CHAPTER 21 Questions Flashcards

1
Q

Dylan is reviewing the security controls currently used by his organization and realizes that he lacks a tool that might identify abnormal actions taken by an end user. What type of tool would best meet this need?

A. EDR
B. Integrity monitoring
C. Signature detection
D. UEBA

A

D. UEBA

User and entity behavior analytics (UEBA) tools develop profiles of individual behavior and then monitor users for deviations from those profiles that may indicate malicious activity and/or compromised accounts. This type of tool would meet Dylan’s requirements. Endpoint detection and response (EDR) tools watch for unusual endpoint behavior but do not analyze user activity. Integrity monitoring is used to identify unauthorized system/file changes. Signature detection is a malware detection technique.

2
Q

Tim is working to improve his organization’s antimalware defenses and would also like to reduce the operational burden on his security team. Which one of the following solutions would best meet his needs?

A. UEBA
B. MDR
C. EDR
D. NGEP

A

B. MDR

All of these technologies are able to play important roles in defending against malware and other endpoint threats. User and entity behavior analytics (UEBA) looks for behavioral anomalies. Endpoint detection and response (EDR) and next-generation endpoint protection (NGEP) identify and respond to malware infections. However, only managed detection and response (MDR) combines antimalware capabilities with a managed service that reduces the burden on the IT team.

3
Q

Carl works for a government agency that has suffered a ransomware attack and has lost access to critical data but does have access to backups. Which one of the following actions would best restore this access while minimizing the risk facing the organization?

A. Pay the ransom
B. Rebuild systems from scratch
C. Restore backups
D. Install antivirus software

A

C. Restore backups

If Carl has backups available, that would be his best option to recover operations (restoring onto systems that have first been cleaned or rebuilt, so the ransomware is not reintroduced along with the data). He could also pay the ransom, but this would expose his organization to legal risks and incur unnecessary costs. Rebuilding the systems from scratch would not restore his data. Installing antivirus software would be helpful in preventing future compromises, but these packages would not likely be able to decrypt the missing data.

4
Q

What attack technique is often leveraged by advanced persistent threat groups but not commonly available to other attackers, such as script kiddies and hacktivists?

A. Zero-day exploit
B. Social engineering
C. Trojan horse
D. SQL injection

A

A. Zero-day exploit

Although an advanced persistent threat (APT) may leverage any of these attacks, they are most closely associated with zero-day attacks due to the cost and complexity of the research required to discover or purchase them. Social engineering, Trojans (and other malware), and SQL injection attacks are often attempted by many different types of attackers.

5
Q

John found a vulnerability in his code where an attacker can enter too much input and then force the system running the code to execute targeted commands. What type of vulnerability has John discovered?

A. TOCTTOU
B. Buffer overflow
C. XSS
D. XSRF

A

B. Buffer overflow

Buffer overflow vulnerabilities exist when a developer does not properly validate user input to ensure that it is of an appropriate size. Input that is too large can “overflow” a data structure to affect other data stored in the computer’s memory, including return addresses and other control data, which is how the attacker redirects execution. Time-of-check to time-of-use (TOCTTOU) attacks exploit timing differences that lead to race conditions. Cross-site scripting (XSS) attacks force the execution of malicious scripts in the user’s browser. Cross-site request forgery (XSRF) attacks exploit the browser’s habit of automatically attaching a user’s session credentials to requests, so that a request forged by another site is accepted as if the user had made it.

6
Q

Mary identified a vulnerability in her code where it fails to check during a session to determine whether a user’s permission has been revoked. What type of vulnerability is this?

A. Backdoor
B. TOC/TOU
C. Buffer overflow
D. SQL injection

A

B. TOC/TOU

TOC/TOU is a type of timing vulnerability that occurs when a program checks access permissions too far in advance of a resource request. Backdoors are code that allows those with knowledge of the backdoor to bypass authentication mechanisms. Buffer overflow vulnerabilities exist when a developer does not properly validate user input to ensure that it is of an appropriate size. Input that is too large can “overflow” a data structure to affect other data stored in the computer’s memory. SQL injection attacks include SQL code in user input in the hopes that it will be passed to and executed by the backend database.
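The failure mode in Mary's card, as an added example (not code from the page or from any textbook): a session that snapshots permissions at login versus one that checks them at the moment of use. The permission store, user name and permission name are constructed for the illustration.

```python
from typing import Dict, Set, Tuple

# Constructed permission store for this example: user -> granted permissions.
PERMISSIONS: Dict[str, Set[str]] = {}


def reset_permissions() -> None:
    PERMISSIONS.clear()
    PERMISSIONS["mary"] = {"read_report"}


def revoke(user: str, permission: str) -> None:
    """An administrator revokes a permission while the user is still logged in."""
    PERMISSIONS.get(user, set()).discard(permission)


class CachedSession:
    """The vulnerable pattern: permissions are checked once, at login, and the
    answer is trusted for the rest of the session. A revocation made after
    login is not seen until the user logs in again (time of check is far
    ahead of time of use)."""

    def __init__(self, user: str) -> None:
        self.user = user
        self._granted = set(PERMISSIONS.get(user, set()))   # snapshot taken at login

    def can(self, permission: str) -> bool:
        return permission in self._granted


class FreshSession:
    """The corrected pattern: the authorization decision is made at time of
    use, against the current permission store, on every request."""

    def __init__(self, user: str) -> None:
        self.user = user

    def can(self, permission: str) -> bool:
        return permission in PERMISSIONS.get(self.user, set())


def demo() -> Tuple[bool, bool]:
    """Returns (cached_allows, fresh_allows) after 'read_report' is revoked mid-session."""
    reset_permissions()
    cached, fresh = CachedSession("mary"), FreshSession("mary")
    assert cached.can("read_report") and fresh.can("read_report")   # both pass at login
    revoke("mary", "read_report")                                    # revoked during the session
    return cached.can("read_report"), fresh.can("read_report")


if __name__ == "__main__":
    print(demo())   # (True, False): the cached session still grants access
```

The usual compromise in real systems is a short-lived cache with an explicit invalidation hook on revocation; the point is that the check must be tied to the use, not to the login.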

7
Q

What programming language construct is commonly used to perform error handling?

A. If…then
B. Case…when
C. Do…while
D. Try…catch

A

D. Try…catch

The try…catch clause is used to attempt to evaluate code contained in the try clause and then handle errors with the code located in the catch clause. The other constructs listed here (if…then, case…when, and do…while) are all used for control flow.

8
Q

Fred is reviewing the logs from his web server for malicious activity and finds this request: http://www.mycompany.com/../../../etc/passwd. What type of attack was most likely attempted?

A. SQL injection
B. Session hijacking
C. Directory traversal
D. File upload

A

C. Directory traversal

In this case, the .. operators are the telltale giveaway that the attacker was attempting to conduct a directory traversal attack. This particular attack sought to break out of the web server’s document root and access the /etc/passwd file on the server. SQL injection attacks would contain SQL code. File upload attacks seek to upload a file to the server. Session hijacking attacks require the theft of authentication tokens or other credentials.
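How the request Fred found actually escapes the document root, and the check that stops it, as an added example (not code from the page): a naive path join versus one that normalizes and then verifies the result still lies under the document root. The document root path is an assumption for the illustration.

```python
import os
from pathlib import Path
from typing import Optional

# Constructed for this example: the server's document root and the path from
# the request on this page, with the host stripped.
WEBROOT = Path("/var/www/html")
FRED_REQUEST = "../../../etc/passwd"


def resolve_naively(webroot: Path, requested: str) -> Path:
    """Vulnerable: join the requested path onto the document root and
    normalize it. Each '..' segment walks one directory upward, so the
    normalized result can land anywhere on the filesystem."""
    return Path(os.path.normpath(os.path.join(str(webroot), requested)))


def resolve_safely(webroot: Path, requested: str) -> Optional[Path]:
    """Hardened: normalize the same way, then require the result to still lie
    under the document root. Returns None for any request that escapes, which
    the caller should reject (HTTP 403/404) and log."""
    # A leading '/' is treated as relative to the document root, as web servers do.
    candidate = Path(os.path.normpath(os.path.join(str(webroot), requested.lstrip("/"))))
    try:
        candidate.relative_to(webroot)   # raises ValueError when outside webroot
    except ValueError:
        return None
    return candidate


if __name__ == "__main__":
    print("naive :", resolve_naively(WEBROOT, FRED_REQUEST))    # /etc/passwd
    print("safe  :", resolve_safely(WEBROOT, FRED_REQUEST))     # None
    print("normal:", resolve_safely(WEBROOT, "images/logo.png"))
```

Two caveats for production use: percent-decode the request before the check (attackers send `%2e%2e%2f`, and sometimes double-encode it), and call `.resolve()` on the candidate so symbolic links inside the document root cannot point back out of it.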

9
Q

A developer added a subroutine to a web application that checks to see whether the date is April 1 and, if it is, randomly changes user account balances. What type of malicious code is this?

A. Logic bomb
B. Worm
C. Trojan horse
D. Virus

A

A. Logic bomb

Logic bombs wait until certain conditions are met before delivering their malicious payloads. Worms are malicious code objects that move between systems under their own power, whereas viruses require some type of human intervention. Trojan horses masquerade as useful software but then carry out malicious functions after installation.

10
Q

Francis is reviewing the source code for a database-driven web application that his company is planning to deploy. He is paying particular attention to the use of input validation within that application. Of the characters listed here, which is most commonly used in SQL injection attacks?

A. !
B. &
C. *
D. '

A

D. '

The single quote character (') delimits string literals in SQL. An attacker who can place one into a web form closes the application's string early and appends SQL of their own, so it must be handled carefully (ideally by passing input as a bound parameter rather than splicing it into the query text) to protect against SQL injection attacks.

11
Q

Katie is concerned about the potential for SQL injection attacks against her organization. She has already put a web application firewall in place and conducted a review of the organization’s web application source code. She would like to add an additional control at the database level. What database technology could further limit the potential for SQL injection attacks?

A. Triggers
B. Parameterized queries
C. Column encryption
D. Concurrency control

A

B. Parameterized queries

Developers of web applications should leverage parameterized queries, which keep the structure of the SQL statement fixed and pass user input to the database as bound values that are never parsed as SQL. With stored procedures, the SQL statement resides on the database server and may only be modified by database developers or administrators. With parameterized queries, the SQL statement is defined within the application and variables are bound to that statement in a safe manner.

12
Q

What type of malicious software is specifically used to leverage stolen computing power for the attacker’s financial gain?

A. RAT
B. PUP
C. Cryptomalware
D. Worm

A

C. Cryptomalware

Although any malware may be leveraged for financial gain, depending on its payload, cryptomalware is specifically designed for this purpose. It steals computing power and uses it to mine cryptocurrency. Remote access Trojans (RATs) are designed to grant attackers remote administrative access to systems. Potentially unwanted programs (PUPs) are any type of software that is initially approved by the user but then performs undesirable actions. Worms are malicious code objects that move between systems under their own power.

13
Q

David is responsible for reviewing a series of web applications for vulnerabilities to cross-site scripting attacks. What characteristic should he watch out for that would indicate a high susceptibility to this type of attack?

A. Reflected input
B. Database-driven content
C. .NET technology
D. CGI scripts

A

A. Reflected input

Cross-site scripting attacks are often successful against web applications that include reflected input. Reflected XSS is one of the two main categories of XSS attack (the other being stored, or persistent, XSS). In a reflected attack, the attacker can embed the attack within the URL so that it is reflected to users who follow a link.

14
Q

You are the IT security manager for a retail merchant organization that is just going online with an ecommerce website. You hired several programmers to craft the code that is the backbone of your new web sales system. However, you are concerned that although the new code functions well, it might not be secure. You begin to review the code to track down issues and concerns. Which of the following do you hope to find in order to prevent or protect against XSS? (Choose all that apply.)

A. Input validation
B. Defensive coding
C. Allowing script input
D. Escaping metacharacters

A

A. Input validation
B. Defensive coding
D. Escaping metacharacters

The most effective defenses a programmer can implement against XSS are validating input, coding defensively, and escaping metacharacters. Script-like input should be rejected, not allowed, so option C is the opposite of what you hope to find.

15
Q

Sharon believes that a web application developed by her organization contains a cross-site scripting vulnerability, and she would like to correct the issue. Which of the following is the most effective defense that Sharon can use against cross-site scripting attacks?

A. Limiting account privileges
B. Input validation
C. User authentication
D. Encryption

A

B. Input validation

Input validation prevents cross-site scripting attacks by limiting user input to a predefined range. This prevents the attacker from including the HTML <script> tag in the input.
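The three defenses the previous cards name (input validation, defensive coding, escaping metacharacters) applied to a reflected search page, as an added example (not code from the page): the vulnerable rendering echoes the query verbatim, the hardened path allowlists the term and HTML-escapes what it renders. The page template and the attacker payload are constructed for the illustration.

```python
import html
import re

# Constructed attacker payload, the same shape as the script tag seen on this page.
ATTACK = "<script>alert('Enter your password')</script>"

# A reflected page: whatever the user searched for is echoed back in the response.
TEMPLATE = "<p>Results for: {term}</p>"


def render_vulnerable(term: str) -> str:
    """Reflected input inserted verbatim. Anyone who follows a crafted link
    gets the attacker's script executed in their own browser."""
    return TEMPLATE.format(term=term)


def render_escaped(term: str) -> str:
    """Escaping metacharacters: < > & " ' become HTML entities, so the browser
    displays the text instead of parsing it as markup."""
    return TEMPLATE.format(term=html.escape(term, quote=True))


# Input validation: an allowlist of what a search term may contain. Anything
# outside it (angle brackets, quotes, semicolons, ...) is rejected outright.
SEARCH_TERM = re.compile(r"[A-Za-z0-9 _.-]{1,64}")


def is_valid_search_term(term: str) -> bool:
    return SEARCH_TERM.fullmatch(term) is not None


def handle_search(term: str) -> str:
    """Defensive coding: validate first, then escape what is rendered.
    Both layers are applied; neither alone is relied on."""
    if not is_valid_search_term(term):
        return "<p>Invalid search term.</p>"
    return render_escaped(term)


if __name__ == "__main__":
    print(render_vulnerable(ATTACK))   # script tag reaches the browser intact
    print(render_escaped(ATTACK))      # &lt;script&gt;... is displayed, not run
    print(handle_search(ATTACK))       # rejected by validation before rendering
```

`html.escape` is the right encoder for text placed in the HTML body. Input reflected into an attribute, a JavaScript block or a URL needs the encoding for that context, and a Content-Security-Policy header is worth adding as defense in depth.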
16
Q

Beth is looking through web server logs and finds form input that looks like this:

<script>
alert('Enter your password')
</script>

What type of attack has she likely discovered?

A. XSS
B. SQL injection
C. XSRF
D. TOCTTOU

A

A. XSS

The use of the <script> tag is a telltale sign of a cross-site scripting (XSS) attack.

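Spotting both of the log entries on this page (Fred's `..` sequences and Beth's `<script>` tag) in a batch of requests, as an added example (not code from the page): a small signature scan that percent-decodes each line before matching, because the encoded forms of these payloads would otherwise slip past. The log lines are constructed for the illustration and are not from any real server.

```python
import re
from typing import List
from urllib.parse import unquote_plus

# Constructed log lines for this example. The second and third mirror the
# requests on this page; the fourth and fifth are the same attacks
# percent-encoded, as attackers commonly send them.
LOG_LINES = [
    "GET /index.html 200",
    "GET /../../../etc/passwd 403",
    "GET /search?q=<script>alert('Enter your password')</script> 200",
    "GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd 200",
    "GET /search?q=%3Cscript%3Ealert%28%27Enter+your+password%27%29%3C%2Fscript%3E 200",
    "POST /login username=alice 200",
]

SIGNATURES = {
    "directory traversal": re.compile(r"\.\.[\\/]"),        # '../' or '..\'
    "XSS": re.compile(r"<\s*script\b", re.IGNORECASE),     # '<script' in any casing
}


def normalize(line: str) -> str:
    """Decode percent-encoding before matching, twice, so that single- and
    double-encoded payloads (%2e%2e%2f and %252e%252e%252f) are both caught."""
    return unquote_plus(unquote_plus(line))


def classify(line: str) -> List[str]:
    """Names of every signature the (decoded) line matches."""
    decoded = normalize(line)
    return [name for name, pattern in SIGNATURES.items() if pattern.search(decoded)]


def scan(lines) -> dict:
    """Map each suspicious log line to the attack types it matches."""
    hits = {}
    for line in lines:
        labels = classify(line)
        if labels:
            hits[line] = labels
    return hits


if __name__ == "__main__":
    for line, labels in scan(LOG_LINES).items():
        print(", ".join(labels).ljust(20), line)
```

Treat a hit as an alert to triage rather than a verdict: these patterns also fire on legitimate content (a blog post quoting HTML, for instance), and a blocked request with a 403 still tells you someone is probing.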
17
Q

Ben’s system was infected by malicious code that modified the operating system to allow the malicious code author to gain access to his files. What type of exploit did this attacker engage in?

A. Privilege escalation
B. Backdoor
C. Rootkit
D. Buffer overflow

A

B. Backdoor

Backdoors are undocumented command sequences that allow individuals with knowledge of the backdoor to bypass normal access restrictions. Privilege escalation attacks, such as those carried out by rootkits, seek to upgrade normal user accounts to administrative access rights. Buffer overflows place excess input in a field in an attempt to execute attacker-supplied code.

18
Q

Karen would like to configure a new application so that it automatically adds and releases resources as demand rises and falls. What term best describes her goal?

A. Scalability
B. Load balancing
C. Fault tolerance
D. Elasticity

A

D. Elasticity

Elasticity provides for automatic provisioning and deprovisioning of resources to meet demand. Scalability only requires the ability to increase (but not decrease) available resources. Load balancing is the ability to share application load across multiple servers, and fault tolerance is the resilience of a system in the face of failures.

19
Q

What HTML tag is often used as part of a cross-site scripting (XSS) attack?

A. <H1>
B. <HEAD>
C. <XSS>
D. <SCRIPT>

A

D. <SCRIPT>

The <SCRIPT> tag is used to indicate the beginning of an executable client-side script and is used in reflected input to create a cross-site scripting attack.
20
Q

Recently, a piece of malicious code was distributed over the internet in the form of software claiming to allow users to play Xbox games on their PCs. The software actually launched the malicious code on the machines of users who attempted to execute it. What type of malicious code does this describe?

A. Logic bomb
B. Virus
C. Trojan horse
D. Worm

A

C. Trojan horse

Trojan horses masquerade as useful programs (such as a game) but really contain malicious code that runs in the background. Logic bombs contain malicious code that is executed if certain specified conditions are met. Worms are malicious code objects that spread under their own power, while viruses spread through some human intervention.