CEH Practice Test 5
Question 1 of 79
What encryption standard does WPA2 use?
Correct answer:
AES is correct. WPA2 mandates CCMP, a mode built on the AES block cipher, for both confidentiality and integrity of wireless frames. (A WPA2 network can still be configured in a mixed mode that accepts TKIP clients for backward compatibility, but AES-CCMP is the required cipher.)
Incorrect answers:
RC4 is the stream cipher behind WEP and WPA's TKIP, not WPA2; RC5 is not used by any 802.11 security standard; SHA-1 is a hash algorithm, not an encryption algorithm.
Question 2 of 79
Amy creates a fake company ID badge and follows employees in through the front door. Which of the following best describes this action?
Correct answer:
Tailgating is correct.
This is another one of those questions that will drive you batty on the exam. Just remember: tailgating = a badge (fake or otherwise) in hand.
Incorrect answers:
Piggybacking is following someone in without a badge, typically by getting them to hold the door (a silly but important distinction as far as EC-Council is concerned).
Shoulder surfing and reverse social engineering have nothing to do with physical entry.
Question 3 of 79
Operations promotes the use of mobile devices in the enterprise. Security disagrees, noting multiple risks involved in adding mobile devices to the network. Which of the following provides some protection against the risks security is concerned about?
Correct answer:
Mobile Device Management (MDM) is correct. MDM won't mitigate every risk that comes with unrestricted use of mobile devices on your network, but it's a step in the right direction: it can enforce a passcode and encryption, push configuration, and wipe a lost or stolen device.
Incorrect answers:
WPA is a wireless security protocol; it protects the radio link, not the device connecting over it.
MAC filtering is a fine idea, but it's a nightmare to keep up with, MAC addresses are trivially spoofed, and it doesn't address the problems BYOD introduces to the environment.
Whether the WAPs come from a single vendor or multiple vendors is irrelevant.
Question 4 of 79
Which of the following commands will display all current shares on the Windows machine?
Correct answer:
net share is correct.
The net command is used to view and configure network settings on a Windows machine. Its subcommands can add or remove users and computers, manage network shares and print jobs, and perform a host of other functions. Entering "net share" with no switches or arguments lists every share the local machine is offering, including the hidden administrative shares (C$, ADMIN$, IPC$).
Incorrect answers:
The other options are real net subcommands, but none of them lists the local machine's shares.
"net use" connects a computer to, or disconnects it from, a shared resource (run alone, it shows the shares the current user has mapped).
"net view" lists computers and devices on the network; "net view \\hostname" lists the shares a remote host is offering, which is the other command worth remembering for enumeration.
"net config" displays the configurable services that are running, or displays and changes settings for the Server or Workstation service.
Question 5 of 79
Where is the SAM file stored on a Windows 7 system?
Correct answer:
The SAM file is stored in the same folder on most Windows machines, including Windows 10: C:\Windows\System32\config\SAM. You might also find a copy in the repair backup (C:\Windows\Repair\Sam) on older systems. The hive is held open by the kernel while Windows is running, so it is normally read from an offline disk or a volume shadow copy, and the password hashes inside it are further encrypted with a boot key kept in the SYSTEM hive in the same folder, which is why attackers take both files.
Incorrect answers:
The other paths are not SAM file storage locations.
Question 6 of 79
Which of the following is the rating assigned by a Common Criteria evaluation?
Correct answer:
The Evaluation Assurance Level (EAL) is correct. It is the rating assigned to a product after evaluation; EALs range from EAL1 (functionally tested) to EAL7 (formally verified design and tested).
Incorrect answers:
A protection profile (PP) is the set of security requirements for a class of product.
The target of evaluation (TOE) is the product being evaluated.
The security target (ST) is the document describing the TOE and the requirements it claims to meet.
Question 7 of 79
Your organization resolves events and also takes the time to log and record root causes, actions taken to mitigate the problem, and lessons learned. What is this process called?
Correct answer:
Incident management process is correct.
Regardless of the size of your organization, a well-defined process for handling incidents is a mandatory, key part of any good security plan. After all, the last thing you want during a real incident is for confusion and panic to reign. The post-incident review that records root cause and lessons learned is what separates a managed process from ad hoc firefighting.
Incorrect answers:
Metrics are simply measurements.
Security policy and procedures may take part in, and be referenced by, your incident management process, but they are not the best answers.
Question 8 of 79
A standard ping sweep using ICMP (which rides directly on IP, not on TCP) attempts to identify live hosts on the network. Which of the following explains a ping request getting no response?
Correct answer:
Ping asks a host to echo back the packet it was sent. It's used mainly to identify live hosts and to help in troubleshooting. If the host isn't available, because it's turned off or because ICMP is being filtered by an external (or internal) device, it cannot respond (almost like yelling to your kids who can't hear you over the loud music in the room). The TTL value tells the packet when to "die": every router (hop) decrements it, and if it reaches zero before the packet arrives at the target, the router drops it and no echo reply ever comes back (the sender usually gets an ICMP Time Exceeded from that router instead, which a ping sweep reports as a missed host). Host down, ICMP filtered, and TTL exhausted each explain the silence on their own, so the answer combining all of them is the right choice.
Incorrect answers:
Each of the individual causes is a true statement, which is exactly why none of them alone is the best answer.
Question 9 of 79
Which of the following is not a valid XOR operation?
Correct answer:
1 XOR 1 = 1 is correct; it is the invalid operation, because 1 XOR 1 = 0.
A little deductive reasoning, with or without any knowledge of what XOR actually is, can break this down to a 50/50 choice. If the bits do not match, the output is 1. If the bits match, the output is 0. That self-cancelling property (x XOR k XOR k = x) is why XOR is the core operation of stream ciphers and one-time pads.
Incorrect answers:
The remaining answers are all valid XOR operations.
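As an added example (not part of the practice test or its answer key), here is the XOR rule coded up bit by bit and then applied byte by byte the way a stream cipher does. The bit function, the self-inverse check and the key-reuse check are the example's own; the message and key bytes are made up.

```python
# Added example, not from the practice test: the XOR rule from the question
# ("1 when the bits differ, 0 when they match") written out, then applied
# byte-wise the way a stream cipher does. Message and key are constructed.


def xor_bit(a: int, b: int) -> int:
    """XOR of two single bits: 1 when the inputs differ, 0 when they match."""
    if a not in (0, 1) or b not in (0, 1):
        raise ValueError("inputs must be single bits")
    return 1 if a != b else 0


def xor_truth_table() -> dict:
    """All four (a, b) -> a XOR b cases; (1, 1) maps to 0, not 1."""
    return {(a, b): xor_bit(a, b) for a in (0, 1) for b in (0, 1)}


def is_valid_xor_claim(a: int, b: int, claimed: int) -> bool:
    """True if the statement 'a XOR b = claimed' is correct."""
    return xor_bit(a, b) == claimed


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with the key, repeating the key as needed.
    Python's ^ on ints applies the single-bit rule to all eight bits at once."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(d ^ key[i % len(key)] for i, d in enumerate(data))


def demo() -> dict:
    """Two consequences of the rule:
    1. XOR is its own inverse, so (m XOR k) XOR k == m: encryption and
       decryption are the same operation (RC4, WEP and one-time pads rely on this).
    2. Reusing a key cancels it out: c1 XOR c2 == m1 XOR m2, so an attacker who
       captures two messages under one keystream learns their XOR without ever
       knowing the key. That is the weakness behind WEP's tiny IV space.
    """
    key = b"\x5a\xa5\x0f"                       # constructed 3-byte key
    m1, m2 = b"attack at dawn", b"retreat at 6am"   # constructed, equal length
    c1, c2 = xor_bytes(m1, key), xor_bytes(m2, key)
    return {
        "round_trip": xor_bytes(c1, key),        # equals m1
        "key_cancels": xor_bytes(c1, c2) == xor_bytes(m1, m2),
    }


if __name__ == "__main__":
    print(xor_truth_table())
    print(demo())
```

The truth table is the exam fact; demo() is the reason practitioners care about it: the same operation decrypts what it encrypted, and a reused keystream leaks the XOR of the plaintexts.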
Question 10 of 79
Which of the following is a method of testing software by feeding it randomly generated invalid input to test the program's input validation?
Correct answer:
Fuzzing is correct.
If you want a user to enter their name in a form field, that's great, but what happens if they enter 27 digits? Or a series of characters matching a script or database query? Fuzzing is an automated testing method in which huge numbers of generated inputs are thrown at the application to see what breaks: crashes, hangs and unhandled exceptions are the findings. Modern fuzzers such as AFL and libFuzzer mutate seed inputs and use code-coverage feedback rather than pure randomness, but the exam definition is the random one.
Incorrect answers:
The other options are distractors.
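Added example, not from the practice test: a toy record parser carrying the sort of length-trusting bug fuzzing is good at finding, a hardened version of the same parser, and a purely random fuzzer of the kind the question describes. The record format, both parser functions and the MalformedRecord exception are invented for the example; the fuzzer uses a fixed seed so its findings are reproducible.

```python
# Added example, not from the practice test. The record layout, the parsers and
# the exception class are invented here; no real file format is involved.
import random


class MalformedRecord(ValueError):
    """The one exception a caller of the parser is expected to handle."""


def parse_record(blob: bytes) -> tuple:
    """Record layout: [name_len:1][name][payload_len:1][payload].
    Deliberately buggy: it trusts both length bytes and the name encoding, so
    short or hostile input escapes as IndexError / UnicodeDecodeError instead
    of the documented MalformedRecord."""
    name_len = blob[0]
    name = blob[1:1 + name_len].decode("ascii")
    payload_len = blob[1 + name_len]
    payload = blob[2 + name_len:]
    if len(payload) != payload_len:
        raise MalformedRecord("payload length mismatch")
    return name, payload


def parse_record_safe(blob: bytes) -> tuple:
    """Same format, with every untrusted field checked before it is used."""
    if len(blob) < 2:
        raise MalformedRecord("too short for header")
    name_len = blob[0]
    if len(blob) < 2 + name_len:
        raise MalformedRecord("name truncated")
    try:
        name = blob[1:1 + name_len].decode("ascii")
    except UnicodeDecodeError:
        raise MalformedRecord("name is not ASCII") from None
    payload_len = blob[1 + name_len]
    payload = blob[2 + name_len:]
    if len(payload) != payload_len:
        raise MalformedRecord("payload length mismatch")
    return name, payload


def fuzz(parser, iterations: int = 2000, seed: int = 1) -> dict:
    """Throw random byte strings at parser. MalformedRecord is the documented
    failure and is fine; any other exception is a bug, recorded with the input
    that triggered it (keyed by exception type, first hit kept)."""
    rng = random.Random(seed)          # fixed seed: findings are reproducible
    crashes = {}
    for _ in range(iterations):
        blob = bytes(rng.randrange(256) for _ in range(rng.randint(0, 40)))
        try:
            parser(blob)
        except MalformedRecord:
            continue
        except Exception as exc:       # the fuzzer wants to see everything else
            crashes.setdefault(type(exc).__name__, blob)
    return crashes


if __name__ == "__main__":
    for kind, sample in fuzz(parse_record).items():
        print(f"{kind}: triggered by {sample!r}")
    print("hardened parser:", fuzz(parse_record_safe) or "no crashes")
```

Run against parse_record, the fuzzer reports an IndexError (empty or short input) and a UnicodeDecodeError (non-ASCII name bytes) within a few hundred iterations; against parse_record_safe it reports nothing, because every failure has been turned into the documented exception.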
Question 11 of 79
What nmap syntax will attempt a half-open paranoid scan?
Correct answer:
nmap -sS 192.168.1.0/24 -T0 is correct.
The -sS option starts the SYN (half-open) scan, which sends a SYN and records the SYN/ACK or RST without ever completing the handshake; it needs raw-socket privileges (root or Administrator). -T0 puts the scan in paranoid mode. For study purposes, think of the -T switches as speed limits: T0 (paranoid) sends one probe roughly every five minutes to stay under IDS thresholds, T1 is sneaky, T2 polite, T3 normal (the default), T4 aggressive, and T5 insane.
Incorrect answers:
-sT is a full TCP connect scan (it completes the handshake, so it needs no special privileges but is noisier and gets logged by the application).
-sX starts an XMAS scan (FIN, PSH and URG flags set).
-sO is an IP protocol scan (it probes which IP protocols the host answers), not OS detection; OS fingerprinting is -O.
Question 12 of 79
An attacker is attempting to telnet to an internal server. He has done his homework and knows port 23 is open on the machine, it is listening for requests, and he can reach it using port scans (nmap) from his current location. To hide his tracks, he spoofs his IP address and then launches telnet against the server. His attempts fail. What is the most likely cause?
Correct answer:
He spoofed his source address, so every reply goes to that address instead of to him. Telnet rides on TCP, which needs a completed three-way handshake: the server's SYN/ACK, carrying the initial sequence number he has to acknowledge, is sent to the spoofed host, which he cannot see, so the connection never establishes. If the spoofed address belongs to a live host, that host answers the unexpected SYN/ACK with a RST and tears the attempt down. Spoofing works for one-way, fire-and-forget traffic such as SYN floods, not for an interactive session.
Incorrect answers:
Because his nmap scans reach port 23 from the same location, the firewall is not blocking telnet. The remaining option is a distractor.
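Added example, not from the practice test: a small simulation of the three-way handshake that shows why the spoofed telnet attempt fails. The TelnetServer class, the addresses and the sequence numbers are invented for the illustration; nothing here opens a real socket.

```python
# Added example, not from the practice test: why a spoofed source address
# breaks an interactive TCP session. Addresses and ISNs are made up.
from dataclasses import dataclass
import random


@dataclass
class Segment:
    src: str
    dst: str
    flags: str     # "SYN", "SYN-ACK", "ACK" or "RST"
    seq: int
    ack: int


class TelnetServer:
    """Just enough of the TCP handshake to accept or reject a client."""

    def __init__(self, ip: str, seed: int = 7):
        self.ip = ip
        self.pending = {}                 # client ip -> our ISN, awaiting its ACK
        self.established = set()
        self.rng = random.Random(seed)    # stands in for the kernel's ISN generator

    def receive(self, seg: Segment):
        if seg.flags == "SYN":
            isn = self.rng.getrandbits(32)
            self.pending[seg.src] = isn
            return Segment(self.ip, seg.src, "SYN-ACK", isn, seg.seq + 1)
        if seg.flags == "ACK" and seg.src in self.pending:
            if seg.ack == self.pending.pop(seg.src) + 1:
                self.established.add(seg.src)
                return None               # handshake complete, session is up
            return Segment(self.ip, seg.src, "RST", seg.ack, 0)
        return None


def attempt_telnet(server: TelnetServer, attacker_ip: str, claimed_src: str,
                   isn_guess: int = 0) -> dict:
    """The attacker sends a SYN with claimed_src as its source. The network
    routes the server's SYN-ACK to claimed_src, so the attacker only sees it
    when claimed_src is his own address; otherwise he must guess the ISN.
    (A live host at the spoofed address would also RST the stray SYN-ACK.)"""
    delivered = {}                        # destination ip -> segments that arrived
    syn = Segment(claimed_src, server.ip, "SYN", seq=1000, ack=0)
    syn_ack = server.receive(syn)
    delivered.setdefault(syn_ack.dst, []).append(syn_ack)

    seen = delivered.get(attacker_ip, [])
    ack_num = seen[0].seq + 1 if seen else isn_guess + 1
    reply = server.receive(Segment(claimed_src, server.ip, "ACK", 1001, ack_num))
    return {
        "attacker_saw_syn_ack": bool(seen),
        "established": claimed_src in server.established,
        "server_reply": reply.flags if reply else "none",
    }


if __name__ == "__main__":
    print("honest :", attempt_telnet(TelnetServer("10.0.0.5"), "10.0.0.9", "10.0.0.9"))
    print("spoofed:", attempt_telnet(TelnetServer("10.0.0.5"), "10.0.0.9", "10.0.0.77"))
```

With his real address the attacker sees the SYN-ACK and the session comes up; with a spoofed one the SYN-ACK goes elsewhere, his acknowledgement number is a guess out of 2^32, and the server answers with a RST.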
Question 13 of 79
Which IDS evasion technique would be associated with splitting TCP headers among multiple packets?
Correct answer:
Fragmenting is correct.
Fragmenting packets is a classic way to evade an IDS. Splitting a TCP header across several small IP fragments (nmap's -f option does exactly this) means a sensor that inspects each fragment on its own never sees a complete header to match against, which can keep a scan hidden. The caveat: any modern IDS reassembles fragments before inspection, so the trick only works against sensors that don't, or whose reassembly policy differs from the target host's.
Incorrect answers:
Spoofing, scanning, and anonymizers have nothing to do with fragmenting headers.
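Added example, not from the practice test: a signature matcher that inspects each fragment on its own, beside one that reassembles first. The question is about splitting the TCP header; the evasion is shown here on payload bytes because the effect on a per-fragment matcher is identical and easier to see. The signatures, the request and the fragment dictionaries are constructed for the example.

```python
# Added example, not from the practice test: per-fragment matching (evadable)
# versus reassemble-then-match. Signatures and the request are constructed.
import re

SIGNATURES = {
    "path traversal": re.compile(rb"\.\./\.\./"),
    "passwd read": re.compile(rb"/etc/passwd"),
}


def fragment(payload: bytes, size: int) -> list:
    """Split payload into pieces carrying an offset, as IP fragments do."""
    return [{"offset": i, "data": payload[i:i + size]}
            for i in range(0, len(payload), size)]


def per_fragment_alerts(fragments: list) -> set:
    """Naive sensor: matches each fragment independently. A signature that
    straddles a fragment boundary is never seen whole and never fires."""
    return {name for frag in fragments
            for name, sig in SIGNATURES.items() if sig.search(frag["data"])}


def reassemble(fragments: list, policy: str = "first") -> bytes:
    """Rebuild the datagram from fragments arriving in any order. For
    overlapping fragments, 'first' keeps the byte that arrived first and
    'last' the one that arrived last. Real IP stacks differ on this, and an
    IDS whose policy does not match the target's can be shown one payload
    while the host reassembles another."""
    buf = {}
    for frag in fragments:
        for i, byte in enumerate(frag["data"]):
            pos = frag["offset"] + i
            if policy == "first" and pos in buf:
                continue
            buf[pos] = byte
    return bytes(buf[i] for i in sorted(buf))


def reassembled_alerts(fragments: list, policy: str = "first") -> set:
    """Sensor that reassembles before matching; fragmentation alone hides nothing."""
    data = reassemble(fragments, policy)
    return {name for name, sig in SIGNATURES.items() if sig.search(data)}


if __name__ == "__main__":
    request = b"GET /../../etc/passwd HTTP/1.0\r\n"     # constructed attack request
    print("unfragmented:", per_fragment_alerts(fragment(request, 64)))
    print("per-fragment:", per_fragment_alerts(fragment(request, 4)))
    print("reassembled :", reassembled_alerts(fragment(request, 4)))
```

Chopped into 4-byte fragments, neither signature ever appears inside a single fragment and the naive sensor stays silent; the reassembling sensor fires on both. The policy argument of reassemble() is the second half of the story: feed the sensor an overlapping fragment it resolves one way and the host resolves the other, and the two see different data.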
Question 14 of 79
Which of the following statements is true regarding Kismet?
Correct answer:
Kismet can discover wireless networks that are not sending beacon frames is correct.
Kismet's primary use is passively scanning for (and sniffing) wireless networks. Even if the security admin turns beaconing off (so nobody can supposedly search for the SSID), the SSID still appears in probe responses and in the association requests of legitimate clients, and Kismet picks the network up from those frames.
Incorrect answers:
The other statements are not true of Kismet.
Question 15 of 79
In Amazon's EC2, virtual machines are provided and can be controlled through a service API. Which of the following best defines this service?
Correct answer:
IaaS is correct.
Amazon's EC2 provides resizable compute capacity in the cloud via VMs controlled through an API, which is the definition of Infrastructure as a Service: the provider supplies compute, storage and networking, and the customer installs, runs and secures the operating system and everything above it.
Incorrect answers:
The other options do not match the EC2 service description; a platform or software offering would not hand the customer a raw VM to manage.
Question 16 of 79
Operations promotes the use of mobile devices in the enterprise. Security disagrees, noting multiple risks involved in adding mobile devices to the network. Which of the following actions provides some protection against the risks the security department is concerned about?
Correct answer:
Mobile Device Management (MDM) is correct. MDM won't mitigate every risk that comes with unrestricted use of mobile devices on your network, but it's a step in the right direction: it can enforce a passcode and encryption, push configuration, and wipe a lost or stolen device.
Incorrect answers:
WPA is a wireless security protocol; it protects the radio link, not the device connecting over it.
MAC filtering is a fine idea, but it's a nightmare to keep up with, MAC addresses are trivially spoofed, and it doesn't address the problems BYOD introduces to the environment.
Whether the WAPs come from a single vendor or multiple vendors is irrelevant.
Question 17 of 79
A client asks you about intrusion detection systems. The company wants a system that dynamically learns traffic patterns and alerts on abnormal traffic. Which IDS would you recommend?
Correct answer:
Anomaly based is correct.
Anomaly-based, or behavior-based, systems must be given time to learn what counts as normal traffic. They then alert on anything that falls outside the established norm, including attacks nobody has written a signature for. The price is false positives: anything absent from the learning period looks abnormal, and the baseline has to be relearned whenever legitimate traffic patterns change.
Incorrect answers:
Signature-based systems match traffic against a library of known attack patterns and cannot flag anything new.
The other two answers are irrelevant.
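Added example, not from the practice test: an anomaly-based detector that learns a requests-per-minute baseline from a quiet training window and alerts on any minute that falls outside it. The log lines are constructed here and follow no real product's format; the line layout, the z-score threshold and the helper names are the example's own.

```python
# Added example, not from the practice test: learn a per-minute request
# baseline, then flag minutes that deviate from it. All log lines are
# constructed below in an invented "timestamp source path" layout.
import re
import statistics
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<minute>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}):\d{2} (?P<src>\S+) (?P<path>\S+)$"
)


def per_minute_counts(lines: list) -> Counter:
    """Requests per minute; lines that don't parse are ignored."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            counts[m.group("minute")] += 1
    return counts


def learn_baseline(training_lines: list) -> tuple:
    """Mean and standard deviation of requests per minute in the learning window."""
    counts = list(per_minute_counts(training_lines).values())
    if len(counts) < 2:
        raise ValueError("need at least two minutes of training data")
    return statistics.mean(counts), statistics.stdev(counts)


def anomaly_alerts(lines: list, baseline: tuple, threshold: float = 3.0) -> list:
    """Minutes whose count sits more than `threshold` standard deviations from
    the learned mean. Returns (minute, count, z-score) tuples."""
    mean, stdev = baseline
    if stdev == 0:
        stdev = 1e-9   # a perfectly flat baseline would otherwise divide by zero
    return [(minute, n, round((n - mean) / stdev, 1))
            for minute, n in sorted(per_minute_counts(lines).items())
            if abs(n - mean) / stdev > threshold]


def make_lines(minute: str, n: int, src: str = "10.1.1.20", path: str = "/index.html") -> list:
    """Constructed log lines: n requests spread across the given minute."""
    return [f"{minute}:{sec:02d} {src} {path}" for sec in range(n)]


# Training window: ten quiet minutes with 4 to 6 requests each.
TRAINING = [line for i in range(10)
            for line in make_lines(f"2024-05-01T09:{i:02d}", 4 + i % 3)]

# Live window: normal minutes around one burst of 40 plain GETs from a single
# source. No signature matches a plain GET; only the volume gives it away.
LIVE = (make_lines("2024-05-01T10:00", 5)
        + make_lines("2024-05-01T10:01", 6)
        + make_lines("2024-05-01T10:02", 40, src="203.0.113.9")
        + make_lines("2024-05-01T10:03", 5))

if __name__ == "__main__":
    base = learn_baseline(TRAINING)
    print("baseline mean=%.1f stdev=%.2f" % base)
    for minute, n, z in anomaly_alerts(LIVE, base):
        print(f"ALERT {minute}: {n} requests (z={z})")
```

The burst minute is flagged at roughly forty standard deviations above the mean while the minutes with 5 or 6 requests pass, which is the behaviour the question asks for; the threshold and the length of the learning window are exactly the knobs that trade detection against false positives.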
Question 18 of 79
Which of the following statements is not true regarding SSIDs?
Correct answer:
They are used to encrypt traffic on networks is correct; it is the false statement.
SSIDs have a single purpose: identifying a network to a client. They can be up to 32 characters long, and you can turn off the SSID broadcast at the access point. However, the SSID still appears in probe responses and in every client's association request, so anyone sniffing the channel recovers it easily. And it provides no encryption at all, merely identification.
Incorrect answers:
These are all true statements regarding SSIDs.
Question 19 of 79
Which of the following best describes port security?
Correct answer:
It allows traffic from a specific MAC address to enter a port is correct.
This is confusing on purpose, because that is how you'll see it on the exam. "Port security" is a switch feature that lets an administrator bind MAC addresses to a specific switch port; if the machine plugging into that port does not use one of those MACs, its frames are dropped and, depending on the violation mode, the port may be shut down altogether. Port security works on source addresses, so you're looking at "from," not "to": it specifically allows a defined MAC address to send into a port, a whitelist. In practice, maintaining per-port MAC lists is a pain for network staff, so most shops simply cap the number of MAC addresses allowed per port, often learned "sticky" from the first devices seen. Say your Windows 7 machine runs six VMs for testing, each with its own MAC: as long as port security allows at least seven MACs on the port, you're in good shape.
Incorrect answers:
Port security works on source addressing, so "It stops traffic sent to a specified MAC address from entering a port" can be thrown out. "It stops traffic from a specific MAC from entering a port" is incorrect because the feature doesn't single out one MAC to block; it permits specific MACs and blocks everyone else.
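Added example, not from the practice test: a switch port with port security modelled as a source-MAC whitelist plus a maximum address count. It exists to make the "from, not to" point concrete: a frame is judged by the MAC it comes from, and the destination MAC never enters the decision. The SecuredPort class, its two violation modes and the MAC addresses are invented for the example.

```python
# Added example, not from the practice test: port security as a source-MAC
# whitelist with a maximum count. Class, modes and MACs are invented here.


class SecuredPort:
    def __init__(self, max_macs: int = 1, static_macs=(), violation: str = "shutdown"):
        self.max_macs = max_macs
        self.allowed = {m.lower() for m in static_macs}   # statically configured MACs
        self.violation = violation     # "shutdown" (err-disable the port) or "restrict" (drop and count)
        self.err_disabled = False
        self.violations = 0

    def ingress(self, src_mac: str, dst_mac: str) -> bool:
        """Return True if the frame is forwarded. dst_mac is accepted only to
        make the point: port security never looks at it."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return False
        if src_mac not in self.allowed:
            if len(self.allowed) < self.max_macs:
                self.allowed.add(src_mac)     # sticky learning of the first N sources
            else:
                self.violations += 1
                if self.violation == "shutdown":
                    self.err_disabled = True
                return False
        return True


def demo() -> dict:
    """Two configurations: a one-MAC static whitelist, and a sticky port sized
    for a host plus six VMs (seven MACs) that only drops the eighth."""
    broadcast = "ff:ff:ff:ff:ff:ff"
    static = SecuredPort(max_macs=1, static_macs=["00:11:22:33:44:55"])
    static_again = SecuredPort(max_macs=1, static_macs=["00:11:22:33:44:55"])
    sticky = SecuredPort(max_macs=7, violation="restrict")
    host = "02:00:00:00:00:ff"
    vm_macs = [f"02:00:00:00:00:{i:02x}" for i in range(6)]
    return {
        # frame FROM the whitelisted MAC: forwarded
        "static_known_src": static.ingress("00:11:22:33:44:55", broadcast),
        # frame TO the whitelisted MAC from a stranger: dropped, port err-disabled
        "static_to_known_mac": static_again.ingress("de:ad:be:ef:00:01", "00:11:22:33:44:55"),
        "static_port_down": static_again.err_disabled,
        "sticky_seven_ok": all(sticky.ingress(m, broadcast) for m in [host] + vm_macs),
        "sticky_eighth_dropped": sticky.ingress("02:00:00:00:00:ee", broadcast),
        "sticky_still_up": not sticky.err_disabled,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The second case is the one the distractors try to confuse you with: addressing a frame to the permitted MAC buys an unknown sender nothing, because only the source address is checked.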
Question 20 of 79
Which of the following represents the highest risk to an organization's IT security?
Correct answer:
The disgruntled internal employee represents the biggest risk to your organization: they already have credentials, network access and knowledge of where the valuable data lives. As easy as this is to remember, you will definitely be asked about it on the exam.
Incorrect answers:
Script kiddies are novice attackers who rely on tools and luck.
Phishing is an e-mail social engineering attack, a technique rather than a threat actor.
A white-hat attacker is an ethical hacker working as part of an authorized assessment.
Question 21 of 79
21. Question
Which of the following commands is used to open Computer Management on a Windows OS machine?
Correct
Correct answer:
The compmgmt.msc command is used to open the Computer Management console.
Incorrect answers:
The Services MMC is opened by services.msc, and gpedit (.msc) opens the Group Policy Editor. ncpa.cp does not exist.
Question 22 of 79
22. Question
Jim works for an organization that recently began support of a cause he does not support. Additionally, he was reprimanded for negligence in his duties yesterday. Angry, he begins a series of attacks from his work system this morning soon after coming in to the office. Which of the following best describes Jim?
Correct
Correct answer:
Pure insider is correct.
A pure insider is an employee of the organization who already has legitimate credentials.
Incorrect answers:
Insider affiliates are spouses or friends who illegally use the credentials.
Outside affiliates are outside attackers (hackers).
Inside associates are limited-access employees, such as cleaning staff.
Question 23 of 79
23. Question
A user calls the help desk complaining about large amounts of unsolicited messages being received on her Bluetooth-enabled device. Which Bluetooth attack may be in play here?
Correct
Correct answer:
Bluejacking is correct.
Bluejacking is a Bluetooth attack where the attacker sends unsolicited messages to the target. In many cases, this is done as part of social engineering in an effort to get the user to do something beneficial for the attacker.
Incorrect answers:
Bluesmacking is a DoS attack.
Bluesniffing is an effort to sniff data from Bluetooth exchanges.
Bluesnarfing is the actual theft of data from a Bluetooth device.
Question 24 of 79
24. Question
If a rootkit is discovered on the system, which of the following is the best alternative for recovery?
Correct
Correct answer:
Reload the entire system from known-good media is correct.
Sometimes a good old wipe and reload is not only faster than a clean effort, but it’s just flat out better. When it comes to rootkits, it’s really your only option—unless we’re talking a hardware-level rootkit, in which case you’re probably better off throwing the thing away.
Incorrect answers:
Nearly anything you’re doing with the data files themselves isn’t going to help in getting rid of a rootkit.
The device has been rooted, so all data should be treated as suspect.
Tripwire is a great tool, but it—or any other tool—isn’t really useful to you once the machine has been infected.
Question 25 of 79
25. Question
Examine the response provided to a banner-grab effort. Which of the following is true regarding this server?
```
…
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 31544
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
Set-Cookie: ASP.NET_SessionId=jzh3bkzbazylvcjpkpdalaur; domain=.somebiz.com; path=/; HttpOnly
X-AspNet-Version: 4.0.30319
Set-Cookie: OI=01c6f8df-b3f3-4cc8-aa73-bd41fc511126; domain=.sombiz.com; expires=Mon, 27-Jun-2016 15:13:22 GMT; path=/
X-Powered-By: ASP.NET
Date: Mon, 27 Jun 2016 15:13:22 GMT
Connection: close
```
Correct
Correct answer:
Steps have been taken to protect the server against XSS is correct.
From the banner returned, you can see the server version (Server: Microsoft-IIS/7.5), what level of HTTP requests it can answer to (HTTP/1.1 200 OK), and the acceptance and use of cookies (in the Set-Cookie: response headers). Additionally, you can clearly see the HttpOnly attribute on the session cookie, which can be used as a mitigation against XSS (setting it prevents the cookie from being accessed by any client-side scripts).
Incorrect answers:
These statements do not match the output.
Question 26 of 79
26. Question
Which cloud deployment model is also known as “single tenant”?
Correct
Correct answer:
Private is correct.
A private cloud model is operated solely for a single organization (a.k.a. single-tenant environment), is usually not a pay-as-you-go type of operation, and is usually preferred by larger organizations.
Incorrect answers:
A community cloud model is one where the infrastructure is shared by several organizations, usually with the same policy and compliance considerations.
A public cloud model is one where services are provided over a network that is open for public use (like the Internet).
The hybrid cloud model is exactly what it sounds like—a composite of two or more cloud deployment models.
Question 27 of 79
27. Question
An attacker enters the following into a Google search window: cache:www.anybiz.com. What will this result in?
Correct
Correct answer:
The result will display Google’s cache version of the website is correct.
The cache operator will display a link to a Google cached version of the website. This is very useful for earlier “mistakes” a web admin may have left on the site but has since removed.
Incorrect answers:
Tools such as BlackWidow are used to clone a copy of the website for your machine.
This operator does not provide a visitors list to a site.
Also, the syntax is correct.
Question 28 of 79
28. Question
Which of the following focuses on protecting customer credit card data?
Correct
Correct answer:
PCI DSS is correct.
If you knew that PCI stood for “Payment Card Industry” and DSS stood for “Data Security Standard,” this one was a piece of cake. PCI DSS is actually an evaluation standard developed by the Payment Card Industry Security Standards Council (PCI SSC, which includes American Express, Discover, MasterCard, and Visa, by the way) to secure networks and storage environments for credit card consumer data.
Incorrect answers:
The Trusted Computer System Evaluation Criteria (TCSEC) security evaluation standard is also known as the Orange Book and was created by the DoD to define different types of access controls.
The Trusted Network Interpretation Environments Guideline (TNIEG) outlines minimum security protections required in networking environments.
Common Criteria was designed to help remove vulnerabilities in products before they’re released, and it’s an international standard. ITSEC is an encryption standard.
Question 29 of 79
29. Question
Assuming the user had appropriate credentials, which of the following are true regarding the following command? (Choose all that apply.) net use F: \\ECCCOMPUTER\BankFiles /persistent:yes
Correct
Correct answer:
In Windows Explorer, a drive will appear denoted as BankFiles (\\ECCCOMPUTER) (F:) and The mapped drive will remain mapped after a reboot are correct.
Net use commands were all the rage back in the day. This command connects to a shared folder on ECCCOMPUTER. The shared folder is named BankFiles, and the mapping will display as a drive (F:) on the local machine. The “persistent:yes” portion means it will remain mapped forever, until the user turns it off.
Incorrect answers:
These do not reflect the outcome of the command.
Question 30 of 79
30. Question
Which of the following is a legitimate use for tcp-over-dns?
Correct
Correct answer:
Firewall evasion is correct.
Tunneling through a firewall is a great evasion technique, and the tcp-over-dns tool accomplishes this by tunneling over the Domain Name System (DNS). Port 53 is usually open on firewalls because…well, everything uses and needs DNS. The tcp-over-dns tool takes advantage of that. As an aside, it also requires Java runtime environment 6.0 or later and is supported on Windows, Linux, and Solaris.
Incorrect answers:
These are not uses for the tcp-over-dns tool.
Question 31 of 79
31. Question
Which of the following is the best way to defend against network sniffing?
Correct
Correct answer:
Implement encryption throughout the environment is correct.
Encryption is the enemy of sniffing (and IDS). After all, if it’s encrypted at point A and decrypted only at point B, any effort to examine the traffic in between is pointless. Of the choices, this is the best available option.
Incorrect answers:
Physical security and static IP addressing won’t do a thing about sniffing.
MAC access control can provide some protection, but not at the level encryption could.
Question 32 of 79
32. Question
Which of the following attacks is RSA specifically vulnerable to?
Correct
Correct answer:
Chosen-cipher-text attacks is correct.
In a chosen-cipher-text attack, the bad guy chooses a particular cipher-text message and attempts to discern the key through comparative analysis with multiple keys and a plain-text version. Because RSA uses a public key to encrypt and a private key to decrypt, an attacker could use the public key to encrypt tons of things for analysis.
Incorrect answers:
RSA is not particularly susceptible to known-plain-text attacks.
Sequence-timing attacks do not exist.
Rubber hose attacks, in addition to sounding hilarious, are violent social engineering efforts.
Question 33 of 79
33. Question
You are examining an internal web server and discover there are two hours missing from the log files. No users complained of downtime or accessibility issues. Which of the following is most likely true?
Correct
Correct answer:
It’s a web server used by employees all day during normal business hours and there’s “nothing” in the log? Despite this, none of the users complained about it being down at all? No, we think this one is going to require some forensics work. Call the IR team.
Incorrect answers:
If the log file were corrupted, the corruption would have appeared throughout the file.
A crisp two-hour window doesn’t match up with that.
If the system were rebooted, that in and of itself would’ve shown in the log. It defies common sense and probability that absolutely nothing occurred to the web server during normal business hours.
Question 34 of 79
34. Question
Which TCP flag brings communications to an orderly close?
Correct
Correct answer:
The FIN flag brings communications to an orderly close.
Incorrect answers:
These TCP flags do not bring communications to an orderly close.
Question 35 of 79
35. Question
Which security element is of primary concern when you want to ensure a message is not altered during transit?
Correct
Correct answer:
Integrity is correct.
Integrity is all about ensuring the message is received at the remote destination exactly as it left—with no changes.
Incorrect answers:
Confidentiality involves protecting the message from unauthorized access.
Availability is all about making sure authorized users can get to the message when they need it.
Authentication is included as a distractor.
Question 36 of 79
36. Question
Phishing e-mail attacks have caused severe harm to a company. The security office decides to provide training to all users in phishing prevention. Which of the following are true statements regarding identification of phishing attempts? (Choose all that apply.)
Correct
Correct answer:
Ensure an e-mail is from a trusted, legitimate e-mail address source, Verify the spelling and grammar are correct, and Verify all links before clicking them are correct.
Phishing e-mails can be spotted by who they are from, who they are addressed to, spelling and grammar errors, and unknown or malicious embedded links.
Incorrect answers:
The last line containing a copyright is irrelevant.
Question 37 of 79
37. Question
Which security element is of primary concern when you want to ensure a message is not altered during transit?
Correct
Correct answer:
Integrity is all about ensuring the message is received at the remote destination exactly as it left—with no changes.
Incorrect answers:
Confidentiality is protecting the message from unauthorized access.
Availability is all about making sure authorized users can get to the message when they need it.
Authentication is included as a distractor.
Question 38 of 79
38. Question
A coder wants to determine if the application properly handles a wide range of invalid inputs. Which of the following refers to a software testing effort generating random invalid inputs?
Correct
Correct answer:
Fuzzing is correct.
Fuzzing is a software testing effort where tons of randomized inputs are hurled at the application to see how it reacts.
Incorrect answers:
These answers do not match the definition provided.
Question 39 of 79
39. Question
Which of the following would be a benefit of virtualization of servers?
Correct
Correct answer:
Shared hardware between virtualized servers is correct.
One of the primary benefits in virtualization is the reduced cost due to shared hardware. A single physical server can host multiple, concurrent VMs.
Incorrect answers:
These answers are not benefits of virtualization.
Question 40 of 79
40. Question
Which TCP flag is used to force transmission of data even if the buffer is full?
Correct
Correct answer:
The PSH flag is used when the application simply can’t wait for the data and needs it immediately. The sender will be working through a standard exchange and placing packets into the buffer as space frees up. An URG packet gets sent regardless of the buffer status; it simply goes.
Incorrect answers:
An URG flagged packet is treated with importance, almost like holding a reservation tag that lets you go to the front of the line when you arrive at your destination.
ACK is used for acknowledgments, and FIN brings an orderly close to the session.
Question 41 of 79
41. Question
Which threat presents the highest risk to a target network or resource?
Correct answer:
The disgruntled insider is correct.
Insider threats are widely regarded as the most dangerous type: a disgruntled employee already has credentials, physical access and knowledge of where the valuable data lives, so perimeter defenses do little against them. For the exam, the insider is the single biggest threat security professionals must plan for.
Incorrect answers:
Script kiddies usually don't pose much threat; standard defenses are aligned against them.
Phishing is a definite threat, but again defenses are in place.
White-hat attackers are hired by the organization, so they're not an intentional threat.
Question 42 of 79
42. Question
An attacker waits until a user has an authenticated session with the server he really wants to attack. He then sends a phishing e-mail to the user. When the user opens it and goes to the malicious website, the attacker begins sending messages through the user’s browser session to the target server. Which of the following best describes this attack?
Correct answer:
CSRF is correct.
The question describes cross-site request forgery. The attack rides on the victim's browser: the session cookie is attached automatically to every request sent to the target server, so a page the attacker controls can make the browser submit requests that the server treats as the user's own. The attacker never needs to read the cookie.
Incorrect answers:
This description does not match the remaining answers.
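As an added example (not part of the original quiz or the book it draws from), the following Python models the attack described above and the standard defense. The vulnerable handler authorizes on the session cookie alone; the hardened one also requires a synchronizer token that only a same-origin page can read, with an Origin check as a cheap first filter. The Request class, the session store, the bank.example and evil.example origins and the sample requests are all constructed for the illustration.

```python
"""CSRF: cookie-only authorization versus a synchronizer token (added example,
not code from the quiz). Names, origins and requests are constructed here."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Tuple

SITE_ORIGIN = "https://bank.example"   # assumed origin of the target application
SESSIONS = {}                          # session id -> {"user": ..., "csrf": ...}


@dataclass
class Request:
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


def login(user: str) -> str:
    """Create a session; the anti-CSRF token is minted alongside it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """What the application's own HTML form embeds as a hidden field. A page on
    another origin cannot read it, so a forged request cannot include it."""
    return SESSIONS[sid]["csrf"]


def transfer_vulnerable(req: Request) -> Tuple[int, str]:
    """Authorizes on the cookie alone: the browser attaches the cookie to a request
    triggered from evil.example just as readily as to one from bank.example."""
    sess = SESSIONS.get(req.cookies.get("session", ""))
    if sess is None:
        return 401, "not logged in"
    return 200, f"moved {req.form['amount']} from {sess['user']} to {req.form['to']}"


def transfer_hardened(req: Request) -> Tuple[int, str]:
    sess = SESSIONS.get(req.cookies.get("session", ""))
    if sess is None:
        return 401, "not logged in"
    # Cheap first filter: a cross-site POST carries the attacker's Origin header.
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request refused"
    # Synchronizer token, compared in constant time against the session's copy.
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, sess["csrf"]):
        return 403, "missing or invalid CSRF token"
    return 200, f"moved {req.form['amount']} from {sess['user']} to {req.form['to']}"


def demo() -> dict:
    """Run the forged and the legitimate request through both handlers."""
    sid = login("victim")
    # The forged request: the attacker's page auto-submits a form to the bank.
    # The victim's browser adds the session cookie; the token is unavailable.
    forged = Request(cookies={"session": sid},
                     form={"to": "attacker", "amount": "1000"},
                     headers={"Origin": "https://evil.example"})
    # The real request: same cookie, plus the token from the bank's own form.
    legit = Request(cookies={"session": sid},
                    form={"to": "landlord", "amount": "50",
                          "csrf_token": csrf_token_for(sid)},
                    headers={"Origin": SITE_ORIGIN})
    return {
        "vulnerable_forged": transfer_vulnerable(forged)[0],   # 200: attack works
        "hardened_forged": transfer_hardened(forged)[0],       # 403: blocked
        "hardened_legit": transfer_hardened(legit)[0],         # 200: user unaffected
    }


if __name__ == "__main__":
    print(demo())
```

The Origin check alone is not enough (older clients and some proxies strip the header, which is why a missing Origin is allowed through to the token check), and the token check alone is enough; the two together are the usual layered arrangement. SameSite cookies add a third layer but are not modeled here.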
Question 43 of 79
43. Question
Which of the following is the best choice for performing a bluebugging attack?
Correct answer:
Blooover is correct.
Blooover was written specifically to demonstrate bluebugging: it runs on a J2ME-capable phone and abuses the Bluetooth link to issue commands on the target phone without the owner's knowledge.
Incorrect answers:
BBProxy and PhoneSnoop are both BlackBerry tools, and btCrawler is a Bluetooth discovery (scanning) tool.
Question 44 of 79
44. Question
Which cloud computing type provides virtualized computing resources over the Internet?
Correct answer:
Infrastructure as a Service (IaaS) is correct. IaaS provides virtualized computing resources (virtual machines, storage, networking) over the Internet; the subscriber manages the operating system and everything above it.
Incorrect answers:
Software as a Service (SaaS) is simply a software distribution model: the provider offers on-demand applications to subscribers over the Internet.
Platform as a Service (PaaS) is geared toward software development because it provides a development platform that allows subscribers to develop applications without building the infrastructure it would normally take to develop and launch software.
Hybrid is a deployment model (a composite of two or more cloud deployment models), not a service model.
Question 45 of 79
45. Question
In an SOA record the retry variable is set to 600. If a zone transfer fails, how long will the secondary server wait before attempting another one?
Correct answer:
600 seconds (10 minutes) is correct.
The retry interval determines how long a secondary waits before trying again after a refresh or zone transfer fails. In this SOA record it is set to 600 seconds (10 minutes). The secondary keeps retrying at that interval until it succeeds or the expire timer runs out.
Incorrect answers:
The refresh interval defines how long a secondary waits before checking in with the primary to see whether it needs a zone update.
Expire is the maximum time a secondary will keep serving the zone without a successful refresh; once it passes, the secondary stops answering for the zone.
TTL (the SOA minimum field) was originally the minimum time to live for all records in the zone; since RFC 2308 it serves as the negative-caching TTL.
Question 46 of 79
46. Question
You have network anomaly-based IPS set up, along with multiple other tools for security controls. This morning on the way to work, you receive an e-mail alert on your phone regarding possible malicious traffic. In investigating, you see that the IPS saw the anomalous traffic coming into the network and leaving, with the alert based on the unexpected behavior. The traffic turned out to be a user coming into work very early to get a project finished. Which of the following best describes what the IPS noted?
Correct answer:
False positive is correct.
The IPS saw the traffic and, based on the behavior it had previously learned as normal, decided it was bad, when it was in fact legitimate traffic (just at an abnormal time). Traffic flagged as malicious when it isn't is the definition of a false positive.
Incorrect answers:
A false negative occurs when the IPS sees traffic as good when it is actually malicious. The other two answers are distractors.
Question 47 of 79
47. Question
When would a secondary name server request a zone transfer from a primary?
Correct answer:
When the primary SOA serial number is higher is correct.
Secondary servers check in with the primary at the refresh interval. The primary's serial number is incremented every time the zone data changes. If the secondary checks in and the primary's SOA carries a higher serial number (compared with serial-number arithmetic, so wraparound of the 32-bit value is handled), it knows the zone has changed and requests a new copy. In practice the primary also sends a DNS NOTIFY when the zone changes, which prompts the secondary to check immediately rather than waiting for the refresh timer.
Incorrect answers:
The secondary does not request a new copy if the serial number is lower or when the server is rebooted.
The TTL reaching zero has nothing to do with requesting a zone transfer.
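The two SOA questions above (the retry interval and the serial-number check) describe one state machine, so here is a single added example in Python that is not part of the original quiz: it parses the SOA RDATA fields, applies the RFC 1982 serial comparison a secondary performs at refresh time, and works the refresh/retry/expire timers. The record text, the host names and the timestamps are constructed for the illustration.

```python
"""SOA timers and serial comparison from the two DNS questions above (added
example, not code from the quiz). The record text and timestamps are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SOA:
    mname: str      # primary master
    rname: str      # responsible person
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int    # negative-caching TTL (RFC 2308)


def parse_soa(rdata: str) -> SOA:
    """Parse SOA RDATA as printed in a zone file or by dig, e.g.
    'ns1.example.com. hostmaster.example.com. 2018011601 3600 600 1209600 86400'."""
    mname, rname, *nums = rdata.split()
    if len(nums) != 5:
        raise ValueError("expected serial, refresh, retry, expire, minimum")
    serial, refresh, retry, expire, minimum = (int(n) for n in nums)
    return SOA(mname, rname, serial, refresh, retry, expire, minimum)


def serial_newer(a: int, b: int) -> bool:
    """RFC 1982 serial-number arithmetic on 32-bit values: is a newer than b?
    A plain '>' breaks when the serial wraps past 2**32 - 1; this does not."""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    if a == b:
        return False
    return (a > b and a - b < 2 ** 31) or (a < b and b - a > 2 ** 31)


def needs_transfer(primary_serial: int, secondary_serial: int) -> bool:
    """What the secondary decides after fetching the primary's SOA at refresh time."""
    return serial_newer(primary_serial, secondary_serial)


def seconds_until_next_check(soa: SOA, last_success: int, now: int,
                             last_attempt_failed: bool) -> Optional[int]:
    """How long the secondary waits before contacting the primary again.
    None means the zone has expired: no successful refresh within EXPIRE seconds,
    so the secondary must stop answering authoritatively for it."""
    if now - last_success >= soa.expire:
        return None
    return soa.retry if last_attempt_failed else soa.refresh


def walk_through(soa: SOA, failures: int) -> List[Tuple[int, Optional[int]]]:
    """Timeline of a secondary whose refreshes fail `failures` times in a row after
    a successful transfer at t=0: (time, seconds to wait) pairs, wait None on expiry."""
    t, last_ok, log = 0, 0, []
    wait = seconds_until_next_check(soa, last_ok, t, last_attempt_failed=False)
    log.append((t, wait))
    for _ in range(failures):
        t += wait
        wait = seconds_until_next_check(soa, last_ok, t, last_attempt_failed=True)
        log.append((t, wait))
        if wait is None:
            break
    return log


if __name__ == "__main__":
    soa = parse_soa("ns1.example.com. hostmaster.example.com. 2018011601 3600 600 1209600 86400")
    print(walk_through(soa, 3))
    print(needs_transfer(2018011602, soa.serial), serial_newer(5, 4294967290))
```

With the question's values the first check happens 3600 seconds after the last good transfer; every failure after that is retried 600 seconds later, and after 1209600 seconds without success the zone expires.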
Question 48 of 79
48. Question
Which of the following reconnaissance methods is not considered passive in nature?
Correct answer:
Scanning the IP range is the correct answer.
Of the answers provided, only scanning the IP range doesn't fit the passive role as defined by EC-Council: it sends packets to the target, where they can be logged and detected.
Incorrect answers:
The remaining answers are all passive in nature.
Question 49 of 79
49. Question
A pen tester is using netcat in connection with a target over port 80. The results are displayed here:
HTTP/1.1 200 OK
Server: Microsoft-IIS/6
Expires: Tue, 17 Jan 2018 01:41:33 GMT
Date: Mon, 16 Jan 2018 01:41:33 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Wed, 28 Dec 2016 15:32:21 GMT
ETag: "b0aac0542e25c31:89d"
Content-Length: 7369
Which of the following best describes what was accomplished?
Correct answer:
Banner grabbing is correct.
Banner grabbing simply involves connecting to a box on a port and seeing what message (what banner) comes back. There are innumerable ways to do this, and you need to be familiar with all of them. In this example the pen tester might have used a netcat command such as nc -vv -n 192.168.17.8 80 (where -vv is verbose mode, -n indicates no name resolution, and 80 is the port to connect to). An HTTP server does not speak first, so after connecting the tester types a request such as HEAD / HTTP/1.0 followed by a blank line; the Server header in the reply (Microsoft-IIS/6 here) is the banner. The header is self-reported and can be changed or removed, so treat it as a hint about the software, not proof of the version.
Incorrect answers:
These answers will not provide the results shown and are not banner-grabbing techniques.
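As an added example that is not part of the original quiz, the following Python reproduces the netcat session above over a raw socket and parses the reply. grab_http_banner() connects, sends a minimal HEAD request and reads up to the end of the headers; parse_banner() pulls out the status line and the Server header. SAMPLE_REPLY is the response from the question reconstructed as wire bytes for offline testing; the host and port values are placeholders.

```python
"""HTTP banner grab and header parse (added example, not code from the quiz).
SAMPLE_REPLY is the response from the question, reconstructed here as constructed
test input; host and port values are placeholders."""
import socket


def grab_http_banner(host: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """Connect, send a minimal HEAD request (HTTP servers do not speak first) and
    return whatever comes back up to the end of the headers."""
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while b"\r\n\r\n" not in buf:
            try:
                chunk = sock.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            buf += chunk
    return buf


def parse_banner(raw: bytes) -> dict:
    """Split the status line from the headers; header names are case-insensitive,
    so they are lower-cased. Tolerates bare LF line endings as well as CRLF."""
    text = raw.decode("latin-1").replace("\r\n", "\n")
    head = text.split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")   # first colon only: values hold colons
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"status": lines[0].strip(), "server": headers.get("server"), "headers": headers}


def summarize(raw: bytes) -> str:
    """One-line finding for a report. The Server header is self-reported, so it is
    a hint about the software, not proof of the version."""
    info = parse_banner(raw)
    server = info["server"] or "(no Server header)"
    return f"{info['status']} | Server: {server} | headers: {len(info['headers'])}"


# Constructed sample: the reply shown in the question, as the wire bytes would look.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/6\r\n"
    b"Expires: Tue, 17 Jan 2018 01:41:33 GMT\r\n"
    b"Date: Mon, 16 Jan 2018 01:41:33 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"Accept-Ranges: bytes\r\n"
    b"Last-Modified: Wed, 28 Dec 2016 15:32:21 GMT\r\n"
    b'ETag: "b0aac0542e25c31:89d"\r\n'
    b"Content-Length: 7369\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(summarize(SAMPLE_REPLY))                              # offline
    # print(summarize(grab_http_banner("192.168.17.8")))        # against a live target
```

Only run grab_http_banner() against hosts you are authorized to test; the parse and summary functions work on captured bytes without any network access.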
Question 50 of 79
50. Question
The organization has a DNS server out in the DMZ and a second internal to the network. Which of the following best describes this DNS configuration?
Correct answer:
Split DNS is correct.
Split DNS is recommended virtually everywhere. Internal hosts may need to resolve everything internal, but external hosts do not. Keep internal DNS records separate from the external zone (separate servers, or separate views on one server), make sure the external server holds only public names, and restrict zone transfers on both; there is no need for anyone outside your organization to see internal hostnames.
Incorrect answers:
The remaining answers are all distractors.
Question 51 of 79
51. Question
A team member enters the Linux command “someproc &”. Which of the following are the expected results? (Choose two.)
Correct answer:
The process "someproc" will stop when the user logs out and The process "someproc" will run as a background task are correct.
The ampersand (&) after the command tells the shell to run the process in the background. Without anything making it persistent (for example, prefixing the command with nohup, or using setsid or disown), it is sent SIGHUP and dies when the user's session ends. Whether an interactive shell forwards SIGHUP to background jobs on a plain exit depends on shell settings (bash's huponexit, for instance), but a terminal hangup does reach them, and the exam assumes the process dies.
Incorrect answers:
These do not reflect the outcome of the command.
Question 52 of 79
52. Question
Which of the following is not considered passive in nature?
Correct answer:
Scanning the IP range is the correct answer.
Of the answers provided, only scanning the IP range fails the passive test as defined by EC-Council, because it sends traffic to the target.
Incorrect answers:
The remaining answers are all passive in nature.
Question 53 of 79
53. Question
Which of the following commands would be the best choice for a pen tester attempting to perform DNS cache snooping?
Correct answer:
nslookup -norecursive one.anywhere.com is correct.
DNS cache snooping asks a server for a name with recursion turned off. If the server answers a nonrecursive query for an already resolved hostname, the name is in its cache, which tells you someone behind that resolver looked it up recently (the remaining TTL even hints at when). If the name is not cached, a nonrecursive query returns no answer, because the server will not go and ask other DNS servers on your behalf. In practice you point the query at the resolver under test (nslookup -norecursive one.anywhere.com <server>, or dig +norecurse @<server> one.anywhere.com).
Incorrect answers:
The syntax is incorrect in each of these uses of nslookup.
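To show what the -norecursive switch actually changes on the wire, here is an added Python example that is not part of the original quiz. build_query() encodes a DNS question with the RD (recursion desired) bit cleared, exactly what nslookup -norecursive or dig +norecurse sends; parse_response() reads the header flags and the answer TTLs; in_cache() applies the snooping rule (a non-authoritative NOERROR answer to an RD=0 query came from the cache). snoop() wires them to a UDP socket. The two sample responses are constructed by hand, and the 192.0.2.10 address is documentation space.

```python
"""Non-recursive DNS query for cache snooping (added example, not code from the
quiz). The sample response bytes are constructed by hand for this illustration."""
import socket
import struct


def encode_name(name: str) -> bytes:
    """DNS wire format: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234, recursion_desired: bool = False) -> bytes:
    """A single A/IN question. RD is bit 8 of the flags word; leaving it clear tells
    the server to answer only from what it already knows (authority or cache)."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(buf: bytes) -> dict:
    """Header flags plus the TTL of every answer record."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(buf, off) + 4    # QTYPE + QCLASS
    ttls = []
    for _ in range(an):
        off = skip_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10 + rdlen
        ttls.append(ttl)
    return {
        "txid": txid,
        "rcode": flags & 0x000F,
        "authoritative": bool(flags & 0x0400),         # AA
        "recursion_available": bool(flags & 0x0080),   # RA
        "answers": an,
        "ttls": ttls,
    }


def in_cache(resp: dict) -> bool:
    """For an RD=0 query: a NOERROR answer that is not authoritative came from cache.
    Its TTL, lower than the zone's original, says roughly how long ago it was fetched."""
    return resp["rcode"] == 0 and resp["answers"] > 0 and not resp["authoritative"]


def snoop(server: str, name: str, timeout: float = 3.0) -> dict:
    """Send the nonrecursive query to `server` and parse what comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_response(data)


QUESTION = encode_name("one.anywhere.com") + struct.pack("!HH", 1, 1)
# Constructed: cached, non-authoritative A answer with 212 s left on its TTL
# (flags 0x8080: QR=1, AA=0, RA=1, RCODE=0).
SAMPLE_CACHED = (struct.pack("!HHHHHH", 0x1234, 0x8080, 1, 1, 0, 0) + QUESTION
                 + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 212, 4) + bytes([192, 0, 2, 10]))
# Constructed: same flags, no answer records; the resolver would have had to recurse.
SAMPLE_NOT_CACHED = struct.pack("!HHHHHH", 0x1234, 0x8080, 1, 0, 0, 0) + QUESTION

if __name__ == "__main__":
    print(in_cache(parse_response(SAMPLE_CACHED)), in_cache(parse_response(SAMPLE_NOT_CACHED)))
```

If the server sets AA in the reply, it is authoritative for the name and the result says nothing about cache contents; the snooping signal only exists for names outside the server's own zones.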
Question 54 of 79
54. Question
An attacker creates a fake ID badge and waits next to an entry door to a secured facility. An authorized user swipes a key card and opens the door. The attacker follows the user inside. Which social engineering attack is in play here?
Correct answer:
Tailgating is correct.
In tailgating, the attacker holds a fake entry badge of some sort and follows an authorized user inside.
Incorrect answers:
Piggybacking is much the same as tailgating (the attacker follows someone inside), but in this case the attacker does not have a fake badge.
Phishing is an e-mail attack.
Shoulder surfing occurs inside the building and involves looking over someone's shoulder as they type.
Question 55 of 79
55. Question
A pen tester connects a laptop to a switch port and enables promiscuous mode on the NIC. He then turns on Wireshark and leaves for the day, hoping to catch interesting traffic over the next few hours. Which of the following is true regarding this scenario? (Choose all that apply.)
Correct answer:
The packet capture will provide the MAC addresses of other machines connected to the switch, The packet capture will display all unicast messages intended for the laptop, and The packet capture will display all broadcast messages are correct.
Switches are designed to filter traffic: a frame addressed to a destination MAC is sent only out the port where that MAC was learned. The exceptions are broadcast and multicast frames, which go out every port (as does unicast to a MAC the switch has not yet learned). Because ARP requests are broadcast, every machine's ARP requests, and therefore its MAC address, would be visible to the laptop.
Incorrect answers:
The packet capture will only provide the MAC addresses of the laptop and the default gateway is incorrect, as is the remaining answer.
The switch filters unicast traffic not addressed to the laptop, and MAC addresses are available from the broadcast ARP requests.
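The answer hinges on how a learning switch decides where to send each frame, so here is an added Python example (not from the original quiz) that models it and reports what a promiscuous capture on one port would contain. It goes one step beyond the answer text by also flooding unicast to MACs the switch has not learned, the behavior that MAC-flooding attacks exploit to turn a switch into a hub. Frames, MAC addresses and port numbers are constructed for the illustration.

```python
"""Learning switch versus a promiscuous sniffer (added example, not code from the
quiz). Frames, MAC addresses and port numbers are constructed."""
from dataclasses import dataclass
from typing import List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    kind: str          # "arp-request", "arp-reply", "ip", ...


def is_group_address(mac: str) -> bool:
    """Multicast or broadcast: the I/G bit (low bit of the first octet) is set."""
    return int(mac.split(":")[0], 16) & 1 == 1


class Switch:
    def __init__(self, ports: int, cam_size: int = 1024):
        self.ports = ports
        self.cam_size = cam_size          # how many MACs the CAM table can hold
        self.cam = {}                     # learned MAC -> port

    def forward(self, ingress: int, frame: Frame) -> List[int]:
        """Return the egress ports for a frame arriving on `ingress`."""
        if frame.src not in self.cam and len(self.cam) < self.cam_size:
            self.cam[frame.src] = ingress           # learn the sender's port
        if not is_group_address(frame.dst) and frame.dst in self.cam:
            out = self.cam[frame.dst]
            return [] if out == ingress else [out]  # known unicast: one port only
        # Broadcast, multicast or unknown unicast: flood to every other port.
        return [p for p in range(self.ports) if p != ingress]


def captured_on(switch: Switch, sniffer_port: int, traffic: list) -> List[Frame]:
    """Frames a promiscuous NIC on sniffer_port records: everything the switch
    sends out that port, plus whatever the sniffer itself transmits."""
    seen = []
    for ingress, frame in traffic:
        egress = switch.forward(ingress, frame)
        if ingress == sniffer_port or sniffer_port in egress:
            seen.append(frame)
    return seen


LAPTOP, ALICE, BOB, GATEWAY = ("00:11:22:33:44:00", "00:11:22:33:44:01",
                               "00:11:22:33:44:02", "00:11:22:33:44:ff")

# Constructed traffic: (ingress port, frame). The sniffing laptop sits on port 0.
TRAFFIC = [
    (0, Frame(LAPTOP, BROADCAST, "arp-request")),   # laptop's own ARP: switch learns port 0
    (1, Frame(ALICE, BROADCAST, "arp-request")),    # broadcast: flooded, captured
    (3, Frame(GATEWAY, ALICE, "arp-reply")),        # known unicast to port 1: not captured
    (1, Frame(ALICE, BOB, "ip")),                   # Bob not yet learned: flooded, captured
    (2, Frame(BOB, ALICE, "ip")),                   # both learned: port 1 only, not captured
    (3, Frame(GATEWAY, LAPTOP, "ip")),              # unicast for the laptop: captured
]


def demo(cam_size: int = 1024) -> List[Tuple[str, str, str]]:
    """(src, dst, kind) of each captured frame. With cam_size=1 the table fills
    after the first MAC and every later unicast is flooded, hub-style."""
    sw = Switch(ports=4, cam_size=cam_size)
    return [(f.src, f.dst, f.kind) for f in captured_on(sw, 0, TRAFFIC)]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Real switches also age entries out of the CAM table, so a laptop that only listens eventually becomes "unknown" itself; that is why a quiet sniffer still sees its own unicast arrive, as flooded unknown-unicast rather than as a learned delivery.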
Question 56 of 79
56. Question
Which of the following best describes a connection stream parameter pollution attack?
Correct answer:
Injecting parameters into a connection string using semicolons as separators is correct.
Connection string parameter pollution (CSPP) targets applications that build a database connection string by concatenating user input (for example, the user name and password from a login form). Because the string is a list of keyword=value pairs separated by semicolons, and most providers take the last value when a keyword repeats, an attacker can append "; Data Source=attacker-host" to redirect the connection (capturing the credentials that go with it) or "; Integrated Security=true" to authenticate with the application's own identity. Highlighted at Black Hat DC in 2010, CSPP can be used to steal user identities and hijack web credentials; it is a high-risk attack because of how easily it can be carried out and the results it can have.
Incorrect answers:
All other answers are incorrect. These choices do not accurately reflect the method(s) used in this attack.
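An added example, not from the original quiz, that makes the semicolon trick concrete in Python: parse_connection_string() models the keyword=value grammar and the last-value-wins rule for repeated keywords that providers such as ADO.NET apply; build_vulnerable() concatenates user input into the string, and build_safe() quotes each value the way a connection-string builder does (the ADO.NET quoting convention is assumed here). Server names and the attacker inputs are constructed for the illustration.

```python
"""Connection string parameter pollution (added example, not code from the quiz).
Server names and inputs are constructed; the quoting rule assumed is ADO.NET's."""


def parse_connection_string(cs: str) -> dict:
    """Split into {keyword (lower-cased): value}. Values may be wrapped in single or
    double quotes, inside which ';' and '=' are literal and a doubled quote means a
    literal quote. When a keyword repeats, the last occurrence wins."""
    result = {}
    i, n = 0, len(cs)
    while i < n:
        eq = cs.find("=", i)
        if eq == -1:
            break
        key = cs[i:eq].strip().lower()
        i = eq + 1
        while i < n and cs[i] == " ":
            i += 1
        if i < n and cs[i] in "\"'":
            quote, i, chars = cs[i], i + 1, []
            while i < n:
                if cs[i] == quote:
                    if i + 1 < n and cs[i + 1] == quote:
                        chars.append(quote)
                        i += 2
                        continue
                    i += 1
                    break
                chars.append(cs[i])
                i += 1
            value = "".join(chars)
        else:
            semi = cs.find(";", i)
            end = n if semi == -1 else semi
            value = cs[i:end].strip()
            i = end
        semi = cs.find(";", i)           # move to the next pair
        i = n if semi == -1 else semi + 1
        if key:
            result[key] = value
    return result


def quote_value(value: str) -> str:
    """Quote a value so that ';' and '=' inside it cannot start a new keyword."""
    if not any(c in value for c in ";=\"' "):
        return value
    return '"' + value.replace('"', '""') + '"'


def build_vulnerable(user: str, password: str) -> str:
    """Straight concatenation: whatever the user typed becomes connection-string syntax."""
    return f"Data Source=db.internal;Initial Catalog=app;User ID={user};Password={password};"


def build_safe(user: str, password: str) -> str:
    """Same string, but each user-supplied value is quoted as a whole."""
    return (f"Data Source=db.internal;Initial Catalog=app;"
            f"User ID={quote_value(user)};Password={quote_value(password)};")


# Constructed attacker inputs: redirect the connection to a host the attacker runs
# (the real credentials go with it), or switch to the application's own Windows identity.
REDIRECT_USER = "admin; Data Source=attacker.example"
ESCALATE_PASSWORD = "x; Integrated Security=true"

if __name__ == "__main__":
    print(parse_connection_string(build_vulnerable(REDIRECT_USER, "pw")))
    print(parse_connection_string(build_safe(REDIRECT_USER, "pw")))
```

In real code the fix is to use the provider's connection-string builder class (which applies this quoting for you) and, better still, never to place user-controlled values in the connection string at all: authenticate the user against the application, and let the application connect with its own fixed credentials.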
Question 57 of 79
57. Question
Your network was successfully attacked the previous evening. A review of the IDS logs reveals the IDS did not consider the initial or subsequent traffic to be malicious in nature. Which of the following best describes this?
Correct answer:
False negative is correct.
In this case the IDS reacted in a negative fashion (it sent no alerts) when in fact it should have alerted. This could be due to a variety of reasons: poor configuration, an anomaly-based IDS that was not given enough baseline time to learn proper traffic patterns, signatures that did not cover the technique used, and so on.
Incorrect answers:
A false positive occurs when the IDS alerts on traffic as malicious when, in truth, it is allowable and expected.
The other choices are included as distractors.
Question 58 of 79
58. Question
Which of the following Linux commands can be used to resolve a domain name to an IP?
Correct answer:
host -t a somewhere.com is correct.
The host command is one of several DNS lookup utilities in Linux (dig works as well). It is a simple utility for performing DNS lookups and is normally used to convert names to IP addresses, and vice versa. When no arguments or options are given, host displays a short summary of its command-line arguments and options. The -t switch selects the record type, here a (an IPv4 address record); host somewhere.com with no -t at all returns the A, AAAA and MX records.
Incorrect answers:
The ns and soa types are for name server and Start of Authority records, respectively, so host -t ns and host -t soa answer a different question.
The remaining command is incorrect syntax.
Question 59 of 79
59. Question
You use a Linux distribution Live CD to boot a system that is running Ubuntu and enter the following command set:
```
sudo mkdir /media/sda1
sudo mount /dev/sda1 /media/sda1
sudo chroot /media/sda1
passwd N3wPWD4thi$
```
Which of the following best describes what you are attempting?
Correct answer:
Change the password of the underlying desktop Ubuntu installation is correct.
Let's walk through the commands: sudo runs what follows as the superuser (assuming you are allowed to, as specified in the sudoers file). mkdir creates a mount point. mount attaches the installed system's root partition (/dev/sda1) at that mount point. chroot switches the root file system from the Live CD to the mounted installation, so subsequent commands operate on the installed system's files, including its /etc/shadow. Finally, passwd changes the password of the current user, which inside the chroot is root; passwd <username> would change another account. Note that passwd takes a user name, not the new password, as its argument and prompts for the password interactively, so the line as written would actually try to change a user named N3wPWD4thi$; the exam treats the argument as the intended new password. The lesson for defenders: anyone with physical access to an unencrypted disk can reset any password this way, which is why full-disk encryption matters.
Incorrect answers:
Change the password of the Live CD install for the session, Create a password-protected share, and Install a rootkit are incorrect.
These answers do not match the effect of the command-line entries.
Question 60 of 79
60. Question
Which of the following can be used to edit the local security policy of a Windows machine?
Correct
Correct answer:
secpol.msc is correct. Stand-alone computers are not part of Active Directory, and Group Policies do not apply to them, so editing the Local Security Policy is the only option. Microsoft Management Console can be opened via the mmc command, and the Local Security Policy snap-in can be added, or you can just use secpol.msc.
Incorrect answers:
gpedit.msc is used to open the Group Policy Editor.
compmgmt.msc is used to open Computer Management.
locsec.msc is not a valid command.
Question 61 of 79
61. Question
Which of the following connection protocols used by IoT devices is based on IEEE 802.15.4 for devices within a range of 10-100 meters?
Correct answer:
Zigbee is correct. Zigbee is a very popular IoT connection protocol. It’s a short-range wireless communication protocol based on the IEEE 802.15.4 standard for devices that transfer data infrequently at a low data rate in a restricted area and within a range of 10–100 meters.
Incorrect answers:
Z-Wave is a low-power, short-range communication method designed primarily for home automation.
Thread is an IPv6-based protocol for IoT devices.
RFID stores data in tags that are then read using electromagnetic fields.
Question 62 of 79
62. Question
In NIST cloud architecture, which role acts as the organization that has the responsibility of transferring the data?
Correct answer:
Cloud carrier is correct. The cloud carrier is the organization that has the responsibility of transferring the data, akin to the power distributor for the electric grid.
Incorrect answers:
The cloud consumer is the individual or organization that acquires and uses cloud products and services.
The cloud auditor is the independent assessor of cloud service and security controls.
The cloud broker acts to manage the use, performance, and delivery of cloud services as well as the relationships between providers and subscribers.
Question 63 of 79
63. Question
Which TCP flag instructs the recipient to ignore buffering constraints and immediately send all data?
Correct answer:
PSH is correct. It really does sound like an urgent request, but the PSH flag is designed for these scenarios.
Incorrect answers:
The URG flag is used to inform the receiving stack that certain data within a segment is urgent and should be prioritized (this flag is not used much by modern protocols).
The RST flag forces a termination of communications (in both directions).
BUF is not a TCP flag.
Question 64 of 79
64. Question
Which of the following best describes session key creation in SSL?
Correct answer:
It is created by the client after the server’s identity is verified is correct. An SSL session always begins with an exchange of messages called the “SSL handshake,” which allows the server to authenticate itself to the client using public-key techniques. Next, the client and the server cooperate in the creation of symmetric keys used for encryption.
Incorrect answers:
All other answers are incorrect. SSL keys are created after the server’s identity has been verified, not immediately upon client connection. The server’s public key is used in the verification process.
Question 65 of 79
65. Question
A security administrator notices a machine generating a tremendous amount of traffic to port 500 on several other systems. What can be inferred from this traffic?
Correct Answer:
The system is checking for IPSec on remote machines is correct.
Port 500 is used by Internet Key Exchange (IKE), which is typically used in IPSec-based VPN software. IKE is used to set up the session keys.
Incorrect Answers:
The NIC is jabbering, The system is infected with malware, and The system is checking for SSL vulnerabilities are incorrect.
A jabbering NIC sends just that—jabber.
While it’s possible the system is infected with malware, because of the fixation on port 500, it’s more likely scanning for IPSec.
SSL vulnerabilities have nothing to do with this.
Question 66 of 79
66. Question
During an audit several months ago, a team member was able to successfully access sensitive data by trying random versions of the company’s website URL. In the current audit, he tries the same links and finds they no longer appear to work. Of the following, which is the best choice to see past versions of the website?
Correct answer:
Archive.org is correct. The good-old Wayback Machine (a.k.a. The Internet Archive, http://archive.org) has been used for a long time to pull up old copies of websites, for good and maybe not-so-good purposes. Archive.org includes “snapshots of the World Wide Web,” which are archived copies of pages taken at various points in time dating back to 1996. In the real world, this is only useful for relatively well-known sites, and even that can be hit or miss. For your exam, though, the Wayback Machine is definitely the cat’s meow.
Incorrect answers:
Search.com is simply another search engine at your disposal. It does not hold archived copies.
Google cache holds a copy of the site only from the latest “crawl”—usually nothing older than a few days.
Pasthash.com doesn’t exist and is included as a distractor.
Question 67 of 79
67. Question
Which of the following tools can be used for remote password cracking of web servers? (Choose all that apply.)
Correct answers:
Brutus and THC-Hydra are correct. Brutus is a fast, flexible remote password cracker. It was originally invented to help its creator check routers and network devices for default and common passwords, but has since grown and evolved into much more, and it’s among the more popular security tools available for remote password cracking. THC-Hydra is another remote password cracker. It’s a “parallelized login cracker” that provides the ability to attack over multiple protocols.
Incorrect answers:
Nikto is not a remote password cracker. It’s an open source web-server-centric vulnerability scanner that performs comprehensive tests against web servers for multiple items.
BlackWidow is a web cloning tool, allowing you to copy an entire website for later review.
Question 68 of 79
68. Question
Which of the following is NOT a role within the cloud architecture, as defined by NIST?
Correct answer:
Cloud subscriber is correct. The five roles defined by NIST SP 500-292 are cloud carrier, cloud consumer, cloud provider, cloud broker, and cloud auditor. Cloud subscriber sounds good, but it is not recognized within NIST SP 500-292.
Incorrect answers:
All other answers are incorrect. These are all roles within cloud architecture.
Question 69 of 79
69. Question
You are examining an ongoing attack against a subnet. An IP address in the subnet has been sending large amounts of ICMP packets containing the MAC address FF:FF:FF:FF:FF:FF. What attack is underway?
Correct answer:
Smurf is correct. A smurf attack is a generic denial-of-service (DoS) attack against a target machine. The idea is simple: have so many ICMP requests going to the target that all its resources are taken up. To accomplish this, the attacker spoofs the target’s IP address and then sends thousands of ping requests from that spoofed IP to the subnet’s broadcast address. This, in effect, pings every machine on the subnet. Assuming they’re configured to do so, each and every one of the machines will respond to the request, effectively crushing the target’s network resources.
Incorrect answers:
An ICMP flood occurs when the hacker sends ICMP ECHO packets to the target with a spoofed (fake) source address. The target continues to respond to an address that doesn’t exist and eventually reaches a limit of packets per second sent.
A ping of death fragments an ICMP message to send to a target. When the fragments are reassembled, the resulting ICMP packet is larger than the maximum size and crashes the system.
A SYN flood takes place when an attacker sends multiple SYN packets to a target without providing an acknowledgement to the returned SYN/ACK. This is an attack that does not necessarily work on modern systems.
A Fraggle attack uses UDP packets.
Question 70 of 79
70. Question
What does the “chmod 744 anyfile” command accomplish?
Correct answer:
Allow all privileges to the user, read-only to the group, and read-only for all others is correct. File permissions in Linux are assigned via the use of the binary equivalent for each rwx group: read-only is equivalent to 4, write is 2, and execute is 1. To accumulate permissions, you add the numbers: 4 is read-only, 6 is read and write, and adding execute to the bunch means a 7. In use, the first number corresponds to the user, the second to the group, and the third to all others.
Incorrect answers:
All other answers are incorrect. The remaining answers do not match the 744 portion of the command.
Question 71 of 79
71. Question
You are examining a host with an IP address of 65.93.24.42/20, and you want to determine the broadcast address for the subnet. Which of the following is the correct broadcast address for the subnet?
Correct Answer:
65.93.255.255 is correct.
If you view the address 65.93.24.42 in binary, it looks like this: 01000001.01011101.00011000.00101010. The subnet mask given (/20) tells us only the first 24 bits count as the network ID (which cannot change if we are to stay in the same subnet), and the remaining 12 bits belong to the host. Turning off all the host bits (after the 20th) gives us our network ID: 01000001.01011101.00010000.00000000 (52.93.16.0/20). Turning on all the host bits gives us our broadcast address: 01000001.01011101.00011111.11111111 (65.93.31.255/20).
Incorrect Answers:
65.93.24.255, 65.93.0.255, 65.93.32.255, and 65.93.255.255 are incorrect.
These answers do not match the broadcast address for this subnet.
Question 72 of 79
72. Question
In which phase of the Security Development Lifecycle is “fuzz” testing performed?
Correct answer:
Verification is correct. The Security Development Lifecycle (SDL) phases include Training, Requirements, Design, Implementation, Verification, Release, and Response, and each phase holds specific actions. For example, in the Training phase, core security training for developers is performed. In the Requirements phase, the level of security desired is set. In the Verification phase, dynamic analysis, fuzz testing, and attack surface reviews are performed.
Incorrect answers:
The Implementation phase includes using approved tools and static analysis and turning off unsafe functions.
Design includes requirements, attack surface analysis, and threat modeling.
Release includes an incident response plan, final security review, and certification.
Question 73 of 79
73. Question
Which of the following statements is true regarding n-tier architecture?
Correct Answer:
N-tier allows each tier to be configured and modified independently is correct.
While usually implemented in three tiers, n-tier simply means you have three or more independently monitored, managed, and maintained collections of servers, each providing a specific service or task.
Incorrect Answers:
Each tier must communicate openly with every other tier, N-tier always consists of presentation, logic, and data tiers, and N-tier is usually implemented on one server are incorrect.
These statements are not necessarily true regarding n-tier.
Question 74 of 79
74. Question
The IT staff is notified that the company’s website has been defaced. A security employee, working from home, visits the site and sees the message “YOU HAVE BEEN HACKED!” on the front page. He then reboots the system, VPNs to the internal network, and visits the site again, this time noticing nothing out of place. What is the most likely explanation?
Correct answer:
DNS poisoning is correct. The externally facing DNS server is providing bad resolution to the public, while the internal name server is providing the correct address.
Incorrect answers:
All other answers are incorrect. None of the remaining choices explains the symptoms.
Question 75 of 79
75. Question
Which of the following is considered by OWASP to be the top vulnerability security professionals should be aware of in IoT systems?
Correct answer:
Insecure web interface is correct. Per OWASP, an insecure web interface can be present when an issue such as account enumeration, lack of account lockout, or weak credentials is present. Insecure web interfaces are prevalent as the intent is to have these interfaces exposed only on internal networks; however, threats from internal users can be just as significant as threats from external users. Issues with the web interface are easy to discover when examining the interface manually, along with automated testing tools to identify other issues such as cross-site scripting.
Incorrect answers:
Insufficient authentication/authorization, insecure network services, and an insecure cloud interface are ranked second, third, and sixth, respectively.
Question 76 of 79
76. Question
Which of the following statements is true regarding session hijacking?
Correct answer:
"The session is hijacked after authentication" is correct. Session hijacking involves predicting an acceptable sequence number during an exchange of information and taking over the communications channel. By its very nature, authentication must already be completed in order for it to work.
Incorrect answers:
All other answers are incorrect.
Hijacking occurs after authentication, so the authentication measure used is largely irrelevant.
Session hijacking can be carried out against all operating systems.
Question 77 of 79
77. Question
You are reviewing security plans and policies, and you want to provide protection to organization laptops. Which effort listed protects system folders, files, and MBR until valid credentials are provided at pre-boot?
Correct answer:
Full disk encryption is correct.
FDE is the appropriate control for data-at-rest protection. Pre-boot authentication provides protection against loss or theft of the device.
Incorrect answers:
Cloud computing, SSL/TLS, and AES are incorrect.
None of these answers protects system folders, files, and the MBR until valid credentials are provided at pre-boot.
Question 78 of 79
78. Question
Which IoT attack involves sniffing, jamming, and replaying a car key fob signal?
Correct answer:
Rolling code is correct. The code used by your key fob to unlock (and in some cases start) your car is called a rolling (or hopping) code. An attacker can sniff for the first part of the code, jam the key fob, and sniff/copy the second part on subsequent attempts, allowing him to steal the code…and your car.
Incorrect answers:
A BlueBorne attack is basically an amalgamation of techniques and attacks against known, already existing Bluetooth vulnerabilities.
KeyFobbing and Auto Scrolling don’t exist.
Question 79 of 79
79. Question
An application in your environment has proven to contain vulnerabilities. Which of the following actions best describes avoiding the risk?
Correct answer:
Remove the software from the environment is correct. Removing the software, service, and so on that contains a vulnerability is described as avoiding the risk: if it’s not there to be exploited, there’s no risk.
Incorrect answers:
Installing patches (or a new version) is an attempt to mitigate the risk.
Installing different software without vulnerabilities is called transferring the risk (however, I don’t care what the software publisher says; the community will determine whether there are vulnerabilities).
Leaving the software in place is an example of accepting the risk: security controls may be in place such that the chance of exploitation is so small that you’re willing to accept the vulnerabilities that exist.