CEH Practice Test 22
Question 1 of 65
What is the purpose of the demilitarized zone?
Explanation: A DMZ (demilitarized zone, https://en.wikipedia.org/wiki/DMZ_(computing)) is a subnetwork that holds an organization's exposed, outward-facing services (web, mail, DNS and the like) and acts as the point of contact with untrusted networks, commonly the Internet. Its purpose is to add a layer of separation between the Internet and the local area network: an external node can reach only what is deliberately exposed in the DMZ, while the rest of the organization's network sits behind a further firewall. DMZ hosts in turn are allowed to open only the specific inward connections their service needs (for example, a web front end to its database port), so that a compromised DMZ host does not hand an attacker the internal network. When implemented properly, a DMZ gives the organization extra time and telemetry to detect and contain a breach before it reaches the internal network, where the valuable assets are stored.
Question 2 of 65
Andrew is conducting a penetration test and is now sniffing the target network. Which of the following is not available to Andrew while sniffing the network?
Explanation: Identifying operating systems, services, protocols and devices; collecting unencrypted usernames and passwords; and capturing network traffic for later analysis are all passive sniffing activities: the tester only receives frames and changes nothing on the target network. Modifying and replaying captured traffic is not sniffing at all; it injects packets into the network and is therefore an active attack (a replay or man-in-the-middle attack), so it is the option not available to Andrew while merely sniffing. Two practical caveats: on a switched network even "passive" sniffing needs a SPAN/mirror port, a tap, or an active technique such as ARP poisoning to see traffic not addressed to the sniffer, and encrypted protocols (TLS, SSH) expose metadata such as hosts and ports but not the credentials inside.
Question 3 of 65
Rajesh, the system administrator, analyzed the IDS logs and noticed that when he accessed the external router from the administrator's computer to update its configuration, the IDS raised alerts. What type of alert is this?
Explanation: This is a false positive. A false positive is when the IDS classifies an activity as an attack although the activity is acceptable behaviour: a false alarm. Here the administrator's legitimate configuration update to the external router matched a rule, so the alert fired on benign traffic. Such alerts should be tuned out (for example, by exempting the sanctioned admin host and path) rather than just dismissed, because an analyst who learns to ignore them will eventually ignore a real one.
Incorrect answers:
False negative: the IDS classifies an activity as acceptable when it is actually an attack; the attack is missed. This is the most serious and dangerous state, since the security professional has no idea that an attack took place.
True positive: the IDS classifies an activity as an attack and it actually is one; a successful detection.
True negative: the IDS classifies an activity as acceptable and it actually is; benign behaviour correctly ignored.
Question 4 of 65
While using your bank's online banking service you notice the following string in the URL bar: http://www.MyPersonalBank.com/account?id=368940911028389&Damount=10980&Camount=21 You observe that if you modify the Damount and Camount values and resubmit the request, the data shown on the web page change accordingly. Which type of vulnerability is present on this site?
Explanation: This is web parameter tampering. The attack manipulates parameters exchanged between client and server (here the Damount and Camount values in the URL query string) to modify application data such as user credentials and permissions, prices and quantities of products, or, as in this case, account figures. Such parameters are usually carried in cookies, hidden form fields or URL query strings, and the flaw is that the server trusts them to carry state that should never have left it. The attack can be performed by a malicious user for their own benefit, or by an attacker altering a third party's requests from a man-in-the-middle position; in both cases an intercepting proxy is the usual tool (historically WebScarab and Paros, today their successors OWASP ZAP and Burp Suite). Success depends on missing integrity and business-logic validation on the server, and the same weakness often chains into XSS, SQL injection, file inclusion and path disclosure. The fix is never to trust client-supplied values for server-owned state: derive amounts from server records, bind the account id to the authenticated session, and treat unexpected parameters as a signal worth logging.
Incorrect answers:
Cookie tampering: cookies are files on a user's computer that let a web application store information used to identify returning users, along with user actions or user-specific settings. Cookie tampering is used for attacks such as session hijacking, where cookies carrying session identifiers are stolen or modified by an attacker. The values in this question are in the URL, not a cookie.
XSS reflection (https://en.wikipedia.org/wiki/Cross-site_scripting#Non-persistent_(reflected)): cross-site scripting is a web application vulnerability that lets an attacker inject code (typically HTML or JavaScript) into a website's content; when a victim views the affected page, the victim's browser executes the injected code, so the attacker bypasses the browser's same-origin policy and can steal the victim's data associated with that site. Reflected (non-persistent) XSS occurs when a malicious script is reflected off the web application to the victim's browser: the script is activated through a link that sends a request to a vulnerable page whose insufficiently sanitized input handling allows the script to execute. To distribute the link, the attacker typically embeds it in an email or a third-party site (a comment section or social media) inside anchor text that provokes the user to click, which sends the XSS request to the vulnerable site and reflects the attack back to the user.
SQL injection (https://en.wikipedia.org/wiki/SQL_injection): a code injection technique against data-driven applications in which malicious SQL statements are inserted into an entry field for execution (for example, to dump the database contents to the attacker). It exploits an application that incorrectly filters string literal escape characters embedded in SQL statements, or that does not strongly type user input, so that the input is executed unexpectedly. SQL injection is best known as an attack vector for websites but can be used against any type of SQL database.
Question 5 of 65
Which of the following ciphers is based on factoring the product of two large prime numbers?
Explanation: RSA (https://en.wikipedia.org/wiki/RSA_(cryptosystem)). RSA (Rivest-Shamir-Adleman) is a public-key cryptosystem that is widely used for secure data transmission and is one of the oldest. The acronym comes from the surnames of Ron Rivest, Adi Shamir and Leonard Adleman, who publicly described the algorithm in 1977; an equivalent system had been developed secretly in 1973 at GCHQ (the British signals intelligence agency) by the English mathematician Clifford Cocks and was declassified in 1997. In a public-key cryptosystem the encryption key is public and distinct from the decryption key, which is kept secret. An RSA user creates and publishes a public key based on two large prime numbers, along with an auxiliary value; the primes are kept secret. Anyone can encrypt with the public key, but only someone who knows the primes can decrypt, and the security of the scheme rests on the practical difficulty of factoring the product of the two primes.
Incorrect answers:
SHA-1 (https://en.wikipedia.org/wiki/SHA-1): a cryptographic hash function, not a cipher. It takes an input and produces a 160-bit (20-byte) message digest, typically rendered as a 40-digit hexadecimal number. It was designed by the United States National Security Agency and is a U.S. Federal Information Processing Standard; its design follows principles similar to Ronald L. Rivest's MD2, MD4 and MD5 but yields a larger digest (160 bits vs. 128 bits). Since the 2017 public collision it is considered broken for signatures and certificates.
MD5 (https://en.wikipedia.org/wiki/MD5): a widely used hash function producing a 128-bit digest, also not a cipher. Although designed as a cryptographic hash, it suffers from extensive weaknesses; it can still serve as a checksum against unintentional corruption and for non-cryptographic purposes such as choosing the partition for a key in a partitioned database.
RC5 (https://en.wikipedia.org/wiki/RC5): a symmetric-key block cipher notable for its simplicity, designed by Ronald Rivest in 1994. RC stands for "Rivest Cipher" or alternatively "Ron's Code" (compare RC2 and RC4). The AES candidate RC6 was based on RC5. Being symmetric, its security does not depend on any factoring problem.
Question 6 of 65
The evil hacker Antonio is trying to attack the IoT device. He will use several fake identities to create a strong illusion of traffic congestion, affecting communication between neighbouring nodes and networks. What kind of attack does Antonio perform?
Explanation: This is a Sybil attack (https://en.wikipedia.org/wiki/Sybil_attack). A Sybil attack subverts a reputation or consensus system by creating multiple identities; in a sensor or IoT mesh, one attacker node presenting many identities can fake a majority of neighbours reporting congestion, poison routing decisions and disrupt communication between legitimate nodes. A system's vulnerability to a Sybil attack depends on how cheaply identities can be generated, on whether it accepts input from entities with no chain of trust back to a trusted authority, and on whether it treats all identities identically. As of 2012, evidence showed that large-scale Sybil attacks could be carried out cheaply and efficiently in real systems such as the BitTorrent Mainline DHT. An entity on a peer-to-peer network is a piece of software with access to local resources; it advertises itself by presenting an identity, and more than one identity can correspond to a single entity (the mapping of identities to entities is many-to-one). Entities legitimately use multiple identities for redundancy, resource sharing, reliability and integrity, and a remote peer sees only identities, not which local entity stands behind each. By default each distinct identity is assumed to be a distinct entity; in reality many identities may belong to the same one, which is exactly what the attacker exploits. The defences are to make identities costly (device certificates issued at provisioning, proof of work, or resource testing) and to look for many identities sharing one physical source.
Incorrect answers:
Exploit kits: an exploit kit is a collection of exploits, an all-in-one tool for managing many exploits together. Exploit kits act as a repository that lets users without much technical knowledge deploy exploits; users can also add their own alongside the pre-installed ones. No fake identities are involved.
Side-channel attack (https://en.wikipedia.org/wiki/Side-channel_attack): any attack based on information gained from the implementation of a computer system rather than from weaknesses in the algorithm itself. Timing, power consumption, electromagnetic leakage or even sound can provide an extra source of exploitable information. Some side-channel attacks require knowledge of the system's internals, while others such as differential power analysis work as black-box attacks. Researchers from Microsoft Research and Indiana University showed that Web 2.0 applications and software-as-a-service have also raised the possibility of side-channel attacks on the web, even when the traffic between browser and server is encrypted (through HTTPS or Wi-Fi encryption).
Question 7 of 65
7. Question
The company "Usual company" asked a cybersecurity specialist to check their perimeter email gateway security. To do this, the specialist creates a specially formatted email message:
From: [email protected]
To: [email protected]
Subject: Test message
Date: 5/8/2021 11:22
He sends this message over the Internet, and a "Usual company" employee receives it. This means that the gateway of this company doesn't prevent _____.
Correct
https://en.wikipedia.org/wiki/Email_spoofing Email spoofing is the fabrication of an email header in the hopes of duping the recipient into thinking the email originated from someone or somewhere other than the actual source. Because core email protocols do not have a built-in method of authentication, it is common for spam and phishing emails to use such spoofing to trick the recipient into trusting the origin of the message. The ultimate goal of email spoofing is to get recipients to open, and possibly even respond to, a solicitation. Although spoofed messages are usually just a nuisance requiring little action besides removal, the more malicious varieties can cause significant problems and sometimes pose a real security threat.
Incorrect answers:
Email Phishing https://en.wikipedia.org/wiki/Phishing Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message. The recipient is then tricked into clicking a malicious link, leading to a malware installation, freezing the system as part of a ransomware attack, or revealing sensitive information.
Email Masquerading A masquerade attack is one where the perpetrator assumes the identity of a fellow network user or co-employee to trick victims into providing user credentials that he/she can then use to gain access to other connected accounts. Threat actors carry out masquerade attacks by stealing username-and-password combinations via phishing and other means, exploiting security weaknesses or vulnerabilities, or bypassing authentication processes. But the attacker always does so from within the organization. A masquerade attacker is comparable to a wolf in sheep's clothing: he/she assumes the identity of someone harmless to gain an unsuspecting victim's trust. NOTE: Very similar to spoofing, isn't it? Indeed, but here the situation is a little different; the attacker can not only fake the email header but also, for example, really write on behalf of your friend/boss by gaining access to his/her account. This is a slightly broader concept than spoofing.
Email Harvesting https://en.wikipedia.org/wiki/Email-address_harvesting Email harvesting or scraping is the process of obtaining lists of email addresses using various methods. Typically these are then used for bulk email or spam.
Question 8 of 65
8. Question
Which of the following Nmap's commands allows you to most reduce the probability of detection by IDS when scanning common ports?
Correct
https://nmap.org/book/man-performance.html Nmap offers a simple approach, with six timing templates. You can specify them with the -T option and their number (0-5) or their name. The template names are paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5). The first two are for IDS evasion. Polite mode slows down the scan to use less bandwidth and target machine resources. Normal mode is the default, so -T3 does nothing. Aggressive mode speeds scans up by making the assumption that you are on a reasonably fast and reliable network. Finally, insane mode assumes that you are on an extraordinarily fast network or are willing to sacrifice some accuracy for speed. NOTE: The trick here is to choose the slowest scan, and here the choice is obvious: -T0 (paranoid). Without an explicit timing option, Nmap uses the default mode (-T3).
Question 9 of 65
9. Question
Which of the following methods is best suited to protect confidential information on your laptop which can be stolen while travelling?
Correct
https://en.wikipedia.org/wiki/Disk_encryption#Full_disk_encryption The best solution of all the above options is full disk encryption, as it provides the highest security. Full disk encryption has several benefits compared to regular file or folder encryption, or encrypted vaults. The following are some benefits of disk encryption:
· Nearly everything, including the swap space and the temporary files, is encrypted. Encrypting these files is important, as they can reveal important confidential data. With a software implementation, however, the bootstrapping code cannot be encrypted. For example, BitLocker Drive Encryption leaves an unencrypted volume to boot from, while the volume containing the operating system is fully encrypted.
· With full disk encryption, the decision of which individual files to encrypt is not left up to users' discretion. This is important for situations in which users might not want or might forget to encrypt sensitive files.
· Immediate data destruction, such as simply destroying the cryptographic keys (crypto-shredding), renders the contained data useless. However, if security against future attacks is a concern, purging or physical destruction is advised.
Question 10 of 65
10. Question
What are the two main conditions for a digital signature?
Correct
A digital signature is a digital code that can be attached to an electronically transmitted message and that uniquely identifies the sender. Like a written signature, the purpose of a digital signature is to guarantee that the individual sending the message really is who he or she claims to be. Digital signatures are significant for electronic commerce and are a key component of most authentication schemes. To be effective, digital signatures must be unforgeable; there are several different encryption techniques to guarantee this level of security. The digital signature should also be transportable to other recipients. For instance, if a signed document is sent to a third party who needs to verify that the signature is authentic, and the signature is not readable by their software, they will not be able to verify it and therefore will not be able to access the document.
Question 11 of 65
11. Question
John, a system administrator, is learning how to work with new technology: Docker. He will use it to create a network connection between the container interfaces and its parent host interface. Which of the following network drivers is suitable for John?
Correct
https://docs.docker.com/network/macvlan/ Some applications, especially legacy applications or applications which monitor network traffic, expect to be directly connected to the physical network. In this type of situation, you can use the macvlan network driver to assign a MAC address to each container's virtual network interface, making it appear to be a physical network interface directly connected to the physical network. In this case, you need to designate a physical interface on your Docker host to use for the macvlan, as well as the subnet and gateway of the macvlan. You can even isolate your macvlan networks using different physical network interfaces. Keep the following things in mind: It is very easy to unintentionally damage your network due to IP address exhaustion or to VLAN spread, which is a situation in which you have an inappropriately large number of unique MAC addresses in your network. Your networking equipment needs to be able to handle promiscuous mode, where one physical interface can be assigned multiple MAC addresses. If your application can work using a bridge (on a single Docker host) or overlay (to communicate across multiple Docker hosts), these solutions may be better in the long term.
Incorrect answers:
Bridge networking https://docs.docker.com/network/bridge/ In terms of Docker, a bridge network uses a software bridge which allows containers connected to the same bridge network to communicate, while providing isolation from containers which are not connected to that bridge network. The Docker bridge driver automatically installs rules in the host machine so that containers on different bridge networks cannot communicate directly with each other.
Host networking https://docs.docker.com/network/host/ If you use the host network mode for a container, that container's network stack is not isolated from the Docker host (the container shares the host's networking namespace), and the container does not get its own IP address allocated. For instance, if you run a container which binds to port 80 and you use host networking, the container's application is available on port 80 on the host's IP address. Host mode networking can be useful to optimize performance, and in situations where a container needs to handle a large range of ports, as it does not require network address translation (NAT), and no userland proxy is created for each port. The host networking driver only works on Linux hosts, and is not supported on Docker Desktop for Mac, Docker Desktop for Windows, or Docker EE for Windows Server.
Overlay networking https://docs.docker.com/network/overlay/ The overlay network driver creates a distributed network among multiple Docker daemon hosts. This network sits on top of (overlays) the host-specific networks, allowing containers connected to it (including swarm service containers) to communicate securely when encryption is enabled. Docker transparently handles routing of each packet to and from the correct Docker daemon host and the correct destination container.
Question 12 of 65
12. Question
What identifies malware by collecting data from protected computers while analyzing it on the provider's infrastructure instead of locally?
Correct
Cloud-based detection identifies malware by collecting data from protected computers while analyzing it on the provider's infrastructure instead of locally. This is usually done by capturing the relevant details about the file and the context of its execution on the endpoint and providing them to the cloud engine for processing. The local antivirus agent only needs to perform minimal processing. Moreover, the vendor's cloud engine can derive malware characteristics and behavior patterns by correlating data from multiple systems. In contrast, other antivirus components base decisions mostly on locally observed attributes and behaviors. A cloud-based antivirus engine allows individual users of the tool to benefit from other community members' experiences.
Incorrect answers:
Behavioral-based detection Behavioral detection observes how the program executes, rather than merely emulating its execution. This approach attempts to identify malware by looking for suspicious behaviors, such as unpacking of malcode, modifying the hosts file, or observing keystrokes. Noticing such actions allows an antivirus tool to detect the presence of previously unseen malware on the protected system. As with heuristics, each of these actions by itself might not be sufficient to classify the program as malware. However, taken together, they could be indicative of a malicious program. The use of behavioral techniques brings antivirus tools closer to host intrusion prevention systems (HIPS), which have traditionally existed as a separate product category.
Heuristics-based detection Heuristics-based detection aims at generically detecting new malware by statically examining files for suspicious characteristics without an exact signature match. For instance, an antivirus tool might look for the presence of rare instructions or junk code in the examined file. The tool might also emulate running the file to see what it would do if executed, attempting to do this without noticeably slowing down the system. A single suspicious attribute might not be enough to flag the file as malicious. However, several such characteristics might exceed the expected risk threshold, leading the tool to classify the file as malware. The biggest downside of heuristics is that it can inadvertently flag legitimate files as malicious.
Real-time protection Real-time protection is a security feature that helps stop malware from being installed on your device. This feature is built into Microsoft Defender, a comprehensive virus and threat detection program that is part of the Windows 10 security system.
Question 13 of 65
13. Question
Which of the following will allow you to prevent unauthorized network access to local area networks and other information assets by wireless devices?
Correct
https://en.wikipedia.org/wiki/Wireless_intrusion_prevention_system A Wireless Intrusion Prevention System (WIPS) is a network device that monitors the radio spectrum for the presence of unauthorized access points (intrusion detection) and can automatically take countermeasures (intrusion prevention).
Incorrect answers:
HIDS: https://en.wikipedia.org/wiki/Host-based_intrusion_detection_system A host-based intrusion detection system (HIDS) is an intrusion detection system capable of monitoring and analyzing the internals of a computing system as well as the network packets on its network interfaces, similar to the way a network-based intrusion detection system (NIDS) operates. This was the first type of intrusion detection software to be designed, with the original target system being the mainframe computer, where outside interaction was infrequent.
NIDS: https://en.wikipedia.org/wiki/Intrusion_detection_system#Network_intrusion_detection_systems Network intrusion detection systems (NIDS) are placed at a strategic point or points within the network to monitor traffic to and from all devices on the network. A NIDS analyzes the traffic passing on the entire subnet and matches it against a library of known attacks. Once an attack is identified or abnormal behavior is sensed, an alert can be sent to the administrator. An example would be installing a NIDS on the subnet where the firewalls are located, in order to see whether someone is trying to break into the firewall. Ideally one would scan all inbound and outbound traffic; however, doing so might create a bottleneck that would impair the overall speed of the network. OPNET and NetSim are commonly used tools for simulating network intrusion detection systems. NIDS are also capable of comparing signatures for similar packets in order to link and drop harmful packets whose signature matches the records in the NIDS.
When the design of a NIDS is classified according to the system interactivity property, there are two types: on-line and off-line NIDS, often referred to as inline and tap mode, respectively. An on-line NIDS deals with the network in real time: it analyzes the Ethernet packets and applies rules to decide whether they constitute an attack. An off-line NIDS deals with stored data and passes it through some processes to decide whether it represents an attack.
AIDS: Anomaly-based intrusion detection systems were primarily introduced to detect unknown attacks, in part due to the rapid development of malware. The basic approach is to use machine learning to create a model of trustworthy activity and then compare new behavior against this model. Since these models can be trained according to the applications and hardware configurations, the machine-learning-based method generalizes better than a traditional signature-based IDS. Although this approach enables the detection of previously unknown attacks, it may suffer from false positives: previously unknown legitimate activity may also be classified as malicious. Most existing IDSs suffer from a time-consuming detection process that degrades their performance; an efficient feature-selection algorithm makes the classification used in detection more reliable.
Question 14 of 65
14. Question
You are configuring a new employee's laptop to join an 802.11 network. The new laptop has the same hardware and software as the laptops of other employees. Using a wireless packet sniffer, you found that the Wireless Access Point (WAP) is not responding to the association requests sent by the laptop. What can cause this problem?
Correct
https://en.wikipedia.org/wiki/MAC_filtering MAC filtering is a security method based on access control. Each network interface is assigned a 48-bit MAC address, which is used to determine whether the device can access a network or not. It allows listing a set of allowed devices that you want on your Wi-Fi and a set of denied devices that you don't want on your Wi-Fi, and so helps prevent unwanted access to the network. In other words, we can blacklist or whitelist certain computers based on their MAC address. We can configure the filter to allow connections only from devices included in the whitelist. Whitelists provide greater security than blacklists because the router grants access only to selected devices. MAC filtering is also used on enterprise wireless networks with multiple access points to prevent clients from communicating with each other: the access point can be configured to allow clients to talk only to the default gateway and not to other wireless clients. It increases the efficiency of access to a network. The router allows configuring a list of allowed MAC addresses in its web interface, letting you choose which devices can connect to your network. The router has several functions designed to improve the network's security, but not all are useful. MAC address filtering may seem advantageous, but it has certain flaws. On a wireless network, a device with the proper credentials, such as the SSID and password, can authenticate with the router and join the network, receiving an IP address and access to the internet and any shared resources. MAC address filtering adds an extra layer that checks the device's MAC address against a list of approved addresses. If the client's address matches one on the router's list, access is granted; otherwise, it does not join the network.
Question 15 of 65
15. Question
You have been assigned the task of defending the company from network sniffing. Which of the following is the best option for this task?
Correct
https://en.wikipedia.org/wiki/Sniffing_attack To protect networks from sniffing attacks, organizations and individual users should avoid applications that use insecure protocols, such as basic HTTP authentication, File Transfer Protocol (FTP), and Telnet. Instead, secure protocols such as HTTPS, Secure File Transfer Protocol (SFTP), and Secure Shell (SSH) should be preferred. If an insecure protocol must be used in an application, all data transmission should be encrypted. If required, a VPN (Virtual Private Network) can be used to provide secure access to users. NOTE: I want to note that the wording "best option" is valid only for the EC-Council's exam, since the other options will not help against sniffing or will only help against some specific attack vectors. The sniffing attack surface is huge. To protect against it, you will need to implement a set of measures at all levels of abstraction and apply controls at the physical, administrative, and technical levels. However, encryption is indeed the best option of all: even if your data is intercepted, an attacker cannot understand it.
Question 16 of 65
16. Question
Maria is surfing the internet and trying to find information about Super Security LLC. Which process is Maria performing?
Correct
https://en.wikipedia.org/wiki/Footprinting Footprinting is a part of the reconnaissance process used to gather possible information about a target computer system or network. It can be both passive and active. Reviewing a company's website is an example of passive footprinting, whereas attempting to gain access to sensitive information through social engineering is an example of active information gathering. Footprinting is basically the first step, where the hacker gathers as much information as possible to find ways to intrude into a target system, or at least to decide what type of attacks will be more suitable for the target. During this phase, a hacker can collect the following information:
· Domain name
· IP addresses
· Namespaces
· Employee information
· Phone numbers
· E-mails
· Job information
Incorrect answers:
Scanning: Security scanning can mean many different things, but it can be described as scanning a website's security, a web-based program, a network, or a file system for either vulnerabilities or unwanted file changes. The type of security scanning required for a particular system depends on what that system is used for. The more complicated and intricate the system or network is, the more in-depth the security scan must be. Security scanning can be done as a one-time check, but most companies that incorporate it into their security practices buy a service that continually scans their systems and networks. One of the more popular open-source software platforms that run security scans is Nmap. It has been around for a very long time and has the ability to find and exploit vulnerabilities in a network. Several online scans are available; however, these come with varying degrees of effectiveness and cost-efficiency. NOTE: In the context of an EC-Council course and exam, think of these definitions like this: Footprinting is a passive collection of information without touching the target system/network/computer.
Scanning is an active collection of information associated with a direct impact on the target. Yes, that's not entirely true, but this course has big problems with abstraction levels. It is almost impossible to present a lot of topics in such a short period of time.
Enumeration: Enumeration is defined as a process that establishes an active connection to the target hosts to discover potential attack vectors in the system. The same can be used to exploit the system further. Enumeration is used to gather the following:
· Usernames, group names
· Hostnames
· Network shares and services
· IP tables and routing tables
· Service settings and audit configurations
· Applications and banners
· SNMP and DNS details
System Hacking: System hacking is a vast subject that consists of hacking the different software-based technological systems such as laptops, desktops, etc. System hacking is defined as compromising computer systems and software to access the target computer and steal or misuse its sensitive information. Here, the malicious hacker exploits a computer system's or network's weaknesses to gain unauthorized access to its data or take illegal advantage.
Question 17 of 65
17. Question
Which of the honeypot types listed below simulates the real production network of the target organization?
Correct
https://en.wikipedia.org/wiki/Honeypot_(computing)
Pure honeypots are full-fledged production systems. The attacker's activities are monitored by using a bug tap installed on the honeypot's link to the network. No other software needs to be installed. Even though a pure honeypot is useful, the stealthiness of the defense mechanisms can be ensured by a more controlled mechanism.
Incorrect answers:
Low-interaction honeypots
A low-interaction honeypot will only give an attacker minimal access to the operating system. Low interaction means precisely that the adversary will not be able to interact with your decoy system in any depth, as it is a much more static environment. A low-interaction honeypot will usually emulate a small number of Internet protocols and network services, just enough to deceive the attacker and no more. In general, most businesses simulate the TCP and IP protocols, which allows the attacker to think they are connecting to a real system and not a honeypot environment. A low-interaction honeypot is simple to deploy, does not give access to a real root shell, and does not use significant resources to maintain. However, a low-interaction honeypot may not be effective enough, as it is only a basic simulation of a machine. It may not fool attackers into engaging, and it is certainly not in-depth enough to capture complex threats such as zero-day exploits.
High-interaction honeypots
A high-interaction honeypot emulates certain protocols or services. The attacker is provided with real systems to attack, making it far less likely they will guess they are being diverted or observed. As the systems are only present as a decoy, any traffic that is found is by its very existence malicious, making it easy to spot threats and to track and trace an attacker's behavior. Using a high-interaction honeypot, researchers can learn the tools an attacker uses to escalate privileges or the lateral movements they make to attempt to uncover sensitive data.
Research honeypots
Research honeypots are run to gather information about the black hat community's motives and tactics when targeting different networks. These honeypots do not add direct value to a specific organization; instead, they are used to research the threats that organizations face and to learn how to better protect against those threats. Research honeypots are complex to deploy and maintain, capture extensive information, and are used primarily by research, military, or government organizations.
Question 18 of 65
18. Question
Which of the following flags will trigger an Xmas scan?
Correct
-sX
https://nmap.org/book/scan-methods-null-fin-xmas-scan.html
These three scan types (even more are possible with the --scanflags option described in the next section) exploit a subtle loophole in the TCP RFC to differentiate between open and closed ports. Page 65 of RFC 793 says that if the [destination] port state is CLOSED ... an incoming segment not containing an RST causes an RST to be sent in response. Then the next page discusses packets sent to open ports without the SYN, RST, or ACK bits set, stating that: you are unlikely to get here, but if you do, drop the segment, and return. When scanning systems compliant with this RFC text, any packet not containing SYN, RST, or ACK bits will result in a returned RST if the port is closed and no response at all if the port is open. As long as none of those three bits are included, any combination of the other three (FIN, PSH, and URG) is OK. Nmap exploits this with three scan types:
Null scan (-sN): does not set any bits (the TCP flag header is 0).
FIN scan (-sF): sets just the TCP FIN bit.
Xmas scan (-sX): sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.
Incorrect answers:
-sP (Skip port scan). This option tells Nmap not to do a port scan after host discovery, and only print out the available hosts that responded to the scan. This is often known as a ping scan, but you can also request that traceroute and NSE host scripts be run.
-sA (TCP ACK scan). This scan never determines open (or even open|filtered) ports. It is used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.
-sV (Version detection). Enables version detection. Alternatively, you can use -A, which enables version detection among other things.
Question 19 of 65
19. Question
What is a set of extensions to DNS that provide to DNS clients (resolvers) origin authentication, authenticated denial of existence and data integrity, but not availability or confidentiality?
Correct
The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by DNS for use on IP networks. DNSSEC is a set of extensions to DNS that provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality. DNSSEC is necessary because the original DNS design did not include security but was designed to be a scalable distributed system. DNSSEC adds security while maintaining backward compatibility.
Question 20 of 65
20. Question
Identify the vulnerability in OpenSSL that allows stealing information that is normally protected by the SSL/TLS encryption used to secure the Internet.
Correct
https://en.wikipedia.org/wiki/Heartbleed
Heartbleed is a security bug in the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. It was introduced into the software in 2012 and publicly disclosed in April 2014. Heartbleed may be exploited regardless of whether the vulnerable OpenSSL instance is running as a TLS server or client. It results from improper input validation (due to a missing bounds check) in the implementation of the TLS heartbeat extension. The vulnerability is classified as a buffer over-read, a situation where more data can be read than should be allowed.
Incorrect answers:
SSL/TLS Renegotiation Vulnerability
The vulnerability is with the renegotiation feature, which allows one part of an encrypted connection (the one taking place before renegotiation) to be controlled by one party and the other part (the one taking place after renegotiation) to be controlled by another. A MITM attacker can open a connection to an SSL server, send some data, request renegotiation, and, from that point on, continue to forward to the SSL server the data coming from a genuine user. One could argue that this is not a fault in the protocols, but it is certainly a severe usability issue. The protocols do not ensure continuity before and after negotiation. To make things worse, web servers will combine the data they receive prior to renegotiation (which is coming from an attacker) with the data they receive after renegotiation (which is coming from a victim). This issue is the one affecting the majority of SSL users.
Shellshock
https://en.wikipedia.org/wiki/Shellshock_(software_bug)
Shellshock, also known as Bashdoor, is a family of security bugs in the Unix Bash shell, the first of which was disclosed on 24 September 2014. Shellshock could enable an attacker to cause Bash to execute arbitrary commands and gain unauthorized access to many Internet-facing services, such as web servers, that use Bash to process requests.
POODLE
https://en.wikipedia.org/wiki/POODLE
The POODLE attack (which stands for "Padding Oracle On Downgraded Legacy Encryption") is a man-in-the-middle exploit which takes advantage of Internet and security software clients' fallback to SSL 3.0. If attackers successfully exploit this vulnerability, on average, they only need to make 256 SSL 3.0 requests to reveal one byte of encrypted messages. Bodo Möller, Thai Duong and Krzysztof Kotowicz from the Google Security Team discovered this vulnerability; they disclosed the vulnerability publicly on October 14, 2014 (despite the paper being dated "September 2014"). On December 8, 2014 a variation of the POODLE vulnerability that affected TLS was announced.
Question 21 of 65
21. Question
Which of the following Nmap options will you use if you want to scan fewer ports than the default?
Correct
https://nmap.org/book/man-port-specification.html -F (Fast (limited port) scan) Specifies that you wish to scan fewer ports than the default. Normally Nmap scans the most common 1,000 ports for each scanned protocol. With -F, this is reduced to 100.
Question 22 of 65
22. Question
Determine the attack by the description:
Correct
https://en.wikipedia.org/wiki/Meet-in-the-middle_attack
The meet-in-the-middle attack (MITM), a known-plaintext attack, is a generic space-time tradeoff cryptographic attack against encryption schemes that rely on performing multiple encryption operations in sequence. The MITM attack is the primary reason why Double DES is not used and why a Triple DES key (168-bit) can be brute-forced by an attacker with 2^56 space and 2^112 operations. The intruder has to know some parts of the plaintext and their ciphertexts. Using meet-in-the-middle attacks it is possible to break ciphers which have two or more secret keys for multiple encryption using the same algorithm. For example, the 3DES cipher works in this way. The meet-in-the-middle attack was first presented by Diffie and Hellman for cryptanalysis of the DES algorithm.
Incorrect answers:
Man-in-the-Middle Attack
https://en.wikipedia.org/wiki/Man-in-the-middle_attack
In cryptography and computer security, a man-in-the-middle is a cyberattack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other.
Replay attack
https://en.wikipedia.org/wiki/Replay_attack
A replay attack (also known as a playback attack) is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and re-transmits it, possibly as part of a spoofing attack by IP packet substitution. This is one of the lower-tier versions of a man-in-the-middle attack. Another way of describing such an attack is: "an attack on a security protocol using replay of messages from a different context into the intended (or original and expected) context, thereby fooling the honest participant(s) into thinking they have successfully completed the protocol run."
Traffic analysis attack
https://en.wikipedia.org/wiki/Traffic_analysis
Similar to eavesdropping attacks, traffic analysis attacks are based on what the attacker hears in the network. However, in this type of attack, the attacker does not have to compromise the actual data. The attacker simply listens to the network communication and performs traffic analysis to determine the location of key nodes, the routing structure, and even application behavior patterns. Traffic analysis can be used to break the anonymity of anonymous networks, e.g., Tor. There are two methods of traffic-analysis attack, passive and active.
· In the passive traffic-analysis method, the attacker extracts features from the traffic of a specific flow on one side of the network and looks for those features on the other side of the network.
· In the active traffic-analysis method, the attacker alters the timings of the packets of a flow according to a specific pattern and looks for that pattern on the other side of the network; therefore, the attacker can link the flows on one side to the other side of the network and break its anonymity. It has been shown that, although timing noise is added to the packets, there are active traffic analysis methods robust against such noise.
Question 23 of 65
23. Question
Identify the standard from the description: a regulation containing a set of guidelines that everyone who processes electronic data in medicine should adhere to. It includes information on medical practices, ensuring that all necessary measures are in place when saving, accessing, and sharing electronic medical data in order to secure patient data.
Correct
Correct answer: HIPAA Explanation: https://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act The Health Insurance Portability and Accountability Act of 1996 (HIPAA or the Kennedy-Kassebaum Act) is a United States federal statute enacted by the 104th United States Congress and signed into law by President Bill Clinton on August 21, 1996. It was created primarily to modernize the flow of healthcare information, stipulate how personally identifiable information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and address limitations on healthcare insurance coverage. The act consists of five titles. Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. Title III sets guidelines for pre-tax medical spending accounts. Title IV sets guidelines for group health plans, and Title V governs company-owned life insurance policies. Incorrect answers: FISMA https://en.wikipedia.org/wiki/Federal_Information_Security_Management_Act_of_2002 The Federal Information Security Management Act of 2002 (FISMA, 44 U.S.C. § 3541, et seq.) is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002 (Pub.L. 107-347, 116 Stat. 2899). The act recognized the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
FISMA has brought attention within the federal government to cybersecurity and explicitly emphasized a "risk-based policy for cost-effective security." FISMA requires agency program officials, chief information officers, and inspectors general (IGs) to conduct annual reviews of the agency's information security program and report the results to the Office of Management and Budget (OMB). OMB uses this data to assist in its oversight responsibilities and to prepare its annual report to Congress on agency compliance with the act. In FY 2008, federal agencies spent $6.2 billion securing the government's total information technology investment of approximately $68 billion, or about 9.2 percent of the total information technology portfolio. ISO/IEC 27002 https://en.wikipedia.org/wiki/ISO/IEC_27002 ISO/IEC 27002 is an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), titled "Information technology - Security techniques - Code of practice for information security controls". The ISO/IEC 27000-series standards are descended from a corporate security standard donated by Shell to a UK government initiative in the early 1990s. The Shell standard was developed into British Standard BS 7799 in the mid-1990s and was adopted as ISO/IEC 17799 in 2000. The ISO/IEC standard was revised in 2005 and renumbered ISO/IEC 27002 in 2007 to align with the other ISO/IEC 27000-series standards. It was revised again in 2013. Later, in 2015, ISO/IEC 27017 was created from that standard to suggest additional security controls for the cloud that were not completely defined in ISO/IEC 27002. COBIT https://en.wikipedia.org/wiki/COBIT COBIT (Control Objectives for Information and Related Technologies) is a framework created by ISACA for information technology (IT) management and IT governance.
The framework defines a set of generic processes for the management of IT, with each process defined together with its inputs and outputs, key process activities, process objectives, performance measures and an elementary maturity model.
Question 24 of 65
24. Question
What is meant by a "rubber-hose" attack in cryptography?
Correct
https://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis A powerful and often the most effective cryptanalysis method in which the attack is directed at the most vulnerable link in the cryptosystem – the person. In this attack, the cryptanalyst uses blackmail, threats, torture, extortion, bribery, etc. This method's main advantage is the decryption time's fundamental independence from the volume of secret information, the length of the key, and the cipher's mathematical strength. The method can reduce the time to guess a password, for example, for AES, to an acceptable level; however, it requires special authorization from the relevant regulatory authorities. Therefore, it is outside the scope of this course and is not considered in its practical part. (Pss, it's a joke, ok? ^_^)
Question 25 of 65
25. Question
The Web development team is holding an urgent meeting, as they have received information from testers about a new vulnerability in their Web software. They make an urgent decision to reduce the likelihood of the vulnerability being exploited. The team decides to modify the software requirements to disallow users from entering HTML as input into their Web application. What type of vulnerability did the test team find?
Correct
There is no single, standardized classification of cross-site scripting flaws, but most experts distinguish between at least two primary flavors of XSS flaws: non-persistent and persistent. In this question, we consider the non-persistent cross-site scripting vulnerability. The non-persistent (or reflected) cross-site scripting vulnerability is by far the most basic type of web vulnerability. These holes show up when the data provided by a web client, most commonly in HTTP query parameters (e.g. an HTML form submission), is used immediately by server-side scripts to parse and display a page of results for and to that user, without properly sanitizing the content. Because HTML documents have a flat, serial structure that mixes control statements, formatting, and the actual content, any non-validated user-supplied data included in the resulting page without proper HTML encoding may lead to markup injection. A classic example of a potential vector is a site search engine: if one searches for a string, the search string will typically be redisplayed verbatim on the result page to indicate what was searched for. If this response does not properly escape or reject HTML control characters, a cross-site scripting flaw will ensue. Incorrect answers: Website defacement vulnerability Website defacements are the unauthorized modification of web pages, including the addition, removal, or alteration of existing content. These attacks are commonly carried out by hacktivists, who compromise a website or web server and replace or alter the hosted website information with their own messages. SQL injection vulnerability https://en.wikipedia.org/wiki/SQL_injection SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).
SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and is unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database. Cross-site Request Forgery vulnerability https://en.wikipedia.org/wiki/Cross-site_request_forgery Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website where unauthorized commands are submitted from a user that the web application trusts. There are many ways in which a malicious website can transmit such commands; specially-crafted image tags, hidden forms, and JavaScript XMLHttpRequests, for example, can all work without the user's interaction or even knowledge. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.
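To make the reflected-XSS flaw and the two remediation options concrete, here is an added example in Python (not code from the quiz or from any real application; the results-page template and the tester's probe string are constructed for the demo): render_vulnerable reflects the search string verbatim as the explanation describes, accepts_only_plain_text is the input-side rule the development team in the question chose, and render_hardened applies the standard output-encoding fix, which protects the page regardless of what the user typed. reflects_markup is the kind of simple oracle a test team would use to flag the flaw.

```python
import html

# Constructed results page: the search string is reflected in two contexts,
# as element text inside <h1> and inside a quoted attribute value.
RESULTS_PAGE = (
    "<html><body>"
    "<h1>Results for: {text}</h1>"
    '<input type="text" name="q" value="{attr}">'
    "</body></html>"
)


def render_vulnerable(query):
    """Reflected XSS: the client-supplied query is placed into the page verbatim,
    so any markup it carries becomes part of the document structure."""
    return RESULTS_PAGE.format(text=query, attr=query)


def render_hardened(query):
    """Output encoding: every reflected copy is HTML-entity encoded.
    quote=True also encodes ' and " so a value cannot break out of the attribute."""
    safe = html.escape(query, quote=True)
    return RESULTS_PAGE.format(text=safe, attr=safe)


def accepts_only_plain_text(query):
    """Input validation as chosen by the team in the question: refuse any query
    containing HTML markup characters. A useful extra layer, but it only covers
    this entry point, so it complements output encoding rather than replacing it."""
    return not any(ch in query for ch in "<>")


def reflects_markup(rendered, query):
    """Tester's oracle: does a query containing markup characters appear in the
    response unchanged? True means the page reflects input without encoding."""
    return any(ch in query for ch in "<>") and query in rendered


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"  # constructed tester probe string
    print("vulnerable reflects markup:", reflects_markup(render_vulnerable(probe), probe))
    print("hardened reflects markup:  ", reflects_markup(render_hardened(probe), probe))
    print("input rule accepts probe:  ", accepts_only_plain_text(probe))
```

The hardened version leaves ordinary searches untouched while turning markup into inert text, which is why output encoding at the point of reflection is the primary fix; the input-side rule from the question reduces the attack surface but has to be repeated for every parameter that reaches a page.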
Question 26 of 65
26. Question
Identify the Bluetooth attack technique that is used to send messages to users without the recipient's consent, for example in guerrilla marketing campaigns.
Correct
https://en.wikipedia.org/wiki/Bluejacking Bluejacking is the sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones, PDAs or laptop computers, sending a vCard which typically contains a message in the name field (e.g., for bluedating or bluechat) to another Bluetooth-enabled device via the OBEX protocol. Bluejacking is usually harmless, but because bluejacked people generally don't know what has happened, they may think that their phone is malfunctioning. Usually, a bluejacker will only send a text message, but with modern phones it's possible to send images or sounds as well. Bluejacking has been used in guerrilla marketing campaigns to promote advergames. Bluejacking is also confused with Bluesnarfing, which is the way in which mobile phones are illegally hacked via Bluetooth. Incorrect answers: Bluesmacking Bluesmack is a cyber attack carried out against Bluetooth-enabled devices. The attack uses the L2CAP (Logical Link Control and Adaptation Protocol) layer to transfer an oversized packet to the Bluetooth-enabled device, resulting in a Denial of Service (DoS). The attack can be performed only within a very limited range, usually around 10 meters for smartphones. For laptops, it can reach up to 100 meters with powerful transmitters. Bluesnarfing https://en.wikipedia.org/wiki/Bluesnarfing Bluesnarfing is the unauthorized access of information from a wireless device through a Bluetooth connection, often between phones, desktops, laptops, and PDAs (personal digital assistants). This allows access to calendars, contact lists, emails and text messages, and on some phones, users can copy pictures and private videos. Both Bluesnarfing and Bluejacking exploit others' Bluetooth connections without their knowledge. While Bluejacking is essentially harmless as it only transmits data to the target device, Bluesnarfing is the theft of information from the target device.
Bluebugging https://en.wikipedia.org/wiki/Bluebugging Bluebugging is a form of Bluetooth attack often caused by a lack of awareness. It was developed after the onset of bluejacking and bluesnarfing. Similar to bluesnarfing, bluebugging accesses and uses all phone features but is limited by the transmitting power of class 2 Bluetooth radios, normally capping its range at 10-15 meters.
Question 27 of 65
27. Question
Which of the following can be designated as “Wireshark for CLI”?
Correct
https://www.tcpdump.org/ Tcpdump is a data-network packet analyzer computer program that runs under a command-line interface. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. Distributed under the BSD license, tcpdump is free software. https://www.wireshark.org/ Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. NOTE: Wireshark is very similar to tcpdump, but has a graphical front-end, plus some integrated sorting and filtering options. Incorrect answers: Nessus https://www.tenable.com/ Nessus is a program for automatically searching for known flaws in the protection of information systems. It is able to detect the most common types of vulnerabilities, for example: · Availability of vulnerable versions of services or domains; · Configuration errors (for example, no need for authorization on the SMTP server); · The presence of default passwords, blank, or weak passwords; The program has a client-server architecture, which greatly expands the scanning capabilities. Ethereal – the project was renamed Wireshark in May 2006 due to trademark issues. John the Ripper https://en.wikipedia.org/wiki/John_the_Ripper John the Ripper is a free password cracking software tool.
Question 28 of 65
28. Question
Alex, the penetration tester, performs a server scan. To do this, he uses a method in which the TCP header is split across many packets, so that it becomes difficult to determine what the packets are for. Which scanning technique does Alex use?
Correct
https://en.wikipedia.org/wiki/IP_fragmentation_attack IP fragmentation attacks are a kind of computer security attack based on how the Internet Protocol (IP) requires data to be transmitted and processed. Specifically, it invokes IP fragmentation, a process used to partition messages (the service data unit (SDU); typically a packet) from one layer of a network into multiple smaller payloads that can fit within the lower layer‘s protocol data unit (PDU). Every network link has a maximum size of messages that may be transmitted, called the maximum transmission unit (MTU). If the SDU plus metadata added at the link-layer exceeds the MTU, the SDU must be fragmented. IP fragmentation attacks exploit this process as an attack vector. Part of the TCP/IP suite is the Internet Protocol (IP) which resides at the Internet Layer of this model. IP is responsible for the transmission of packets between network end points. IP includes some features which provide basic measures of fault-tolerance (time to live, checksum), traffic prioritization (type of service) and support for the fragmentation of larger packets into multiple smaller packets (ID field, fragment offset). The support for fragmentation of larger packets provides a protocol allowing routers to fragment a packet into smaller packets when the original packet is too large for the supporting datalink frames. IP fragmentation exploits (attacks) use the fragmentation protocol within IP as an attack vector. Incorrect answers: ACK scanning https://en.wikipedia.org/wiki/Port_scanner#ACK_scanning ACK scanning is one of the more unusual scan types, as it does not exactly determine whether the port is open or closed, but whether the port is filtered or unfiltered. This is especially good when attempting to probe for the existence of a firewall and its rulesets. Simple packet filtering will allow established connections (packets with the ACK bit set), whereas a more sophisticated stateful firewall might not. 
TCP scanning https://en.wikipedia.org/wiki/Port_scanner#TCP_scanning The simplest port scanners use the operating system‘s network functions and are generally the next option to go to when SYN is not a feasible option (described next). Nmap calls this mode connect scan, named after the Unix connect() system call. If a port is open, the operating system completes the TCP three-way handshake, and the port scanner immediately closes the connection to avoid performing a Denial-of-service attack. Otherwise an error code is returned. This scan mode has the advantage that the user does not require special privileges. However, using the OS network functions prevents low-level control, so this scan type is less common. This method is “noisy”, particularly if it is a “portsweep”: the services can log the sender IP address and Intrusion detection systems can raise an alarm. Inverse TCP flag scanning Inverse TCP flag scanning works by sending TCP probe packets with or without TCP flags. Based on the response, it is possible to determine whether the port is open or closed. If there is no response, then the port is open. If the response is RST, then the port is closed.
Question 29 of 65
29. Question
Elon plans to make it difficult for the packet filter to determine the purpose of the packet when scanning. Which of the following scanning techniques will Elon use?
Correct
SYN/FIN scanning using IP fragments is a process of scanning that was developed to avoid false positives generated by other scans because of a packet filtering device on the target system. The TCP header splits into several packets to evade the packet filter. For any transmission, every TCP header must have the source and destination port for the initial packet (8-octet, 64-bit). The initialized flags in the next packet allow the remote host to reassemble the packets upon receipt via an Internet protocol module that detects the fragmented data packets using field-equivalent values of the source, destination, protocol, and identification. Incorrect answers: ICMP scanning The Internet Control Message Protocol (ICMP) is like the TCP protocol; both support protocols in the internet protocol suite. ICMP is used for checking live systems; ping is the most well-known utility that uses ICMP requests. Its principle is very simple: ICMP scanning sends requests to hosts and waits for an echo request to check whether the system is alive. ACK scanning ACK scanning is one of the more unusual scan types, as it does not exactly determine whether the port is open or closed, but whether the port is filtered or unfiltered. This is especially good when attempting to probe for the existence of a firewall and its rulesets. IPID scanning https://en.wikipedia.org/wiki/Idle_scan Idle scans take advantage of the predictable Identification field value from the IP header: every IP packet from a given source has an ID that uniquely identifies fragments of an original IP datagram; the protocol implementation assigns values to this mandatory field generally by a fixed value (1) increment. Because transmitted packets are numbered in a sequence, you can say how many packets are transmitted between two packets that you receive. An attacker would first scan for a host with a sequential and predictable sequence number (IPID).
The latest versions of Linux, Solaris, OpenBSD, and Windows Vista are not suitable as zombies, since the IPID has been implemented with patches that randomize the IPID. Computers chosen to be used in this stage are known as “zombies”. Once a suitable zombie is found, the next step would be to try to establish a TCP connection with a given service (port) of the target system, impersonating the zombie. It is done by sending a SYN packet to the target computer, spoofing the IP address of the zombie, i.e. with the source address equal to the zombie IP address. If the port of the target computer is open, it will accept the connection for the service, responding with a SYN/ACK packet back to the zombie. The zombie computer will then send a RST packet to the target computer (to reset the connection) because it did not actually send the SYN packet in the first place. Since the zombie had to send the RST packet, it will increment its IPID. This is how an attacker would find out if the target‘s port is open. The attacker will send another packet to the zombie. If the IPID is incremented only by a step, then the attacker would know that the particular port is closed. The method assumes that the zombie has no other interactions: if there is any message sent for other reasons between the first interaction of the attacker with the zombie and the second interaction other than the RST message, there will be a false positive.
Question 30 of 65
30. Question
Mark, the network administrator, must allow UDP traffic on the host 10.0.0.3 and Internet traffic on the host 10.0.0.2. In addition to the main task, he needs to allow all FTP traffic to the rest of the network and deny all other traffic. Mark applies his ACL configuration on the router, and everyone has a problem accessing FTP. In addition, the hosts that are allowed access to the Internet cannot connect to it. Based on the following configuration, determine what happened on the network.
access-list 102 deny tcp any any
access-list 104 permit udp host 10.0.0.3 any
access-list 110 permit tcp host 10.0.0.2 eq www any
access-list 108 permit tcp any eq ftp any
Correct
https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html
Since the first line prohibits any TCP traffic (access-list 102 deny tcp any any), the lines below will simply be ignored by the router. Below you will find the example from CISCO documentation.
This figure shows that FTP (TCP, port 21) and FTP data (port 20) traffic sourced from NetB destined to NetA is denied, while all other IP traffic is permitted.
FTP uses port 21 and port 20. TCP traffic destined to port 21 and port 20 is denied and everything else is explicitly permitted.
access-list 102 deny tcp any any eq ftp
access-list 102 deny tcp any any eq ftp-data
access-list 102 permit ip any any
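As an added illustration (not from the test or from Cisco's documentation), the following Python models the first-match evaluation behind the explanation above. It treats the four lines as one ordered list, as the explanation does; the reordered list, the named-port table, the shadow check and the sample flows are constructed for this example.

```python
"""Constructed example: first-match evaluation of Cisco-style extended ACL lines."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Named ports used by the lines on this page (constructed lookup table).
PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20}


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    src: Optional[str]     # None means "any"
    sport: Optional[int]   # None means any source port
    dst: Optional[str]
    dport: Optional[int]


def _parse_port(name: str) -> int:
    return PORT_NAMES[name] if name in PORT_NAMES else int(name)


def _take_addr(tokens: List[str], i: int):
    """Consume 'any' or 'host X', plus an optional 'eq PORT', starting at tokens[i]."""
    if tokens[i] == "any":
        addr, i = None, i + 1
    elif tokens[i] == "host":
        addr, i = tokens[i + 1], i + 2
    else:
        raise ValueError(f"unsupported address spec: {tokens[i]}")
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = _parse_port(tokens[i + 1]), i + 2
    return addr, port, i


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' line."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(line)
    action, proto = t[2], t[3]
    src, sport, i = _take_addr(t, 4)
    dst, dport, _ = _take_addr(t, i)
    return Ace(action, proto, src, sport, dst, dport)


def matches(ace: Ace, proto: str, src: str, sport: int, dst: str, dport: int) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    for want, have in ((ace.src, src), (ace.sport, sport), (ace.dst, dst), (ace.dport, dport)):
        if want is not None and want != have:
            return False
    return True


def evaluate(acl: List[Ace], proto, src, sport, dst, dport) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins; no match falls through to the implicit deny."""
    for idx, ace in enumerate(acl):
        if matches(ace, proto, src, sport, dst, dport):
            return ace.action, idx
    return "deny", None


def _covers(a: Ace, b: Ace) -> bool:
    """True if every packet matching b also matches a (a is at least as broad)."""
    return (a.proto == "ip" or a.proto == b.proto) and all(
        x is None or x == y
        for x, y in ((a.src, b.src), (a.sport, b.sport), (a.dst, b.dst), (a.dport, b.dport)))


def shadowed_entries(acl: List[Ace]) -> List[int]:
    """Indices of entries that can never be hit because an earlier entry covers them."""
    return [j for j in range(len(acl)) if any(_covers(acl[i], acl[j]) for i in range(j))]


# The four lines from the question, in the order given.
BROKEN_ACL = [parse_ace(l) for l in (
    "access-list 102 deny tcp any any",
    "access-list 104 permit udp host 10.0.0.3 any",
    "access-list 110 permit tcp host 10.0.0.2 eq www any",
    "access-list 108 permit tcp any eq ftp any",
)]
# Constructed reordering: the permits precede the blanket deny.
REORDERED_ACL = [BROKEN_ACL[1], BROKEN_ACL[2], BROKEN_ACL[3], BROKEN_ACL[0]]
# The three-line example quoted from Cisco's documentation.
CISCO_EXAMPLE_ACL = [parse_ace(l) for l in (
    "access-list 102 deny tcp any any eq ftp",
    "access-list 102 deny tcp any any eq ftp-data",
    "access-list 102 permit ip any any",
)]

if __name__ == "__main__":
    print("shadowed in broken list:", shadowed_entries(BROKEN_ACL))
    print("web from 10.0.0.2:", evaluate(BROKEN_ACL, "tcp", "10.0.0.2", 80, "203.0.113.9", 51000))
    print("ftp, broken:", evaluate(BROKEN_ACL, "tcp", "10.0.0.7", 21, "10.0.0.9", 51001))
    print("ftp, reordered:", evaluate(REORDERED_ACL, "tcp", "10.0.0.7", 21, "10.0.0.9", 51001))
```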
Question 31 of 65
31. Question
Wireshark is one of the most important tools for a cybersecurity specialist. It is used for network troubleshooting, analysis, software, etc. And you often have to work with a packet bytes pane. In what format is the data presented in this pane?
NOTE: One thing is important to understand: there is no standard for parsers, at least for now. No one will force you, when developing your product (for example, an IDS), to create a rule language the same as that of Snort. The question does not specify the manufacturer, and although the example clearly hints at the Snort rules, other manufacturers can use the same syntax for anything. In some products, you may not even see the syntax at all because you may only have access to the graphical user interface, for example in cloud services, where the stratification of services by levels of abstraction is most clearly visible.
Question 33 of 65
33. Question
Your company has a risk assessment, and according to its results, the risk of a breach in the main company application is 40%. Your cybersecurity department has made changes to the application and requested a re-assessment of the risks. The assessment showed that the risk fell to 12%, with a risk threshold of 20%. Which of the following options would be the best from a business point of view?
Correct
Risk Mitigation
Risk mitigation can be defined as taking steps to reduce adverse effects. There are four types of risk mitigation strategies that are unique to Business Continuity and Disaster Recovery. When mitigating risk, it’s important to develop a strategy that closely relates to and matches your company’s profile.
Risk Acceptance
Risk acceptance does not reduce any effects; however, it is still considered a strategy. This strategy is a common option when the cost of other risk management options such as avoidance or limitation may outweigh the cost of the risk itself. A company that doesn’t want to spend a lot of money on avoiding risks that do not have a high possibility of occurring will use the risk acceptance strategy.
Risk Avoidance
Risk avoidance is the opposite of risk acceptance. It is the action that avoids any exposure to the risk whatsoever. It’s important to note that risk avoidance is usually the most expensive of all risk mitigation options.
Risk Limitation
Risk limitation is the most common risk management strategy used by businesses. This strategy limits a company’s exposure by taking some action. It is a strategy employing a bit of risk acceptance and a bit of risk avoidance, or an average of both. An example of risk limitation would be a company accepting that a disk drive may fail and avoiding a long period of failure by having backups.
Risk Transference
Risk transference is the involvement of handing risk off to a willing third party. For example, numerous companies outsource certain operations such as customer service, payroll services, etc. This can be beneficial for a company if a transferred risk is not a core competency of that company. It can also be used so a company can focus more on its core competencies.
NOTE: On my own, I would like to add. It is possible to create absolute protection (0% risk), but with an increase in protection, the system‘s complexity also grows (and monetary costs, of course). At some point, you can get a complete absence of risks and clients. So you have to compromise and take some risks. This is a profound and interesting topic.
Question 34 of 65
34. Question
Ivan, a black hat hacker, sends partial HTTP requests to the target web server to exhaust the target server’s maximum concurrent connection pool. He wants to ensure that all additional connection attempts are rejected. What type of attack does Ivan implement?
Correct
https://en.wikipedia.org/wiki/Slowloris_(computer_security) Slowloris is a type of denial-of-service attack tool which allows a single machine to take down another machine’s web server with minimal bandwidth and side effects on unrelated services and ports. Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it sends subsequent HTTP headers, adding to, but never completing, the request. Affected servers keep these connections open, filling their maximum concurrent connection pool and eventually denying additional connection attempts from clients. The program was named after slow lorises, a group of primates known for their slow movement.
Incorrect answers:
HTTP GET/POST (HTTP Flood) https://en.wikipedia.org/wiki/HTTP_Flood HTTP Flood is a type of Distributed Denial of Service (DDoS) attack in which the attacker floods a web server or application with unwanted HTTP GET and POST requests. These attacks often use interconnected computers that have been taken over with the aid of malware such as Trojan horses. Instead of using malformed packets, spoofing and reflection techniques, HTTP floods require less bandwidth to attack the targeted sites or servers.
Spoofed Session Flood: Fake session attacks try to bypass security under the disguise of a valid TCP session by carrying a SYN, multiple ACK and one or more RST or FIN packets. This attack can bypass defence mechanisms that only monitor incoming traffic on the network. These DDoS attacks can also exhaust the target’s resources and result in a complete system shutdown or unacceptable system performance.
Fragmentation https://en.wikipedia.org/wiki/IP_fragmentation_attack IP fragmentation attacks are a kind of computer security attack based on how the Internet Protocol (IP) requires data to be transmitted and processed. Specifically, it invokes IP fragmentation, a process used to partition messages (the service data unit (SDU); typically a packet) from one layer of a network into multiple smaller payloads that can fit within the lower layer’s protocol data unit (PDU). Every network link has a maximum size of messages that may be transmitted, called the maximum transmission unit (MTU). If the SDU plus metadata added at the link layer exceeds the MTU, the SDU must be fragmented. IP fragmentation attacks exploit this process as an attack vector. Part of the TCP/IP suite is the Internet Protocol (IP), which resides at the Internet layer of this model. IP is responsible for the transmission of packets between network endpoints. IP includes some features which provide basic measures of fault tolerance (time to live, checksum), traffic prioritization (type of service) and support for the fragmentation of larger packets into multiple smaller packets (ID field, fragment offset). The support for fragmentation of larger packets provides a protocol allowing routers to fragment a packet into smaller packets when the original packet is too large for the supporting data-link frames. IP fragmentation exploits (attacks) use the fragmentation protocol within IP as an attack vector.
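A defender-side check for the pattern described above, added here as an example; it is not code from the original page or from the Slowloris project. It assumes a web server or reverse proxy can export per-connection state (client address, connection age, whether the request headers have been fully received); that record layout, the client addresses and the thresholds are constructed assumptions, and the sample records are constructed. The check flags sources holding many connections whose request headers are still incomplete after a timeout, which is exactly what partial, never-completed requests look like from the server side.

```python
"""Flag clients holding many half-open HTTP requests (Slowloris pattern).

Added example, not from the original page. It assumes a web server or proxy
exports per-connection state as records with: client IP, connection age in
seconds, and whether the request headers have been fully received. The
thresholds below are illustrative assumptions, not any product's defaults.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass(frozen=True)
class ConnState:
    client: str             # source IP address (constructed sample values below)
    age_s: float            # seconds since the TCP connection was accepted
    headers_complete: bool  # has the server seen the header-terminating blank line?


def slowloris_suspects(conns: Iterable[ConnState],
                       header_timeout_s: float = 20.0,
                       max_stalled_per_client: int = 10) -> Dict[str, int]:
    """Return {client: stalled_count} for clients at or above the threshold.

    A connection is 'stalled' when its headers are still incomplete after
    header_timeout_s. A normal browser finishes its headers in well under a
    second, so many long-lived incomplete requests from one source is the
    server-side signature of connections being held open by partial requests.
    """
    stalled: Dict[str, int] = defaultdict(int)
    for c in conns:
        if not c.headers_complete and c.age_s >= header_timeout_s:
            stalled[c.client] += 1
    return {ip: n for ip, n in stalled.items() if n >= max_stalled_per_client}


# Constructed sample: one legitimate client with completed requests, one source
# holding 12 partial requests for 30+ seconds, and one fresh incomplete request.
SAMPLE = [ConnState("203.0.113.7", 0.4, True), ConnState("203.0.113.7", 35.0, True)]
SAMPLE += [ConnState("198.51.100.9", 30.0 + i, False) for i in range(12)]
SAMPLE += [ConnState("192.0.2.5", 3.0, False)]   # still within the header timeout

if __name__ == "__main__":
    print(slowloris_suspects(SAMPLE))   # {'198.51.100.9': 12}
```

The same idea is what production servers implement as a header-receive timeout and a per-client connection cap (for example Apache's mod_reqtimeout or nginx's client_header_timeout): a connection that has not finished its headers within a few seconds is closed, so the pool cannot be filled by partial requests in the first place.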
Question 35 of 65
35. Question
Maria conducted a successful attack and gained access to a Linux server. She wants to ensure that the NIDS will not catch the subsequent outgoing traffic from this server in the future. Which of the following is the best way to avoid detection by the NIDS?
Correct
https://www.techrepublic.com/article/avoid-these-five-common-ids-implementation-errors/ When the NIDS encounters encrypted traffic, the only analysis it can perform is packet-level analysis, since the application-layer contents are inaccessible. Given that exploits against today’s networks are primarily targeted against network services (application-layer entities), the packet-level analysis ends up doing very little to protect our core business assets.
Question 36 of 65
36. Question
Philip, a cybersecurity specialist, needs a tool that can function as a network sniffer, record network activity, and prevent and detect network intrusions. Which of the following tools is suitable for Philip?
Correct
https://en.wikipedia.org/wiki/Snort_(software) Snort is a free, open-source network intrusion detection system (IDS) and intrusion prevention system (IPS) created in 1998 by Martin Roesch, founder and former CTO of Sourcefire. Snort is now developed by Cisco, which purchased Sourcefire in 2013. Snort’s open-source network-based IDS/IPS can perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks. Snort performs protocol analysis and content searching and matching. The program can also be used to detect probes or attacks, including, but not limited to, operating system fingerprinting attempts, semantic URL attacks, buffer overflows, server message block probes, and stealth port scans.
Snort can be configured in three main modes: 1. sniffer, 2. packet logger, and 3. network intrusion detection.
Sniffer mode: the program reads network packets and displays them on the console.
Packet logger mode: the program logs packets to disk.
Network intrusion detection system mode: the program monitors network traffic and analyzes it against a rule set defined by the user, then performs a specific action based on what has been identified.
Incorrect answers:
Nmap https://en.wikipedia.org/wiki/Nmap Nmap (Network Mapper) is a free and open-source network scanner created by Gordon Lyon (also known by his pseudonym Fyodor Vaskovich). Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses. Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection. These features are extensible by scripts that provide more advanced service detection, vulnerability detection, and other features. Nmap can adapt to network conditions including latency and congestion during a scan.
Cain & Abel https://en.wikipedia.org/wiki/Cain_and_Abel Cain and Abel (often abbreviated to Cain) is a password recovery tool for Microsoft Windows. It can recover many kinds of passwords using methods such as network packet sniffing and cracking various password hashes by using methods such as dictionary attacks, brute force and cryptanalysis attacks. Cryptanalysis attacks are done via rainbow tables, which can be generated with the winrtgen.exe program provided with Cain and Abel. Cain and Abel is maintained by Massimiliano Montoro and Sean Babcock.
Nessus https://en.wikipedia.org/wiki/Nessus_(software) Nessus is a proprietary vulnerability scanner developed by Tenable, Inc.
Question 37 of 65
37. Question
Ivan, the black hat hacker, split the attack traffic into many packets such that no single packet triggers the IDS. Which IDS evasion technique does Ivan use?
Correct
https://en.wikipedia.org/wiki/Intrusion_detection_system_evasion_techniques#Fragmentation_and_small_packets One basic technique is to split the attack payload into multiple small packets so that the IDS must reassemble the packet stream to detect the attack. A simple way of splitting packets is by fragmenting them, but an adversary can also simply craft packets with small payloads. The ‘whisker’ evasion tool calls crafting packets with small payloads ‘session splicing’. By themselves, small packets will not evade any IDS that reassembles packet streams. However, small packets can be further modified in order to complicate reassembly and detection. One evasion technique is to pause between sending parts of the attack, hoping that the IDS will time out before the target computer does. A second evasion technique is to send the packets out of order, confusing simple packet reassemblers but not the target computer.
Incorrect answers:
Unicode evasion: Using Unicode representation, where each character has a unique value regardless of the platform, program, or language, is also an effective way to evade IDSs. For example, an attacker might evade an IDS by using the Unicode character c1 to represent a slash in a web page request.
Flooding https://en.wikipedia.org/wiki/Denial-of-service_attack Flood attacks are also known as Denial of Service (DoS) attacks. In a flood attack, attackers send a very high volume of traffic to a system so that it cannot examine and allow permitted network traffic. For example, an ICMP flood attack occurs when a system receives too many ICMP ping commands and must use all its resources to send reply commands.
Low-bandwidth attacks https://en.wikipedia.org/wiki/Intrusion_detection_system_evasion_techniques#Low-bandwidth_attacks Attacks which are spread out across a long period of time or a large number of source IPs, such as nmap’s slow scan, can be difficult to pick out of the background of benign traffic. An online password cracker which tests one password for each user every day will look nearly identical to a normal user who mistyped their password.
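As an added example (not code from the original page or from any IDS project), the following toy reassembler shows concretely why the text says small packets alone do not evade an IDS that reassembles streams: a per-packet content match misses a signature that has been split across 3-byte segments delivered out of order, while matching on the reassembled stream finds it, and a missing segment is reported as a gap rather than silently matched. The segments, the signature string and the first-wins overlap policy are constructed assumptions.

```python
"""Why an IDS must reassemble streams before content matching.

Added example, not from the original page or any IDS. Segments carry a
sequence number and payload (constructed); the signature is a constructed
content-match string; the reassembler orders segments by sequence number,
tolerates out-of-order arrival, resolves overlaps first-wins, and reports
None while a hole remains.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Segment:
    seq: int      # sequence number of the first payload byte
    data: bytes


SIGNATURE = b"/etc/passwd"   # constructed stand-in for an IDS rule's content match


def per_packet_match(segments: List[Segment], sig: bytes = SIGNATURE) -> bool:
    """Naive detector: inspects each packet in isolation (what splicing defeats)."""
    return any(sig in s.data for s in segments)


def reassemble(segments: List[Segment], isn: int) -> Optional[bytes]:
    """Rebuild the byte stream starting at isn; return None if a hole remains.

    Overlapping or duplicate bytes are resolved first-wins. Real IDSs must
    mirror the *target* host's overlap policy, or an attacker can feed the IDS
    and the host different reassembled streams; this toy ignores that subtlety.
    """
    buf = bytearray()
    expected = isn
    for s in sorted(segments, key=lambda s: s.seq):
        if s.seq > expected:          # gap: a segment has not arrived
            return None
        offset = expected - s.seq     # bytes of this segment already covered
        if offset < len(s.data):
            buf += s.data[offset:]
            expected = s.seq + len(s.data)
    return bytes(buf)


def stream_match(segments: List[Segment], isn: int, sig: bytes = SIGNATURE) -> bool:
    """Detector that matches on the reassembled stream, as the text recommends."""
    stream = reassemble(segments, isn)
    return stream is not None and sig in stream


# Constructed: one request split into 3-byte segments and delivered in reverse order.
REQUEST = b"GET /etc/passwd HTTP/1.0\r\n\r\n"
ISN = 1000
SPLIT = [Segment(ISN + i, REQUEST[i:i + 3]) for i in range(0, len(REQUEST), 3)]
OUT_OF_ORDER = SPLIT[::-1]

if __name__ == "__main__":
    print("per-packet:", per_packet_match(OUT_OF_ORDER))   # False
    print("stream:    ", stream_match(OUT_OF_ORDER, ISN))  # True
```

The pause-between-segments trick mentioned in the text attacks exactly the `expected` bookkeeping here: an IDS that drops its partial buffer after a short timeout returns to the per-packet case, so reassembly timeouts should be at least as generous as the protected host's.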
Question 38 of 65
38. Question
You make a series of interactive queries, choosing subsequent plaintexts based on the information from the previous encryptions. What type of attack are you trying to perform?
Correct
An adaptive chosen-plaintext attack is a chosen-plaintext attack scenario in which the attacker can choose the inputs to the encryption function based on the previous chosen-plaintext queries and their corresponding ciphertexts. The scenario is clearly more powerful than the basic chosen-plaintext attack but is probably less practical in real life, since it requires interaction between the attacker and the encryption device.
Incorrect answers:
Chosen-plaintext attack https://en.wikipedia.org/wiki/Chosen-plaintext_attack A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which presumes that the attacker can obtain the ciphertexts for arbitrary plaintexts. The goal of the attack is to gain information that reduces the security of the encryption scheme. Modern ciphers aim to provide semantic security, also known as ciphertext indistinguishability under chosen-plaintext attack, and are therefore by design generally immune to chosen-plaintext attacks if correctly implemented.
Ciphertext-only attack https://en.wikipedia.org/wiki/Ciphertext-only_attack A ciphertext-only attack (COA) or known-ciphertext attack is an attack model for cryptanalysis where the attacker is assumed to have access only to a set of ciphertexts. While the attacker has no channel providing access to the plaintext prior to encryption, in all practical ciphertext-only attacks the attacker still has some knowledge of the plaintext. For instance, the attacker might know the language in which the plaintext is written or the expected statistical distribution of characters in the plaintext. Standard protocol data and messages are commonly part of the plaintext in many deployed systems and can usually be guessed or known efficiently as part of a ciphertext-only attack on these systems.
Known-plaintext attack https://en.wikipedia.org/wiki/Known-plaintext_attack A known-plaintext attack (KPA) is an attack model for cryptanalysis where the attacker has access to both the plaintext (called a crib) and its encrypted version (ciphertext). These can be used to reveal further secret information such as secret keys and codebooks.
Question 39 of 65
39. Question
Which of the following is the type of violation when an unauthorized individual enters a building following an employee through the employee entrance?
Correct
The tailgating attack, also known as piggybacking, involves an attacker seeking entry to a restricted area without the proper authentication. The attacker can simply walk in behind a person who is authorized to access the area. In a typical attack scenario, a person impersonates a delivery driver loaded down with packages and waits until an employee opens their door. The attacker asks the employee to hold the door, bypassing the security measures in place (e.g., electronic access control).
Incorrect answers:
Pretexting
The term pretexting indicates the practice of presenting oneself as someone else to obtain private information. Usually, attackers create a fake identity and use it to manipulate the target into handing over information. Attackers leveraging this specific social engineering technique adopt several identities they have created. This habit could expose their operations to the investigations conducted by security experts and law enforcement.
Reverse social engineering
A reverse social engineering attack is a person-to-person attack in which an attacker convinces the target that he or she has a problem, or might have a certain problem in the future, and that he, the attacker, is ready to help solve the problem.
Question 40 of 65
40. Question
Which of the following options is a security feature on switches that leverages the DHCP snooping database to help prevent man-in-the-middle attacks?
Correct
Dynamic ARP inspection (DAI) protects switching devices against Address Resolution Protocol (ARP) packet spoofing (also known as ARP poisoning or ARP cache poisoning). DAI inspects ARP packets on the LAN and uses the information in the DHCP snooping database on the switch to validate them and to protect against ARP spoofing. ARP requests and replies are compared against entries in the DHCP snooping database, and filtering decisions are made based on the results of those comparisons. When an attacker tries to use a forged ARP packet to spoof an address, the switch compares the address with entries in the database. If the media access control (MAC) address or IP address in the ARP packet does not match a valid entry in the DHCP snooping database, the packet is dropped.
Incorrect answers:
Port security
Port security helps secure the network by preventing unknown devices from forwarding packets. When a link goes down, all dynamically locked addresses are freed. The port security feature offers the following benefits:
· You can limit the number of MAC addresses on a given port. Packets that have a matching MAC address (secure packets) are forwarded; all other packets (unsecure packets) are restricted.
· You can enable port security on a per-port basis.
Port security implements two traffic filtering methods, dynamic locking and static locking. These methods can be used concurrently.
· Dynamic locking. You can specify the maximum number of MAC addresses that can be learned on a port. The maximum number of MAC addresses is platform dependent and is given in the software Release Notes. After the limit is reached, additional MAC addresses are not learned. Only frames with an allowable source MAC address are forwarded. NOTE: If you want to set a specific MAC address for a port, set the dynamic entries to 0, then allow only packets with a MAC address matching the MAC address in the static list. Dynamically locked MAC addresses are aged out if another packet with that address is not seen within the age-out time. You can set the time-out value. Dynamically locked MAC addresses are eligible to be learned by another port. Static MAC addresses are not eligible for aging. Dynamically locked addresses can be converted to statically locked addresses.
· Static locking. You can manually specify a list of static MAC addresses for a port. Dynamically locked addresses can be converted to statically locked addresses.
DHCP relay
You can use DHCP option 82, also known as the DHCP relay agent information option, to help protect supported Juniper devices against attacks including spoofing (forging) of IP addresses and MAC addresses, and DHCP IP address starvation. In a common scenario, various hosts are connected to the network via untrusted access interfaces on the switch, and these hosts request and are assigned IP addresses from the DHCP server. Bad actors can, however, spoof DHCP requests using forged network addresses to gain an improper connection to the network.
Spanning tree: https://en.wikipedia.org/wiki/Spanning_Tree_Protocol
The Spanning Tree Protocol (STP) is a network protocol that builds a loop-free logical topology for Ethernet networks. The basic function of STP is to prevent bridge loops and the broadcast radiation that results from them. Spanning tree also allows a network design to include backup links providing fault tolerance if an active link fails. As the name suggests, STP creates a spanning tree that characterizes the relationship of nodes within a network of connected layer-2 bridges, and disables those links that are not part of the spanning tree, leaving a single active path between any two network nodes.
Question 41 of 65
41. Question
For the company, an important criterion is the immutability of the financial reports sent by the financial director to the accountant. They need to be sure that the accountant received the reports and that they haven't been changed. How can this be achieved?
Correct
File verification is the process of using an algorithm to verify the integrity of a computer file. This can be done by comparing two files bit by bit, but that requires two copies of the same file and may miss systematic corruption that occurs in both files. A more popular approach is to generate a hash of the copied file and compare it to the hash of the original file. File integrity can be compromised, usually referred to as the file becoming corrupted. A file can become corrupted in various ways: faulty storage media, transmission errors, write errors during copying or moving, software bugs, and so on. Hash-based verification ensures that a file has not been corrupted by comparing its hash value to a previously calculated value. If these values match, the file is presumed to be unmodified. Due to the nature of hash functions, hash collisions may result in false positives, but the likelihood of collisions is often negligible with random corruption. It is often desirable to verify that a file hasn't been modified in transmission or storage by untrusted parties, including malicious code such as viruses or backdoors. To verify authenticity, a classical hash function is not enough, as such functions are not designed to be collision resistant; it is computationally trivial for an attacker to cause deliberate hash collisions, meaning that a hash comparison does not detect a malicious change in the file. In cryptography, this attack is called a preimage attack. For this purpose, cryptographic hash functions are often employed. As long as the hash sums cannot be tampered with (for example, if they are communicated over a secure channel), the files can be presumed to be intact. Alternatively, digital signatures can be employed to assure tamper resistance.
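The distinction the explanation draws, worked through in code: a plain hash catches accidental corruption, a hash that travels over the same untrusted channel as the file does not catch a deliberate edit, and a check bound to a secret the attacker does not hold does. This is an added example, not code from the quiz or its sources; the report bytes and the shared key are constructed, and a keyed HMAC stands in for the digital signature the explanation mentions, since a signature would need a third-party library.

```python
"""Hash-based file verification versus keyed (signature-like) verification.

Added example. The report content and the key are constructed for the demo;
nothing is read from disk. HMAC-SHA256 is used as a stand-in for a digital
signature: both bind the integrity check to a secret the attacker lacks.
"""
import hashlib
import hmac


def file_digest(data: bytes) -> str:
    """Plain SHA-256 of the file content (what a published checksum is)."""
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, expected_hex: str) -> bool:
    """Hash-based verification: recompute and compare in constant time."""
    return hmac.compare_digest(file_digest(data), expected_hex)


def keyed_tag(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 tag; only a holder of `key` can produce a valid one."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_keyed(data: bytes, key: bytes, tag_hex: str) -> bool:
    """Keyed verification: recompute the tag with the shared key."""
    return hmac.compare_digest(keyed_tag(data, key), tag_hex)


def flip_bit(data: bytes, index: int) -> bytes:
    """Simulate random corruption in transit by flipping one bit."""
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)


def scenario() -> dict:
    """Walk through the three cases the explanation distinguishes."""
    report = b"Q3 revenue: 1250000\nQ3 expenses: 980000\n"  # constructed
    key = b"constructed-demo-key-shared-out-of-band"        # constructed

    digest = file_digest(report)   # what the director publishes
    tag = keyed_tag(report, key)   # signature stand-in

    # Case 1: accidental corruption. The plain hash catches it.
    corrupted = flip_bit(report, 3)
    corruption_caught = not verify_digest(corrupted, digest)

    # Case 2: a deliberate edit where the attacker can also replace the
    # published hash (both travel over the same untrusted channel).
    # Hash-only verification passes because the hash matches the forgery.
    forged = b"Q3 revenue: 1250000\nQ3 expenses: 1980000\n"
    forged_digest = file_digest(forged)
    hash_only_fooled = verify_digest(forged, forged_digest)

    # Case 3: the keyed tag. Without the real key no tag the attacker
    # attaches to the forgery verifies, so the accountant's check fails.
    attacker_tag = keyed_tag(forged, b"wrong-key")
    keyed_rejects_forgery = not verify_keyed(forged, key, attacker_tag)
    keyed_accepts_original = verify_keyed(report, key, tag)

    return {
        "corruption_caught": corruption_caught,
        "hash_only_fooled": hash_only_fooled,
        "keyed_rejects_forgery": keyed_rejects_forgery,
        "keyed_accepts_original": keyed_accepts_original,
    }


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {outcome}")
```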
Question 42 of 65
42. Question
Which of the following layers in IoT architecture helps bridge the gap between two endpoints, such as a device and a client, and carries out message routing, message identification, and subscribing?
Correct
https://www.jigsawacademy.com/4-layers-of-the-internet-of-things/
https://www.globalsign.com/en/blog/what-is-an-iot-gateway-device
The first layer of the Internet of Things consists of sensor-connected IoT devices: these are small, memory-constrained, often battery-operated electronic devices with onboard sensors and actuators. They can either function as standalone sensing devices or be embedded in larger machinery for sensing and control. The three main capabilities of a typical IoT device are:
· being able to sense and record data
· being able to perform light computing
· being able to connect to a network and communicate the data
Examples include fitness trackers, agricultural soil moisture sensors, medical sensors for measuring blood glucose levels, and more. A huge number of startups and established companies compete to come up with ever newer sensors, actuators and devices.
The second layer consists of IoT gateway devices: the various IoT devices of layer 1 need to be connected to the internet via a more powerful computing device called the IoT gateway, which primarily acts like a networking device. So, similar to how a WiFi router helps us connect many laptops, phones and tablets to the internet at home, the IoT gateway aggregates data from numerous sensing devices and relays it to the cloud. These gateways are critical components of the IoT ecosystem. Typically, IoT gateways are equipped with multiple communication capabilities (like Bluetooth, Zigbee, LoRaWAN and sub-GHz proprietary protocols) to talk to the IoT devices on one side and a connection to the IP-based (Internet) network on the other side (over WiFi, Ethernet or a cellular link).
The third layer of IoT is the cloud: all the sensor data relayed by IoT gateways is stored on cloud-hosted servers. These servers accept, store and process data for analysis and decision making. This layer also enables the creation of live dashboards that decision makers can monitor to take proactive, data-driven decisions. Today, almost all cloud computing companies have custom service offerings for IoT solutions.
The fourth layer is IoT analytics: this is where the collected raw data is converted into actionable business insights, which can help improve business operations and efficiency or even predict future events like machine failure. This layer employs different data science and analytics techniques, including machine learning algorithms, to make sense of the data and enable corrective action.
Question 43 of 65
43. Question
Which of the following programs attacks both the boot sector and executable files?
Correct
A multipartite virus is a computer virus that can attack both the boot sector and executable files of an infected computer. If you're familiar with cyber threats, you probably know that most computer viruses attack either the boot sector or executable files. Multipartite viruses are unique because of their ability to attack both the boot sector and executable files simultaneously, which allows them to spread in multiple ways. According to Wikipedia, the first reported multipartite virus was identified in 1989. Known as Ghostball, it targeted the executable .com files and boot sectors of the infected computer. Since the internet was still in its early years, Ghostball wasn't able to reach many victims. With roughly half of the global population now connected to the internet, multipartite viruses pose a serious threat to businesses and consumers alike.

Incorrect answers:

Stealth virus: A very tricky virus, as it changes the code that can be used to detect it, which makes detection very difficult. For example, it can intercept the read system call so that whenever the user asks to read code modified by the virus, the original form of the code is shown rather than the infected code.

Polymorphic virus (https://en.wikipedia.org/wiki/Polymorphic_code): Polymorphic code was the first technique that posed a serious threat to virus scanners. Just like regular encrypted viruses, a polymorphic virus infects files with an encrypted copy of itself, which is decoded by a decryption module. In the case of polymorphic viruses, however, this decryption module is also modified on each infection. A well-written polymorphic virus therefore has no parts which remain identical between infections, making it very difficult to detect directly using “signatures”. Antivirus software can detect it by decrypting the virus using an emulator, or by statistical pattern analysis of the encrypted virus body.

Macro virus (https://en.wikipedia.org/wiki/Macro_virus): A macro virus is a computer virus written in the same macro language used for software programs, including Microsoft Excel or word processors such as Microsoft Word. When a macro virus infects a software application, it causes a sequence of actions to begin automatically when the application is opened. Since a macro virus centers on an application and not an operating system, it typically can infect any computer running any operating system. Macro viruses work by embedding malicious code in the macros associated with documents, spreadsheets, and other data files, causing the malicious programs to run as soon as the documents are opened. Typically, macro malware is transmitted through phishing emails containing malicious attachments. The macro virus spreads quickly as users share infected documents. Once an infected macro is executed, it will typically infect every other document on a user's computer. Some macro viruses cause irregularities in text documents, such as inserting or deleting words. Other macro malware accesses email accounts and sends out copies of infected files to all of the users' contacts, who then open and access these files because they come from trusted sources.
Question 44 of 65
44. Question
Which of the following is a logical collection of Internet-connected devices such as computers, smartphones or Internet of things (IoT) devices whose security has been breached and control ceded to a third party?
Correct
https://en.wikipedia.org/wiki/Botnet
Botnets are networks of hijacked computer devices used to carry out various scams and cyberattacks. The term botnet is formed from the words robot and network. The assembly of a botnet is usually the infiltration stage of a multi-layer scheme. The bots serve as a tool to automate mass attacks, such as data theft, server crashing, and malware distribution. Botnets use your devices to scam other people or cause disruptions, all without your consent.

Incorrect answers:

Spear phishing (https://en.wikipedia.org/wiki/Phishing#Spear_phishing): Spear phishing is a targeted attempt to steal sensitive information such as account credentials or financial information from a specific victim, often for malicious reasons. This is achieved by acquiring personal details on the victim such as their friends, hometown, employer, locations they frequent, and what they have recently bought online. The attackers then disguise themselves as trustworthy friends or entities to acquire sensitive information, typically through email or other online messaging. This is the most successful form of acquiring confidential information on the internet, accounting for 91% of attacks.

Advanced persistent threats (https://en.wikipedia.org/wiki/Advanced_persistent_threat): An advanced persistent threat (APT) is a prolonged and targeted cyberattack in which an intruder gains access to a network and remains undetected for an extended period of time. APT attacks are initiated to steal data rather than cause damage to the target organization's network. APT attacks are typically aimed at organizations in national defense, manufacturing, and the financial industry, as those companies deal with high-value information, including intellectual property, military plans, and other data from governments and enterprise organizations. Most APT attacks aim to achieve and maintain ongoing access to the targeted network rather than to get in and out as quickly as possible. Because a great deal of effort and resources usually go into carrying out APT attacks, hackers typically target high-value targets, such as nation-states and large corporations, with the ultimate goal of stealing information over a long time.

Rootkit (https://en.wikipedia.org/wiki/Rootkit): Originally, a rootkit was a collection of tools that enabled administrative access to a computer or network. Today, rootkits are associated with malicious software that provides root-level, privileged access to a computer while hiding its existence and actions. Hackers use rootkits to conceal themselves until they decide to execute their malware. Besides, rootkits can deactivate anti-malware and antivirus software and badly damage user-mode applications. Attackers can also use rootkits to spy on user behavior, launch DDoS attacks, escalate privileges, and steal sensitive data. The list below explores some of the possible consequences of a rootkit attack:
· Sensitive data stolen: Rootkits enable hackers to install additional malicious software that steals sensitive information, like credit card numbers, social security numbers, and user passwords, without being detected.
· Malware infection: Attackers use rootkits to install malware on computers and systems without being detected. Rootkits conceal the malicious software from any existing anti-malware or antivirus, often deactivating security software without the user's knowledge. With anti-malware and antivirus software deactivated, rootkits enable attackers to execute harmful files on infected computers.
· File removal: Rootkits grant access to all operating system files and commands. Attackers using rootkits can easily delete Linux or Windows directories, registry keys, and files.
· Eavesdropping: Cybercriminals leverage rootkits to exploit unsecured networks and intercept personal user information and communications, such as emails and messages exchanged via chat.
· Remote control: Hackers use rootkits to remotely access and change system configurations. They can then change the open TCP ports inside firewalls or change system startup scripts.

Spambot (https://en.wikipedia.org/wiki/Spambot): A spambot is a computer program designed to assist in the sending of spam. Spambots usually create accounts and send spam messages with them. Web hosts and website operators have responded by banning spammers, leading to an ongoing struggle between them and spammers in which spammers find new ways to evade the bans and anti-spam programs, and hosts counteract these methods.
Question 45 of 65
45. Question
Which type of virus tries to hide from antivirus programs by actively changing and corrupting the chosen service call interruptions while it is running?
Correct
Tunneling virus: This virus attempts to bypass detection by an antivirus scanner by installing itself in the interrupt handler chain. Interception programs, which remain in the background of an operating system and catch viruses, become disabled during the course of a tunneling virus. Similar viruses install themselves in device drivers.

Stealth virus: A very tricky virus, as it changes the code that can be used to detect it, which makes detection very difficult. For example, it can intercept the read system call so that whenever the user asks to read code modified by the virus, the original form of the code is shown rather than the infected code.

NOTE: I don't know why EC-Council decided to combine 2 types of viruses into one. Nevertheless, the Stealth/tunneling virus (as in the book) is what is encountered on their exam, but I think the Tunneling virus is fine too.

Incorrect answers:

Cavity virus: To avoid detection by users, some viruses employ different kinds of deception. Some old viruses, especially on the DOS platform, make sure that the “last modified” date of a host file stays the same when the file is infected by the virus. This approach does not fool antivirus software, however, especially those which maintain and date cyclic redundancy checks on file changes. Some viruses can infect files without increasing their sizes or damaging the files. They accomplish this by overwriting unused areas of executable files. These are called cavity viruses.

Polymorphic virus (https://en.wikipedia.org/wiki/Polymorphic_code): Polymorphic code was the first technique that posed a serious threat to virus scanners. Just like regular encrypted viruses, a polymorphic virus infects files with an encrypted copy of itself, which is decoded by a decryption module. In the case of polymorphic viruses, however, this decryption module is also modified on each infection. A well-written polymorphic virus therefore has no parts which remain identical between infections, making it very difficult to detect directly using “signatures”. Antivirus software can detect it by decrypting the virus using an emulator, or by statistical pattern analysis of the encrypted virus body.
Question 46 of 65
46. Question
Which of the following incident handling process phases is responsible for defining rules, employee training, creating a back-up, and preparing software and hardware resources before an incident occurs?
Correct
1. Preparation: Among the most important of all the steps in an incident response plan is the preparation stage. During the preparation phase, organizations should establish policies and procedures for incident response management and enable efficient communication methods both before and after the incident. Employees should be properly trained to address security incidents and their respective roles. Companies need to develop incident response drill scenarios that are practiced regularly and modified as needed based on changes in the environment. All aspects of an incident response plan, including training, software and hardware resources, and execution, should be fully approved and funded before an incident occurs.

2. Identification: The identification phase of an incident response plan involves determining whether or not an organization has been breached. It is not always clear at first whether a breach or other security incident has occurred. Besides, breaches can originate from a wide range of sources, so it is important to gather details. When determining whether a security incident has occurred, organizations should look at when the event happened, how it was discovered, and who discovered the breach. Companies should also consider how the incident will impact operations, whether other areas have been impacted, and the scope of the compromise.

3. Containment: If it is discovered that a breach has occurred, organizations should work fast to contain the event. However, this should be done appropriately and does not require all sensitive data to be deleted from the system. Instead, strategies should be developed to contain the breach and prevent it from spreading further. This may involve disconnecting the impacted device from the internet or having a back-up system that can be used to restore normal business operations. Having remote access protocols in place can help ensure that a company never loses access to its system.

4. Neutralization: Neutralization is one of the most crucial phases of the incident response process and requires the intelligence gathered throughout the previous stages. Once all systems and devices that have been impacted by the breach have been identified, an organization should perform a coordinated shutdown. To ensure that all employees are aware of the shutdown, employers should send out notifications to all other IT team members. Next, the infected systems and devices should be wiped clean and rebuilt. Passwords on all accounts should also be changed. If a business discovers that there are domains or IP addresses that have been affected, it is essential to block all communication that could pose a risk.

5. Recovery: The recovery phase of an incident response plan involves restoring all affected systems and devices to allow normal operations to continue. However, before getting systems back up and running, it is vital to ensure that the cause of the breach has been identified to prevent another breach from occurring. During this phase, consider how long it will take to return systems to normal, whether systems have been patched and tested, whether a system can be safely restored using a backup, and how long the system will need to be monitored.

6. Review: The final step in an incident response plan occurs after the incident has been resolved. Throughout the incident, all details should have been properly documented so that the information can be used to prevent similar breaches in the future. Businesses should complete a detailed incident report that suggests how to improve the existing incident plan. Companies should also closely monitor any post-incident activities to look for threats. It is important to coordinate across all departments of an organization so that all employees are involved and can do their part to help prevent future security incidents.
Question 47 of 65
47. Question
What actions should be performed before using a vulnerability scanner to scan a network?
Correct
Vulnerability scanning solutions assess an organization's network in three steps, and the first two are the work that has to be done before any vulnerability test can run:
1. Locating nodes: the scanner first locates live hosts in the target network using various host discovery techniques.
2. Performing service and OS discovery on them: after detecting the live hosts, the scanner enumerates the open ports and services on each one and identifies its operating system.
3. Testing those services and OS for known vulnerabilities: finally, with the open services and operating system of each node identified, they are tested for known vulnerabilities.
A scanner that skips the discovery steps scans blind: it cannot choose the right checks for a host whose services and OS it does not know, and it wastes time on addresses that are not responding.
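The three steps above as a small pipeline, written as an added example rather than code from the page or from any scanner product. Probing is passed in as a callable so the code runs offline against a constructed inventory (FAKE_NETWORK); tcp_probe is a real TCP-connect probe you can swap in, only against hosts you are authorised to scan. The rules in RULES are placeholders standing in for a vulnerability feed, not real advisories, and the banner regex and OS hints are deliberately minimal.

```python
"""Added example, not from the page: the three vulnerability-scanning steps as a
pipeline. Probing is injected so the code runs offline against constructed data;
`tcp_probe` is a real probe you may swap in, only against hosts you are authorised
to scan. RULES are placeholders (not real advisories) standing in for a vuln feed.
"""
import re
import socket
from dataclasses import dataclass, field

# Constructed inventory: addr -> {port: banner}. A host with no open port looks
# "down" to the scanner, exactly as an address that never answers would.
FAKE_NETWORK = {
    "10.0.0.5": {22: "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8",
                 80: "Server: Apache/2.4.18 (Ubuntu)"},
    "10.0.0.6": {22: "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6"},
    "10.0.0.7": {},
}
# (product, vulnerable-before version, label). Placeholder rules only.
RULES = [
    ("OpenSSH", "7.4", "EXAMPLE-RULE-1: placeholder, OpenSSH before 7.4"),
    ("Apache", "2.4.50", "EXAMPLE-RULE-2: placeholder, Apache httpd before 2.4.50"),
]


@dataclass
class Host:
    addr: str
    services: dict = field(default_factory=dict)  # port -> (product, version)
    os_guess: str = "unknown"
    findings: list = field(default_factory=list)  # (port, rule label)


def fake_probe(addr, port):
    """Banner of an open port in the constructed inventory, None if closed."""
    return FAKE_NETWORK.get(addr, {}).get(port)


def tcp_probe(addr, port, timeout=1.0):
    """Real probe (not used offline): TCP connect, then read whatever is sent."""
    try:
        with socket.create_connection((addr, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(256).decode(errors="replace").strip()
            except socket.timeout:
                return ""      # open but silent (HTTP waits for a request)
    except OSError:
        return None            # closed, filtered or host down


def locate_nodes(addrs, ports, probe):
    """Step 1: a host counts as live if any probed port answers."""
    live = []
    for addr in addrs:
        banners = {}
        for port in ports:
            banner = probe(addr, port)
            if banner is not None:
                banners[port] = banner
        if banners:
            live.append((addr, banners))
    return live


BANNER_RE = re.compile(r"(OpenSSH|Apache)[_/](\d+(?:\.\d+)+)")
OS_HINTS = {"Ubuntu": "Linux (Ubuntu)", "Debian": "Linux (Debian)", "Windows": "Windows"}


def discover(addr, banners):
    """Step 2: turn raw banners into (product, version) pairs and an OS guess."""
    host = Host(addr)
    for port, banner in banners.items():
        m = BANNER_RE.search(banner)
        host.services[port] = (m.group(1), m.group(2)) if m else ("unknown", "")
        for hint, name in OS_HINTS.items():
            if hint in banner:
                host.os_guess = name
    return host


def version_tuple(v):
    """Compare numerically: as strings '7.10' < '7.4', which is wrong."""
    return tuple(int(x) for x in v.split("."))


def check_vulns(host, rules=RULES):
    """Step 3: match identified versions against the rule set."""
    for port, (product, version) in host.services.items():
        for rule_product, before, label in rules:
            if product == rule_product and version and \
                    version_tuple(version) < version_tuple(before):
                host.findings.append((port, label))
    return host


def scan(addrs, ports, probe=fake_probe):
    return [check_vulns(discover(addr, banners))
            for addr, banners in locate_nodes(addrs, ports, probe)]


if __name__ == "__main__":
    for h in scan(FAKE_NETWORK, [22, 80, 445]):
        print(h.addr, h.os_guess, h.services, h.findings)
```

Two things worth noticing: version comparison has to be numeric, since string comparison ranks 7.10 below 7.4 and would mark a patched host vulnerable; and TCP-connect discovery alone misses hosts that expose only filtered or UDP services, which is why real scanners combine ICMP, ARP and SYN probes for step 1.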
Question 48 of 65
48. Question
Victor, a white-hat hacker, has been contracted to perform a penetration test for the company "Test us". While collecting information he finds the publicly available email address of one of its employees. Victor sends a message to that address, forging the sender address so that it appears to come from the employee's boss, "[email protected]", and asks the employee to open the "link with the report" immediately and check it. The employee opens the link and infects his computer. Through this manipulation Victor gains access to the corporate network and successfully completes the pentest. What type of attack did Victor use?
Correct
https://en.wikipedia.org/wiki/Social_engineering_(security)
The answer is social engineering. Social engineering is the term for a broad range of malicious activities accomplished through human interaction: it uses psychological manipulation to trick users into making security mistakes or giving away sensitive information. Such attacks typically fool otherwise unsuspecting users or employees into handing over confidential data or performing an action. Commonly the vehicle is an email or other communication that invokes urgency, fear or similar emotions, leading the victim to promptly reveal sensitive information, click a malicious link or open a malicious file. Victor's message is exactly this: a spoofed sender address that impersonates the boss plus an urgent instruction to open a link, a spear-phishing email, which is one form of social engineering. Because social engineering involves a human element, preventing these attacks is hard for enterprises; technical controls such as SPF, DKIM and DMARC on the company's domain make this kind of sender forgery detectable, but they do not stop a lookalike domain or a compromised mailbox.
Incorrect answers:
Tailgating and piggybacking are used here as names for the same attack (many sources distinguish them: piggybacking when the authorized person knowingly lets the intruder in, tailgating when the intruder slips in without the authorized person's knowledge). Either way it is a physical security breach in which an unauthorized person follows an authorized individual into a secured premises, a simple social engineering-based way around many mechanisms one would think of as secure. Even retina scanners do not help if an employee holds the door for an unknown person behind them out of misguided courtesy. Tailgaters may be disgruntled former employees, thieves, vandals or mischief-makers, or people with a grievance against employees or the company; any of them can disrupt business, cause damage, create unexpected costs and lead to further safety issues. Nothing physical happens in Victor's attack, so neither term fits.
Eavesdropping (https://en.wikipedia.org/wiki/Eavesdropping) is the act of secretly or stealthily listening to the private conversations or communications of others without their consent in order to gather information. Since the beginning of the digital age the term has also come to hold great significance in cybersecurity: an attacker can listen in on a conversation or use special software to capture information on the network. The question does not specify at what level such an attack would be used, and it does not matter, because the correct answer is clearly not about intercepting information.
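What the receiving side can check for a message like Victor's, as an added example (not code from the page): the envelope sender, the Reply-To, the SPF/DKIM/DMARC verdicts stamped by the organisation's own mail server, and the urgency-plus-link lure itself. It assumes the message is available as raw RFC 5322 text, that the company's domain is testus.example (a stand-in, since the question does not give one), and that the inbound MX mx.testus.example adds an Authentication-Results header. Both sample messages are constructed.

```python
"""Added example, not from the original page: header and content checks for the
forged-sender lure in the question. Assumptions: raw RFC 5322 text is available,
the company's domain is testus.example (a stand-in), and the receiving server
mx.testus.example stamps its own Authentication-Results header on inbound mail.
Both sample messages below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

URGENCY_RE = re.compile(r"\b(immediately|urgent(?:ly)?|right away|asap)\b", re.I)
LINK_RE = re.compile(r"https?://\S+", re.I)


def _domain(header_value):
    """Lowercase domain of the address in a header value, '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def analyse(raw):
    """Return a list of findings for one message; empty means nothing looked wrong."""
    msg = message_from_string(raw)
    findings = []
    from_domain = _domain(msg.get("From"))

    # 1. Envelope sender vs. header From. Forging the visible From address is
    #    trivial; the bounce address usually still points at the attacker's relay.
    rp = _domain(msg.get("Return-Path"))
    if rp and rp != from_domain:
        findings.append(f"Return-Path domain {rp} differs from From domain {from_domain}")

    # 2. Reply-To that quietly redirects any answer away from the impersonated boss.
    rt = _domain(msg.get("Reply-To"))
    if rt and rt != from_domain:
        findings.append(f"Reply-To domain {rt} differs from From domain {from_domain}")

    # 3. SPF/DKIM/DMARC verdicts recorded by our own MX. Trust this header only if
    #    the MX strips copies that arrived from outside (RFC 8601, section 5).
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth, re.I)
        if m and m.group(1).lower() != "pass":
            findings.append(f"{mech}={m.group(1).lower()}")

    # 4. The lure itself: urgency language paired with a link to click.
    body = "" if msg.is_multipart() else msg.get_payload()
    if URGENCY_RE.search(body) and LINK_RE.search(body):
        findings.append("body pairs urgency language with a link")
    return findings


def is_suspicious(raw, min_findings=2):
    """Require two independent signals; any single one also occurs in legitimate mail."""
    return len(analyse(raw)) >= min_findings


# Constructed sample: the forged message from the question as it would arrive.
SPOOFED = (
    "Return-Path: <bounce@mail-relay.example>\n"
    "Authentication-Results: mx.testus.example; spf=fail smtp.mailfrom=mail-relay.example;"
    " dkim=none; dmarc=fail header.from=testus.example\n"
    'From: "The Boss" <boss@testus.example>\n'
    "Reply-To: <boss.reports@webmail.example>\n"
    "To: employee@testus.example\n"
    "Subject: Report - check it now\n"
    "\n"
    "Please open the link with the report immediately and check it:\n"
    "http://report-review.example/login\n"
)

# Constructed sample: a genuine internal message for comparison.
LEGIT = (
    "Return-Path: <boss@testus.example>\n"
    "Authentication-Results: mx.testus.example; spf=pass smtp.mailfrom=testus.example;"
    " dkim=pass header.d=testus.example; dmarc=pass header.from=testus.example\n"
    'From: "The Boss" <boss@testus.example>\n'
    "To: employee@testus.example\n"
    "Subject: Quarterly report\n"
    "\n"
    "The quarterly report is attached as discussed. Regards.\n"
)

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, is_suspicious(raw), analyse(raw))
```

The checks are layered on purpose: a forged From with a matching Return-Path and passing DMARC is possible when the attacker registers a lookalike domain or uses a compromised internal account, and in that case only the content check (4) and the user's training are left. Conversely, a single mismatch (a mailing list rewriting Return-Path, a legitimate Reply-To to a ticketing system) is normal, which is why is_suspicious asks for at least two signals.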
Question 49 of 65
49. Question
Which of the following terms describes the amount of risk that is left over after natural or inherent risks have been reduced by risk controls?
Correct
https://en.wikipedia.org/wiki/Residual_risk
The answer is residual risk. Residual risk is the risk or danger that remains from an action, an event, a method or a (technical) process even after all theoretically possible (scientifically conceivable) safety measures have been applied; in other words, the amount of risk left over after natural or inherent risks have been reduced by risk controls:
Residual risk = Inherent risk - impact of risk controls
Residual risk is never zero in practice; management either accepts it formally or adds further controls until it falls below the organization's risk appetite.
Question 50 of 65
50. Question
Which of the following is an encryption technique where data is encrypted by a sequence of photons that have a spinning trait while travelling from one end to another?
Correct
https://en.wikipedia.org/wiki/Quantum_cryptography
The answer is quantum cryptography: the science of exploiting quantum mechanical properties to perform cryptographic tasks. The best-known example is quantum key distribution, which offers an information-theoretically secure solution to the key exchange problem. The advantage of quantum cryptography lies in the fact that it allows the completion of various cryptographic tasks that are proven or conjectured to be impossible using only classical (i.e. non-quantum) communication. For example, it is impossible to copy data encoded in a quantum state (the no-cloning theorem), and any attempt to read the encoded data changes the quantum state. This is what makes eavesdropping on quantum key distribution detectable.
Quantum key distribution
The best-known and most developed application of quantum cryptography is quantum key distribution (QKD): using quantum communication to establish a shared key between two parties (Alice and Bob, for example) without a third party (Eve) learning anything about that key, even if Eve can eavesdrop on all communication between Alice and Bob. If Eve tries to learn information about the key being established, discrepancies arise that Alice and Bob notice. Once the key is established, it is typically used for encrypted communication using classical techniques; for instance, the exchanged key can serve as a symmetric cipher key. The security of quantum key distribution can be proven mathematically without imposing any restrictions on the abilities of an eavesdropper, something not possible with classical key distribution. This is usually described as "unconditional security", although some minimal assumptions are required: that the laws of quantum mechanics apply, and that Alice and Bob are able to authenticate each other, i.e. Eve must not be able to impersonate Alice or Bob, since otherwise a man-in-the-middle attack would be possible. QKD therefore still depends on an authenticated classical channel; it replaces key exchange, not authentication or the bulk cipher.
While QKD is secure in theory, its applications face the challenge of practicality because of transmission distance and key generation rate limitations. Ongoing studies and improving technology have pushed these limits. In 2018 Lucamarini et al. proposed a twin-field QKD scheme that can possibly overcome the point-to-point repeater-less bounds of a lossy communication channel. The rate of the twin-field protocol was shown to overcome the repeater-less PLOB bound at 340 km of optical fibre; its ideal rate surpasses this bound already at 200 km and follows the rate-loss scaling of the higher single-repeater bound. The protocol suggests that optimal key rates are achievable on "550 kilometres of standard optical fibre", which is already commonly used in communications today. The theoretical result was confirmed in the first experimental demonstration of QKD beyond the rate-loss limit by Minder et al. in 2019, which has been characterised as the first effective quantum repeater.
Quantum coin flipping
Unlike quantum key distribution, quantum coin flipping is a protocol used between two participants who do not trust each other. The participants communicate via a quantum channel and exchange information through the transmission of qubits. Because Alice and Bob do not trust each other, each expects the other to cheat, so more effort must be spent on ensuring that neither can gain a significant advantage over the other in producing the desired outcome. The ability to influence a particular outcome is referred to as bias, and much of the work on these protocols goes into reducing the bias a dishonest player (a cheater) can achieve. Quantum communication protocols, including quantum coin flipping, have been shown to provide significant security advantages over classical communication, though they are difficult to realize in practice. A coin flip protocol generally runs like this:
· Alice chooses a basis (either rectilinear or diagonal) and generates a string of photons to send to Bob in that basis.
· Bob randomly chooses to measure each photon in a rectilinear or diagonal basis, noting which basis he used and the measured value.
· Bob publicly guesses which basis Alice used to send her qubits.
· Alice announces the basis she used and sends her original string to Bob.
· Bob confirms by comparing Alice's string to his table. It should be perfectly correlated with the values Bob measured using Alice's basis and completely uncorrelated with the opposite.
Cheating occurs when one player attempts to influence, or increase the probability of, a particular outcome. The protocol discourages some forms of cheating; for example, Alice could cheat at step 4 by claiming that Bob guessed her initial basis incorrectly when he guessed correctly, but she would then need to produce a new string of qubits that perfectly correlates with what Bob measured in the opposite table. Her chance of generating a matching string decreases exponentially with the number of qubits sent, and if Bob notes a mismatch he will know she was lying. Alice could also generate a string of photons using a mixture of states, but Bob would easily see that her string correlates partially (but not fully) with both sides of his table and know she cheated. There is also an inherent flaw in current quantum devices: errors and lost qubits affect Bob's measurements, leaving holes in his measurement table, and significant losses impair his ability to verify Alice's qubit sequence in step 5.
One theoretically surefire way for Alice to cheat is to use the Einstein-Podolsky-Rosen (EPR) paradox. Two photons in an EPR pair are anticorrelated: measured in the same basis, they will always be found to have opposite polarizations. Alice could generate a string of EPR pairs, sending one photon of each pair to Bob and storing the other herself. When Bob states his guess, she could measure her stored photons in the opposite basis and obtain a perfect correlation to Bob's opposite table, and Bob would never know she cheated. However, this requires capabilities that quantum technology does not currently possess, making it impossible in practice: Alice would need to store all the photons for a significant amount of time and measure them with near-perfect efficiency, because any photon lost in storage or measurement leaves a hole in her string that she would have to fill by guessing. The more guesses she has to make, the more she risks detection by Bob.
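The eavesdropper-detection claim in the QKD paragraphs, and the same rectilinear/diagonal basis measurement the coin-flipping steps rely on, can be checked with a classical simulation of the BB84 protocol. This is an added example, not code from the page: photons are modelled as (basis, bit) pairs, measuring in the preparation basis returns the bit, measuring in the other basis returns a fair coin, and the channel is assumed noiseless so that every error in the sample is attributable to Eve. The 11% abort threshold is the usual figure for BB84 with one-way post-processing and is a parameter, not a constant the page gives.

```python
"""Added example, not from the page: a classical simulation of BB84 showing why an
intercept-and-resend eavesdropper is detected. Assumptions: photons are (basis, bit)
pairs with rectilinear = 0 and diagonal = 1; measuring in the preparation basis
returns the bit, measuring in the other basis returns a fair coin; the channel is
otherwise noiseless, so every sampled error is Eve's doing.
"""
import random

RECTILINEAR, DIAGONAL = 0, 1


def measure(qubit, basis, rng):
    """Measure a qubit prepared as (prep_basis, bit) in `basis`."""
    prep_basis, bit = qubit
    if prep_basis == basis:
        return bit                # same basis: outcome is deterministic
    return rng.randrange(2)       # conjugate basis: outcome random, state disturbed


def bb84(n_qubits, eve_present, seed=0, abort_qber=0.11):
    """One BB84 exchange; returns sifted length, estimated QBER and both keys."""
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n_qubits)]
    alice_bases = [rng.randrange(2) for _ in range(n_qubits)]
    in_flight = list(zip(alice_bases, alice_bits))

    if eve_present:
        # Intercept-resend. No-cloning means Eve cannot copy a photon and forward
        # the original, so she measures in a guessed basis and re-prepares what she
        # saw. Half her guesses are wrong, and each wrong guess flips the bit Bob
        # later reads with probability 1/2: a 25% error rate in the sifted key.
        in_flight = []
        for qubit in zip(alice_bases, alice_bits):
            eve_basis = rng.randrange(2)
            in_flight.append((eve_basis, measure(qubit, eve_basis, rng)))

    bob_bases = [rng.randrange(2) for _ in range(n_qubits)]
    bob_bits = [measure(q, b, rng) for q, b in zip(in_flight, bob_bases)]

    # Sifting over the authenticated classical channel: bases are published, bit
    # values are not; keep only the positions where the two bases agree.
    keep = [i for i in range(n_qubits) if alice_bases[i] == bob_bases[i]]
    alice_key = [alice_bits[i] for i in keep]
    bob_key = [bob_bits[i] for i in keep]

    # Error estimation: publicly compare a random quarter of the sifted bits and
    # discard them. Any mismatch must come from noise or from Eve.
    sampled = set(rng.sample(range(len(keep)), k=len(keep) // 4))
    errors = sum(alice_key[i] != bob_key[i] for i in sampled)
    qber = errors / len(sampled)
    rest = [i for i in range(len(keep)) if i not in sampled]
    return {
        "sifted": len(keep),
        "qber": qber,
        # abort_qber: above this no secure key can be distilled with the standard
        # one-way error correction and privacy amplification; a real system aborts.
        "accepted": qber < abort_qber,
        "alice_key": [alice_key[i] for i in rest],
        "bob_key": [bob_key[i] for i in rest],
    }


if __name__ == "__main__":
    for eve in (False, True):
        r = bb84(4000, eve_present=eve, seed=7)
        print(f"eve={eve}: sifted={r['sifted']} qber={r['qber']:.3f} "
              f"accepted={r['accepted']}")
```

Without Eve the sifted keys agree bit for bit and the estimated QBER is zero; with Eve the QBER sits near 25%, far above the abort threshold, so Alice and Bob throw the key away. Note what the simulation does not do: the classical messages (bases, sampled positions) are assumed authenticated, which is the assumption the explanation flags, and a real link has a non-zero noise floor that Eve can hide beneath only if she intercepts a small fraction of photons, which is exactly why privacy amplification is applied to the surviving bits.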
Incorrect
https://en.wikipedia.org/wiki/Quantum_cryptography Quantum cryptography is the science of exploiting quantum mechanical properties to perform cryptographic tasks. The best-known example of quantum cryptography is a quantum key distribution which offers an information-theoretically secure solution to the key exchange problem. The advantage of quantum cryptography lies in the fact that it allows the completion of various cryptographic tasks that are proven or conjectured to be impossible using only classical (i.e. non-quantum) communication. For example, it is impossible to copy data encoded in a quantum state. If one attempts to read the encoded data, the quantum state will be changed (no-cloning theorem). This could be used to detect eavesdropping in quantum key distribution. Quantum key distribution The best-known and developed application of quantum cryptography is a quantum key distribution (QKD), which is the process of using quantum communication to establish a shared key between two parties (Alice and Bob, for example) without a third party (Eve) learning anything about that key, even if Eve can eavesdrop on all communication between Alice and Bob. If Eve tries to learn information about the key being established, discrepancies will arise causing Alice and Bob to notice. Once the key is established, it is then typically used for encrypted communication using classical techniques. For instance, the exchanged key could be used for symmetric cryptography. The security of quantum key distribution can be proven mathematically without imposing any restrictions on the abilities of an eavesdropper, something not possible with the classical key distribution. This is usually described as “unconditional security“, although there are some minimal assumptions required, including that the laws of quantum mechanics apply and that Alice and Bob are able to authenticate each other, i.e. 
Eve should not be able to impersonate Alice or Bob, as otherwise a man-in-the-middle attack would be possible. While QKD is seemingly secure, its applications face the challenge of practicality. This is due to transmission distance and key generation rate limitations. Ongoing studies and growing technology have allowed further advancements in such limitations. In 2018 Lucamarini et al. proposed a twin-field QKD scheme that can possibly overcome the point-to-point repeater-less bounds of a lossy communication channel. The rate of the twin field protocol was shown to overcome the repeater-less PLOB bound at 340 km of an optical fibre; its ideal rate surpasses this bound already at 200 km and follows the rate-loss scaling of the higher single-repeater bound. The protocol suggests that optimal key rates are achievable on "550 kilometres of standard optical fibre", which is already commonly used in communications today. The theoretical result was confirmed in the first experimental demonstration of QKD beyond the rate-loss limit by Minder et al. in 2019, which has been characterised as the first effective quantum repeater.
Quantum coin flipping
Unlike quantum key distribution, quantum coin flipping is a protocol that is used between two participants who do not trust each other. The participants communicate via a quantum channel and exchange information through the transmission of qubits. But because Alice and Bob do not trust each other, each expects the other to cheat. Therefore, more effort must be spent on ensuring that neither Alice nor Bob can gain a significant advantage over the other to produce the desired outcome. An ability to influence a particular outcome is referred to as a bias, and there is a significant focus on developing protocols to reduce the bias of a dishonest player, otherwise known as cheating.
Quantum communication protocols, including quantum coin flipping, have been shown to provide significant security advantages over classical communication, though they are difficult to realize in the practical world. A coin flip protocol generally occurs like this:
· Alice chooses a basis (either rectilinear or diagonal) and generates a string of photons to send to Bob in that basis.
· Bob randomly chooses to measure each photon in a rectilinear or diagonal basis, noting which basis he used and the measured value.
· Bob publicly guesses which basis Alice used to send her qubits.
· Alice announces the basis she used and sends her original string to Bob.
· Bob confirms by comparing Alice's string to his table. It should be perfectly correlated with the values Bob measured using Alice's basis and completely uncorrelated with the opposite.
Cheating occurs when one player attempts to influence, or increase the probability of, a particular outcome. The protocol discourages some forms of cheating; for example, Alice could cheat at step 4 by claiming that Bob incorrectly guessed her initial basis when he guessed correctly, but Alice would then need to generate a new string of qubits that perfectly correlates with what Bob measured in the opposite table. Her chance of generating a matching string of qubits will decrease exponentially with the number of qubits sent, and if Bob notes a mismatch, he will know she was lying. Alice could also generate a string of photons using a mixture of states, but Bob would easily see that her string will correlate partially (but not fully) with both sides of the table, and know she cheated in the process. There is also an inherent flaw that comes with current quantum devices. Errors and lost qubits will affect Bob's measurements, resulting in holes in Bob's measurement table. Significant losses in measurement will affect Bob's ability to verify Alice's qubit sequence in step 5.
One theoretically surefire way for Alice to cheat is to utilize the Einstein-Podolsky-Rosen (EPR) paradox. Two photons in an EPR pair are anticorrelated; that is, they will always be found to have opposite polarizations, provided that they are measured on the same basis. Alice could generate a string of EPR pairs, sending one photon per pair to Bob and storing the other herself. When Bob states his guess, she could measure her EPR pair photons in the opposite basis and obtain a perfect correlation to Bob's opposite table. Bob would never know she cheated. However, this requires capabilities that quantum technology currently does not possess, making it impossible to do in practice. To successfully execute this, Alice would need to be able to store all the photons for a significant amount of time as well as to measure them with near-perfect efficiency. This is because any photon lost in storage or in measurement would result in a hole in her string that she would have to fill by guessing. The more guesses she has to make, the more she risks detection by Bob for cheating.
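The five protocol steps and the two detectable cheats described above (lying about the basis at step 4, and sending a mixture of states), as an added classical simulation in Python; this is not code from the Wikipedia article. It models a single rule: measuring a photon in the basis it was prepared in returns the prepared bit, while measuring in the conjugate basis returns a uniformly random bit. The function names and the `rng` parameter are this example's own choices, and the EPR-pair cheat is not modelled because it requires entanglement, which this simulation does not represent.

```python
"""Classical simulation of the quantum coin-flipping protocol.

Added example (not from the Wikipedia article). Only one quantum property is
modelled: a measurement in the preparation basis yields the prepared bit, a
measurement in the conjugate basis yields a uniformly random bit. The EPR
cheat is deliberately out of scope (no entanglement here).
"""
import random

RECTILINEAR, DIAGONAL = 0, 1


def measure(prep_basis, prep_bit, meas_basis, rng):
    """Outcome of measuring one photon: deterministic in the matching basis,
    a fresh random bit in the other one (the prepared value is lost)."""
    return prep_bit if prep_basis == meas_basis else rng.randrange(2)


def bob_measure(photons, rng):
    """Step 2: Bob picks a random basis per photon and records (basis, outcome)."""
    table = []
    for prep_basis, prep_bit in photons:
        b = rng.randrange(2)
        table.append((b, measure(prep_basis, prep_bit, b, rng)))
    return table


def bob_verify(table, announced_basis, announced_string):
    """Step 5: compare Alice's announced string against Bob's table.

    Returns (accepted, mismatch_rate_in_announced_basis,
             agreement_rate_in_opposite_basis).
    An honest Alice produces 0 mismatches in the announced basis and roughly
    50% agreement in the other basis.
    """
    same = [(m, s) for (b, m), s in zip(table, announced_string) if b == announced_basis]
    other = [(m, s) for (b, m), s in zip(table, announced_string) if b != announced_basis]
    mismatch = sum(m != s for m, s in same) / max(len(same), 1)
    agree = sum(m == s for m, s in other) / max(len(other), 1)
    return mismatch == 0.0, mismatch, agree


def coin_flip(n, rng, alice="honest"):
    """Run one protocol instance with n photons.

    alice is one of "honest", "lie_basis" (she announces a basis other than
    the one she used) or "mixture" (she encodes each bit in a random basis).
    Returns (bob_accepts, bob_guessed_right, mismatch_rate, agreement_rate).
    """
    a = rng.randrange(2)                        # step 1: Alice's basis
    s = [rng.randrange(2) for _ in range(n)]    # her random bit string
    if alice == "mixture":
        photons = [(rng.randrange(2), bit) for bit in s]   # cheat: mixed bases
    else:
        photons = [(a, bit) for bit in s]
    table = bob_measure(photons, rng)           # step 2
    guess = rng.randrange(2)                    # step 3: Bob's public guess
    announced = 1 - a if alice == "lie_basis" else a      # step 4
    accepted, mismatch, agree = bob_verify(table, announced, s)   # step 5
    return accepted, guess == announced, mismatch, agree


if __name__ == "__main__":
    for strategy in ("honest", "lie_basis", "mixture"):
        accepted, right, mm, ag = coin_flip(1000, random.Random(7), strategy)
        print(f"{strategy:10s} accepted={accepted} bob_guessed_right={right} "
              f"mismatch={mm:.2f} opposite_agreement={ag:.2f}")
```

With a few hundred photons the three strategies are easy to tell apart: the honest run gives zero mismatches and about 50% agreement on the opposite side of the table; lying about the basis gives about 50% mismatches in the announced basis and, tellingly, 100% agreement with the opposite table; the mixture gives about 25% mismatches and about 75% agreement on both sides, the "partial but not full" correlation the text mentions. The simulation ignores channel loss, which is why real devices leave holes in Bob's table and weaken step 5.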
Question 51 of 65
51. Question
Which of the following tools is a packet sniffer, network detector and IDS for 802.11 (a, b, g, n) wireless LANs?
Correct
https://en.wikipedia.org/wiki/Kismet_(software) Kismet is a network detector, packet sniffer, and intrusion detection system for 802.11 wireless LANs. Kismet will work with any wireless card which supports raw monitoring mode, and can sniff 802.11a, 802.11b, 802.11g, and 802.11n traffic.
Incorrect answers:
Nessus https://en.wikipedia.org/wiki/Nessus_(software) Nessus is a remote security scanning tool that scans a computer and raises an alert if it discovers any vulnerabilities that malicious hackers could use to access any computer you have connected to a network.
Nmap https://en.wikipedia.org/wiki/Nmap Nmap (Network Mapper) is a free and open-source network scanner created by Gordon Lyon (also known by his pseudonym Fyodor Vaskovich). Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses. Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection. These features are extensible by scripts that provide more advanced service detection, vulnerability detection, and other features. Nmap can adapt to network conditions including latency and congestion during a scan.
Abel https://en.wikipedia.org/wiki/Cain_and_Abel_(software) Cain and Abel (often abbreviated to Cain) was a password recovery tool for Microsoft Windows. It could recover many kinds of passwords using methods such as network packet sniffing, cracking various password hashes by using methods such as dictionary attacks, brute force and cryptanalysis attacks. Cryptanalysis attacks were done via rainbow tables which could be generated with the winrtgen.exe program provided with Cain and Abel.
Question 52 of 65
52. Question
Which of the following requires establishing national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers?
Correct
https://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act The Health Insurance Portability and Accountability Act of 1996 (HIPAA or the Kennedy-Kassebaum Act) is a United States federal statute enacted by the 104th United States Congress and signed into law by President Bill Clinton on August 21, 1996. It was created primarily to modernize the flow of healthcare information, stipulate how personally identifiable information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and address limitations on healthcare insurance coverage. The act consists of five titles. Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. Title III sets guidelines for pre-tax medical spending accounts. Title IV sets guidelines for group health plans, and Title V governs company-owned life insurance policies.
Incorrect answers:
SOX https://en.wikipedia.org/wiki/Sarbanes%E2%80%93Oxley_Act The Sarbanes-Oxley Act of 2002, also known as the "Public Company Accounting Reform and Investor Protection Act" (in the Senate) and "Corporate and Auditing Accountability, Responsibility, and Transparency Act" (in the House) and more commonly called Sarbanes-Oxley, Sarbox or SOX, is a United States federal law that set new or expanded requirements for all U.S. public company boards, management and public accounting firms. A number of provisions of the Act also apply to privately held companies, such as the willful destruction of evidence to impede a federal investigation.
DMCA https://en.wikipedia.org/wiki/Digital_Millennium_Copyright_Act The Digital Millennium Copyright Act (DMCA) is a 1998 United States copyright law that implements two 1996 treaties of the World Intellectual Property Organization (WIPO). It criminalizes the production and dissemination of technology, devices, or services intended to circumvent measures that control access to copyrighted works (commonly known as digital rights management or DRM). It also criminalizes the act of circumventing an access control, whether or not there is actual infringement of copyright itself. In addition, the DMCA heightens the penalties for copyright infringement on the Internet. Passed on October 12, 1998, by a unanimous vote in the United States Senate and signed into law by President Bill Clinton on October 28, 1998, the DMCA amended Title 17 of the United States Code to extend the reach of copyright, while limiting the liability of the providers of online services for copyright infringement by their users.
PCI-DSS https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes. The PCI Standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit card fraud.
Question 53 of 65
53. Question
What does the flag "-oX" mean in an Nmap scan?
Correct
https://nmap.org/book/man-output.html -oX – Requests that XML output be directed to the given filename.
Incorrect answers:
Run an express scan https://nmap.org/book/man-port-specification.html There is no express scan in Nmap, but there is a fast scan. -F (Fast (limited port) scan) Specifies that you wish to scan fewer ports than the default. Normally Nmap scans the most common 1,000 ports for each scanned protocol. With -F, this is reduced to 100. Or we can influence the intensity (and speed) of the scan with the -T flag. https://nmap.org/book/man-performance.html -T paranoid|sneaky|polite|normal|aggressive|insane
Output the results in truncated format to the screen https://nmap.org/book/man-output.html -oG (grepable output) It is a simple format that lists each host on one line and can be trivially searched and parsed with standard Unix tools such as grep, awk, cut, sed, diff, and Perl.
Run an Xmas scan https://nmap.org/book/man-port-scanning-techniques.html Xmas scan (-sX) Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.
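As an added example of what the XML produced by -oX is for (this is not code from the Nmap project or from nmap.org), the following Python turns a scan report into a per-host inventory of open ports, the form in which a defender feeds scan results into asset or exposure tracking. The XML document embedded in it is constructed by hand to mirror Nmap's element names (nmaprun, host, status, address, ports, port, state, service); it is not real scan output, and the 192.0.2.0/24 addresses are documentation-range placeholders.

```python
"""Turn Nmap XML output (what -oX writes) into a per-host inventory.

Added example, not code from the Nmap project. SAMPLE_XML is constructed by
hand in the shape Nmap emits (nmaprun > host > status/address/ports/port);
it is not real scan output, and 192.0.2.0/24 is a documentation range.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX scan.xml 192.0.2.0/29" start="0">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="closed" reason="reset"/>
        <service name="telnet"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="udp" portid="161">
        <state state="open|filtered" reason="no-response"/>
        <service name="snmp"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.0.2.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {ip: [(port, protocol, state, service_name), ...]} for hosts that are up.

    Hosts reported down are skipped; a port with no <service> element gets "".
    """
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun":
        raise ValueError("not an Nmap XML document (root is <%s>)" % root.tag)
    inventory = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        # Nmap may list several <address> elements (e.g. ipv4 plus mac); take the IP.
        ip = next((a.get("addr") for a in host.findall("address")
                   if a.get("addrtype") in ("ipv4", "ipv6")), None)
        if ip is None:
            continue
        entries = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            service = port.find("service")
            entries.append((
                int(port.get("portid")),
                port.get("protocol"),
                state.get("state") if state is not None else "unknown",
                service.get("name", "") if service is not None else "",
            ))
        inventory[ip] = entries
    return inventory


def open_ports(inventory):
    """Ports confirmed open per host. 'open|filtered' (typical for UDP) is
    excluded because Nmap could not tell an open port from a dropped probe."""
    return {ip: sorted(p for p, _proto, state, _svc in entries if state == "open")
            for ip, entries in inventory.items()}


def ambiguous_ports(inventory):
    """Ports whose state contains '|', Nmap's way of saying it could not decide."""
    return {ip: sorted(p for p, _proto, state, _svc in entries if "|" in state)
            for ip, entries in inventory.items()}


if __name__ == "__main__":
    inv = parse_nmap_xml(SAMPLE_XML)
    for ip in inv:
        print(ip, "open:", open_ports(inv)[ip], "ambiguous:", ambiguous_ports(inv)[ip])
```

To use it on a real report, run the scan with the flag the question asks about (`nmap -oX scan.xml <target>`) and pass the file contents to `parse_nmap_xml`. Keep confirmed-open and `open|filtered` results apart when you act on them: the second group needs a follow-up check before it is treated as exposure. If the XML comes from a source you do not control, parse it with the `defusedxml` package instead of `xml.etree` to rule out entity-expansion tricks.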
Question 54 of 65
54. Question
Which of the following wireless standards has a bandwidth of up to 54 Mbit/s and signals in a regulated frequency spectrum around 5 GHz?
Correct
https://en.wikipedia.org/wiki/IEEE_802.11#802.11a_(OFDM_waveform) 802.11a, published in 1999, uses the same data link layer protocol and frame format as the original standard, but an OFDM based air interface (physical layer). It operates in the 5 GHz band with a maximum net data rate of 54 Mbit/s, plus error correction code, which yields realistic net achievable throughput in the mid-20 Mbit/s. It has seen widespread worldwide implementation, particularly within the corporate workspace.
Incorrect answers:
802.11n 802.11n is an amendment that improves upon the previous 802.11 standards; its first draft of certification was published in 2006. The 802.11n standard was retroactively labelled as Wi-Fi 4 by the Wi-Fi Alliance. The standard added support for multiple-input multiple-output antennas (MIMO). 802.11n operates on both the 2.4 GHz and the 5 GHz bands. Support for 5 GHz bands is optional. Its net data rate ranges from 54 Mbit/s to 600 Mbit/s. The IEEE has approved the amendment, and it was published in October 2009. Prior to the final ratification, enterprises were already migrating to 802.11n networks based on the Wi-Fi Alliance's certification of products conforming to a 2007 draft of the 802.11n proposal.
802.11g In June 2003, a third modulation standard was ratified: 802.11g. This works in the 2.4 GHz band (like 802.11b), but uses the same OFDM based transmission scheme as 802.11a. It operates at a maximum physical layer bit rate of 54 Mbit/s exclusive of forward error correction codes, or about 22 Mbit/s average throughput. 802.11g hardware is fully backward compatible with 802.11b hardware, and therefore is encumbered with legacy issues that reduce throughput by ~21% when compared to 802.11a.
802.11i https://en.wikipedia.org/wiki/IEEE_802.11i-2004 IEEE 802.11i-2004, or 802.11i for short, is an amendment to the original IEEE 802.11, implemented as Wi-Fi Protected Access II (WPA2). The draft standard was ratified on 24 June 2004. This standard specifies security mechanisms for wireless networks, replacing the short Authentication and privacy clause of the original standard with a detailed Security clause. In the process, the amendment deprecated broken Wired Equivalent Privacy (WEP), while it was later incorporated into the published IEEE 802.11-2007 standard.
Question 55 of 65
55. Question
Michael, a technical specialist, discovered that the laptop of one of the employees, connected through a wireless access point, could not reach the Internet but could still transfer files locally. He checked the IP address and the default gateway: both are on 192.168.1.0/24. Which of the following caused the problem?
Correct
https://en.wikipedia.org/wiki/Private_network In IP networking, a private network is a computer network that uses private IP address space. Both the IPv4 and the IPv6 specifications define private address ranges. These addresses are commonly used for local area networks (LANs) in residential, office and enterprise environments. Private network addresses are not allocated to any specific organization; anyone may use them without approval from a regional or local Internet registry. Private IPv4 address space was originally defined (RFC 1918) to help delay IPv4 address exhaustion. IP packets originating from or addressed to a private IP address cannot be routed across the public Internet. The IETF has directed IANA to reserve the following IPv4 ranges for private networks:
· 10.0.0.0 to 10.255.255.255 (10.0.0.0/8)
· 172.16.0.0 to 172.31.255.255 (172.16.0.0/12)
· 192.168.0.0 to 192.168.255.255 (192.168.0.0/16)
Internet backbone routers do not forward packets from or to these addresses, so hosts on a private network are, unless something is done about it, isolated from the Internet. Several technologies let such hosts reach the Internet anyway:
· Mediation servers such as IRC, Usenet, SMTP and proxy servers
· Network address translation (NAT)
· Tunneling protocols
NOTE: In the scenario the host and its gateway are correctly configured for the LAN (same private subnet, local transfers work), so the fault is not the private addressing itself but the step that carries traffic from the private network to the public Internet: one of the technologies above, at the gateway, is not doing its job.
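The check a technician would run on the scenario above, as an added example (this is not code from the page or from any tool it names). It assumes Python's standard ipaddress module; the RFC 1918 list is the one given above, and the function names and sample addresses are constructed for illustration:

```python
import ipaddress

# The three IPv4 ranges IANA reserves for private networks (RFC 1918),
# exactly the list given in the explanation above.
RFC1918_NETWORKS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def is_rfc1918(address: str) -> bool:
    """True if the IPv4 address falls inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(address)
    return ip.version == 4 and any(ip in net for net in RFC1918_NETWORKS)


def diagnose(host_cidr: str, gateway: str) -> str:
    """Classify a host/gateway pair the way the scenario above is reasoned about.

    host_cidr is the host address with its prefix length (e.g. "192.168.1.37/24"),
    gateway is the configured default gateway. Returns one of three verdicts.
    """
    iface = ipaddress.ip_interface(host_cidr)
    gw = ipaddress.ip_address(gateway)
    if gw not in iface.network:
        # The host cannot ARP for an off-link gateway, so nothing leaves the LAN at all.
        return "gateway-off-link"
    if is_rfc1918(str(iface.ip)):
        # LAN traffic works, but Internet access depends on NAT, a proxy or a
        # tunnel at the gateway: that is where the scenario's fault must lie.
        return "private-needs-translation"
    return "public-routable"


if __name__ == "__main__":
    # Constructed values matching the scenario: host and gateway both on 192.168.1.0/24.
    print(diagnose("192.168.1.37/24", "192.168.1.1"))  # private-needs-translation
```

The explicit list is used instead of Python's `is_private` property because that property also flags loopback, link-local and other special-purpose ranges, which is broader than the question's definition of a private network.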
Question 56 of 65
56. Question
Which of the following tools is a command-line vulnerability scanner that scans web servers for dangerous files/CGIs?
Correct
https://en.wikipedia.org/wiki/Nikto_(vulnerability_scanner) Nikto is a free-software command-line vulnerability scanner that scans web servers for dangerous files/CGIs, outdated server software and other problems. It performs both generic and server-type-specific checks, and it also captures and prints any cookies received. The Nikto code itself is free software, but the data files that drive it are not.
Incorrect answers:
Snort https://www.snort.org/ Snort is a free, open-source network intrusion detection system (IDS) and intrusion prevention system (IPS) created in 1998 by Martin Roesch, founder and former CTO of Sourcefire. Snort is now developed by Cisco, which acquired Sourcefire in 2013.
John the Ripper https://www.openwall.com/john/ John the Ripper is an open-source password security auditing and password recovery tool available for many operating systems.
Kon-Boot https://en.wikipedia.org/wiki/Kon-Boot Kon-Boot is a software utility that lets users bypass Microsoft Windows and Apple macOS passwords (Linux support has been deprecated) without making lasting or persistent changes to the system on which it is executed. It is also the first reported tool capable of bypassing Windows 10 online (live) account passwords and supporting both Windows and macOS.
Question 57 of 65
57. Question
Ivan, an evil hacker, conducts an SQLi attack based on true/false questions. What type of SQLi is Ivan using?
Correct
https://en.wikipedia.org/wiki/SQL_injection#Blind_SQL_injection Blind SQL injection is used when a web application is vulnerable to SQL injection but the results of the injection are not visible to the attacker. The vulnerable page may not display data at all, but it behaves differently (different content, or a different response time) depending on whether a logical statement injected into the legitimate SQL statement evaluates to true or false, so the attacker asks true/false questions and reads the answer from that difference. This type of attack has traditionally been considered time-intensive because a new statement has to be crafted for each bit recovered and, depending on its structure, many of the requests are unsuccessful. More recent techniques let each request recover multiple bits with no unsuccessful requests, making extraction more consistent and efficient.
Incorrect answers:
Compound SQLi Compound SQLi attacks combine SQLi with cross-site scripting, denial of service, DNS hijacking or insufficient-authentication attacks. Pairing SQLi with other attack methods gives attackers additional ways to avoid detection and circumvent security controls.
Classic SQLi Classic SQLi attacks are the most common and simplest form of SQLi. They can occur whenever an application lets user input reach an SQL statement, and they come in two varieties:
· Error-based SQLi, which gets the web app to throw an SQL error that tells the attacker either about the structure of the database or the particular information they are after.
· UNION-based SQLi, which uses the SQL UNION operator to append a second SELECT to the original query and read data out of other tables.
DMS-specific SQLi Out-of-band SQLi (labelled DMS-specific here, meaning it depends on features of a particular database management system) is a much less common approach. It relies on specific database features being enabled; if they are not, the OOB attack fails. The injected statement makes the database server itself issue an outbound DNS or HTTP request (for example via MSSQL's xp_dirtree or Oracle's UTL_HTTP) to an attacker-controlled host, carrying the extracted data in that request. If successful, an OOB attack can escalate privileges, transmit database contents and generally do the same things other forms of SQLi do.
Question 58 of 65
58. Question
Alex, a cyber security specialist, has to conduct a pentest from inside the network but has received absolutely no information about the network under test. What type of testing will Alex conduct?
Correct
https://en.wikipedia.org/wiki/Black-box_testing Black-box testing is a method of software testing that examines the functionality of an application without looking into its internal structures or workings. It can be applied to virtually every level of software testing: unit, integration, system and acceptance. It is sometimes referred to as specification-based testing. Specific knowledge of the application's code, internal structure or programming in general is not required. The tester knows what the software is supposed to do but not how it does it: for instance, the tester knows that a particular input returns a certain, invariable output but not how the software produces it. In penetration testing the same term describes an engagement in which the tester starts with no prior knowledge of the target (no network diagrams, credentials or source code) and must discover everything, which is exactly Alex's situation; the contrast is white-box testing, where full information is provided, and grey-box testing, where some is.
Question 59 of 65
59. Question
How does a boot sector virus work?
Correct
https://en.wikipedia.org/wiki/Boot_sector#Boot_Sector_Viruses Boot sector viruses are among the oldest forms of computer virus. They infect the boot sector of floppy disks or the Master Boot Record (MBR) of hard disks; some infect the volume boot sector of a hard-disk partition instead of the MBR. The boot sector holds the code the firmware loads to start the operating system and other bootable programs, so a virus stored there runs at every startup before the operating system and therefore before any security software such as antivirus is loaded. When the system is booted from an infected disk, the infected code executes, typically stays resident in memory, and then writes itself to the boot sector of every other disk it sees, which is how it spread so rapidly between floppy disks. It operates below the operating system, using the BIOS disk services rather than OS file APIs, and because it runs before the operating system begins it can do a great deal of damage. What each boot sector virus does beyond spreading depends on its author's aim; irritating adware-style or destructive payloads are the common ones. Boot sector viruses most commonly spread via physical media. Once on a computer the virus modifies or replaces the existing boot code, and from then on it is loaded and run every time the user boots the machine. Infection by phishing is also possible: an e-mail attachment can carry a program that writes the virus code into the boot sector. On modern UEFI systems with Secure Boot the firmware verifies the boot loader's signature before executing it, which is why classic MBR infections are now mostly historical.
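An added example of the check a responder would make on the structure described above (not code from the page or from any named tool): it parses a 512-byte MBR into its boot-code region, partition table and 0x55AA signature, and compares the boot code against a known-good baseline to detect the "modifies or replaces the existing boot code" step. The two sample sectors are constructed here; the boot-code bytes are stubs, not a real loader or real virus:

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot loader code the BIOS executes
PARTITION_TABLE_OFF = 446    # four 16-byte partition entries follow the boot code
SIGNATURE = b"\x55\xAA"      # bytes 510..511; the BIOS refuses to boot without it


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a signature check, a boot-code hash and its partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[PARTITION_TABLE_OFF + 16 * i: PARTITION_TABLE_OFF + 16 * (i + 1)]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4 LE) sector count(4 LE)
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", entry)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": sector[510:512] == SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def boot_code_changed(baseline: bytes, current: bytes) -> bool:
    """Baseline check: has the boot-code region been rewritten since the known-good image?"""
    return parse_mbr(baseline)["boot_code_sha256"] != parse_mbr(current)["boot_code_sha256"]


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Build a constructed MBR: the given boot code, one bootable NTFS partition, valid signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    table = entry + b"\x00" * 48  # remaining three slots unused
    return code + table + SIGNATURE


# Constructed samples: a stub loader, and the same disk after its boot code was replaced.
CLEAN_MBR = make_sample_mbr(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C")
INFECTED_MBR = make_sample_mbr(b"\xEB\x3C\x90VIRUS-STUB")


if __name__ == "__main__":
    print(parse_mbr(CLEAN_MBR))
    print("boot code changed:", boot_code_changed(CLEAN_MBR, INFECTED_MBR))  # True
```

On a real Linux host the first sector is read with `dd if=/dev/sda bs=512 count=1` (as root) and the baseline hash should be taken from a trusted image, not from the suspect disk. Note that the partition table is left intact by the infected sample above, which is typical: a boot sector virus needs the table unchanged so the machine still boots and the infection goes unnoticed.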
Question 60 of 65
60. Question
Ivan, an evil hacker, is preparing to attack the network of a financial company. To do this, he wants to collect information about the operating systems used on the company's computers. Which of the following techniques will Ivan use to achieve the desired result?
Correct
https://en.wikipedia.org/wiki/Banner_grabbing Banner grabbing is a technique used to gain information about a computer system on a network and the services running on its open ports. Administrators can use it to take inventory of the systems and services on their network; an intruder uses it to find hosts running versions of applications and operating systems with known exploits, since many service banners name the software version and often the operating system or distribution that built it. Typical ports used for banner grabbing are those of HTTP, FTP and SMTP (80, 21 and 25 respectively). Tools commonly used to perform banner grabbing are Telnet, nmap and Netcat.
Incorrect answers:
IDLE/IPID Scanning https://en.wikipedia.org/wiki/Idle_scan The idle scan is a TCP port scan method that sends spoofed packets to a target to find out which services are available, impersonating another computer whose network traffic is very slow or nonexistent (not transmitting or receiving information). Such an idle computer is called a "zombie". It reveals open ports, not the operating system.
SSDP Scanning https://en.wikipedia.org/wiki/Simple_Service_Discovery_Protocol The Simple Service Discovery Protocol (SSDP) is a network protocol based on the Internet protocol suite for advertisement and discovery of network services and presence information. It does this without server-based configuration mechanisms such as DHCP or DNS and without special static configuration of a network host. SSDP is the basis of the discovery protocol of Universal Plug and Play (UPnP) and is intended for residential or small-office environments. It was formally described in an IETF Internet-Draft by Microsoft and Hewlett-Packard in 1999. Although that draft expired in April 2000, SSDP was incorporated into the UPnP protocol stack, and a description of the final implementation is included in the UPnP standards documents.
UDP Scanning UDP scans, like TCP scans, send a packet to various ports on the target host and evaluate the responses to determine whether a service is available. A UDP reply means the port is open, an ICMP port-unreachable message means it is closed, and no response at all is ambiguous (open or filtered), which is what makes UDP scanning slow.
Question 61 of 65
61. Question
In which of the following SQL injection attacks does an attacker usually bypass user authentication and extract data by using a conditional OR clause so that the condition of the WHERE clause is always true?
Correct
In a tautology-based attack, code is injected using the conditional OR operator so that the query's WHERE clause always evaluates to TRUE. Tautology-based SQL injection is usually used to bypass user authentication and extract data by inserting a tautology into the WHERE clause of a SQL query. Transforming the original condition into a tautology exposes every row of the table to the unauthorized user. A typical SQL tautology has the form OR <comparison expression>, where the comparison expression uses one or more relational operators to compare operands and produce a condition that is always true. If an unauthorized user enters the user id abcd and the password anything' or 'x'='x, the resulting query is:
select * from user_details where userid = 'abcd' and password = 'anything' or 'x'='x'
Because AND binds more tightly than OR, the database evaluates this as (userid = 'abcd' and password = 'anything') or ('x'='x'); the second operand is true for every row, so the password check is never decisive.
Incorrect answers:
Error-based SQLi. In the error-based technique the attacker inserts a malicious query into input fields and provokes an error message about the SQL syntax or the database. For example, a MySQL syntax error looks like this: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near VALUE. The error message reveals which database is in use and where in the query the syntax error occurred. The error-based technique is often the easiest way to find SQL injection.
UNION SQLi. When an application is vulnerable to SQL injection and the results of the query are returned within the application's responses, the UNION keyword can be used to retrieve data from other tables within the database. This is an SQL injection UNION attack. The UNION keyword lets you execute one or more additional SELECT queries and append their results to the original query. For example:
SELECT a, b FROM table1 UNION SELECT c, d FROM table2
This query returns a single result set with two columns, containing values from columns a and b in table1 and columns c and d in table2. For a UNION query to work, two key requirements must be met:
· The individual queries must return the same number of columns.
· The data types in each column must be compatible between the individual queries.
To carry out an SQL injection UNION attack, the injected query must meet these two requirements.
End-of-line comment. After injecting code into a particular field, the legitimate code that follows is nullified by an end-of-line comment (-- in most SQL dialects):
SELECT * FROM user WHERE name = 'x' AND userid IS NULL; --';
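The three injection forms described above, as an added example that is not part of the quiz page: each payload is run against a string-concatenated query (vulnerable) and against a parameterised query (hardened) on an in-memory SQLite database. The table names, rows and payload strings are constructed for this example.

```python
"""Added example (not from the quiz page): tautology, UNION and end-of-line
comment injections against a string-concatenated query, beside the
parameterised query that resists them. Schema, rows and payloads are constructed."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample schema: a user table plus a table the app never exposes."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE user_details (userid TEXT, password TEXT, role TEXT);
        INSERT INTO user_details VALUES ('alice', 's3cret',  'admin');
        INSERT INTO user_details VALUES ('bob',   'hunter2', 'user');
        CREATE TABLE secrets (id INTEGER, value TEXT);
        INSERT INTO secrets VALUES (1, 'flag{constructed-sample}');
    """)
    return con


def login_vulnerable(con, userid, password):
    """Vulnerable: attacker-controlled text becomes part of the SQL grammar."""
    sql = ("SELECT userid, role FROM user_details "
           f"WHERE userid = '{userid}' AND password = '{password}'")
    return con.execute(sql).fetchall()


def login_safe(con, userid, password):
    """Hardened: bound parameters travel as data and are never parsed as SQL,
    so quotes, OR, UNION and -- inside them have no syntactic effect."""
    sql = "SELECT userid, role FROM user_details WHERE userid = ? AND password = ?"
    return con.execute(sql, (userid, password)).fetchall()


# Payloads matching the explanation: tautology in the password field,
# UNION and end-of-line comment in the userid field.
TAUTOLOGY = "anything' or 'x'='x"   # AND binds tighter than OR, so OR 'x'='x' is true for every row
UNION = "' UNION SELECT id, value FROM secrets --"   # two columns, matching userid, role
COMMENT = "alice' --"               # -- discards the AND password = ... check that follows


def run_attacks():
    """Run every payload through both login functions; returns the row lists."""
    con = build_db()
    results = {
        "tautology_vuln": login_vulnerable(con, "abcd", TAUTOLOGY),
        "tautology_safe": login_safe(con, "abcd", TAUTOLOGY),
        "union_vuln": login_vulnerable(con, UNION, "x"),
        "union_safe": login_safe(con, UNION, "x"),
        "comment_vuln": login_vulnerable(con, COMMENT, "wrong"),
        "comment_safe": login_safe(con, COMMENT, "wrong"),
    }
    con.close()
    return results


if __name__ == "__main__":
    for name, rows in run_attacks().items():
        print(f"{name:15s} -> {rows}")
```

The vulnerable function returns both user rows for the tautology, the hidden secrets row for the UNION payload, and alice's row without her password for the comment payload; the parameterised function returns nothing for all three, because the payload is compared literally against the stored userid and password.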
Question 62 of 65
62. Question
Let‘s assume that you decided to use PKI to protect the email you will send. At what layer of the OSI model will this message be encrypted and decrypted?
Correct
https://en.wikipedia.org/wiki/Presentation_layer In the seven-layer OSI model of computer networking, the presentation layer is layer 6 and serves as the data translator for the network. It is sometimes called the syntax layer. The presentation layer is responsible for the formatting and delivery of information to the application layer for further processing or display. Encryption is typically done at this level too, although it can be done on the application, session, transport, or network layers, each having its own advantages and disadvantages. Decryption is also handled at the presentation layer. For example, when logging on to bank account sites the presentation layer will decrypt the data as it is received.
Question 63 of 65
63. Question
The firewall prevents packets from entering the organization through certain ports and applications. What does this firewall check?
Correct
https://en.wikipedia.org/wiki/Transport_layer The Transport layer provides data segmentation and the control necessary to reassemble these pieces into the various communication streams. Its primary responsibilities are:
· tracking the individual communication between applications on the source and destination hosts;
· segmenting data and managing each piece;
· reassembling the segments into streams of application data;
· identifying the different applications.
To pass data streams to the proper applications, the Transport layer must identify the target application. To accomplish this, the Transport layer assigns each application an identifier; the TCP/IP protocols call this identifier a port number. Each software process that needs to access the network is assigned a port number that is unique on that host. This port number is carried in the transport-layer header to indicate which application the piece of data belongs to. The Transport layer is the link between the Application layer and the lower layers responsible for network transmission.
https://en.wikipedia.org/wiki/Port_(computer_networking) A port is a communication endpoint. At the software level, within an operating system, a port is a logical construct that identifies a specific process or a type of network service. A port is identified for each transport protocol and address combination by a 16-bit unsigned number, known as the port number. The most common transport protocols that use port numbers are the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP).
NOTE: A question on a similar topic may occur in your exam, so I decided to answer this question by eliminating the deliberately incorrect options, although I probably should have answered by listing what firewalls check. It's just easier and more understandable. The easiest way to filter is to close the port; ports are the essence of the transport layer – the issue is resolved. But there is a problem here – application-layer headers. Some application-layer protocols have headers, and some don't. The OSI model does not require them to have headers, and if there's no need to carry control information separate from the payload, they don't have to have headers. Probably the creator of a similar question was mistaken about the way an application firewall works.
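What a port-based firewall actually inspects, as an added example that is not from the quiz page: a minimal stateless filter that parses the IPv4 header, reads the protocol field, then reads the port numbers from the transport-layer header that follows and matches them against a rule table. The addresses, ports, rules and packets are constructed for the example, not captured traffic.

```python
"""Added example (not from the quiz page): a minimal stateless packet filter.
It parses the IPv4 header and the transport-layer header of a raw packet and
decides on protocol and destination port, which is exactly what a port-based
firewall rule inspects. Packets and rules are constructed, not captured."""
import struct

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17


def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_ipv4(proto, payload, src="203.0.113.9", dst="192.0.2.10"):
    """IPv4 header without options (checksum left 0; the filter does not need it)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ip_bytes(src), ip_bytes(dst))
    return hdr + payload


def build_tcp(sport, dport, flags=0x02):
    """20-byte TCP header: data offset 5 words, SYN flag by default."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 65535, 0, 0)


def build_udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def parse(packet):
    """Return (proto, src, dst, sport, dport). Ports come from the transport
    header, which starts right after the IHL-sized IP header."""
    if packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        # Both TCP and UDP put source and destination port in their first 4 bytes.
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    else:
        sport = dport = None  # e.g. ICMP has no ports at all
    return proto, src, dst, sport, dport


# Inbound rule table, first match wins; anything unmatched is dropped.
RULES = [
    (IPPROTO_TCP, 443, "allow"),
    (IPPROTO_TCP, 80, "allow"),
    (IPPROTO_UDP, 53, "allow"),
    (IPPROTO_TCP, 23, "deny"),   # explicit deny for telnet, same effect as the default
]
DEFAULT_ACTION = "deny"


def decide(packet):
    proto, _, _, _, dport = parse(packet)
    for rule_proto, rule_port, action in RULES:
        if rule_proto == proto and rule_port == dport:
            return action
    return DEFAULT_ACTION


if __name__ == "__main__":
    for label, pkt in [("tcp/443", build_ipv4(IPPROTO_TCP, build_tcp(40001, 443))),
                       ("tcp/23", build_ipv4(IPPROTO_TCP, build_tcp(40002, 23))),
                       ("udp/53", build_ipv4(IPPROTO_UDP, build_udp(40003, 53))),
                       ("icmp", build_ipv4(IPPROTO_ICMP, bytes(8)))]:
        print(label, "->", decide(pkt))
```

The filter never looks past the transport header: a TCP/443 packet whose payload is plaintext HTTP rather than TLS is still allowed, which is exactly the gap that application-layer inspection (the subject of the NOTE above) exists to close.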
Question 64 of 65
64. Question
After several unsuccessful attempts to extract cryptography keys using software methods, Mark is thinking about trying another code-breaking methodology. Which of the following will best suit Mark based on his unsuccessful attempts?
Correct
Mark's software-based attempts (brute force and frequency analysis are both run by software against the ciphertext or the key space) have already failed, so the remaining methodology that suits him is Trickery and Deceit, which targets the people who hold the keys rather than the cipher itself.
Trickery and Deceit: involves the use of social engineering techniques to extract cryptography keys.
Brute-Force: cryptography keys are discovered by trying every possible combination.
One-Time Pad: a one-time pad contains many non-repeating groups of letter or number keys, chosen randomly; it is an encryption scheme, not a code-breaking method.
Frequency Analysis: the study of the frequency of letters or groups of letters in a ciphertext. It works on the fact that, in any given stretch of written language, certain letters and combinations of letters occur with varying frequencies.
Question 65 of 65
65. Question
Ferdinand installs a virtual communication tower between the two authentic endpoints to mislead the victim. What attack does Ferdinand perform?
Correct
The aLTEr attack was first published at the 2019 IEEE Symposium on Security & Privacy. It is implemented with a fake eNodeB (the 4G cell tower) acting as a man-in-the-middle (MiTM): the attacked User Equipment (UE) is persuaded to connect to the network through this equipment, which acts as a malicious relay. The researchers named it the aLTEr attack.
The vulnerability. The attacker, who can see the encrypted communication of the target UE, takes advantage of the fact that this channel has no integrity protection and manipulates (aLTErs) the transmitted data so that what arrives at the destination is fabricated by the attacker. Since the manipulation is performed on the encrypted channel, the attacker has to alter the ciphertext in such a way that the desired content is produced after decryption. This is possible without the encryption key because the LTE user-plane ciphering algorithms (AES in counter mode among them) are stream ciphers: each ciphertext bit is the XOR of a plaintext bit with a keystream bit, so flipping a ciphertext bit flips exactly the corresponding plaintext bit. The attacker only needs to know the clear (unencrypted) value of the part of the message he intends to manipulate. The mechanism is elaborated below.
The goal. The goal of the attack is DNS spoofing. DNS servers are the Internet network elements responsible for resolving textual names (the host part of a URL) to numerical IP addresses. The attacker's goal is to alter the destination IP address of the DNS query issued by the target UE so that the request is routed to a malicious DNS server operated by the attacker. The fake DNS server then answers the target's request for the IP address of a website with a malicious response, and the target ends up accessing a malicious site operated by the attacker.
The mechanism. The actual attack is accomplished by changing the IP address of the DNS server in the query issued by the target device. As described above, the manipulation is performed while the communication is still encrypted. The attacker knows the correct IP address of the legitimate DNS server, so once the position of the encrypted destination address inside the packet is located, the attacker XORs the ciphertext at that position with (legitimate address XOR fake address); after decryption the packet carries the IP address of the fake DNS server. Such an attack is very effective, overcoming the basic security capabilities of LTE and 5G, because no integrity protection was included on the user plane.
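The manipulation described above, as an added example that is not from the aLTEr paper or the quiz page: a DNS query inside an IPv4 packet is encrypted with a stream cipher and, with no knowledge of the key, its destination address (and the header checksum that covers it) is flipped to the attacker's resolver; the same packet protected with a MAC is rejected. LTE ciphering (for example EEA2, AES in counter mode) XORs data with a keystream; because the Python standard library has no AES, the example substitutes an HMAC-SHA256-derived keystream, which is malleable in exactly the same way. The addresses, session key, packet counter and query bytes are all constructed.

```python
"""Added example (not from the aLTEr paper or the quiz page): why a packet
encrypted with a stream cipher but carrying no integrity tag can be redirected
to an attacker's DNS server, and how a MAC stops it. The keystream is an
HMAC-SHA256 stand-in for LTE's counter-mode ciphering; addresses, key,
counter and packet contents are constructed."""
import hashlib
import hmac
import struct

TAG_LEN = 4  # LTE's MAC-I is 32 bits; the same length is used here


def keystream(key, count, length):
    """Counter-mode keystream stand-in: concatenated HMAC(key, count || block)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack("!II", count, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt(key, count, data):
    """Stream-cipher encryption: C = P xor keystream. Decryption is the same operation."""
    return bytes(p ^ k for p, k in zip(data, keystream(key, count, len(data))))


decrypt = encrypt


def ipv4_checksum(header):
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_ipv4_header(src, dst, payload_len, proto=17):
    """20-byte IPv4 header (UDP by default) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, ip_bytes(src), ip_bytes(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


UE_IP = "10.20.30.40"        # constructed
LEGIT_DNS = "192.0.2.53"     # constructed: the operator's resolver, known to the attacker
EVIL_DNS = "198.51.100.66"   # constructed: the attacker's resolver
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x07example\x03com\x00\x00\x01\x00\x01")  # constructed A query


def ue_packet(dns_ip):
    return build_ipv4_header(UE_IP, dns_ip, len(DNS_QUERY)) + DNS_QUERY


def alter(ciphertext, known_plain, wanted_plain):
    """Attacker step, no key needed: C' = C xor P xor P' decrypts to P'.
    Only bytes where the known and wanted plaintext differ are changed."""
    out = bytearray(ciphertext)
    for i, (p, q) in enumerate(zip(known_plain, wanted_plain)):
        out[i] ^= p ^ q
    return bytes(out)


def run_attack(key=b"constructed-session-key", count=7):
    """Returns the destination IP the network sees after decryption, plus the packet."""
    pkt = ue_packet(LEGIT_DNS)
    on_air = encrypt(key, count, pkt)
    # The attacker knows the header layout and the legitimate DNS address, so it can
    # compute the whole substitute header, checksum included, and flip the ciphertext to it.
    wanted_hdr = build_ipv4_header(UE_IP, EVIL_DNS, len(DNS_QUERY))
    tampered = alter(on_air, pkt[:20], wanted_hdr)
    received = decrypt(key, count, tampered)
    return received[16:20], received


def protect(key, count, data):
    """With integrity protection: ciphertext followed by a MAC over count || ciphertext."""
    ct = encrypt(key, count, data)
    tag = hmac.new(key + b"|int", struct.pack("!I", count) + ct, hashlib.sha256).digest()
    return ct + tag[:TAG_LEN]


def verify_and_decrypt(key, count, msg):
    """Returns the plaintext, or None when the tag does not verify (packet dropped)."""
    ct, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    expected = hmac.new(key + b"|int", struct.pack("!I", count) + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected[:TAG_LEN]):
        return None
    return decrypt(key, count, ct)
```

After run_attack the network decrypts a packet addressed to 198.51.100.66 with a valid IPv4 checksum and an untouched DNS question, although the attacker never saw the key. With protect and verify_and_decrypt the same byte flips change the ciphertext the tag was computed over, so verification fails and the packet is dropped; that check is what the missing user-plane integrity protection would have provided.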