Certified Ethical Hacker (CEH) Mock

What is used to indicate a single-line comment in Structured Query Language (SQL)?

Options are :

  • ||
  • '
  • -- (Correct)
  • %%

Answer : --

Explanation To create a single-line comment in SQL, you must begin the comment with two hyphens (--). After the --, you then proceed with your text-based comment and that text cannot extend to the next line. If you enter a line break, the comment is ended.

What is an example of an asymmetric encryption implementation?

Options are :

  • MD5
  • 3DES
  • PGP (Correct)
  • SHA1

Answer : PGP

Explanation Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications. PGP uses asymmetric encryption.

A company has setup a new ecommerce website, but is concerned about the possibility of packet sniffing being conducted by an attacker to steal their customer’s credit card information being submitted via the user’s web browser. The customer’s web browsers will need to encrypt the data using an HTTPS connection to prevent any sniffed traffic from being read by an attacker. What certificate type should be used to encrypt and decrypt the data?

Options are :

  • Non-confidential
  • Confidential
  • Symmetric
  • Asymmetric (Correct)

Answer : Asymmetric

Explanation Asymmetric encryption is a form of Encryption where keys come in pairs. What one key encrypts, only the other can decrypt. This is commonly use in Public Key Infrastructure environments, such as an e-commerce websites using SSL/TLS connections to securely create an HTTPS connection.

A technician just completed the second phase (scanning) using Firewalk and received the following output:
TCP port 21 – no response
TCP port 22 – no response
TCP port 23 – Time-to-live exceeded

What do these scan results indicate?

Options are :

  • This indicates that port 23 was not blocked at the firewall since the scan on port 23 passed through the filtering device (Correct)
  • Firewall is blocking ports 21 through 23, but a service on the targeted server is listening on port 23
  • Firewall responded with a TTL error since the scan on port 23 was able to make a connection to the targeted server
  • No response from port 21 and 22 indicates that those services are not running on the targeted server

Answer : This indicates that port 23 was not blocked at the firewall since the scan on port 23 passed through the filtering device

Explanation Firewalk works by sending out TCP or UDP packets with a TTL one greater than the targeted gateway. If the gateway allows the traffic, it will forward the packets to the next hop where they will expire and elicit an ICMP_TIME_EXCEEDED message. If the gateway host does not allow the traffic, it will likely drop the packets and we will see no response.

What technical solution can be used to emulate computer services, such as mail, web, and ftp in order to capture information related to login attempts or other commands being issued by an attacker?

Options are :

  • Core server
  • Honeypot (Correct)
  • Layer 3 switch
  • Firewall

Answer : Honeypot

Explanation A honeypot is a computer security technology that is setup to detect, deflect, or counteract attempts at unauthorized use of information systems. Generally, a honeypot consists of data that appears to be a legitimate part of a site or network but is actually isolated and monitored. The honeypot seems to contain information or a resource of value to attackers, but their actions can be logged, blocked, or ignored.

A technician is checking the settings on a web browser and finds that the proxy server settings have been set for the client to use itself a proxy server. What IP address was set as the proxy server?

Options are :

  • 10.0.0.1
  • 172.16.1.1
  • 127.0.0.1 (Correct)
  • 192.168.1.1

Answer : 127.0.0.1

Explanation The client is set to use the localhost (itself) as the proxy server. This means it is set to 127.0.0.1, the loopback IP address for the localhost.

What acronym represents a hashing algorithm?

Options are :

  • ROT13
  • PGP
  • MD5 (Correct)
  • DES

Answer : MD5

Explanation The MD5 algorithm is a widely used hash function producing a 128-bit hash value. Although MD5 was initially designed to be used as a cryptographic hash function, it has been found to suffer from extensive vulnerabilities and has been replaced by SHA1 and SHA-256 in most organizations. DES, PGP, and ROT13 are all forms of encryption and are not hashing algorithms.

The Windows 7 operating system kernel mode uses a code signing policy to provide additional security to the kernel. How can a rootkit bypass this security feature?

Options are :

  • Performing common services for the application process and replacing real applications with fake ones
  • Defeating the scanner from detecting any code change at the kernel
  • Replacing patch system calls with its own version that hides the rootkit’s actions
  • Attaching itself to the master boot record in a hard drive and changing the machine's boot sequence or options (Correct)

Answer : Attaching itself to the master boot record in a hard drive and changing the machine's boot sequence or options

Explanation By attaching itself to the master boot record (MBR) of a hard drive, the rootkit is able to modify boot sequences and other options. The rootkit is loaded before the Windows kernel is loaded, therefore it is able to bypass the code signing policy as that policy is enforces by the Windows kernel.

How does an operating system protect the passwords used for account logins?

Options are :

  • Uses a one-way hash of the passwords (Correct)
  • Stores the passwords in a secret file that users cannot find
  • Stores all passwords in a protected segment of non-volatile memory
  • Encrypts the passwords, and decrypts them when needed

Answer : Uses a one-way hash of the passwords

Explanation Passwords are stored by the operating system after being hashed with a one-way encryption algorithm. Examples of this are MD5, SHA1, SHA256, as well as some proprietary variants used by various applications and operating systems. To increase the security of the store password, these hashes are often salted, as well.

What must be developed in order to show security improvements over time?

Options are :

  • Testing tools
  • Metrics (Correct)
  • Taxonomy of vulnerabilities
  • Reports

Answer : Metrics

Explanation Metrics are a method of measuring something over time. If you wish to show the effect of security improvements over time, creating a metrics would be a good option. For example, you may wish to look at the number of unpatched and known vulnerabilities. As this number decreases, your network would be considered to have improved security.

What is the biggest advantage of a network-based IDS/IPS system over a host-based solution?

Options are :

  • Doesn’t interfere with the user interface
  • Easier to install and configure
  • Inspects all traffic since they are located at the boundary
  • Host system resources are not utilized (Correct)

Answer : Host system resources are not utilized

Explanation The biggest advantage of using a Network-based IDS/IPS over a host-based solution is they do not require the use of any system resources on the host itself. Network-based IDS/IPS are able to see most traffic at the boundary, but not all traffic since the user may be using an encrypted web tunnel connection (like TLS) which bypasses the IDS/IPS sensor. Network-based IDS/IPS are often more difficult to install and configure, as well.

What kind of attack is an example of IP spoofing?

Options are :

  • SQL injections
  • Cross-site scripting
  • ARP poisoning
  • Man-in-the-middle (Correct)

Answer : Man-in-the-middle

Explanation The man-in-the middle attack intercepts a communication between two systems. For example, in an http transaction the target is the TCP connection between client and server. Using different techniques, the attacker splits the original TCP connection into 2 new connections, one between the client and the attacker and the other between the attacker and the server. This often uses IP spoofing to trick a victim into connecting to the attack.

A security engineer is using the Kali Linux operating system and is writing exploits in C++. What command should they use to compile their new exploit and name it notepad.exe?

Options are :

  • g++ exploit.cpp -o notepad.exe (Correct)
  • g++ --compile –i exploit.cpp -o notepad.exe
  • g++ exploit.py -o notepad.exe
  • g++ -i exploit.pl -o notepad.exe

Answer : g++ exploit.cpp -o notepad.exe

Explanation g++ is free C++ compiler that is available across a wide variety of operating systems, and is installed by default as part of Kali Linux. The proper syntax to compile a C++ file (*.cpp) is “g++ filename -o outputfile?, so “g++ exploit.cpp -0 notepad.exe? is correct.

If you are attempting to leak data without being detected by a multi-level security solution, what technique should you use?

Options are :

  • Covert channel (Correct)
  • Bypass regulator
  • Steganography
  • Asymmetric routing

Answer : Covert channel

Explanation A covert channel transfers information over, within a computer system, or network that is outside of the security policy. It is useful to bypass multi-level security solutions in order to leak data out of a protected network. A good example of this is the use of reserved fields in various packet headers/footers to conceal data. A ping packet, for example, is not designed to contain any data, but in the past attackers have placed data in the ping packets header as a method of creating a covert channel.

What is required in order to increase the acceptance of a security policy by employees across the organization?

Options are :

  • Consistency and support of the policy by executive management (Correct)
  • Consistency and support of the policy by a supervisor
  • Consistency and support of the policy by coworkers
  • Consistency and support of the policy by the security office

Answer : Consistency and support of the policy by executive management

Explanation A top-down approach to implementing a security policy and maintaining consistency is the most important way to ensure employees across an organization will support and follow the policies. A top-down approach means that executive management must support the policy first.

What three modes can Snort be configured to run in?

Options are :

  • Sniffer, Host Intrusion Prevention System, and Network Intrusion Prevention System
  • Sniffer, Packet Logger, and Host Intrusion Prevention System
  • Sniffer, Network Intrusion Detection System, and Host Intrusion Detection System
  • Sniffer, Packet Logger, and Network Intrusion Detection System (Correct)

Answer : Sniffer, Packet Logger, and Network Intrusion Detection System

Explanation Snort can be configured to work as a packet sniffer, a packet logger, a Network Intrusion Detection System, or a Network Intrusion Protection System. Snort cannot be used as a host-based detection or prevention system.

What tool can be used to scan a network to perform vulnerability checks and compliance auditing?

Options are :

  • Metasploit
  • Nessus (Correct)
  • BeEF
  • NMAP

Answer : Nessus

Explanation Nessus is a very popular vulnerability scanner. It can be used to check how vulnerable your network is by using various plugins to test for vulnerabilities. Also, Nessus can be used to perform compliance auditing, like internal and external PCI DSS audit scans.

Authentication, integrity, confidentiality and _________ can be assured through the use of IPSec and other technologies.

Options are :

  • security
  • non-repudiation (Correct)
  • scalability
  • usability

Answer : non-repudiation

Explanation Confidentiality, Integrity, Availability, Non-repudiation, and Authentication are the basic factors of information security. Technologies like IPSec and others all seek to increase one or more of these factors.

What does symmetric key cryptography use?

Options are :

  • Identical key on each end of the transmission (Correct)
  • Multiple keys for non-repudiation of bulk data
  • Different keys on both ends of the transmission
  • Bulk encryption for data transmission over fiber

Answer : Identical key on each end of the transmission

Explanation Symmetric key cryptography uses the same key on both ends of the transmission. Asymmetric key cryptography uses a different key on the each end of the transmission.

What NMAP switch would a hacker use to attempt to see which ports are open on a targeted network?

Options are :

  • -sP
  • -sO (Correct)
  • -sU
  • -sS

Answer : -sO

Explanation –sO is used to determine which IP protocols (TCP, UDP, ICMP, IGMP, etc) are supported and open on the targeted machine and is the correct answer. –sU will only scan UDP ports. -sS will only scan TCP ports using a SYN scan. –sP is a legacy (and depreciated) command for a ping scan.

Which of these options is a preventive control?

Options are :

  • Smart card authentication (Correct)
  • Audit trail
  • Continuity of operations plan
  • Security policy

Answer : Smart card authentication

Explanation Preventative controls are designed to prevent the threat from coming in contact with the weakness. Smart card authentication allows for the implementation of two-factor authentication, preventing the threat of password guessing against the weakness of a username/password authentication scheme. Security policies and continuity of operations plans are administrative controls. Audit trails are detective controls.

What virus attempts to hide from anti-virus programs by actively altering and corrupting the chosen service call interruptions being run?

Options are :

  • Tunneling virus
  • Polymorphic virus
  • Stealth virus (Correct)
  • Cavity virus

Answer : Stealth virus

Explanation A stealth virus is a hidden computer virus that attacks operating system processes and averts typical anti-virus or anti-malware scans. Stealth viruses are adept at deliberately avoiding detection.

Why are some passwords stored using hashes, a specialized encryption algorithms?

Options are :

  • Because if a user forgets the password, it can be easily retrieved using the hash key stored by administrators
  • Because an attacker to crack hashed user passwords unless the key used to encrypt them is obtained
  • Because passwords stored using hashes are non-reversible, making finding the password much more difficult (Correct)
  • Because hashing is faster compared to more traditional encryption algorithms

Answer : Because passwords stored using hashes are non-reversible, making finding the password much more difficult

Explanation Because hashes are a one-way algorithm, it becomes much more difficult to determine the original password from the hash value. Even the system administrators do not know the original password, because all passwords are stored as unique hashes.

What device could you use to enable the capture of all traffic being passed over a network connection when you are using Wireshark to acquire packet capture ?

Options are :

  • Layer 3 switch
  • Network tap (Correct)
  • Application firewall
  • Network bridge

Answer : Network tap

Explanation A network tap is typically a dedicated hardware device, which provides a way to access the data flowing across a computer network. The machine running Wireshark should be connected to the network tap and it will then be able to collect all packets passing across that segment of the network. If you want to collect ALL traffic being passed over the network, it is important to place the network tap into the proper place on the network.

What problem can be solved by using Wireshark?

Options are :

  • Resetting the administrator password on three different server
  • Tracking source code version changes
  • Troubleshooting network communication between two systems (Correct)
  • Validating the creation dates of webpages on a server

Answer : Troubleshooting network communication between two systems

Explanation Wireshark is a free and open source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.

An insurance company has developed a new web application to allow their customers to choose and apply for an insurance plan. You have been asked to help perform a security review of the new web application. You have discovered that the application was developed in ASP and uses MS SQL for its backend database. You have been able to locate application's search form and introduced the following code in the search input field:

IMG SRC="vbscript:msgbox("Vulnerable_to_Attack");>" originalAttribute="SRC" originalPath="vbscript:msgbox("Vulnerable_to_Attack ");>"

When you click submit on the search form, your web browser returns a pop-up window that says "Vulnerable_to_Attack". What vulnerability did you discover in the web application?

Options are :

  • Cross-site scripting (Correct)
  • Command injection
  • Cross-site request forgery
  • SQL injection

Answer : Cross-site scripting

Explanation This is a form of Cross-Site Scripting (XSS). Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.

What international standard establishes a baseline level of confidence in the security functionality of information technology products by providing a set of evaluation requirements?

Options are :

  • Common Criteria (Correct)
  • The Wassenaar Agreement
  • ISO 26029
  • Blue Book

Answer : Common Criteria

Explanation The Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC) is an international standard (ISO/IEC 15408) for computer security certification. Common Criteria is a framework in which computer system users can specify their security functional and assurance requirements (SFRs and SARs respectively) through the use of Protection Profiles (PPs), vendors can then implement and/or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine if they actually meet the claims. In other words, Common Criteria provides assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous and standard and repeatable manner at a level that is commensurate with the target environment for use, providing us with a baseline level of confidence.

What can be used with NMAP to utilize it as a basic vulnerability scanner for FTP, HTTP, and SMB attack vectors?

Options are :

  • Metasploit scripting engine
  • Nessus scripting engine
  • NMAP scripting engine (Correct)
  • SAINT scripting engine

Answer : NMAP scripting engine

Explanation The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features. It allows users to write (and share) simple scripts to automate a wide variety of networking tasks. NSE can be used to detect and/or exploit vulnerabilities associated with FTP, HTTP, SMB, and other attack vectors.

Although the Advanced Encryption Standard (AES) algorithm with a 256 bit key is considered very secure when used to encrypt sensitive data, what is the largest drawback of using this solution?

Options are :

  • Complex configurations are required to get messaging programs to function with this algorithm
  • Due to the large key size, the time it takes to encrypt and decrypt the message hinders efficient communication
  • It has been proven to be a weak cipher and should not be trusted to protect sensitive data
  • It is a symmetric key algorithm so each recipient must receive the key through a different channel than the message to retain the security of the data (Correct)

Answer : It is a symmetric key algorithm so each recipient must receive the key through a different channel than the message to retain the security of the data

Explanation AES with a 256 bit key is considered very secure and has not yet been proven to be broken. IT doesn't required complex configurations to be used, either. Unfortunately, since it is a symmetric algorithm, both ends of the transmission must use the same key. Therefore, you have to find a secondary secure channel to send the symmetric key to the recipient to ensure security.

A penetration test tester conducts an ACK scan using NMAP against the external interface of an organization’s DMZ firewall. NMAP is reporting port 80 as “unfiltered?. What type of packet inspection is the firewall performing?

Options are :

  • Host
  • Stateful
  • Application
  • Stateless (Correct)

Answer : Stateless

Explanation The unfiltered state means that a port is accessible, but Nmap is unable to determine whether it is open or closed. Only the ACK scan, which is used to map firewall rulesets, classifies ports into this state. Based on the unfiltered port state, the firewall must be performing stateless inspection. Stateless firewalls watch network traffic, and restrict or block packets based on source and destination addresses or other static values. They are not 'aware' of traffic patterns or data flows. A stateless firewall uses simple rule-sets with ACLs.

An organization is currently accepting bids for a contract that will involve penetration testing and reporting. The organization is asking all bidders to provide proof of previous penetration testing and reporting experience. One contractor decides to print out a few reports from some previous penetration tests that they performed. What could have occurred as a result of this contractor’s actions?

Options are :

  • The organization accepting the bids will want to use the reports as an example of the format for all bidders to use in the future
  • The contractor may have inadvertently exposed numerous vulnerabilities they had found at other companies on previous assessments (Correct)
  • The company accepting the bids will hire the contractor because of the quality of the reports he submitted with his bid
  • The contractor will have their bid accepted with a special pay bonus because of their excellent work on previous penetration tests

Answer : The contractor may have inadvertently exposed numerous vulnerabilities they had found at other companies on previous assessments

Explanation Ethical hackers should never disclose any information from previous penetration tests to anyone outside of the assessed organization, per the original contract and scope of work. If the contractor wishes to provide a sample report, then the report should be custom made for the contract and only include information from a sample/test network, not a previous customer’s assessment.

Why is a stored biometric vulnerable to an attack?

Options are :

  • When conducting authentication using a stored biometric, it compares a copy to a copy instead of the original to a copy
  • Even if the physical characteristic is unique, the digital representation of the biometric might not be unique
  • Once a biometric is stored biometric, it is no longer "something you are" but instead becomes "something you have"
  • Stored biometrics could be stolen and used by an attacker to impersonate the actual user identified by the biometric (Correct)

Answer : Stored biometrics could be stolen and used by an attacker to impersonate the actual user identified by the biometric

Explanation The actual overall vulnerability of a biometric system or biometric end to end process, is typically made up of several areas of variable risk. When specifically considered stored biometric values, they could be stolen or compromised and then used by the attacker to impersonate the actual user identified by the unique biometric value.

A cybersecurity analyst is looking over the logs from his Intrusion Detection System and sees an alert was logged for the border router being accessed by a system administrator’s computer when the administrator updated the router configuration. What best describes this type of alert?

Options are :

  • True positive
  • False positive (Correct)
  • True negative
  • False negative

Answer : False positive

Explanation A False Positive occurs when an alert is fired (so that you think you have a specific issue), but that issue doesn’t really exist. In this case, the alert on the IDS shows that an unauthorized configuration was made to the border router, but this change was authorized and allowed, deeming it a false positive.

What tool is used to collect wireless packet data?

Options are :

  • Netcat
  • NetStumbler (Correct)
  • John the Ripper
  • Nessus

Answer : NetStumbler

Explanation NetStubmbler, also known as Network Stumbler, is a tool for Windows that facilitates detection of Wireless LANs using the 802.11b, 802.11a, and 802.11g WLAN standards. The program was designed for wardriving, verifying network configurations, finding locations with poor coverage in a WLAN, detecting causes of wireless interference, detecting unauthorized ("rogue") access points, and aiming directional antennas for long-haul WLAN links. Unfortunately, this program has not been updated since 2005, so it is not the best tool to use for wireless packet collection. Instead, the AirCrack-ng suite of tools inside Kali Linux is more often utilized by attackers and penetration testers.

What kind of antenna is most commonly used in wireless communication?

Options are :

  • Omnidirectional (Correct)
  • Uni-directional
  • Parabolic
  • Bi-directional

Answer : Omnidirectional

Explanation Omnidirectional antennas provide 360 degree coverage of an area and are the most common type of antenna used in wireless communications and networks, especially WiFi networks. Directional antennas may be used to decrease the coverage area of a given wireless network and to focus the transmission power in a singular direction (uni-directional) or two directions (bi-directional), although they are only used in certain higher security or special use case scenarios.

What is an advantage to conducting a security audit using security testing methodologies?

Options are :

  • They are available at low cost
  • Anyone can run the command line scripts
  • They are subject to government regulation
  • They provide you with a repeatable framework (Correct)

Answer : They provide you with a repeatable framework

Explanation By using a good security testing methodology, you provide a repeatable framework for your team to utilize during an assessment, security audit, or penetration test.

What are ICMP ping and ping sweeps used to check?

Options are :

  • Location of the switch port in relation to the ICMP ping
  • Route that the ICMP ping took
  • If an ICMP ping can traverse a firewall (Correct)
  • Number of hops an ICMP ping takes to reach a destination

Answer : If an ICMP ping can traverse a firewall

Explanation An ICMP ping and ping sweep are used to establish a range of IP addresses with active systems/hosts on them. It also will report whether or not ICMP traffic is able to traverse a firewall, or if it simply times out before reaching the host.

What is a primary service provided by the U.S. Computer Emergency Readiness Team (CERT)?

Options are :

  • Vulnerability assessment service to assist law enforcement agencies with profiling an individual's property or company's asset
  • Incident response services that enable a reliable and trusted single point of contact for reporting computer security incidents worldwide (Correct)
  • Computer security surveillance service to supply a government with important intelligence information on individuals travelling abroad
  • Penetration testing service to support exception reporting on incidents worldwide by individuals and multi-national corporations

Answer : Incident response services that enable a reliable and trusted single point of contact for reporting computer security incidents worldwide

Explanation US-CERT strives for a safer, stronger Internet for all Americans by responding to major incidents, analyzing threats, and exchanging critical cybersecurity information with trusted partners around the world. US-CERT seeks to be the single point of contact for reporting security incidents worldwide.

You are logged into the Windows command prompt and want to find what systems are "alive" in a portion of a Class B network (172.16.0.0/24) using ICMP. What command would best accomplish this?

Options are :

  • for /L %X in (1 1 254) do PING -n 1 172.16.0.%X | FIND /I "Reply" (Correct)
  • for %X in (1 1 255) do PING 172.16.0.%X
  • ping 172.16.0.255
  • ping 172.16.0.0

Answer : for /L %X in (1 1 254) do PING -n 1 172.16.0.%X | FIND /I "Reply"

Explanation The Windows command line does support some very basic scripting, as shown in this answer. Use an iterative variable to set the starting value (start#) and then step through a set range of values until the value exceeds the set ending value (end#). /L will execute the iterative by comparing start# with end#. If start# is less than end# the command will execute. When the iterative variable exceeds end# the command shell exists the loop. You can also use a negative step# to step through a range in decreasing values. For example, (1,1,5) generates the sequence 1 2 3 4 5 and (5,-1,1) generates the sequence (5 4 3 2 1). The syntax is: "for /L %variable in (start# step# end#) do command [CommandLineOptions]."

Which of the following a characteristic of a “Blind? SQL Injection vulnerability?

Options are :

  • Application properly filters the user input, but it is still vulnerable to code injection in a “Blind? attack
  • Administrator of the affected application does not see an error message during a successful attack
  • Attacker cannot see any of the display errors with information about the injection during a “Blind? attack (Correct)
  • Administrator of the vulnerable application cannot see the request to the web server

Answer : Attacker cannot see any of the display errors with information about the injection during a “Blind? attack

Explanation Blind SQL injection is a type of SQL Injection attack that asks the database true or false questions and determines the answer based on the application's response. This attack is often used when the web application is configured to show generic error messages, but has not mitigated the code that is vulnerable to SQL injection.

A network administrator was recently promoted to Chief Security Officer at a local university. The Chief Security Officer needs to manage the implementation of an RFID card access system to a new server room being built on the campus. This new server room will house student enrollment information that is backed up to an off-site location each day over a secure network connection. During a meeting with an outside consultant, the Chief Security Officer explains that he is concerned that the existing security controls have not been designed properly. Currently, the administrator is responsible for approving/issuing RFID card access to the server room, and for reviewing the electronic access logs on a weekly basis. What is the problem with the situation described?

Options are :

  • Segregation of duties (Correct)
  • Lack of experience
  • Inadequate disaster recovery plan
  • Undue influence

Answer : Segregation of duties

Explanation Separation of duties, also known as segregation of duties, is the concept of having more than one person required to complete a task. In business, the separation by sharing of more than one individual in one single task is an internal control intended to prevent fraud and error. Since the same person was responsible for approving/issuing the RFID cards and reviewing the electronic access logs, there is no effective review of the administrator performing all these functions.

A hacker sniffed encrypted traffic from the network and is now able to decrypt it. What cryptanalytic technique could the hacker now use to attempt to discover the encryption key?

Options are :

  • Meet in the middle attack
  • Birthday attack
  • Chosen cipher text attack (Correct)
  • Plaintext attack

Answer : Chosen cipher text attack

Explanation Since the hacker has access to both the encrypted traffic and is able to decrypt it, he can use a chosen cipher text attack. A chosen-cipher text attack (CCA) is an attack model for cryptanalysis in which the cryptanalyst gathers information, at least in part, by choosing a cipher text and obtaining its decryption under an unknown key.

What is unique to the N-tier architecture method of designing software applications?

Options are :

  • Application layers can be written in C, ASP.NET, or Delphi without any performance loss.
  • It is compatible with various databases including Access, Oracle, and SQL.
  • Data security is tied into each layer and must be updated for all layers when any upgrade is performed.
  • Application layers can be separated, allowing each layer to be upgraded independently from other layers. (Correct)

Answer : Application layers can be separated, allowing each layer to be upgraded independently from other layers.

Explanation In software design, multitier architecture, also known as n-tier architecture or multilayered architecture is a client–server architecture in which presentation, application processing, and data management functions are physically separated. This allows each layer to be designed and upgraded independently from the other layers of the software.

What type of firewall only inspects the header information in network traffic?

Options are :

  • Application-level gateway
  • Circuit-level gateway
  • Stateful inspection
  • Packet filter (Correct)

Answer : Packet filter

Explanation Packet filtering is a firewall technique used to control network access by monitoring outgoing and incoming packets and allowing them to pass or halt based on the source and destination Internet Protocol (IP) addresses, protocols and ports.

If you are concerned that an attack may try using a rainbow table, what technique should you use to defeat it?

Options are :

  • Password salting (Correct)
  • Use of non-dictionary words
  • Lockout accounts after every 3 login attempts
  • Utilizing only uppercase characters in your passwords

Answer : Password salting

Explanation A password salt makes it more time-consuming to crack a large list of passwords and it makes it infeasible to use a rainbow table. A rainbow table is a large list of pre-computed hashes for commonly-used passwords. if the password file is salted, then the rainbow table would have to contain "salt.password" pre-hashed. That would make the rainbow table prohibitively large.

What are three types of authentication?

Options are :

  • Something you know, Something you remember, Something you prove
  • Something you show, Something you prove, Something you are
  • Something you show, Something you have, Something you prove
  • Something you have, Something you know, Something you are (Correct)

Answer : Something you have, Something you know, Something you are

Explanation The three main types of authentication consist of something you know, something you have, and something you are. There is also a newer method called something you do. Something you know is a knowledge-based test, such as a username, password, PIN, or other data. Something you have is a physical object, like a hardware token, smartcard, key fob, or other physical authenticator. Something you are refers to biometrics, like a retina scan or fingerprint. Something you do refers to the way you sign your name or speak your name (based on tonal inflections).

What scanning tool is specifically designed to find potential exploits in Microsoft Windows products?

Options are :

  • Core Impact
  • Qualysguard
  • Retina
  • Microsoft Baseline Security Analyzer (Correct)

Answer : Microsoft Baseline Security Analyzer

Explanation Microsoft Baseline Security Analyzer (MBSA) is a software tool released by Microsoft to determine security state by assessing missing security updates and less-secure security settings within Microsoft Windows, Windows components such as Internet Explorer, IIS web server, and products Microsoft SQL Server, and Microsoft Office macro settings.

What business challenge can be solved by using a vulnerability scanner?

Options are :

  • Determining if any other systems were compromised after a web server had been compromised by an attacker
  • Testing organizational compliance with host application usage and security policies each month (Correct)
  • Removing administrator access from multiple machines immediately after an employee quits
  • Determining if a standard naming convention exists on all systems

Answer : Testing organizational compliance with host application usage and security policies each month

Explanation Vulnerability scanners can be used during routine scans (for example, monthly) to determine if organizational security policies are being properly followed (such as patching and updating systems).

What is an example of two-factor authentication?

Options are :

  • Username and Date of Birth
  • Digital Certificate and Hardware Token
  • PIN Number and Password
  • Fingerprint and Smartcard Token (Correct)

Answer : Fingerprint and Smartcard Token

Explanation Two-factor authentication occurs when you have items from two of these categories: something you know, something you are, or something you have. Something you know includes things like usernames, passwords, date of birth, and PIN numbers. Something you are includes things like fingerprints, retina scans, and voice prints. Something you have is things like a smartcard token, hardware token, and digital certificate.

What does a Boot Sector Virus do?

Options are :

  • Overwrites the original Master Boot Record with a copy of the virus and only executes the newly copied virus code
  • Copies the Master Boot Record to a different location on the hard disk and copies itself to the original location of the Master Boot Record (Correct)
  • Modifies the directory table entries in order to make the directory entries point to the virus’s code instead of the original program
  • Copies the Master Boot Record to a different location in the RAM and copies itself to the original location of the Master Boot Record

Answer : Copies the Master Boot Record to a different location on the hard disk and copies itself to the original location of the Master Boot Record

Explanation Boot Sector Viruses move a copy of the Master Boot Record to a different location on the hard disk and then put a copy of the virus into the original location of the Master Boot Record. By doing this, whenever the computer is booted up, it first loads a copy of the Boot Sector Virus before reading the original copy of the Master Boot Record. These viruses operate at the Boot Sector level. An early example of a boot sector virus is the Michelangelo virus which was first discovered in 1991.

A penetration tester was hired by an organization to perform a wireless penetration test. During a review of the previous report, the penetration tester discovered that the last test did not contain any control or management packets in the traces submitted. Why is the management or control packets most likely missing from the traces?

Options are :

  • Wireshark was using the wrong network card drivers
  • Management or control packet are not collected when using certain operating systems and adapters (Correct)
  • Wireless card was not turned on
  • 802.11 headers are only received in promiscuous mode when using Linux and Mac OS X

Answer : Management or control packet are not collected when using certain operating systems and adapters

Explanation Management frames enable stations to establish and maintain communications. Management packets are used to support authentication, association, and synchronization. Control frames assist in the delivery of data frames between stations. Unfortunately, certain operating systems and adapter types do not properly collect management or control packets during network sniffing and packet capture.

What command could be used to list the running services from the Windows command prompt?

Options are :

  • sc query \\servername
  • sc query (Correct)
  • sc config
  • sc query type= running

Answer : sc query

Explanation sc query is used by Windows to display information about the running service. It is part of the Service Control command line tool, known as sc.

When you are managing a risk, what is considered an acceptable option?

Options are :

  • Mitigate it (Correct)
  • Reject it
  • Initiate it
  • Deny it

Answer : Mitigate it

Explanation Mitigating a risk makes the effect of a risk less unpleasant, harmful, or serious. The majority of risk management is focused on mitigating risks down to an acceptable level of loss or risk.

A security analyst wants to implement a layered defense posture for this network, so he decides to use multiple layers of antivirus defense, including both an end-user desktop antivirus software and an email gateway scanner. What kind of attack would this approach help to mitigate?

Options are :

  • Scanning attack
  • ARP spoofing attack
  • Social engineering attack (Correct)
  • Forensic attack

Answer : Social engineering attack

Explanation By utilizing both endpoint protection (desktop antivirus software) and the email gateway scanner, the security analyst is working to prevent phishing and other social engineering attacks.

Comment / Suggestion Section
Point our Mistakes and Post Your Suggestions