86 Cards in this Set

  • Front
  • Back
  • 3rd side (hint)
1- Which of the following terms may be defined as “a measure of possible inability to achieve a goal, objective, or target within a defined security, cost plan and technical limitations that adversely affects the organization’s operation and revenues?”
a. Risk
a. Risk
b. Vulnerability
c. Threat
d. Incident Response
2- A distributed Denial of Service (DDoS) attack is a more common type of DoS attack, where a single system is targeted by a large number of infected machines over the Internet. In a DDoS attack, attackers first infect multiple systems, which are known as:
b. Zombies
a. Trojans
b. Zombies
c. Spymacroware
d. Worms
3- The goal of incident response is to handle the incident in a way that minimizes damage and reduces recovery time and cost. Which of the following does not constitute a goal of incident response?
a. Dealing with the human resources department and various employee conflict behaviors.
a. Dealing with the human resources department and various employee conflict behaviors.
b. Using information gathered during incident handling to prepare for handling future incidents in a better way and to provide stronger protection for systems and data.
c. Helping personnel to recover quickly and efficiently from security incidents, minimizing loss or theft and disruption of services.
d. Dealing properly with legal issues that may arise during incidents.

4- An organization faced an information security incident where a disgruntled employee passed sensitive access control information to a competitor. The organization’s incident response manager, upon investigation, found that the incident must be handled within a few hours on the same day to maintain business continuity and market competitiveness. How would you categorize such an information security incident?

b. Middle level incident

a. High level incident
b. Middle level incident
c. Ultra-High level incident
d. Low level incident

5- Business continuity is defined as the ability of an organization to continue to function even after a disastrous event, accomplished through the deployment of redundant hardware and software, the use of fault-tolerant systems, and a solid backup and recovery strategy. Identify the plan which is a mandatory part of a business continuity plan?

b. Business Recovery Plan

a. Forensics Procedure Plan
b. Business Recovery Plan
c. Sales and Marketing plan
d. New business strategy plan

6- The flow chart gives a view of different roles played by the different personnel of CSIRT. Identify the incident response personnel denoted by A, B, C, D, E, F and G.

c. A- Incident Coordinator, B- Constituency, C- Administrator, D- Incident Manager, E- Human Resource, F- Incident Analyst, G- Public Relations

a. A- Incident Analyst, B- Incident Coordinator, C- Public Relations, D- Administrator, E- Human Resource, F- Constituency, G- Incident Manager
b. A- Incident Coordinator, B- Incident Analyst, C- Public Relations, D- Administrator, E- Human Resource, F- Constituency, G- Incident Manager
c. A- Incident Coordinator, B- Constituency, C- Administrator, D- Incident Manager, E- Human Resource, F- Incident Analyst, G- Public Relations
d. A- Incident Manager, B- Incident Analyst, C- Public Relations, D- Administrator, E- Human Resource, F- Constituency, G- Incident Coordinator

7- Which of the following is an appropriate flow of the incident recovery steps?

d. System restoration > System validation > System operations > System monitoring

a. System operation > System restoration > System validation > System monitoring
b. System validation > System operation > System restoration > System monitoring
c. System restoration > System monitoring > System validation > System operations
d. System restoration > System validation > System operations > System monitoring

8- A computer risk policy is a set of ideas to be implemented to overcome the risk associated with computer security incidents. Identify the procedure that is not part of the computer risk policy?

a. Procedure to identify security funds to hedge risk

a. Procedure to identify security funds to hedge risk
b. Procedure to monitor the efficiency of security controls
c. Procedure for the ongoing training of employees authorized to access the system
d. Provisions for continuing support if there is an interruption in the system or if the system crashes

9- Identify the network security incident where intended authorized users are prevented from using a system, network, or application by flooding the network with a high volume of traffic that consumes all existing network resources.

d. Denial of Service Attack

a. URL Manipulation
b. XSS Attack
c. SQL Injection
d. Denial of Service Attack

10- Incident handling and response steps help you to detect, identify, respond to and manage an incident. Which of the following steps focuses on limiting the scope and extent of an incident?

b. Containment

a. Eradication
b. Containment
c. Identification
d. Data collection

11- Identify the malicious program that is masked as a genuine, harmless program and gives the attacker unrestricted access to the user’s information and system. These programs may unleash dangerous programs that erase the unsuspecting user’s disk and send the victim’s credit card numbers and passwords to a stranger.

c. Trojan

a. Cookie tracker
b. Worm
c. Trojan
d. Virus

12- Quantitative risk is the numerical determination of the probability of an adverse event and the extent of the losses due to the event. Quantitative risk is calculated as:

a. (Probability risk of Loss) X (Loss)

a. (Probability risk of Loss) X (Loss)
b. (Loss) / (Probability of Loss)
c. (Probability of Loss) / (Loss)
d. Significant Risks X Probability of Loss X Loss

13- An incident recovery plan is a statement of actions that should be taken before, during or after an incident. Identify which of the following is not an objective of the incident recovery plan?

a. Creating new business processes to maintain profitability after incident

a. Creating new business processes to maintain profitability after incident
b. Providing a standard for testing the recovery plan
c. Avoiding the legal liabilities arising due to incident
d. Providing assurance that systems are reliable

14- Risk is defined as the probability of the occurrence of an incident. Risk formulation generally begins with the likelihood of an event’s occurrence and the harm it may cause, and is usually denoted as Risk = Σ(events) X (Probability of occurrence) X ?

c. Consequences

a. Magnitude
b. Probability
c. Consequences
d. Significance

15- An audit trail policy collects all audit trails, such as series of records of computer events about an operating system, application or user activities. Which of the following statements is not true for an audit trail policy:

a. It helps in calculating intangible losses to the organization due to an incident

a. It helps in calculating intangible losses to the organization due to an incident
b. It helps in tracking individual actions and allows users to be held personally accountable for their actions
c. It helps in compliance with various regulatory laws, rules, and guidelines
d. It helps in reconstructing the events after a problem has occurred

16- Computer forensics is a methodical series of techniques and procedures for gathering evidence from computing equipment, various storage devices and/or digital media that can be presented in a court of law in a coherent and meaningful format. Which one of the following is an appropriate flow of steps in the computer forensics process:

d. Preparation > Collection > Examination > Analysis > Reporting

a. Examination > Analysis > Preparation > Collection > Reporting
b. Preparation > Analysis > Collection > Examination > Reporting
c. Analysis > Preparation > Collection > Reporting > Examination
d. Preparation > Collection > Examination > Analysis > Reporting

17- Multiple component incidents consist of a combination of two or more attacks in a system. Which of the following is not a multiple component incident?

a. An insider intentionally deleting files from a workstation

a. An insider intentionally deleting files from a workstation
b. An attacker redirecting a user to a malicious website and infecting his system with a Trojan
c. An attacker infecting a machine to launch a DDoS attack
d. An attacker using email with malicious code to infect an internal workstation

18- Computer forensics is the branch of forensic science in which legal evidence is found in any computer or any digital media device. Of the following, who is responsible for examining the evidence acquired and separating the useful evidence?

d. Evidence examiner/investigator

a. Evidence supervisor
b. Evidence documenter
c. Evidence manager
d. Evidence examiner/investigator

19- The network perimeter should be configured in such a way that it denies all incoming and outgoing traffic/services that are not required. Which service listed below, if blocked, can help in preventing a Denial of Service attack?

d. Echo service

a. SAM service
b. POP3 service
c. SMTP service
d. Echo service

20- A US Federal agency network was the target of a DoS attack that prevented and impaired the normal authorized functionality of the networks. According to the agency’s reporting timeframe guidelines, this incident should be reported within two (2) hours of discovery/detection if the successful attack is still ongoing and the agency is unable to successfully mitigate the activity. Which incident category of the US Federal Agency does this incident belong to?

c. CAT 2

a. CAT 5
b. CAT 1
c. CAT 2
d. CAT 6

21- US-CERT and Federal civilian agencies use the reporting timeframe criteria in the federal agency reporting categorization. What is the timeframe required to report an incident under the CAT 4 Federal Agency category?

a. Weekly

a. Weekly
b. Within four (4) hours of discovery/detection if the successful attack is still ongoing and the agency is unable to successfully mitigate the activity
c. Within two (2) hours of discovery/detection
d. Monthly

22- Identify a standard national process which establishes a set of activities, general tasks and a management structure to certify and accredit systems that will maintain the information assurance (IA) and security posture of a system or site.

d. NIACAP

a. NIASAP
b. NIAAAP
c. NIPACP
d. NIACAP

23- Policies are designed to protect the organizational resources on the network by establishing a set of rules and procedures. Which of the following policies authorizes a group of users to perform a set of actions on a set of resources?

a. Access control policy

a. Access control policy
b. Audit trail policy
c. Logging policy
d. Documentation policy

24- When an employee is terminated from his or her job, what should be the next immediate step taken by an organization?

a. All access rights of the employee to physical locations, networks, systems, applications and data should be disabled

a. All access rights of the employee to physical locations, networks, systems, applications and data should be disabled
b. The organization should enforce separation of duties
c. The access requests granted to an employee should be documented and vetted by the supervisor
d. The organization should monitor the activities of the system administrators and privileged users who have permissions to access the sensitive information

25- A threat source does not present a risk if there is no vulnerability that can be exercised for that particular threat source. Identify the step in which different threat sources are defined:

c. Threat identification

a. Vulnerability identification
b. Control analysis
c. Threat identification
d. System characterization

26- In the Control Analysis stage of NIST’s risk assessment methodology, technical and non-technical control methods are classified into two categories. What are these two control categories?

a. Preventive and Detective controls

a. Preventive and Detective controls
b. Detective and Disguised controls
c. Predictive and Detective controls
d. Preventive and predictive controls

27- Which of the following incident recovery testing methods works by creating a mock disaster, like a fire, to identify the reaction of the procedures that are implemented to handle such situations?

a. Scenario testing

a. Scenario testing
b. Facility testing
c. Live walk-through testing
d. Procedure testing

28- An incident is analyzed for its nature, intensity and its effects on the network and systems. Which stage of the incident response and handling process involves auditing the system and network log files?

d. Identification

a. Incident recording
b. Reporting
c. Containment
d. Identification

29- Which among the following CERTs is an Internet provider to higher education institutions and various other research institutions in the Netherlands and deals with all cases related to computer security incidents in which a customer is involved either as a victim or as a suspect?

d. SURFnet-CERT

a. NET-CERT
b. DFN-CERT
c. Funet CERT
d. SURFnet-CERT

30- One of the main objectives of incident management is to prevent incidents and attacks by tightening the physical security of the system or infrastructure. According to CERT’s incident management process, which stage focuses on implementing infrastructure improvements resulting from postmortem reviews or other process improvement mechanisms?

a. Protection

a. Protection
b. Preparation
c. Detection
d. Triage

31- Risk management consists of three processes: risk assessment, mitigation and evaluation. Risk assessment determines the extent of the potential threat and the risk associated with an IT system throughout its SDLC. How many primary steps does NIST’s risk assessment methodology involve?

d. Nine

a. Twelve
b. Four
c. Six
d. Nine

32- Insider threats can be detected by observing concerning behaviors exhibited by insiders, such as conflicts with supervisors and coworkers, a decline in performance, tardiness or unexplained absenteeism. Select the technique that helps in detecting insider threats:

a. Correlating known patterns of suspicious and malicious behavior

a. Correlating known patterns of suspicious and malicious behavior
b. Protecting computer systems by implementing proper controls
c. Making it compulsory for employees to sign a non-disclosure agreement
d. Categorizing information according to its sensitivity and access rights

33- Contingency planning enables organizations to develop and maintain effective methods to handle emergencies. Every organization will have its own specific requirements that the planning should address. There are five major components of the IT contingency plan, namely supporting information, notification/activation, recovery, reconstitution, and plan appendices. What is the main purpose of the reconstitution plan?

a. To restore the original site, test systems to prevent the incident, and terminate operations

a. To restore the original site, test systems to prevent the incident, and terminate operations
b. To define the notification procedures and damage assessments and offer the plan activation
c. To provide the introduction and detailed concept of the contingency plan
d. To provide a sequence of recovery activities with the help of recovery procedures

34- The insider risk matrix consists of technical literacy and business process knowledge vectors. Considering the matrix, one can conclude that:

d. If the insider’s technical literacy and process knowledge are high, the risk posed by the threat will be high

a. If the insider’s technical literacy is low and process knowledge is high, the risk posed by the threat will be insignificant
b. If the insider’s technical literacy and process knowledge are high, the risk posed by the threat will be insignificant
c. If the insider’s technical literacy is high and process knowledge is low, the risk posed by the threat will be high
d. If the insider’s technical literacy and process knowledge are high, the risk posed by the threat will be high

35- Which policy recommends controls for securing and tracking organizational resources:

d. Asset control policy

a. Access control policy
b. Administrative security policy
c. Acceptable use policy
d. Asset control policy

36- Which one of the following is the correct sequence of flow of the stages in an incident response:

b. Preparation > Identification > Containment > Eradication > Recovery > Follow-up

a. Containment > Identification > Preparation > Recovery > Follow-up > Eradication
b. Preparation > Identification > Containment > Eradication > Recovery > Follow-up
c. Eradication > Containment > Identification > Preparation > Recovery > Follow-up
d. Identification > Preparation > Containment > Recovery > Follow-up > Eradication

37- Organizations or incident response teams need to protect the evidence for any future legal actions that may be taken against perpetrators that intentionally attacked the computer system. Evidence protection is also required to meet legal compliance issues. Which of the following documents helps in protecting evidence from physical or logical damage:

b. Chain-of-Custody

a. Network and host log records
b. Chain-of-Custody
c. Forensic analysis report
d. Chain-of-Precedence

38- Except for some common roles, the roles in an IRT are distinct for every organization. Which among the following is the role played by the Incident Coordinator of an IRT?

b. Links the groups that are affected by the incidents, such as legal, human resources, different business areas and management

a. Links the appropriate technology to the incident to ensure that the foundation’s offices are returned to normal operations as quickly as possible
b. Links the groups that are affected by the incidents, such as legal, human resources, different business areas and management
c. Applies the appropriate technology and tries to eradicate and recover from the incident
d. Focuses on the incident and handles it from a management and technical point of view

39- The data on the affected system must be backed up so that it can be retrieved if it is damaged during incident response. The system backup can also be used for further investigation of the incident. Identify the stage of the incident response and handling process in which a complete backup of the infected system is carried out?

a. Containment

a. Containment
b. Eradication
c. Incident recording
d. Incident investigation

40- In a qualitative risk analysis, risk is calculated in terms of:

a. (Attack Success + Criticality) – (Countermeasures)

a. (Attack Success + Criticality) – (Countermeasures)
b. Asset criticality assessment – (Risks and Associated Risk Levels)
c. Probability of Loss X Loss
d. (Countermeasures + Magnitude of Impact) – (Reports from prior risk assessments)

41- A computer virus hoax is a message warning the recipient of a non-existent computer virus. The message is usually a chain e-mail that tells the recipient to forward it to everyone they know. Which of the following is not a symptom of a virus hoax message?

b. The message from a known email id is caught by SPAM filters due to a change of filter settings

a. The message prompts the end user to forward it to his/her e-mail contact list and gain monetary benefits in doing so
b. The message from a known email id is caught by SPAM filters due to a change of filter settings
c. The message warns to delete certain files if the user does not take appropriate action
d. The message prompts the user to install Anti-Virus

42- In which of the steps of NIST’s risk assessment methodology are the boundary of the IT system, along with the resources and the information that constitute the system, identified?

c. System characterization

a. Likelihood Determination
b. Control recommendation
c. System characterization
d. Control analysis

43- ADAM, an employee of a multinational company, uses his company’s accounts to send e-mails to a third party with their spoofed mail address. How can you categorize this type of incident?

a. Inappropriate usage incident

a. Inappropriate usage incident
b. Unauthorized access incident
c. Network intrusion incident
d. Denial of Service incident

44- A security policy will take the form of a document or a collection of documents, depending on the situation or usage. It can become a point of reference in case a violation occurs that results in dismissal or other penalty. Which of the following is NOT true for a good security policy?

b. It must be approved by a court of law after verification of the stated terms and facts

a. It must be enforceable with security tools where appropriate and with sanctions where actual prevention is not technically feasible
b. It must be approved by a court of law after verification of the stated terms and facts
c. It must be implemented through system administration procedures, publishing of acceptable use guidelines or other appropriate methods
d. It must clearly define the areas of responsibility of the users, administrators and management

45- Incident handling and response steps help you to detect, identify, respond to and manage an incident. Which of the following helps in recognizing and separating the infected hosts from the information system?

b. Inspecting the processes running on the system

a. Configuring the firewall to default settings
b. Inspecting the processes running on the system
c. Browsing particular government websites
d. Sending mails to only a group of friends

46- An access control policy authorizes a group of users to perform a set of actions on a set of resources. Access to resources is based on necessity and on whether a particular job role requires the use of those resources. Which of the following is not a fundamental element of an access control policy?

b. Development group: group of persons who develop the policy

a. Action group: group of actions performed by the users on resources
b. Development group: group of persons who develop the policy
c. Resource group: resources controlled by the policy
d. Access group: group of users to which the policy applies

47- Computer viruses are malicious software programs that infect computers and corrupt or delete the data on them. Identify the virus type that specifically infects Microsoft Word files?

c. Macro Virus

a. Micro Virus
b. File Infector
c. Macro Virus
d. Boot Sector virus

48- The type of relationship between a CSIRT and its constituency has an impact on the services provided by the CSIRT. Identify the level of authority that enables members of the CSIRT to undertake any necessary actions on behalf of their constituency?

a. Full-level authority

a. Full-level authority
b. Mid-level authority
c. Half-level authority
d. Shared-level authority

49- Digital evidence plays a major role in prosecuting cyber criminals. John, a cyber-crime investigator, is asked to investigate a child pornography case. The personal computer of the criminal in question was confiscated by the county police. Which of the following evidence will lead John in his investigation? (check this answer)

d. Web browser history

a. SAM file
b. Web server log
c. Routing table list
d. Web browser history

50- An estimation of the expected losses after an incident helps organizations in prioritizing and formulating their incident response. The cost of an incident can be categorized as tangible and intangible costs. Identify the tangible cost associated with a virus outbreak?

d. Lost productivity damage

a. Loss of goodwill
b. Damage to corporate reputation
c. Psychological damage
d. Lost productivity damage

51- An incident response plan consists of instructions to detect and respond to the incident.
Company financial support
What is an essential prerequisite for the incident plan?

52- Information gathering is part of information warfare.
Obtaining details of the organization that are freely available on the internet through various techniques, without coming into direct contact with the organization.
Part of passive information gathering.

53- Which of the following is an appropriate flow of incident recovery steps:
System restoration >> System validation >> System operation >> System monitoring
Restore, validate, operate, monitor.

54- The incident management team provides support to all users in the organization that are affected by a threat or attack.
Identify and report security loopholes to the management for necessary action
One of the responsibilities of the internal auditor as part of the incident response team.

55- Information warfare is conflict that uses information/information systems as weapons.
Disabling SSID broadcast so unauthorized users can’t detect the presence of the wireless network.
Example of defensive information warfare.

56- An information system processes data into useful information to achieve specified organizational or individual goals.
Information custodian
Person responsible for implementing and controlling the security measures of an information system.

57- Standalone utility tool used to detect and remove a specific virus.
Stinger
Detects and removes a specific virus.

58- Information gathering is an integral part of information warfare.
Obtaining details of the target organization that are freely available on the internet.
Passive information gathering activity.

59- Identify the risk mitigation strategy that focuses on minimizing the probability of risk and losses by searching for vulnerabilities in the system and applying appropriate controls.
Research and acknowledgement
A risk mitigation strategy determines the circumstances.

60- SAM, an employee of a multinational company, uses his company account to send email.
Inappropriate usage incident
How can you recognize the type of this incident:

61- Signs of an incident are categorized into one of two categories: precursor or indication.
A newly found vulnerability in the organization’s server, in case the vendor makes an announcement of the same.
Precursor of the incident:

62- Xconsoft, a major software developer located out of.
Any real or suspected adverse event in relation to the security of a computer system or network
Definition of computer security incidents:

63- Risk analysis involves the process of defining and evaluating danger; the numerical determination.
Quantitative risk analysis.
Risk determination approach:

64- A computer forensic investigator must perform a proper investigation to protect digital evidence.
Analysis
The computer forensic process involved.

65- After restoration to normal operation, it should be verified that there is no trace of the incident.
System validation.
Which stage of the incident recovery process does this refer to?

66- Reported under the CAT 5 Federal agency category?
Scans/Probes/Attempted Access
CAT 5

67- One of the goals of a CSIRT is to manage security problems.
Proactive approach
The CSIRT employs this type of approach in managing security problems.

68- A computer forensic investigator must perform a proper investigation to protect digital evidence.
Examination
Identify the computer forensic process involved.

69- Identifying and analyzing an incident is a very critical part of incident.
Failed logon attempts and creation of new user accounts.
Does not indicate a computer security incident.

70- The risk that remains after implementation of all possible risk controls.
Residual risk.
(Threats) X (Vulnerability)
All things considered, the risk continues to exist.

Risk mitigation strategy determines the circumstances under which an action has to be taken to minimize and overcome risks. An organization that absorbs minor risks while preparing to respond to major risks relates to which risk mitigation strategy?

d. Risk assumption

a. Risk avoidance
b. Risk absorption
c. Risk limitation
d. Risk assumption

The insider’s incident response plan helps the organization to minimize or limit the damage caused by malicious insiders. Organizations should ensure that the insider perpetrators are not included in the response team and are not aware of the progress. Which of the following statements is not true about the incident response plan?

D. The organization should share or provide the details of the insider’s incident response plan with all employees

A. The organization should regularly update the employees on different forms of external and internal attacks through a training program
B. Persons responsible for handling insider incidents should be trained on the contents and execution of the response plan
C. The employees should also be trained on how to report suspicious behaviors of insiders
D. The organization should share or provide the details of the insider’s incident response plan with all employees

Host-based evidence is the evidence gathered and available on a computer system. It may include logs, records, documents, and any other information stored in a computer system. Network-based evidence is the information gathered from the network resources. Which of the following is host-based evidence?

A. State of network interface

A. State of network interface
B. Router logs
C. IDS logs
D. Wiretaps

A file or an object found on the system that might be involved in attacking systems and networks is known as an “artifact”. Handling an artifact involves receiving information about the artifacts that are used in intruder attacks, investigation, and other unauthorized activities causing distortions. Identify the CSIRT service category that artifact handling belongs to?

A. Reactive services

A. Reactive services
B. Security quality management services
C. Proactive services
D. Incident tracking and reporting systems services

1. What does "message repudiation" refer to in the realm of e-mail security?

e. Message repudiation means a sender can claim they did not actually send a particular message

a. Message repudiation means a user can validate which mail server or servers a message was passed through
b. Message repudiation means a user can claim damages for a mail message that damaged their reputation
c. Message repudiation means a recipient can be sure that a message was sent from a particular person
d. Message repudiation means a recipient can be sure that a message was sent from a certain host
e. Message repudiation means a sender can claim they did not actually send a particular message

2. How does traceroute map the route that a packet travels from point A to point B?

c. It manipulates the value of the TTL parameter in the packet to elicit a time exceeded in transit message

a. It uses a TCP Timestamp packet that will elicit a time exceeded in transit message
b. It uses a protocol that will be rejected at the gateways on its way to its destination
c. It manipulates the value of the TTL parameter in the packet to elicit a time exceeded in transit message
d. It manipulates flags within packets to force gateways into generating error messages

3. Snort has been used to capture packets on the network. On studying the packets, the SysAdmin finds it to be abnormal. If you were the SysAdmin, why would you find this abnormal?

a. This is not a spoofed packet as the IP stack has increasing numbers for the three flags
b. This is BackOrifice activity as the scan comes from port 31337
c. The attacker wants to avoid creating a sub-carrier connection that is not normally valid
d. The packets were created by a tool and not from a standard TCP/IP stack

What is suspicious about this attack? (Note: The candidate is being tested on concepts learned during passive OS fingerprinting, basic TCP/IP connection concepts and the ability to read packet signatures from a sniffer dump)

05/20-17:0645.061034 192.160.13.4:31337 --> 172.16.1.101:1
TCP TTL:44 TOS:0x10 ID:242
***FRP** Seq:0xA1D95 Ack:0x53 Win: 0x400

4. According to CEH methodology, what is the next step to be performed after "Footprinting"?

b. Scanning

a. Enumeration
b. Scanning
c. System Hacking
d. Social Engineering
e. Denial of Service

5. While performing a ping sweep of a subnet you receive an ICMP Type 3/Code 13 for all the pings sent out. What is the most likely cause behind this response?

c. A router is blocking ICMP

a. The firewall is dropping packets
b. The Network IDS is dropping the packets
c. A router is blocking ICMP
d. The host does not respond to ICMP packets

6. Jessica would like to perform a reliable scan against a remote target. She is not concerned about being stealthy at this point. Which of the following scans would be the most accurate and reliable?

c. A TCP Connect scan

a. A half scan
b. A UDP scan
c. A TCP Connect scan
d. A FIN scan

7. What is Form Scalpel used for?

a. Dissecting HTML Forms

a. Dissecting HTML Forms
b. Dissecting SQL Forms
c. Analysis of Access Database Forms
d. Troubleshooting Netscape Forms
e. Dissecting ASP Forms

8. In an attempt to secure his wireless network, Jason turns off broadcasting of the SSID. He concludes that since his AP requires the client computer to have the proper SSID, it would prevent others from connecting to the wireless network. Unfortunately, unauthorized users are still connecting to his wireless network. Why do you think this is possible?

c. The SSID is still sent inside both client and AP packets

a. Jason forgot to turn off the DHCP broadcasting
b. All APs are shipped with a default SSID
c. The SSID is still sent inside both client and AP packets
d. Jason's solution only works in ad-hoc mode

9. Which of the following is one of the key features found in a worm but not seen in a virus?

b. It is self-replicating without the need for user intervention

a. The payload is very small, usually below 800 bytes
b. It is self-replicating without the need for user intervention
c. It does not have the ability to propagate on its own
d. They are difficult to detect by AV signatures

10. If you perform a port scan with a TCP ACK packet, what should an open port return?

a. RST (reset)

a. RST
b. No Reply
c. SYN/ACK
d. FIN

11. You are attempting to map out the firewall policy for an organization. You discover your target system is one hop beyond the firewall. Using the hping2 tool, you send SYN packets with the exact TTL of the target system, starting at port 1 and going up to port 1024. What is this process called?

b. Firewalking

a. Footprinting
b. Firewalking
c. Enumeration
d. Idle Scanning

12. The programmers on your team are analyzing the free open source software being used to run FTP services on a server. They notice that there is an excessive number of fgets() and gets() calls in the source code. These C/C++ functions do not check bounds. What kind of attack is this program susceptible to?

a. Buffer Overflows

a. Buffer Overflows
b. Denial of Service
c. Shatter Attack
d. CrashTin Attack