Test title:
CEH P2

Description:
104-273

Author:
yusef

Creation date:
14/11/2019

Category:
Other

Number of questions: 103
Syllabus:
A security engineer has been asked to deploy a secure remote access solution that will allow employees to connect to the company’s internal network. Which of the following can be implemented to minimize the opportunity for the man-in-the-middle attack to occur? A-SSL B-Mutual authentication C-IPSec. D-Static IP addresses.
A security consultant is trying to bid on a large contract that involves penetration testing and reporting. The company accepting bids wants proof of work so the consultant prints out several audits that have been performed. Which of the following is likely to occur as a result? A The consultant will ask for money on the bid because of great work. B. The consultant may expose the vulnerabilities of other companies. C The company accepting bids will want the same type of format of testing. D The company accepting bids will hire the consultant because of the great work performed.
When using Wireshark to acquire packet capture on a network, which device would enable the capture of all traffic on the wire? A Network tap. B Layer 3 switch C Network bridge D Application firewall.
A hacker, who posed as a heating and air conditioning specialist, was able to install a sniffer program in a switched environment network. Which attack could the hacker use to sniff all of the packets in the network? A Fraggle B MAC Flood C Smurf D Tear Drop.
Which of the following is a component of a risk assessment? A Physical security B Administrative safeguards. C DMZ D Logical interface.
Which tool can be used to silently copy files from USB devices? A USB Grabber B USB Dumper C USB Sniffer D USB Snoopy.
Which of the following is an application that requires a host application for replication? A Micro B Worm C Trojan D Virus.
Which of the statements concerning proxy firewalls is correct? A Proxy firewalls increase the speed and functionality of a network. B Firewall proxy servers decentralize all activity for an application. C Proxy firewalls block network packets from passing to and from a protected network. D Computers establish a connection with a proxy firewall which initiates a new network connection for the client.
Which command line switch would be used in NMAP to perform operating system detection? A -OS B -sO C -sP D. -O.
An attacker has been successfully modifying the purchase price of items purchased on the company's web site. The security administrators verify the web server and Oracle database have not been compromised directly. They have also verified the Intrusion Detection System (IDS) logs and found no attacks that could have caused this. What is the most likely way the attacker has been able to modify the purchase price? A By using SQL injection B By changing hidden form values C By using cross-site scripting D By utilizing a buffer overflow attack.
Which of the following lists are valid data-gathering activities associated with a risk assessment? A Threat identification, vulnerability identification, control analysis. B Threat identification, response identification, mitigation identification C Attack profile, defense profile, loss profile D System profile, vulnerability identification, security determination.
Which of the following cryptography attack methods is usually performed without the use of a computer? A Ciphertext-only attack B Chosen key attack C Rubber hose attack. D Rainbow table attack.
During a penetration test, a tester finds a target that is running MS SQL 2000 with default credentials. The tester assumes that the service is running with Local System account. How can this weakness be exploited to access the system? A Using the Metasploit psexec module setting the SA / Admin credential B Invoking the stored procedure xp_shell to spawn a Windows command shell C Invoking the stored procedure cmd_shell to spawn a Windows command shell D Invoking the stored procedure xp_cmdshell to spawn a Windows command shell.
Passive reconnaissance involves collecting information through which of the following? A Social engineering B Network traffic sniffing C Man in the middle attacks D Publicly accessible sources.
How does an operating system protect the passwords used for account logins? A- The operating system performs a one-way hash of the passwords. B The operating system stores the passwords in a secret file that users cannot find. C The operating system encrypts the passwords, and decrypts them when needed. D The operating system stores all passwords in a protected segment of non-volatile memory.
Which of the following is a hashing algorithm? A MD5 B PGP C DES D ROT13.
What is the name of the international standard that establishes a baseline level of confidence in the security functionality of IT products by providing a set of requirements for evaluation? A Blue Book B ISO 26029 C Common Criteria D The Wassenaar Agreement.
An NMAP scan of a server shows port 69 is open. What risk could this pose? A Unauthenticated access B Weak SSL version C Cleartext login D Web portal data leak.
Which type of antenna is used in wireless communication? A Omnidirectional. B Parabolic C Uni-directional D Bi-directional.
Which of the following parameters enables NMAP's operating system detection feature? A NMAP -sV B NMAP -oS C NMAP -sR D NMAP -O.
Which property ensures that a hash function will not produce the same hashed value for two different messages? A Collision resistance. B Bit length C Key strength D Entropy.
John the Ripper is a technical assessment tool used to test the weakness of which of the following? A Usernames B File permissions C Firewall rulesets D Passwords.
Which of the following is a symmetric cryptographic standard? A DSA B PKI C RSA D 3DES.
Which of the following programs is usually targeted at Microsoft Office products? A Polymorphic virus B Multipart virus C Macro virus D Stealth virus.
Which tool would be used to collect wireless packet data? A NetStumbler. B John the Ripper C Nessus D Netcat.
A person approaches a network administrator and wants advice on how to send encrypted emails from home. The end user does not want to have to pay for any license fees or manage server services. Which of the following is the most secure encryption protocol that the network administrator should recommend? A IP Security (IPSEC) B Multipurpose Internet Mail Extensions (MIME) C Pretty Good Privacy (PGP) D Hyper Text Transfer Protocol with Secure Socket Layer (HTTPS).
While performing data validation of web content, a security technician is required to restrict malicious input. Which of the following processes is an efficient way of restricting malicious input? A Validate web content input for query strings. B Validate web content input with scanning tools. C- Validate web content input for type, length, and range. D Validate web content input for extraneous queries.
Low humidity in a data center can cause which of the following problems? A Heat B Corrosion C Static electricity D Airborne contamination.
How can telnet be used to fingerprint a web server? A telnet webserverAddress 80 HEAD / HTTP/1.0 B telnet webserverAddress 80 PUT / HTTP/1.0 C telnet webserverAddress 80 HEAD / HTTP/2.0 D telnet webserverAddress 80 PUT / HTTP/2.0.
One way to defeat a multi-level security solution is to leak data via A a bypass regulator B steganography C a covert channel. D asymmetric routing.
Which of the following is a hardware requirement that either an IDS/IPS system or a proxy server must have in order to properly function? A Fast processor to help with network traffic analysis B They must be dual-homed C Similar RAM requirements D Fast network interface cards.
An organization hires a tester to do a wireless penetration test. Previous reports indicate that the last test did not contain management or control packets in the submitted traces. Which of the following is the most likely reason for lack of management or control packets? A The wireless card was not turned on B The wrong network card drivers were in use by Wireshark C On Linux and Mac OS X, only 802.11 headers are received in promiscuous mode D Certain operating systems and adapters do not collect the management or control packets.
A covert channel is a channel that A. transfers information over, within a computer system, or network that is outside of the security policy. B transfers information over, within a computer system, or network that is within the security policy. C transfers information via a communication path within a computer system, or network for transfer of data. D transfers information over, within a computer system, or network that is encrypted.
Which tool is used to automate SQL injections and exploit a database by forcing a given web application to connect to another database controlled by a hacker? A DataThief B NetCat C Cain and Abel D SQLInjector.
In order to show improvement of security over time, what must be developed? A Reports B Testing tools C Metrics. D Taxonomy of vulnerabilities.
How can rainbow tables be defeated? A Password salting B Use of non-dictionary words C All uppercase character passwords D Lockout accounts under brute force password cracking attempts.
What technique is used to perform a Connection Stream Parameter Pollution (CSPP) attack? A Injecting parameters into a connection string using semicolons as a separator. B Inserting malicious Javascript code into input parameters C Setting a user's session identifier (SID) to an explicit known value D Adding multiple parameters with the same name in HTTP requests.
Which of the following can the administrator do to verify that a tape backup can be recovered in its entirety? A Restore a random file B Perform a full restore. C Read the first 512 bytes of the tape D Read the last 512 bytes of the tape.
A penetration tester is attempting to scan an internal corporate network from the internet without alerting the border sensor. Which is the most efficient technique the tester should consider using? A Spoofing an IP address B Tunneling scan over SSH. C Tunneling over high port numbers D Scanning using fragmented IP packets.
A consultant is hired to do physical penetration testing at a large financial company. In the first day of his assessment, the consultant goes to the company's building dressed like an electrician and waits in the lobby for an employee to pass through the main access gate, then the consultant follows the employee behind to get into the restricted area. Which type of attack did the consultant perform? A Man trap B Tailgating C Shoulder surfing D Social engineering.
Which solution can be used to emulate computer services, such as mail and ftp, and to capture information related to logins or actions? A Firewall B Honeypot C Core server D Layer 4 switch.
A hacker searches in Google for filetype:pcf to find Cisco VPN config files. Those files may contain connectivity passwords that can be decoded with which of the following? A Cupp B Nessus C Cain and Abel D John The Ripper Pro.
A security analyst is performing an audit on the network to determine if there are any deviations from the security policies in place. The analyst discovers that a user from the IT department had a dial-out modem installed. Which security policy must the security analyst check to see if dial-out modems are allowed? A Firewall-management policy B Acceptable-use policy C Remote-access policy D Permissive policy.
Which of the following is a client-server tool utilized to evade firewall inspection? A tcp-over-dns. B kismet C nikto D hping.
A hacker was able to sniff packets on a company's wireless network. The following information was discovered: Using the Exclusive OR, what was the original message? A- 00101000 11101110 B- 11010111 00010001 C- 00001101 10100100 D- 11110010 01011011.
What is the best defense against privilege escalation vulnerability? A Patch systems regularly and upgrade interactive login privileges at the system administrator level. B Run administrator and applications on least privileges and use a content registry for tracking. C. Run services with least privileged accounts and implement multi-factor authentication and authorization. D Review user roles and administrator privileges for maximum utilization of automation services.
Which of the following processes evaluates the adherence of an organization to its stated security policy? A Vulnerability assessment B Penetration testing C Risk assessment D Security auditing.
A company has hired a security administrator to maintain and administer Linux and Windows-based systems. Written in the nightly report file is the following: Firewall log files are at the expected value of 4 MB. The current time is 12am. Exactly two hours later the size has decreased considerably. Another hour goes by and the log files have shrunk in size again. Which of the following actions should the security administrator take? A Log the event as suspicious activity and report this behavior to the incident response team immediately B Log the event as suspicious activity, call a manager, and report this as soon as possible C Run an anti-virus scan because it is likely the system is infected by malware D Log the event as suspicious activity, continue to investigate, and act according to the site's security policy.
A tester has been hired to do a web application security test. The tester notices that the site is dynamic and must make use of a back end database. In order for the tester to see if SQL injection is possible, what is the first character that the tester should use to attempt breaking a valid SQL request? A Semicolon B Single quote C Exclamation mark D Double quote.
A Security Engineer at a medium-sized accounting firm has been tasked with discovering how much information can be obtained from the firm's public facing web servers. The engineer decides to start by using netcat to port 80. The engineer receives this output: Which of the following is an example of what the engineer performed? A Cross-site scripting B Banner grabbing. C SQL injection D Whois database query.
Which type of access control is used on a router or firewall to limit network activity? A- Mandatory B- Discretionary C- Rule-based. D- Role-based.
Which command lets a tester enumerate alive systems in a class C network via ICMP using native Windows tools? A ping 192.168.2. B ping 192.168.2.255 C for %V in (1 1 255) do PING 192.168.2.%V D for /L %V in (1 1 254) do PING -n 1 192.168.2.%V | FIND /I "Reply".
Which security control role does encryption meet? A Preventative. B Detective C Offensive D Defensive.
Which of the following is an example of an asymmetric encryption implementation? A SHA1 B PGP C 3DES D MD5.
Which of the following techniques will identify if computer files have been changed? A Network sniffing B Permission sets. C Integrity checking hashes D Firewall alerts.
A penetration tester was hired to perform a penetration test for a bank. The tester began searching for IP ranges owned by the bank, performing lookups on the bank's DNS servers, reading news articles online about the bank, watching what times the bank employees come into work and leave from work, searching the bank's job postings (paying special attention to IT related jobs), and visiting the local dumpster for the bank's corporate office. What phase of the penetration test is the tester currently in? A Information reporting B Vulnerability assessment C Active information gathering D- Passive information gathering.
Which of the following is an example of two factor authentication? A PIN Number and Birth Date B Username and Password C Digital Certificate and Hardware Token D Fingerprint and Smartcard ID.
Which of the following business challenges could be solved by using a vulnerability scanner? A Auditors want to discover if all systems are following a standard naming convention B A web server was compromised and management needs to know if any further systems were compromised C There is an emergency need to remove administrator access from multiple machines for an employee that quit D There is a monthly requirement to test corporate compliance with host application usage and security policies.
Which of the following is considered an acceptable option when managing a risk? A Reject the risk B Deny the risk C Mitigate the risk. D Initiate the risk.
An engineer is learning to write exploits in C++ and is using the exploit tool Backtrack. The engineer wants to compile the newest C++ exploit and name it calc.exe. Which command would the engineer use to accomplish this? A g++ hackersExploit.cpp -o calc.exe. B g++ hackersExploit.py -o calc.exe C g++ -i hackersExploit.pl -o calc.exe D g++ --compile -i hackersExploit.cpp -o calc.exe.
The use of alert thresholding in an IDS can reduce the volume of repeated alerts, but introduces which of the following vulnerabilities? A An attacker, working slowly enough, can evade detection by the IDS. B Network packets are dropped if the volume exceeds the threshold C Thresholding interferes with the IDS’ ability to reassemble fragmented packets D The IDS will not distinguish among packets originating from different sources.
Which type of scan measures a person's external features through a digital video camera? A Iris scan B Retinal scan C Facial recognition scan. D Signature kinetics scan.
What are the three types of authentication? A Something you: know, remember, prove B Something you: have, know, are. C Something you: show, prove, are D Something you: show, have, prove.
A Network Administrator was recently promoted to Chief Security Officer at a local university. One of the employee's new responsibilities is to manage the implementation of an RFID card access system to a new server room on campus. The server room will house student enrollment information that is securely backed up to an off-site location. During a meeting with an outside consultant, the Chief Security Officer explains that he is concerned that the existing security controls have not been designed properly. Currently, the Network Administrator is responsible for approving and issuing RFID card access to the server room, as well as reviewing the electronic access logs on a weekly basis. Which of the following is an issue with the situation? A Segregation of duties. B Undue influence C Lack of experience D Inadequate disaster recovery plan.
A pentester is using Metasploit to exploit an FTP server and pivot to a LAN. How will the pentester pivot using Metasploit? A Issue the pivot exploit and set the meterpreter B Reconfigure the network settings in the meterpreter C Set the payload to propagate through the meterpreter D Create a route statement in the meterpreter.
Which statement is TRUE regarding network firewalls preventing Web Application attacks? A Network firewalls can prevent attacks because they can detect malicious HTTP traffic. B. Network firewalls cannot prevent attacks because ports 80 and 443 must be opened. C Network firewalls can prevent attacks if they are properly configured. D Network firewalls cannot prevent attacks because they are too complex to configure.
Which NMAP command combination would let a tester scan every TCP port from a class C network that is blocking ICMP with fingerprinting and service detection? A NMAP -PN -A -O -sS 192.168.2.0/24 B NMAP -P0 -A -O -p1-65535 192.168.0/24. C NMAP -P0 -A -sT -p0-65535 192.168.0/16 D NMAP -PN -O -sS -p 1-1024 192.168.0/8.
Which of the following viruses tries to hide from anti-virus programs by actively altering and corrupting the chosen service call interruptions when they are being run? A Cavity virus B Polymorphic virus C Tunneling virus D Stealth virus.
A security administrator notices that the log file of the company’s webserver contains suspicious entries: Based on source code analysis, the analyst concludes that the login.php script is vulnerable to A command injection B SQL injection. C directory traversal D LDAP injection.
In the software security development life cycle process, threat modeling occurs in which phase? A Design. B Requirements C Verification D Implementation.
A company has publicly hosted web applications and an internal Intranet protected by a firewall. Which technique will help protect against enumeration? A Reject all invalid email received via SMTP. B Allow full DNS zone transfers. C Remove A records for internal hosts. D Enable null session pipes.
Which of the following settings enables Nessus to detect when it is sending too many packets and the network pipe is approaching capacity? A Netstat WMI Scan B Silent Dependencies C Consider unscanned ports as closed D Reduce parallel connections on congestion.
Firewalk has just completed the second phase (the scanning phase) and a technician receives the output shown below. What conclusions can be drawn based on these scan results? A The firewall itself is blocking ports 21 through 23 and a service is listening on port 23 of the target host B The lack of response from ports 21 and 22 indicate that those services are not running on the destination server C The scan on port 23 passed through the filtering device. This indicates that port 23 was not blocked at the firewall. D The scan on port 23 was able to make a connection to the destination host prompting the firewall to respond with a TTL error.
Which of the following is used to indicate a single-line comment in structured query language (SQL)? A -- B || C %% D ''.
A company firewall engineer has configured a new DMZ to allow public systems to be located away from the internal network. The engineer has three security zones set: The engineer wants to configure remote desktop access from a fixed IP on the remote network to a remote desktop server in the DMZ. Which rule would best fit this requirement? A Permit 217.77.88.0/24 11.12.13.0/24 RDP 3389 B Permit 217.77.88.12 11.12.13.50 RDP 3389. C Permit 217.77.88.12 11.12.13.0/24 RDP 3389 D Permit 217.77.88.0/24 11.12.13.50 RDP 3389.
Which of the following techniques does a vulnerability scanner use in order to detect a vulnerability on a target service? A Port scanning B Banner grabbing C Injecting arbitrary data D Analyzing service response.
On a Linux device, which of the following commands will start the Nessus client in the background so that the Nessus server can be configured? A nessus + B nessus *s C nessus &. D nessus -d.
Which technical characteristic do Ethereal/Wireshark, TCPDump, and Snort have in common? A They are written in Java B They send alerts to security monitors C They use the same packet analysis engine D They use the same packet capture utility.
A pentester gains access to a Windows application server and needs to determine the settings of the built-in Windows firewall. Which command would be used? A Netsh firewall show config. B WMIC firewall show config C Net firewall show config D Ipconfig firewall show config.
A developer for a company is tasked with creating a program that will allow customers to update their billing and shipping information. The billing address field used is limited to 50 characters. What pseudo code would the developer use to avoid a buffer overflow attack on the billing address field? A if (billingAddress = 50) {update field} else exit B if (billingAddress != 50) {update field} else exit C if (billingAddress >= 50) {update field} else exit D if (billingAddress <= 50) {update field} else exit.
The use of technologies like IPSec can help guarantee the following: authenticity, integrity, confidentiality and A non-repudiation. B operability C security D usability.
Which of the following does proper basic configuration of snort as a network intrusion detection system require? A. Limit the packets captured to the snort configuration file. B Capture every packet on the network segment. C Limit the packets captured to a single segment. D Limit the packets captured to the /var/log/snort directory.
To send a PGP encrypted message, which piece of information from the recipient must the sender have before encrypting the message? A Recipient's private key B Recipient's public key. C Master encryption key D Sender's public key.
While conducting a penetration test, the tester determines that there is a firewall between the tester's machine and the target machine. The firewall is only monitoring TCP handshaking of packets at the session layer of the OSI model. Which type of firewall is the tester trying to traverse? A Packet filtering firewall B Application-level firewall C Circuit-level gateway firewall. D Stateful multilayer inspection firewall.
Least privilege is a security concept that requires that a user is A limited to those functions required to do the job. B given root or administrative privileges C trusted to keep all data and access to that data under their sole control D given privileges equal to everyone else in the department.
A large company intends to use Blackberry for corporate mobile phones and a security analyst is assigned to evaluate the possible threats. The analyst will use the Blackjacking attack method to demonstrate how an attacker could circumvent perimeter defenses and gain access to the corporate network. What tool should the analyst use to perform a Blackjacking attack? A Paros Proxy B BBProxy. C BBCrack D Blooover.
Smart cards use which protocol to transfer the certificate in a secure manner? A Extensible Authentication Protocol (EAP). B Point to Point Protocol (PPP) C Point to Point Tunneling Protocol (PPTP) D Layer 2 Tunneling Protocol (L2TP).
What is the broadcast address for the subnet 190.86.168.0/22? A 190.86.168.255 B 190.86.255.255 C 190.86.171.255. D 190.86.169.255.
WPA2 uses AES for wireless data encryption at which of the following encryption levels? A 64 bit and CCMP B 128 bit and CRC C 128 bit and CCMP. D 128 bit and TKIP.
Which set of access control solutions implements two-factor authentication? A USB token and PIN. B Fingerprint scanner and retina scanner C Password and PIN D Account and password.
A penetration tester is conducting a port scan on a specific host. The tester found several ports opened that were confusing in concluding the Operating System (OS) version installed. Considering the NMAP result below, which of the following is likely to be installed on the target machine by the OS? A The host is likely a Windows machine B The host is likely a Linux machine C The host is likely a router D The host is likely a printer.
During a wireless penetration test, a tester detects an access point using WPA2 encryption. Which of the following attacks should be used to obtain the key? A. The tester must capture the WPA2 authentication handshake and then crack it. B The tester must use the tool inSSIDer to crack it using the ESSID of the network. C The tester cannot crack WPA2 because it is in full compliance with the IEEE 802.11i standard. D The tester must change the MAC address of the wireless network card and then use the AirTraf tool to obtain the key.
What is the main advantage that a network-based IDS/IPS system has over a host-based solution? A They do not use host system resources. B They are placed at the boundary, allowing them to inspect all traffic C They are easier to install and configure D They will not interfere with user interfaces.
Which of the following problems can be solved by using Wireshark? A Tracking version changes of source code B Checking creation dates on all webpages on a server C Resetting the administrator password on multiple systems D Troubleshooting communication resets between two systems.
Diffie-Hellman (DH) groups determine the strength of the key used in the key exchange process. Which of the following is the correct bit size of the Diffie-Hellman (DH) group 5? A 768 bit key B 1025 bit key. C 1536 bit key D 2048 bit key.
From the two screenshots below, which of the following is occurring? A 10.0.0.253 is performing an IP scan against 10.0.0.0/24, 10.0.0.252 is performing a port scan against 10.0.0.2. B 10.0.0.253 is performing an IP scan against 10.0.0.2, 10.0.0.252 is performing a port scan against 10.0.0.2. C 10.0.0.2 is performing an IP scan against 10.0.0.0/24, 10.0.0.252 is performing a port scan against 10.0.0.2. D 10.0.0.252 is performing an IP scan against 10.0.0.2, 10.0.0.252 is performing a port scan against 10.0.0.2.
Which type of intrusion detection system can monitor and alert on attacks, but cannot stop them? A Detective B Passive. C Intuitive D Reactive.
When analyzing the IDS logs, the system administrator noticed an alert was logged when the external router was accessed from the administrator's computer to update the router configuration. What type of an alert is this? A False - positive B False negative C True positive D True negative.
Which system consists of a publicly available set of databases that contain domain name registration contact information? A WHOIS. B IANA C CAPTCHA D IETF.
A hacker is attempting to see which IP addresses are currently active on a network. Which NMAP switch would the hacker use? A -sO B -sP C -sS D -sU.
The following is a sample of output from a penetration tester's machine targeting a machine with the IP address of 192.168.1.106: What is most likely taking place? A Ping sweep of the 192.168.1.106 network B Remote service brute force attempt. C Port scan of 192.168.1.106 D Denial of service attack on 192.168.1.106.
Which of the following is a strong post designed to stop a car? A Gate B Fence C Bollard. D Reinforced rebar.
How is sniffing broadly categorized? A Active and passive. B Broadcast and unicast C Unmanaged and managed D Filtered and unfiltered.