140 Cards in this Set

  • Front
  • Back
  • 3rd side (hint)

Which of the following attacks is a form of software exploitation that transmits or submits a longer stream of data than the input variable is designed to handle?

Buffer overflow



It occurs when software code receives more input than it was designed to handle and the programmer of that code failed to include input validation checks.

A programmer that fails to check the length of input before processing leaves his code vulnerable to what form of common attack?

Buffer overflow


Buffer overflow attacks are made possible by programmer oversight. A simple check on the length (and sometimes the format) of input data before processing eliminates buffer overflow attacks.

What is not true regarding cookies?

They operate within a security sandbox. Cookies do not operate within a security sandbox. The concept of a security sandbox is related to Java.



Cookies can be used to record information about your computer system, your web surfing habits, and much more. A secured environment should restrict the use of cookies on all web browsers and other internet service utilities.

You want to allow e-commerce websites that you visit to keep track of your browsing history for shopping carts and other information, but you want to prevent that information from being tracked by sites linked to the sites that you explicitly visit. How should you configure the browser settings?

Allow first-party cookies and block third-party cookies. First-party cookies are cookies used by the site you are visiting. Third-party cookies are cookies placed by sites linked to the site you are visiting. For example, banner ads on a website might place cookies on your machine to identify ads you have already seen or clicked on.

What is an attack that injects malicious scripts into web pages to redirect users to fake websites or gather personal information?

XSS (cross-site scripting).



XSS often relies on social engineering or phishing to entice users to click on links to web pages that contain the malicious script. Some scripts redirect users to legitimate websites but run the script in the background to capture information sent to the legitimate website. Scripts can be written to read or steal cookies that contain identity information such as session information. Scripts can also be designed to run under the security context of the current user. For example, scripts might execute with full privileges on the local system, or the scripts might run using the credentials used on a financial website.

When you browse to a website, a pop-up window tells you that your computer has been infected with a virus. You click on the window to see what the problem is. Later, you find out that the window has installed spyware on the system. What type of attack has occurred?

Drive-by download.


It is an attack where software or malware is downloaded and installed without explicit consent from the user. Drive-by downloads can occur in a few different ways. Through social engineering, the user is tricked into downloading the software: the user might not realize that clicking the link installed the software, or the user might know that something is being installed but not have a full understanding of what it does or what it is. By exploiting a web browser or operating system bug, a site is able to install software without the user's knowledge or consent.

What device is subject to an SQL injection attack?

Database servers.



An SQL injection attack occurs when an attacker includes database commands within user data input fields on a form, and those commands subsequently execute on the server. The injection attack succeeds if the server does not properly validate the input to restrict entry of characters that could end and begin a database command.

You have a website that accepts input from users for creating customer accounts. Input on the form is passed to a database server where the user account information is stored. An attacker is able to enter database commands in the input fields and have those commands execute on the server. Which type of attack has occurred?

SQL injection

Which method should you use to prevent SQL injection attacks?

Perform input validation.

When the TCP/IP session state is manipulated so that a third party is able to insert alternate packets into the communication stream, what type of attack has occurred?

Hijacking.


Hijacking has become difficult to accomplish due to the use of time stamps and randomized packet sequencing rules employed by modern operating systems.

What is the most common attack waged against web servers?

Buffer overflow.



Web servers are notorious for being unprotected against a wide range of buffer overflow vulnerabilities.

Which type of attack is the act of exploiting a software program's free acceptance of input in order to execute arbitrary code on a target?

Buffer overflow

What is not a protection against session hijacking?

DHCP reservations.



Packet sequencing and time stamps prevent session hijacking by disallowing packets that are out of order or that have expired. Anti-IP-spoofing checks the identity of the host before allowing communication to occur, even if the IP address is known.

You have installed anti-malware software that checks for viruses in email attachments. You configure the software to quarantine any files with problems. You receive an email with an important attachment, but the attachment is not there. Instead, you see a message that the file has been quarantined by the anti-malware software. What has happened to the file?

It has been moved to a secure folder on your computer.



This act is known as quarantine: it moves the infected file to a secure folder where it cannot be opened or run normally. By configuring the software to quarantine any problem files, you can view, scan, and possibly repair those files.

What is the goal of a TCP/IP hijacking attack?

Execute commands or access resources on a system that the attacker does not otherwise have authorization to access.



When the attacker successfully performs the hijacking, they take control of the hijacked communication session. Whatever access the original user had, the attacker can exploit.

What type of malware monitors your actions?

Spyware. It monitors the actions performed on a machine and then sends the information back to its original source.

A collection of zombie computers have been set up to collect personal information. What type of malware do the zombie computers represent?

Botnet.


The term botnet refers to a collection of zombie computers that are commanded from a central control infrastructure to propagate spam or to collect usernames and passwords for access to secure information.

What is a program that appears to be a legitimate application, utility, game, or screensaver and that performs malicious activities surreptitiously?

Trojan horse

What describes a logic bomb?

A program that performs a malicious activity at a specific time or after a triggering event.



Logic bombs can be planted by a Trojan horse, a virus, or an intruder. Logic bombs may perform their malicious activity at a specific time or date, or when a specific event occurs on the system, such as logging in, accessing an online bank account, or encrypting a file.

What are the characteristics of a virus?

"Requires an activation mechanism to run" which is a file that it uses as a host.



The virus only replicates when the activation mechanism is triggered. The virus is programmed with an objective, which is usually to destroy, compromise, or corrupt data.



What is undetectable software that allows administrator-level access?

Rootkit.



It is a set of programs that allows attackers to maintain permanent, administrator-level, hidden access to a computer. A rootkit: is almost invisible software; resides below regular antivirus software detection; requires administrator privileges to install and maintains those privileges to allow subsequent access; might not be malicious; often replaces operating system files with alternate versions that allow hidden access.

While browsing the internet, you notice that the browser displays ads that are targeted towards recent keyword searches you have performed. What is this an example of?

Adware.



Adware monitors actions that denote personal preferences, then sends pop-ups and ads that match those preferences. Adware: is usually passive; is privacy-invasive software; is usually installed on your machine by visiting a particular website or running an application; is usually more annoying than harmful.

Developers in your company have created a web application that interfaces with a database server. During the development, programmers created a special user account that bypasses the normal security. What is this an example of?

Backdoor.



It is an unprotected access method or pathway. Backdoors: include hard-coded passwords and hidden service accounts; are often added during development as a shortcut to circumvent security and, if not removed, present a security problem; can be added by attackers who have gained unauthorized access to a device, and once added the backdoor can be used at a future time to easily bypass security controls; can be used to remotely control the device at a later date; rely on secrecy to maintain security.

What is the most common means of virus distribution?

Email

What is the common name for a program that has no useful purpose, but attempts to spread itself to other systems and often damage resources on the systems where it is found?

Virus

True/False: a worm infects the MBR of a hard drive.

False



Unlike a virus, a worm does not infect an MBR; a worm does not require a host file or drive element.

What is the primary distinguishing characteristic between a worm and a logic bomb?

Self-replication. Logic bombs do not self-replicate.



Logic bombs are designed for a specific single system or type of system. Once planted on a system, a logic bomb remains there until it is triggered.

What is another name for a logic bomb?

Asynchronous attack.



What is another name for a backdoor that was left in a product by the manufacturer by accident?

Maintenance hook.

A relatively new employee in the data entry cubicle farm was assigned a user account similar to that of all the other data entry employees; however, audit logs have shown that the user account has been used to change ACLs on several confidential files and has accessed data in restricted areas. This situation indicates which of the following has occurred?

Privilege escalation.



When a low-end user account is detected performing elevated activities, it is obvious that the user account has somehow gained additional privileges.

What is the greatest threat to confidentiality of data in most secure organizations?

USB devices

If an SMTP server is not properly and securely configured, it can be hijacked and used maliciously as an SMTP relay agent. Which type of attack could result?

Spam.



Spam is often distributed by hijacking misconfigured SMTP servers. SMTP servers that act as a relay agent for unauthorized or external users can easily be employed to deliver spam. It is extremely important to properly configure SMTP servers to accept email only from internal authorized users.

You want to prevent your browser from running JavaScript commands that are potentially harmful. What would you restrict to accomplish this?

Client-side scripts.



JavaScript is an example of client-side scripting, where the client system runs the scripts that are embedded in web pages. When web pages download, the scripts are executed.

What is the main difference between a DoS attack and a DDoS attack?

A DDoS attack uses zombie computers.

While using the internet, you enter the URL of one of your favorite sites in the browser; instead of going to the correct site, the web browser displays a completely different website. When you use the IP address of the web server, the correct site is displayed. What type of attack has occurred?

DNS poisoning.



Because the correct site shows when you use the IP address, you know that the website itself is still functional and that the problem is likely caused by an incorrect domain name mapping. DNS poisoning occurs when a name server receives malicious or misleading data that incorrectly maps host names and IP addresses. In a DNS poisoning attack, incorrect DNS data is introduced into the cache of a primary DNS server, and the incorrect mapping is made available to client applications through the resolver.

What attack tries to associate incorrect MAC addresses with a known IP address?

ARP poisoning.

What are the most common network traffic packets captured and used in a replay attack?

Authentication.



A router on the border of your network receives a packet with a source address that is from an internal client, but the packet was received on the internet-facing interface. This is an example of what form of attack?

Spoofing.



Spoofing is the act of changing or falsifying information in order to mislead or redirect traffic. In the scenario, a packet received on the inbound (internet-facing) interface cannot validly carry a source address from the internal network.

What is modified in the most common form of spoofing on a typical IP packet?

Source address.



This way the correct source device address is hidden.

What type of denial-of-service attack occurs when a name server receives malicious or misleading data that incorrectly maps host names and IP addresses?

DNS poisoning.



In a DNS poisoning attack, incorrect data is introduced into the primary DNS server. The incorrect mapping is made available to client applications through the resolver, and traffic is directed to incorrect sites.

What describes a man-in-the-middle attack?

A false server intercepts communications from a client by impersonating the intended server.



What could easily result in a denial-of-service attack if the victim's system has too little free storage capacity?

Spam

An attacker sets up 100 drone computers that flood a DNS server with invalid requests. This is an example of what kind of attack?

DDoS.



A denial-of-service attack can happen by generating excessive traffic, thereby overloading communications channels, or by exploiting software flaws. A distributed denial-of-service attack uses multiple attackers that participate in the DoS attack.

What is an example of an internal threat?

A user accidentally deletes the new product designs.



Internal threats are intentional or accidental acts by employees, including: malicious acts such as theft, fraud, or sabotage; intentional or unintentional actions that destroy or corrupt data; and disclosing sensitive information through snooping or espionage.

What is a form of attack that tricks victims into providing confidential information, such as identity information or logon credentials, through emails or websites that impersonate an online entity that the victim trusts, such as a financial institution or well-known e-commerce site?

Phishing.



Phishing tricks users into providing confidential information, such as identity information or logon credentials, through emails or websites that impersonate an online entity that the victim trusts, such as a financial institution or well-known e-commerce site. Phishing is a specific form of social engineering.

What are types of denial-of-service attacks?

1. Smurf. 2. Fraggle.



Smurf spoofs the source address in ICMP packets and sends the ICMP packets to an amplification network (bounce site). The bounce site responds to the victim site with thousands of messages that it did not send.



A Fraggle attack is similar to the Smurf attack but uses UDP packets directed to port 7 (echo) and port 19 (chargen, character generation).

As a victim of a Smurf attack, what protection measure is the most effective during the attack?

Communicating with your upstream provider. A simple phone call to request filtering on your behalf can weaken the effectiveness of a Smurf attack.

What is an example of privilege escalation?

Creeping privileges.



Creeping privileges occur when a user's job position changes and they are granted a new set of access privileges for their new work tasks; however, their previous access privileges are not removed. As a result, the user accumulates privileges over time that are not necessary for their current work tasks.

You suspect an Xmas tree attack is occurring on a system. What could result if you do not stop the attack?

The system will be unavailable to respond to legitimate requests. The threat agent will obtain information about open ports on the system.



A Christmas tree attack is also known as a Christmas tree scan, nastygram, kamikaze, or lamp test segment. It conducts reconnaissance by scanning for open ports. It also conducts a DoS attack if sent in large amounts.

An attacker uses an exploit to push a modified hosts file to client systems. The hosts file redirects traffic from legitimate tax preparation sites to malicious sites to gather personal and financial information. What kind of exploit has been used in this scenario? (Choose two. Both responses are different names for the same exploit.)

DNS poisoning and pharming.


What is a common form of a social engineering attack?

Hoax virus information emails.



This type of attack preys on email recipients who are fearful and will believe most information if it is presented in a professional manner. All too often, the victims of these attacks fail to double-check the information or instructions with a reputable third-party antivirus software vendor before implementing the recommendations. Usually these hoax messages instruct the reader to delete key system files or download Trojan horses.

What is not a form of social engineering?

Impersonating a user by logging on with stolen credentials.



It is an intrusion attack made possible by network packet capturing or by obtaining logon credentials through social engineering.

You have just received a generic-looking email that is addressed as coming from the administrator of your company. The email says that, as part of a system upgrade, you are to go to a website and enter your username and password at a new website so you can manage your email and spam using the new service. What should you do?

Verify that the email was sent by the administrator and that this new service is legitimate.

What is the primary difference between impersonation and masquerading?

One is more active, the other is more passive.



Both impersonation and masquerading attacks can take place against any type of user account. Both impersonation and masquerading attacks take place in real time. Neither impersonation nor masquerading attacks have an intrinsic aspect of being easy or difficult to detect.

What form of social engineering attack uses Voice over IP to gain sensitive information?

Vishing. A combination of voice and phishing.

A senior executive reports that she received a suspicious email concerning a sensitive, internal project that is behind in production. The email was sent from someone she doesn't know, and he is asking for immediate clarification on several of the project's details so the project can get back on schedule. What type of attack best describes this scenario?

Whaling.



Whaling is a form of social engineering attack that is targeted at senior executives and high-profile victims. Social engineering is an attack that exploits human nature by convincing someone to reveal information or perform an activity.

Your company security policy states that wireless networks are not to be used because of the potential security risk they present to your network. One day you find that an employee has connected a wireless access point to the network in his office. What type of security risk is this?

Rogue access point.



What describes marks that attackers place outside a building to identify an open wireless network?

War chalking.



Attackers might use these marks to alert others to open or secured wireless networks. Businesses might even use these marks to advertise their free wireless networks.

The process of walking around an office building with an 802.11 signal detector is known as what?

War driving.



It is the act of searching for wireless networks using a signal detector or a network client such as a PDA or notebook. While the phrase war driving originated from the practice of driving around a downtown city searching for wireless networks, the name currently applies to any form of searching for wireless networks, including walking around.


What best describes bluesnarfing?

Unauthorized viewing of the calendar, emails, and messages on a mobile device.



Bluesnarfing is the use of a Bluetooth connection to gain unauthorized access to an existing Bluetooth connection between phones, desktops, laptops, or PDAs. Bluesnarfing allows access to view the calendar, emails, text messages, and contact list. Many Bluetooth devices have built-in features to prevent bluesnarfing, but it is still a known vulnerability.

What attack sends unsolicited business cards and messages to a Bluetooth device?

Bluejacking.



Bluejacking is a rather harmless practice in which an unknown sender sends business cards anonymously to a Bluetooth recipient within a 10-100 m distance, depending on the class of Bluetooth device. The business cards usually include a flirtatious message, used by the attacker to see the visual reaction of the recipient. Multiple messages will be sent to the device if the attacker thinks there is a chance they will be added as a contact. Bluetooth devices are not susceptible to bluejacking if they are set to non-discoverable mode.

What is the best protection to prevent attacks on mobile phones through the Bluetooth protocol?

Disable Bluetooth on the phone.



If Bluetooth is required, then configure the device for non-discoverable mode.

What best describes an evil twin?

An access point that is configured to mimic a valid access point to obtain log-on credentials and other sensitive information.



In contrast, a rogue access point is any unauthorized access point added to a network.

Which action should you take to reduce the attack surface of a server?

Disable unused services.



Attack surface reduction (ASR) cuts down on the software and services running on a system. By removing unnecessary software, features, or services, you eliminate possible attacks directed against those components.

What best describes a security configuration baseline?

A list of common security settings that a group or all devices share.



A configuration baseline is a set of consistent requirements for a workstation or server. A security baseline is a component of the configuration baseline that ensures that all workstations and servers comply with the security goals of the organization.

You have a company network with a single switch. All devices connect to the network through the switch. You want to control which devices will be able to connect to your network. For devices that do not have the latest operating system patches, you want to prevent access to all network devices except for a special server that houses the patches that the computers need to download. Which of the following components will be part of your solution?

Remediation servers and 802.1x authentication.

Properly configured passive IDS and system audit logs are an integral part of a comprehensive security plan. What step must be taken to ensure that the information is useful in maintaining a secure environment?

Periodic reviews must be conducted to determine malicious activity or policy violations.



Audit logs are useless unless they are periodically reviewed. The frequency will vary based on the criticality of the system being monitored, but the logs must be reviewed on a scheduled basis by a knowledgeable member of the IT/infosec team.

Over the past few days, a server has gone offline and rebooted automatically several times. You want to see a record of when each of these restarts has occurred. Which type of log should you check?

System.



A system log records operating system, system, and hardware events. The system log will contain entries for when the system was shut down or started, when new hardware is added, and when new services are started.

You heard about a Trojan horse program where the compromised system sends personal information to a remote attacker on a specific TCP port. You want to be able to easily tell whether any of your systems are sending data to the attacker. Which log would you monitor?

Firewall.



A firewall log identifies traffic that has been allowed or denied through a firewall. You can verify the traffic types used by computers on your network by looking at the outgoing ports. For example, you can identify servers that are running a specific service, or you can see computers that are communicating using ports that might indicate malicious software.

What is the standard for sending log messages to a central logging server?

Syslog



Syslog is a protocol that defines how log messages are sent from one device to a logging server on an IP network. The sending device sends a small text message to the syslog receiver (the logging server).

You suspect that some of your computers have been hijacked and are being used to perform denial-of-service attacks directed against other computers on the internet. Which log would you check to see if this is happening?

Firewall.

You're interested in identifying the source of potential attacks that have recently been directed against your network but which have been successfully blocked. Which log would you check?

Firewall

You suspect that your web server has been the target of a denial-of-service attack. You would like to view information about the number of connections to the server over the past 3 days. Which log would you most likely examine?

Performance



A performance log records information about the use of system resources. For example, the performance log records processor, memory, disk, and network utilization. In addition, the performance log can record information related to the performance of specific services, such as the number of connections to a web server. You might also find this information in an application log for the service.

You're concerned that an attacker could gain access to your web server, make modifications to the system, and alter the log files to hide his actions. What action would best protect the log files?

Use syslog to send log entries to another server.



The best protection is to save log files to a remote server. In this way, compromise of a system does not provide access to the log files for that system.

You decide to use syslog to send log entries from multiple servers to a central logging server. What are the most important considerations for your implementation?

Disk space on the syslog server. Clock synchronization between all devices.



A best practice to secure log files is to save the archived logs to a remote log server. Other log server considerations include: the amount of disk space required to save the files on the server; backup requirements on the server; time stamping, which requires that the computer generating the event and the computer where the logs are saved have synchronized system clocks; and integrity of the logs, to ensure the logs have not been modified.

What is a secure doorway that can be used in coordination with a mantrap to allow easy egress from a secure environment but which actively prevents re-entrance through the exit portal?

Turnstiles.

What is the primary benefit of CCTV?

It expands the area visible by security guards.

You want to use CCTV to increase your physical security. You want to be able to remotely control the camera position. Which type of camera should you use?

PTZ (pan-tilt-zoom).



A pan-tilt-zoom camera lets you dynamically move the camera and zoom in on specific areas to monitor. Cameras without PTZ capabilities are manually set to look in a specific direction.

What type of CCTV camera lets you adjust the distance that the camera can see (i.e., zoom in or out)?

Varifocal

You want to use CCTV as a preventive security measure. Which of the following is a requirement for your plan?

Security guards.



When using CCTV in a preventive way, you must have a person available who monitors one or more cameras. Only a security guard will be able to interpret what the camera sees and make appropriate security decisions.

What two physical security measures allow for easy exit of an area in the event of an emergency but prevent entry?

Turnstiles and double-entry doors.

Which of the following devices is capable of detecting and responding to security threats?

IPS.



An intrusion prevention system can detect and respond to security events. An IPS differs from an IDS in that it can respond to, and not just detect, security threats.

You want to create a collection of computers on your network that appear to have valuable data but in reality are configured with fake data that could entice a potential intruder. Once the intruder connects, you want to be able to observe and gather information about the methods of attack being deployed. What should you implement?

Honeynet. (A honeynet is a network of honeypots.)



A honeypot is a device or virtual machine that entices intruders by displaying a vulnerable trait or flaw or by appearing to contain valuable information.

What is the correct definition of a threat?

Any potential danger to the confidentiality, integrity, or availability of information or systems.



What is an example of a vulnerability?

Misconfigured server

What are functions that a port scanner can provide?

Discovering unadvertised servers. Determining which ports are open on a firewall.



Port scanners can determine which ports are open on a firewall and identify servers that may be unauthorized or running in a test environment. Many port scanners provide additional information, including the host operating system and version, for any detected servers. Hackers use port scanners to gather valuable information about a target system, and administrators should use the same tools for proactive penetration testing and to ensure compliance with all corporate security policies.

You want to know what protocols are being used on your network. You would like to monitor network traffic and sort traffic based on protocol. Which tool should you use?

Packet sniffer.



A packet sniffer is special software that captures or records frames that are transmitted on the network. Use a packet sniffer to: identify the types of traffic on a network; view the exchange of packets between communicating devices (for example, you can capture frames related to DNS and view the exact exchange of packets for a specific name resolution request); analyze packets sent to and from a specific device; and view packet contents.

What is the name of the type of port scan that does not complete the full three-way TCP handshake, but rather listens only for either SYN/ACK or RST/ACK packets?

TCP SYN scan

What identifies an operating system or network service based on its response to ICMP messages?

Fingerprinting.



You want to make sure that a set of servers will only accept traffic for specific network services. You have verified that the servers are only running the necessary services, but you also want to make sure that the servers will not accept packets for anything other than those services. Which tool should you use?

Port scanner.



You want to be able to identify the services running on a set of servers on your network. Which tool would best give you the information you need?

Vulnerability scanner.



Use a vulnerability scanner to gather information about systems, such as the applications or services running on the system. A vulnerability scanner often combines functions found in other tools, and can perform additional functions such as identifying open firewall ports, missing patches, or default or blank passwords.

You want to identify all devices on a network along with a list of open ports on those devices. You want the results displayed in a graphical diagram. Which tool should you use?

Network mapper.



A network mapper is a tool that can discover devices on the network and then show those devices in a graphical representation. Network mappers typically use a ping scan to discover devices, as well as a port scanner to identify open ports on those devices.

You want to use a tool to see packets on a network, including the source and destination of each packet. Which tool should you use?

Wireshark.



A protocol analyzer, also called a packet sniffer, is special software that captures/records frames that are transmitted on the network. A protocol analyzer is a passive device in that it copies frames and allows you to view frame contents but does not allow you to intercept, modify, and retransmit frames. Wireshark is a popular protocol analyzer.

You want to use a tool to scan a system for vulnerabilities, including open ports, running services, and missing patches. Which tools/programs could you use?

Retina and Nessus.



A vulnerability scanner is a software program that searches an application, computer, or network for weaknesses such as open ports, running applications or services, missing critical patches, default user accounts that have not been disabled, and blank or default passwords. Vulnerability scanning tools include Nessus, the Retina vulnerability assessment scanner, and Microsoft Baseline Security Analyzer (MBSA).

You want to check a server for user accounts that have weak passwords. Which tool should you use?

John the Ripper.



John the Ripper is a password cracking tool. A password cracker is a tool that performs cryptographic attacks on passwords. Use a password cracker to identify weak passwords or passwords protected with weak encryption.

What can be performed by the Microsoft Baseline Security Analyzer tool?

It can check for open ports, check for missing patches, and check user accounts for weak passwords.



It can also check for active IP addresses, running applications or services, default user accounts that have not been disabled, and default, blank, or common passwords.

Which of the following identifies standards and XML formats for reporting and analyzing system vulnerabilities?

OVAL.



The Open Vulnerability and Assessment Language (OVAL) is an international standard for testing, analyzing, and reporting the security vulnerabilities of a system. OVAL is sponsored by the National Cyber Security Division of the US Department of Homeland Security. It identifies the XML format for identifying and reporting system vulnerabilities. Each vulnerability, configuration issue, program, or patch that might be present on a system is identified as a definition. OVAL repositories are like libraries or databases that contain multiple definitions.

You're using a vulnerability scanner that conforms to the OVAL specifications. Which of the following items contains a specific vulnerability or security issue that could be present on a system?

Definition.



Each vulnerability, configuration issue, program, or patch that might be present on the system is identified as a definition.

You have run a vulnerability scanning tool and identified several patches that need to be applied to a system. What should you do next after applying the patches?

Run the vulnerability assessment again.

You want to use a vulnerability scanner to check a system for known security risks. What should you do first?

Update the scanner definition files.



Before using a vulnerability scanner, you should update the definition files. The definition files identify known security risks associated with the system. Some scanners will update the definition files automatically, while for others you will need to download the latest definition files yourself.

You have a small network of devices connected together using a switch. You want to capture the traffic that is sent from host A to host B. On host C, you install a packet sniffer that captures network traffic. After running the packet sniffer, you cannot find any captured packets between host A and host B. What should you do?

Configure port mirroring.



When using a switch, network traffic is sent through the switch to only the destination device. In this scenario, host C will only receive broadcast traffic and traffic addressed to its own MAC address. With port mirroring, all frames sent to other switch ports will also be forwarded to the mirror port.

You decide to use a packet sniffer to identify the type of traffic sent to a router. You run the packet sniffing software on a device which is connected to the same hub that is connected to the router. When you run the software, you only see frames addressed to the workstation and not to other devices. What feature should you configure?

Promiscuous mode.



By default, a NIC will only accept frames addressed to that NIC. To enable the packet sniffer to capture frames sent to other devices, configure the NIC in promiscuous mode, sometimes called P-mode. In P-mode, the NIC will process every frame it sees.

You decide to use a packet sniffer to identify the type of traffic sent to a router. You run the packet sniffing software on a device which is connected to a hub with three other workstations. The hub is connected to the same switch that is connected to the router. When you run the software, you only see frames addressed to the four workstations but not the router. Which feature should you configure?

Mirroring.



When using a switch, the switch will only forward packets to the switch port that holds the destination device. This means that when your packet sniffer is connected to a port, it will not see the traffic sent to the other switch ports.

You recently reconfigured FTP to require encryption of both passwords and data transfers. You would like to check network traffic to verify that all FTP passwords and data are being encrypted. Which tool should you use?

Protocol analyzer.



With a protocol analyzer you can examine the contents of each packet. Plain text communications can be read using the protocol analyzer, while encrypted packets cannot.

You need to enumerate the devices on your network and display the configuration details of the network. What utility should you use?

nmap.



Nmap is an open-source security scanner used for network enumeration and to create a map of the configuration details of a network. Nmap sends specially crafted packets to the target host and then analyzes the responses to create the map.

During the application development cycle, a developer asks several of his peers to assess the portion of the application he was assigned to write for security vulnerabilities. Which assessment technique was used in this scenario?

Code review.



A code review is a systematic examination of an application's source code. It is intended to find and fix overlooked mistakes, improving the overall quality and security of the software. A code review is sometimes called a peer review.

What type of testing uses hacking techniques to proactively discover internal vulnerabilities?

Penetration testing.



Penetration testing is the practice of proactively testing systems and policies for vulnerabilities. This approach seeks to identify vulnerabilities internally before a malicious individual can take advantage of them. Common techniques are identical to those used by hackers and include network/target enumeration and port scanning.

You have decided to perform a double-blind penetration test. What action would you perform first?

Inform Senior Management.



Before starting a penetration test, also called a pen test, it is important to define the rules of engagement, or the boundaries of the test. Important actions to take include: obtaining written and signed authorization from the highest possible level of senior management; delegating personnel who are experts in the areas being tested; gaining approval from the internet provider to perform the penetration test; making sure that all tools or programs used in the testing are legal and ethical; establishing the scope and timeline; and identifying systems that will not be included in the test.

What activities are typically associated with a penetration test?

Running a port scanner. Attempting social engineering.



Penetration testing is the attempt by an organization to circumvent security controls to identify vulnerabilities in its information systems. It simulates an actual attack on the network and is conducted from outside the organization's security perimeter. Penetration testing helps assure the effectiveness of an organization's security policy, security mechanism implementations, and deployed countermeasures.

What is the main difference between vulnerability scanning and penetration testing?

Vulnerability scanning is performed within the security perimeter and penetration testing is performed outside of the security perimeter.

What type of penetration test teams will provide you information that is most revealing of a real-world hacker attack?

Zero knowledge team.

A security administrator is conducting a penetration test on a network. She connects a notebook system running Linux to the wireless network and then uses nmap to probe various network hosts to see which operating system they are running. Which process did the administrator use in the penetration test in this scenario?

Active fingerprinting



Active fingerprinting was used by the administrator in this scenario. Active fingerprinting is a form of system enumeration that is designed to gain as much information about a specific computer as possible. It identifies operating systems based upon ICMP message quoting characteristics. Portions of an original ICMP request are repeated or quoted within the response, and each operating system quotes the information back in a slightly different manner. Active fingerprinting can determine the operating system and even the patch level.

A security administrator is conducting a penetration test on a network. She connects a notebook system to any port on a network switch. She then uses a packet sniffer to monitor network traffic to try and determine which operating systems are running on the network hosts. Which process did the administrator use in the penetration test in this scenario?

Passive fingerprinting.



Passive fingerprinting is a form of system enumeration that is designed to gain as much information about a network computer as possible. It passively listens to network traffic generated by network hosts in an attempt to identify which operating systems are in use, based upon the ICMP message quoting characteristics they use. Portions of the original ICMP request are repeated or quoted within each response. Each operating system quotes the information back in a slightly different manner.

A security administrator logs onto a Windows server on her organization's network. She then runs a vulnerability scan on that computer. What type of scan was conducted in this scenario?

Credentialed scan.



In a credentialed scan, the security administrator authenticates to the system prior to starting the scan. A credentialed scan usually provides more detailed information about potential vulnerabilities. For example, a credentialed scan of a Windows workstation allows the registry to be probed for security vulnerabilities.

A security administrator needs to run a vulnerability scan that will analyze a system from the perspective of a hacker attacking the organization from the outside. What type of scan should he use?

Non credentialed scan.



In a non-credentialed scan, the security administrator does not authenticate to the system prior to running the scan. A non-credentialed scan can be valuable because it allows the scanner to see the system from the same perspective that an attacker would see it. However, a non-credentialed scan does not typically produce the same level of detail as a credentialed scan.

While using a web-based order form, an attacker enters an unusually large value in the quantity field. The value she entered is so large that it exceeds the maximum value supported by the variable type used to store the quantity in the web application. This causes the value of the quantity variable to wrap around to the minimum possible value, which is a negative number. As a result, the web application processes the order as a return instead of a purchase, and the attacker's account is refunded a large sum of money. What type of attack has occurred in this scenario?

Integer overflow



An integer overflow occurs when a computational operation by a running process results in a numeric value that exceeds the maximum size of the integer type used to store it in memory. When this occurs, the value wraps around and starts again at its minimum value, in much the same way a mechanical odometer in a car rolls over to zero when the maximum number of miles it can record has been exceeded. This can allow an attacker to manipulate the value of variables, leading to unintended behavior by the system. In this scenario the attacker has manipulated the quantity while purchasing items from an online store. This causes the value of the quantity variable to wrap around to the minimum value possible, which is a negative number. As a result, the web application processes the order form as a return instead of a purchase, and the attacker's account is refunded a large sum of money.

By using a web-based game created using Adobe Flash, a Flash cookie is set on a user's computer. The game saves legitimate data in the Flash cookie, such as statistics and user preferences. However, the game creator also programmed the game to track websites that the user visits while the game is running and save them in the Flash cookie. The data is transferred to the server over an internet connection without the user's permission. What type of exploit has occurred in this scenario?

Locally shared object (LSO).



LSOs are also referred to as Flash cookies. Adobe Flash uses LSOs to save data locally on a computer, such as information for a Flash game being played or user preferences. However, they can also be used to collect information about the user's browsing habits without their permission. The Flash Player Settings Manager can be used to configure Flash to prevent them from being saved on the local computer.

Recently a website named www.vidshare.com has become very popular with users around the world. A hacker registers the following domain names: www.videoshare.com, www.vidshar.com, and www.vidsshare.com. Each of these URLs points to a phishing website that tricks users into supplying their usernames and passwords to that website. What attack has occurred in this scenario?

Typosquatting (URL hijacking)



Typosquatting occurs when an attacker registers domain names that correlate to common typographical errors made by users when trying to access a legitimate website. The typosquatter's intentions may be benign or malicious in nature. They may simply be trying to coerce the legitimate site owner into buying the domain name from them. Alternatively, they may be attempting to compromise unsuspecting users by redirecting them to a phishing site that looks like the legitimate website. They may even use this exploit to install drive-by malware.

An attacker inserts SQL database commands into a data input field of an order form used by a web-based application. When submitted, these commands are executed on the remote database server, causing customer contact information from the database to be sent to the malicious user's web browser. What practice would have prevented this exploit?

Implementing client-side validation.



Client-side validation should have been used on the local system to identify input errors in the order form before data was ever sent to the server. In this example, if the user entered SQL commands in an order form field, the error would have been immediately detected and blocked before the data was submitted to the server.

You install a new Linux distribution on a server in your network. The distribution includes an SMTP daemon that is enabled by default when the system boots. The SMTP daemon does not require authentication to send email messages. Which type of email attack is this server susceptible to?

Open SMTP relay



An SMTP relay is an email server that accepts email and forwards it to other email servers. An open SMTP relay allows forwarding of mail by anyone. As a best practice, configure your mail server to accept email only from authenticated users or from specific email servers that you authorize, and require TLS encryption to connect to the server.

Users in your organization receive email messages informing them that suspicious activity has been detected on their bank account. They are directed to click a link in the email to verify their online banking username and password. The URL in the link is in the .ru top-level domain. What kind of attack has occurred?

Phishing



A phishing scam uses an email pretending to be from a trusted organization and asks you to verify personal information or send money. In a phishing attack, a fraudulent message that appears to be legitimate is sent to a target. The message requests that the target visit a fraudulent website, which also appears to be legitimate. Graphics, links, and web pages look almost identical to the legitimate request and website they are trying to represent. The fraudulent website requests that the victim provide sensitive information such as an account number and password.

What is a strong password to use?

It uses at least 8 characters, upper- and lowercase letters, and numbers or symbols.

You manage a single domain named widgets.com. Organizational units have been created for each company department. User and computer accounts have been moved into their corresponding OUs. You define a password and account lockout policy for the domain. However, members of the Directors OU want to enforce longer passwords than are required for the rest of the users. You need to make the change as easily as possible. What should you do?

Implement a granular password policy for the users in the director's OU.

You manage a single domain named widgets.com. Organizational units have been created for each company department. User and computer accounts have been moved into their corresponding OUs. You define a password and account lockout policy for the domain. However, members of the Directors OU want you to enforce longer passwords than are required for the rest of the users. You would like to define a granular password policy for these users. Which tool should you use?

ADSI Edit.



Use ADSI Edit or the Active Directory module for Windows PowerShell to define a granular password policy.

You manage a single domain named widgets.com. OUs have been created for each company department. User and computer accounts have been moved into their corresponding OUs. You define a password and account lockout policy for the domain. However, members of the Directors OU want to enforce longer passwords than are required for the rest of the users. You need to make the change as easily as possible. What should you do?

Create a granular password policy. Apply the policy to all users in the director's OU.



To use granular password policies: create the password settings object (PSO) with the necessary settings. Edit the msDS-PSOAppliesTo property in the PSO to identify the users or global security groups to which the policy applies. If the policy was applied to a group, add members to the group.

You manage a single domain named widgets.com. OUs have been created for each company department. User and computer accounts have been moved into their corresponding organizational units. Members of the Directors organizational unit want you to enforce longer passwords than are required for the rest of the users. You define a new granular password policy with the required settings. All users in the Directors organizational unit are currently members of the DirectorsGG group, a global security group in that organizational unit. You apply the new password policy to the group. Matt Barnes is the Chief Financial Officer. He would like his account to have an even stricter password policy than is required for the other members of the organizational unit. What should you do?

Create a granular password policy for Matt. Apply the new policy directly to Matt's user account.

You need to increase the security of your Linux system by finding and closing open ports. Which of the following commands should you use to locate open ports?

Nmap



Open ports can provide information about what operating system a computer uses, and may provide entry points or information about ways to formulate an attack. Use one of the following commands to scan for open ports: nmap -sT for TCP ports, and nmap -sU for UDP ports.

What command should you use to display both listening and non-listening sockets on your Linux system?

netstat -a



A socket is an endpoint of a bidirectional communication flow across a computer network. Be aware of other common netstat options: -l lists listening sockets, -s displays statistics for each protocol, and -i displays a table of all network interfaces.

You're concerned that a wireless access point may have been deployed within your organization without authorization. What should you do?

Check the MAC addresses of devices connected to your wired switch. Conduct a site survey.



A rogue host is an unauthorized system that has connected to a wireless network. It could be an unauthorized wireless device, or even an unauthorized wireless access point that someone connected without permission to a wired network jack. Rogue hosts could be benign in nature, or they could be malicious. Either way, rogue hosts on your wireless network could represent a security risk and should be detected and subsequently removed, if necessary. Four commonly used techniques for detecting rogue hosts include: using site survey tools to identify hosts and access points on the wireless network; checking connected MAC addresses to identify unauthorized hosts; conducting an RF noise analysis to detect a malicious rogue access point that uses jamming to force wireless clients to connect to it instead of legitimate access points; and analyzing wireless traffic to identify rogue hosts.

An attacker has hidden an NFC reader behind an NFC-based kiosk in an airport. The attacker uses the device to capture NFC data in transit between end-user devices and the reader in the kiosk. She then uses that information later on to masquerade as the original end-user device and establish an NFC connection to the kiosk. What kind of attack has occurred in this scenario?

NFC relay attack.



NFC devices and readers are susceptible to relay attacks where the attacker captures NFC data in transit and then later uses that information to masquerade as the original device.

You are implementing a wireless network in a dentist's office. The dental practice is small, so you choose to use an inexpensive, consumer-grade access point. While reading the documentation, you notice that the access point supports Wi-Fi Protected Setup (WPS) using a PIN. You are concerned about the security implications of this functionality. What should you do to reduce the risk?

Disable WPS in the access point's configuration.


You have recently been hired as the new network administrator for a startup company. The company's network was implemented prior to your arrival. One of the first tasks you need to complete in your new position is to develop a manageable network plan for the network. You have already completed the first and second milestones, where documentation procedures were identified and the network was mapped. You are now working on the third milestone, where you must identify ways to protect the network. Which tasks should you complete as part of this milestone?

Identify and document each user on the network. Physically secure high-value systems.



During the third milestone (protect your network) of developing a manageable network plan, you should take the following steps to protect your network: identify and document each user on the network and the information the user has access to; identify the high-value network assets; document the trust boundaries; identify the choke points on the network; segregate and isolate networks; isolate server functions; and physically secure high-value systems.

What is the weakest point in an organization's security infrastructure?

People.



People are usually the weakest point in an organization's security infrastructure.