Threats, Attacks, and Vulnerabilities (4) Flashcards

1
Q

Farès is the CISO of a bank. He has received an email that is encouraging him to click on a link and fill out a survey. Being security conscious, he normally does not click on links. However, this email calls him by name and claims to be a follow-up to a recent conference he attended. Which of the following best describes this attack?

Clickjacking

Spear phishing

Whaling

A

Whaling

This is a classic example of whaling, phishing that targets a specific individual

2
Q

You are responsible for technical support at your company. Users are all complaining of very slow Internet connectivity. When you examine the firewall, you find a large number of incoming connections that are not completed, all packets coming from a single IP address. What best describes this attack?

DDoS

SYN flood

Buffer overflow

A

SYN flood

A large number of half-open connections is the hallmark of a SYN flood

3
Q

An attacker is trying to get malformed queries sent to the backend database to circumvent the web page’s security. What type of attack depends on the attacker entering text into text boxes on a web page that is not normal text, but rather odd-looking commands that are designed to be inserted into database queries?

SQL injection

Clickjacking

Cross-site scripting

A

SQL injection

SQL injection places malformed SQL into text boxes

4
Q

Tyrell is responsible for selecting cryptographic products for his company. The company wants to encrypt the drives of all laptops. The product they have selected uses 128-bit AES encryption for full disk encryption, and users select a password to decrypt the drive. What, if any, would be the major weakness in this system?

None; this is a good system.

The 128-bit AES key is too short.

The passwords users select are the weak link.

A

The passwords users select are the weak link.

The user-selected password is always a weak link in hard drive encryption

5
Q

Valerie is responsible for security testing applications in her company. She has discovered that a web application, under certain conditions, can generate a memory leak. What type of attack would this leave the application vulnerable to?

DoS

Backdoor

SQL injection

A

DoS

If an attacker can induce the web application to generate the memory leak, then eventually the web application will consume all memory on the web server and the web server will freeze up

6
Q

When a multithreaded application does not properly handle various threads accessing a common value, what flaw is this?

Memory leak

Integer overflow

Race condition

A

Race condition

This is the definition of a race condition

7
Q

Acme Company is using smart cards that use near-field communication (NFC) rather than needing to be swiped. This is meant to make physical access to secure areas more secure. What vulnerability might this also create?

Tailgating

Eavesdropping

IP spoofing

A

Eavesdropping

Near-field communication (NFC) is susceptible to an attacker eavesdropping on the signal

8
Q

John is responsible for physical security at a large manufacturing plant. Employees all use a smart card in order to open the front door and enter the facility. Which of the following is a common way attackers would circumvent this system?

Phishing

Tailgating

Spoofing the smart card

A

Tailgating

Tailgating involves simply following a legitimate user through the door once he or she has opened it

9
Q

Which of the following is the term for an attack wherein malware inserts itself as a library, such as a DLL, between an application and the real system library the application is attempting to communicate with?

Jamming

Evil twin

Shimming

A

Shimming

This is the definition of shimming

10
Q

You are responsible for incident response at Acme Corporation. You have discovered that someone has been able to circumvent the Windows authentication process for a specific network application. It appears that the attacker took the stored hash of the password and sent it directly to the backend authentication service, bypassing the application. What type of attack is this?

Hash spoofing

Shimming

Pass the hash

A

Pass the hash

This scenario is the definition of passing the hash

11
Q

A user in your company reports that she received a call from someone claiming to be from the company technical support team. The caller stated that there was a virus spreading through the company and he needed immediate access to the employee’s computer to stop it from being infected. What social-engineering principles did the caller use to try to trick the employee?

Urgency and intimidation

Urgency and authority

Authority and trust

A

Urgency and authority

Claiming to be from tech support is claiming authority, and the story the caller gave indicates urgency

12
Q

Ahmed has discovered that someone has manipulated tables in one of the company’s switches. The manipulation has changed the tables so that data destined for one specific MAC address will now be routed elsewhere. What type of attack is this?

ARP poisoning

DNS poisoning

Man-in-the-middle

A

ARP poisoning

This is the definition of ARP poisoning

13
Q

You are investigating incidents at Acme Corporation and have discovered malware on several machines. It appears that this malware infects system files in the Windows/System32/ directory and also affects the boot sector. What type of malware is this?

Multipartite

Boot sector

Macro virus

A

Multipartite

This is a classic multipartite virus. It infects the boot sector, as well as an operating system file

14
Q

What type of attack uses Bluetooth to access the data from a cell phone when in range?

Phonejacking

Bluejacking

Bluesnarfing

A

Bluesnarfing

Bluesnarfing accesses data on the cell phone

15
Q

An attacker is using a table of precomputed hashes in order to try to get a Windows password. What type of technique is being used?

Dictionary

Brute force

Rainbow table

A

Rainbow table

A rainbow table is a table of precomputed hashes

16
Q

Carlos works in incident response for a mid-sized bank. Users inform him that internal network connections are fine, but connecting to the outside world is very slow. Carlos reviews logs on the external firewall and discovers tens of thousands of ICMP packets coming from a wide range of different IP addresses. What type of attack is occurring?

Smurf

DoS

DDoS

A

DDoS

The fact that the attack is coming from multiple sources makes this a distributed denial of service

17
Q

What type of attack is it when the attacker attempts to get the victim’s communication to abandon a high-quality/secure mode in favor of a lower-quality/less secure mode?

Downgrade

Brute force

Rainbow table

A

Downgrade

A downgrade attack is often used against secure communications such as TLS in an attempt to get the user to shift to less secure modes

18
Q

What type of penetration test is being done when the tester is given extensive knowledge of the target network?

White-box

Full disclosure

Black-box

A

White-box

In a white-box test, the tester is given extensive knowledge of the target network

19
Q

Your company is instituting a new security awareness program. You are responsible for educating end users on a variety of threats, including social engineering. Which of the following best defines social engineering?

Illegal copying of software

Gathering information from discarded manuals and printouts

Using people skills to obtain proprietary information

A

Using people skills to obtain proprietary information

Social engineering is about using people skills to get information you would not otherwise have access to

20
Q

Which of the following attacks can be caused by a user being unaware of their physical surroundings?

ARP poisoning

Phishing

Shoulder surfing

A

Shoulder surfing

Shoulder surfing involves literally looking over someone’s shoulder in a public place and gathering information, perhaps login passwords

21
Q

Francine is a network administrator for Acme Corporation. She has noticed that one of the servers is now unreachable. After carefully reviewing various logs, she discovers that a large number of broadcast packets were sent to the network router, spoofing the server’s IP address. What type of attack is this?

SYN flood

Buffer overflow

Smurf attack

A

Smurf attack

The sending of spoofed broadcast messages to the target network router is a Smurf attack

22
Q

An attacker enters code into a text box on a website. That text box is used for product reviews. The attacker wants his code to execute the next time a visitor visits that page. What is this attack called?

SQL injection

Logic bomb

Cross-site scripting

A

Cross-site scripting

Cross-site scripting involves entering code (script) into a text field that will be displayed to other users

23
Q

A user is redirected to a different website when the user requests the DNS record www.xyz.com. Which of the following is this an example of?

DNS poisoning

DoS

DNS caching

A

DNS poisoning

Putting false entries into the DNS records of a DNS server is DNS poisoning

24
Q

Tom is the network administrator for a small accounting firm. As soon as he comes in to work, users report to him that they cannot connect to the network. After investigating, Tom discovers that none of the workstations can connect to the network and all have an IP address in the form of 169.254.x.x. What has occurred?

Man-in-the-middle attack

DDoS

DHCP starvation

A

DHCP starvation

IP addresses in the range of 169.254 are automatic private IP addresses (APIPA) and indicate the system could not get a dynamic IP address from the DHCP server. This is a typical symptom of DHCP starvation

25
Q

Which of the following would most likely use a group of bots to stop a web server from accepting new requests?

DoS

DDoS

Buffer overflow

A

DDoS

Distributed denial-of-service (DDoS) attacks often use bots in a botnet to perform the attack

26
Q

Which of the following would a former employee most likely plant on a server before leaving to cause disruption to the network?

Worm

Logic bomb

Trojan

A

Logic bomb

A logic bomb will perform its malicious activity when some condition is met, often a date or time. This is commonly done by disgruntled exiting employees

27
Q

A SYN flood is a DoS attack in which an attacker deliberately violates the three-way handshake and opens a large number of half-open TCP connections. The signature of a SYN flood attack is:

The source and destination port numbers having the same value

A large number of SYN packets appearing on a network without the corresponding ACK packets

A large number of SYN packets appearing on a network with the corresponding reply RST

A

A large number of SYN packets appearing on a network without the corresponding ACK packets

A correct three-way handshake involves the client sending a SYN packet, the server responding with SYN and ACK, and the client completing the handshake with an ACK. If you see a large number of SYN packets without the corresponding ACK, that is likely to be a SYN flood

28
Q

What does white-box testing mean?

The tester has full knowledge of the environment.

The tester has no knowledge of the environment.

The tester has permission to access the system.

A

The tester has full knowledge of the environment.

In a white-box test, the tester has full or very nearly full knowledge of the system

29
Q

Ahmed has been hired to perform a penetration test of Acme Corporation. He begins by looking at IP address ranges owned by the company and details of domain name registration. He also visits social media and newsgroups to see if they contain any sensitive information or have any technical details online. Within the context of penetration-testing methodology, what phase is Ahmed conducting?

Passive information gathering

Active information gathering

Initial exploitation

A

Passive information gathering

Passive information gathering involves using methods other than directly accessing the network to gather information. Social media and newsgroups are commonly used

30
Q

Mary works for a large insurance company, on their cybersecurity team. She is investigating a recent incident and discovers that a server was breached using an authorized user’s account. After investigating the incident further, Mary believes that the authorized user logged on, and then someone else took over their session. What best describes this attack?

Man-in-the-middle

Session hijacking

Backdoor

A

Session hijacking

This is the definition of session hijacking