the channel and the interference initially goes away but later reappears, it is possible that an attacker is intentionally jamming her network.
70. A. The code shown here is a clear example of an LDAP injection attack. The attacker is attempting to bypass the password security controls of the application by modifying the LDAP query to accept any password provided by the attacker as authentic.
71. D. The Secure attribute instructs the browser to only transmit the cookie via an encrypted HTTPS connection. The HttpOnly attribute does not affect encryption but rather restricts scripts from accessing the cookie via DOM objects. The SameSite attribute prevents the cookie from being shared with other domains, while the Expire attribute sets an expiration date for the cookie.
72. B. Ken is at the pivot stage of the attack. He has gained a foothold in one system and is now attempting to use that access to pivot, or gain access to, other systems.
73. D. The symptoms described here are the classic symptoms of a memory leak. The system is slowly depleting memory as it runs until it finally runs out of available memory, resulting in errors. When Rob reboots the system, it clears out available memory and begins the cycle anew.
74. C. Files 1 and 3 have identical hash values but different content. This is a security issue known as a collision and indicates that the hash function is not secure. There is no syntax error as the hashes were computed properly. Hash functions produce message digests. They do not perform encryption or decryption.
75. D. Port 23 is used by telnet, an insecure protocol for administrative connections to a server. This service should be disabled and replaced with SSH, which uses port 22. Ports 80 and 443 are commonly open on a web server.
76. B. POODLE is a downgrading attack that forces sites using SSL to revert to insecure cipher suites, rendering their communications susceptible to eavesdropping attacks.
77. C. While any type of malware could be responsible for the symptoms described by the user, the compelling piece of evidence in this scenario is that Vince discovered an unusual hardware device attached to the keyboard. This is most likely a keylogger.
78. B. This is a common and reasonable architecture for a dynamic web application where the web server initiates a connection to the database server. However, the connection should not take place with an administrative account. Instead, the database administrator should create a limited privilege service account that restricts the activity performed by the web application. This limits the impact of an attack that compromises the web server and takes over the database connection.
79. C. Bluesnarfing attacks use Bluetooth connections to steal information stored on the target device. Bluejacking attacks also exploit Bluetooth connections but they only allow people to send messages to the device and do not allow the theft of information. Evil twin attacks set up false SSIDs but do not necessarily directly connect the attacker to the target device. Session hijacking attacks do not necessarily take place over a wireless connection and involve a third-party website rather than a direct connection.
80. D. This is a clear example of familiarity and liking. The attacker built up a relationship over time with the employee until they had a strong bond. He then leveraged that relationship to slowly extract information from the target.
81. A. This is an example of a spear phishing attack that was designed specifically for someone in the Accounts Payable department of this firm. It is not a whaling attack because it is targeting a clerk, not a senior executive. It was not conducted by telephone or SMS, so it is not a vishing or smishing attack.
82. C. Pass-the-hash attacks exploit a vulnerability in the NTLM authentication protocol that's used by Windows systems. The attack is not possible against non-Windows systems.
83. C. Web application firewalls are capable of detecting and filtering SQL injection attack attempts and would be an effective control. Stored procedures and parameterized queries both limit the information sent from the web application to the database and also serve as an effective control against SQL injection attacks. Indexes are used to enhance database performance and would not prevent an injection attack.
84. B. Data loss prevention (DLP) systems are designed to detect and block the exfiltration of sensitive information. While an intrusion prevention system (IPS) or firewall may be able to reduce the likelihood of a successful attack, they are not designed for this purpose. The use of TLS encryption would not prevent an attack as it protects data while in transit but not at rest.
85. A. Implementing credentialed scanning would improve the quality of the information provided to the scanner and, therefore, would lower the false positive rate. Decreasing the scan's sensitivity would lower the threshold for an alert and increase the false positive rate. Disabling safe checks and increasing the size of the target network would both increase the number of scan tests performed and, absent of any other change, would have the effect of increasing the number of false positive reports.
86. D. This is an example of a radio frequency identification (RFID) transmitter. RFID is a form of near-field communication (NFC) that is used to communicate over short distances. This device could be used to track the physical presence of the executive when within range of a receiver.
87. D. These tweets are an example of botnet command and control traffic. The Twitter account is directing the infected system to engage in distributed denial of service attacks.
88. B. During a black box test, the attacker should not have access to any non-public information. It is reasonable to assume that any member of the public could conduct an external vulnerability scan, and so there is no harm in expediting the penetration test by providing Rick with the results of an external scan. However, he should not have access to scans that would require additional access. These include credentialed scans, agent-based scans, and internal scans.
89. C. A false positive error occurs when a security system reports a condition that does not actually exist. In this case, the vulnerability scanner reported a missing patch, but that report was in error and, therefore, a false positive report.
90. B. This issue means that the web server will provide detailed error messages when an error condition occurs. These error messages may disclose information about the structure of the web application and supporting databases to an attacker that the attacker could then use to wage an attack.
91. B. The fact that the traffic is exceeding normal baselines and that the responses are much larger than the queries indicates that a DNS amplification attack may be underway. In this type of attack, the attacker sends spoofed DNS queries, asking for large amounts of information. The source address on those queries is the IP address of the target system, which then becomes overwhelmed by the response packets.
92. A. This is an example of a logic bomb, that is, code that remains dormant until certain logical conditions are met and then releases its payload. In this case, the logic bomb was configured to release if the developer was no longer employed by the organization.
93. A. Whois queries provide information about the registered owners of domain names and are a useful open source intelligence tool. The nslookup and dig commands perform standard DNS queries and can determine the IP addresses associated with domain names but do not normally reveal registration information. The ping command is used to test network connectivity.
94. D. Including security team members in the project management process allows them to review and comment on proposed system designs and architectures before a project is implemented. This increases the likelihood that the design will be secure. Technical controls, such as firewalls and intrusion prevention systems, may not protect against architectural weaknesses. Design flaws are generally not caused by employee malfeasance, so background checks would not be an effective control.
95. D. This type of attack, which causes a user's browser to execute a script, is known as a cross-site scripting (XSS) attack. This particular variant stores the script on the server (in the form of a message board posting) and, therefore, is a stored XSS attack.
96. B. Zero-day attacks occur when an attacker exploits a vulnerability for which there is no security patch, leaving users defenseless. As Mal's organization is the only entity aware of the attack, there is no security update from the vendor to resolve the problem. Therefore, she is in a position to conduct a zero-day attack. The question does not provide enough information about the vulnerability to determine whether it would allow SQL injection, man-in-the-browser, or spoofing attacks.
97. C. Man-in-the-middle (MITM) attacks occur when an interloper is able to trick both client and server systems into establishing a connection with the interloper but believing that they are actually communicating with each other. SSL and TLS may be used to protect the contents of communications with encryption but they do not, by themselves, offer protection against MITM attacks. If the parties use digital certificates signed by a trusted certificate authority, this provides an added degree of trust and protects against MITM attacks. Input validation is a useful control to protect against application layer attacks but is not helpful against MITM attacks.
98. C. The third log entry shows clear signs of a SQL injection attack. Notice that the parameters passed to the web page include an appended SQL command: UNION SELECT 1,2,3,4,5. This is designed to retrieve the first five columns from the database table and will likely succeed if the web application is not performing proper input validation.
99. D. Race conditions occur when a security issue exists that allows an attacker to exploit the timing of commands to obtain unauthorized access. A time-of-check/time-of-use (TOC/TOU) attack exploits a time lag between when an application verifies authorization and then allows the use of privileges. Therefore, this timing-based attack exploits a race condition.
100. D. A Wi-Fi pineapple is a device specifically designed to carry out rogue AP attacks against wireless networks. The pineapple functions by forcing clients to disassociate from their current access points and connect to a network run by the pineapple.
101. D. Generally speaking, IoT deployments do not typically require multifactor authentication. They do, however, call for maintenance of the embedded operating systems, network segmentation, and the encryption of sensitive information.
102. C. The core issue underlying these vulnerabilities is that SSL is no longer considered secure and that TLS version 1.0 is also insecure. Therefore, the most expedient way to address this problem is to upgrade to TLS 1.2 and make that the only transport encryption protocol supported by the server.
103. A. The main limitation of IP spoofing over the internet is that the attacker will not be able to receive responses to their requests because they will be routed to a different network location. If Mal controls her own network, she will be able to bypass any local firewall egress filters that would prevent her from sending the spoofed packets, which she can create with any packet generation tool. IP spoofing is commonly used in denial of service attacks.
104. C. Answering this question doesn't require any knowledge of the specific vulnerability described in MS08-067. Instead, the key is that the worm was spreading overnight while nobody was in the office. The key characteristic of a worm is that it spreads on its own power, without user intervention.
105. A. From the description provided, we have sufficient information to identify this as a Trojan horse. Trojans are a type of malware that disguise themselves as a benign application, such as a game, but then carry a malicious payload.