Chapters 7-11 Flashcards
Attackers have launched an attack using multiple systems against a single target. Which type of attack is this?
A. DoS
B. DDoS
C. SYN flood
D. Buffer overflow
B. A distributed denial-of-service (DDoS) attack includes attacks from multiple systems with the goal of depleting the target’s resources.
- A DoS attack comes from a single system, and a SYN flood is an example of a DoS attack.
- A buffer overflow is a type of DoS attack that attempts to write data into an application’s memory.
An attacker has captured a database filled with hashes of randomly generated passwords. Which of the following attacks is MOST likely to crack the largest number of passwords in this database?
A. Dictionary attack
B. Birthday attack
C. Brute force attack
D. Rainbow tables
D. A rainbow table attack attempts to discover the password from the hash, using rainbow tables, which are huge databases of precomputed hashes.
- A dictionary attack compares passwords against words in a dictionary of words, but a dictionary of words wouldn’t include randomly generated passwords.
- A birthday attack relies on hash collisions. However, it wouldn’t necessarily be effective depending on what hashing algorithm is used.
- A brute force attack attempts to guess all possible character combinations but is very time-consuming for each password.
An application stores user passwords in a hashed format. Which of the following can decrease the likelihood that attackers can discover these passwords?
A. Rainbow tables
B. MD5
C. Salt
D. Input validation
C. A password salt is additional random characters added to a password before hashing the password, and it decreases the success of password attacks.
- Rainbow tables are used by attackers and contain precomputed hashes.
- Message Digest 5 (MD5) is a hashing algorithm that creates hashes, but the scenario already states that passwords are hashed.
-Input validation techniques verify data is valid before using it and they are unrelated to protecting hashed passwords.
An attacker has been analyzing encrypted data that he intercepted. He knows that the end of the data includes a template sent with all similar messages. He uses this knowledge to decrypt the message. Which of the following types of attacks BEST describes this attack?
A. Known ciphertext
B. Known plaintext
C. Brute force
D. Rainbow table
B. This describes a known plaintext attack because the attacker knows some of the plaintext data used to create the encrypted data. More specifically, this is a chosen plaintext attack (but that wasn’t available as an answer) because the attacker knew a portion of the plaintext.
- In a known ciphertext attack, the attacker doesn’t have any information on the plaintext.
- A brute force attack attempts to guess a password.
- A rainbow table attack uses a table of hashes to identify a password from a matched hash.
An attacker is attempting to write more data into a web application’s memory than it can handle. Which type of attack is this?
A. XSRF
B. DLL injection
C. Pass the hash
D. Buffer overflow
D. One type of buffer overflow attack attempts to write more data into an application’s memory than it can handle. None of the other answers are directly related to overloading the application’s memory.
-A cross-site request forgery (XSRF) attack attempts to launch attacks with HTML code.
- A Dynamic Link Library (DLL) injection attack injects a DLL into memory and causes it to run.
-A pass the hash attack attempts to discover a password.
Management at your organization is planning to hire a development firm to create a sophisticated web application. One of their primary goals is to ensure that personnel involved with the project frequently
collaborate with each other throughout the project. Which of the following is an appropriate model for this project?
A. Waterfall
B. SDLC
C. Agile
D. Secure DevOps
C. The agile software development model is flexible, ensures that personnel interact with each other throughout a project, and is the best of the available choices.
- The waterfall model isn’t as flexible and focuses instead on completing the project in stages.
- Both agile and waterfall are software development life cycle (SDLC) models, which is a generic concept designed to provide structure for software development projects.
- Secure DevOps is an agile-aligned development methodology.
A web developer is adding input validation techniques to a web site application. Which of the following should the developer implement during this process?
A. Perform the validation on the server side.
B. Perform the validation on the client side.
C. Prevent boundary checks.
D. Implement pointer dereference techniques.
A. Input validation should be performed on the server side.
- Client-side validation can be combined with server-side validation, but it can be bypassed, so it should not be used alone.
- Boundary or limit checks are an important part of input validation.
- Pointer dereference techniques use references to point to values and are unrelated to input validation techniques.
Developers have created an application that users can download and install on their computers. Management wants to provide users with a reliable method of verifying that the application has not been modified.
Which of the following methods provides the BEST solution?
A. Code signing
B. Input validation
C. Code obfuscation
D. Stored procedures
A. Code signing provides a digital signature for the code and verifies the publisher of the code and verifies that it hasn’t been modified since the publisher released it. None of the other answers verify the application hasn’t been modified.
-Input validation verifies data is valid before using it.
-Code obfuscation makes the code more difficult to read.
- Stored procedures are used with SQL databases and can be used for input validation.
Your organization is preparing to deploy a web-based application, which will accept user input. Which of the following will BEST test the reliability of this application to maintain availability and data integrity?
A. Model verification
B. Input validation
C. Error handling
D. Dynamic analysis
D. Dynamic analysis techniques (such as fuzzing) can test the application’s ability to maintain availability and data integrity for some scenarios. Fuzzing sends random data to an application to verify the random data doesn’t crash the application or expose the system to a data breach.
-Model verification ensures that the software meets specifications and fulfills its intended purpose, but it doesn’t focus on reliability or integrity.
- Input validation and error-handling techniques protect applications, but do not test them.
You are overseeing a large software development project. Ideally, developers will not add any unauthorized changes to the code. If they do, you want to ensure that it is easy to identify the developer who made the change. Which of the following provides the BEST solution for this need?
A. Agile SDLC
B. Version control
C. Secure DevOps
D. Static code analysis
B. A version control system will track all changes to a system, including who made the change and when. Change management processes (not available as a possible answer) typically provide the same solution.
- An agile software development life cycle (SDLC) model focuses on interaction from all players in a project, but doesn’t necessarily include a version control system.
- Secure DevOps is an agile-aligned software development methodology that focuses on security throughout the process.
- Static code analysis examines the code without executing it as a method of code testing.
Database administrators have created a database used by a web application. However, testing shows that the application is taking a significant amount of time accessing data within the database. Which of the following actions is MOST likely to improve the overall performance of a database?
A. Normalization
B. Client-side input validation
C. Server-side input validation
D. Obfuscation
A. Normalization techniques organize tables and columns in a database and improve overall database performance. None of the other answers improve the database performance.
- Input validation techniques help prevent many types of attacks, and server-side input validation techniques are preferred over client-side techniques.
- Obfuscation techniques make the code more difficult to read.
Looking at logs for an online web application, you see that someone has entered the following phrase into several queries:
' or '1'='1' --
Which of the following is the MOST likely explanation for this?
A. A buffer overflow attack
B. An XSS attack
C. A SQL injection attack
D. A DLL injection attack
C. Attackers use the phrase (' or '1'='1' --) in SQL injection attacks to query or modify databases.
- A buffer overflow attack sends more data or unexpected data to an application with the goal of accessing system memory.
- A cross-site scripting (XSS) attack attempts to insert HTML or JavaScript code into a web site or email.
- A Dynamic Link Library (DLL) injection attack attempts to inject DLLs into memory, causing DLL commands to run.
While creating a web application, a developer adds code to limit data provided by users. The code prevents users from entering special characters. Which of the following attacks will this code MOST likely prevent?
A. Man-in-the-browser
B. Amplification
C. XSS
D. Domain hijacking
C. A cross-site scripting (XSS) attack can be blocked by using input validation techniques to filter special characters such as the < and > characters used in HTML code. None of the other listed attacks require the use of special characters.
-A man-in-the-browser attack exploits vulnerabilities in browsers to capture user data entries.
-An amplification attack increases the amount of data sent to a victim to overwhelm it.
- A domain hijacking attack changes the domain registration of a domain name without permission of the owner.
Homer recently received an email thanking him for a purchase that he did not make. He asked an administrator about it and the administrator noticed a pop-up window, which included the following code:
Which of the following is the MOST likely explanation?
A. XSRF
B. Buffer overflow
C. SQL injection
D. Dead code
A. A cross-site request forgery (XSRF) attack causes users to perform actions without their knowledge. This scenario indicates the user visited a web site, most likely through a malicious link, and the link initiated a purchase. None of the other attacks cause unsuspecting users to make purchases.
- A buffer overflow attacks a web site and attempts to access system memory.
- A SQL injection attack attempts to access data on a database server.
- Dead code is code that never executes and is unrelated to this scenario.
Your organization recently purchased a new hardware-based firewall. Administrators need to install it as part of a DMZ within the network. Which of the following references will provide them with the MOST appropriate instructions to install the firewall?
A. A regulatory framework
B. A non-regulatory framework
C. A general-purpose firewall guide
D. A vendor-specific guide
D. A vendor-specific guide for the new hardware-based firewall will have the most appropriate instructions for installing it.
-Frameworks (regulatory or non-regulatory) provide structures that can be followed for different purposes, but they wouldn’t be available for a specific firewall.
- A general-purpose guide will provide general instructions, but not instructions for a specific vendor’s firewall.
A security expert is performing a risk assessment. She is seeking information to identify the number of times a specific type of incident occurs per year. Which of the following BEST identifies this?
A. ALE
B. ARO
C. SLE
D. WORM
B. The annual rate of occurrence (ARO) is the best choice to identify how many times a specific type of incident occurs in a year.
- Annual loss expectancy (ALE) identifies the expected monetary loss for a year, and single loss expectancy (SLE) identifies the expected monetary loss for a single incident. ALE = SLE × ARO, and if you know any two of these values, you can identify the third value. For example, ARO = ALE / SLE.
- Write once read many (WORM) is a term sometimes used with archived logs indicating they cannot be modified.
Lisa needs to calculate the ALE for a group of servers used in the network. During the past two years, five of the servers failed. The hardware cost to repair or replace each server was $3,500 and the downtime resulted in $2,500 of additional losses for each outage. What is the ALE?
A. $7,000
B. $8,000
C. $15,000
D. $30,000
C. The annual loss expectancy (ALE) is $15,000.
You calculate the ALE as SLE × ARO ($6,000 × 2.5).
- The single loss expectancy (SLE) is $6,000 ($3,500 to repair or replace each server plus $2,500 in additional losses for each outage).
- The annual rate of occurrence (ARO) is 2.5 (five failures in two years or 5 / 2).
Martin is performing a risk assessment on an e-commerce web server. While doing so, he created a document showing all the known risks to this server, along with the risk score for each risk. What is the name of this document?
A. Quantitative risk assessment
B. Qualitative risk assessment
C. Residual risk
D. Risk register
D. A risk register lists all known risks for an asset, such as a web server, and it typically includes a risk score (the combination of the likelihood of occurrence and the impact of the risk).
- Risk assessments (including quantitative and qualitative risk assessments) might use a risk register, but they aren’t risk registers.
- Residual risk refers to the remaining risk after applying security controls to mitigate risk.
Your organization includes an e-commerce web site used to sell digital products. You are tasked with evaluating all the elements used to support this web site. What are you performing?
A. Quantitative assessment
B. Qualitative assessment
C. Threat assessment
D. Supply chain assessment
D. A supply chain assessment evaluates all the elements used to create, sell, and distribute a product.
- Risk assessments (including both quantitative and qualitative risk assessments) evaluate risks, but don’t evaluate the supply chain required to support an e-commerce web site.
- A threat assessment evaluates threats.
A penetration tester is running several tests on a server within your organization’s DMZ. The tester wants to identify the operating system of the remote host. Which of the following tools or methods are MOST likely to provide this information?
A. Banner grabbing
B. Vulnerability scan
C. Password cracker
D. Protocol analyzer
A. Banner grabbing is a technique used to gain information about a remote server and it will identify the operating system of the system in the demilitarized zone (DMZ).
- A vulnerability scanner checks for vulnerabilities.
- A password cracker attempts to discover passwords.
- A protocol analyzer collects packets sent across a network and can be used to analyze the packets.
You need to perform tests on your network to identify missing security controls. However, you want to have the least impact on systems that users are accessing. Which of the following tools is the BEST to meet this need?
A. A SYN stealth scan
B. Vulnerability scan
C. Ping scan
D. Penetration test
B. A vulnerability scanner is passive and has the least impact on systems, and it can detect systems that are lacking specific security controls.
- Network scanners use methods such as a SYN stealth scan and a ping scan to discover devices on a network, but they don’t identify missing security controls.
- A penetration test is invasive and does not have the least impact on systems.
You periodically run vulnerability scans on your network, but have been receiving many false positives. Which of the following actions can help reduce the false positives?
A. Run the scans as credentialed scans.
B. Run the scans as non-credentialed scans.
C. Run the scans using passive reconnaissance.
D. Run the scans using active reconnaissance.
A. Running the scans as credentialed scans (within the context of a valid account) allows the scan to see more information and typically results in fewer false positives.
- Non-credentialed scans run without any user credentials and can be less accurate.
- Passive reconnaissance collects information on a target using open-source intelligence.
- All vulnerability scans use active reconnaissance techniques.
Your organization has a legacy server running within the DMZ. It is running older software that is not compatible with current patches, so management has decided to let it remain unpatched. Management wants to know if attackers can access the internal network if they successfully compromise this server. Which of the following is the MOST appropriate action?
A. Perform a vulnerability scan.
B. Perform a port scan.
C. Perform a black box test.
D. Perform a penetration test.
D. A penetration test attempts to exploit a vulnerability and can determine if a successful attack will allow attackers into the internal network.
- A vulnerability scan is passive. It does not attempt to compromise a system, so it cannot verify if an attacker can access the internal network.
- A port scan only identifies open ports.
- A black box test only refers to the knowledge of the testers and indicates they have zero knowledge prior to starting a test.
A penetration tester has successfully attacked a single computer within the network. The tester is now attempting to access other systems within the network via this computer. Which of the following BEST describes the tester’s current actions?
A. Performing reconnaissance
B. Performing the initial exploitation
C. Pivoting
D. Escalating privileges
C. Pivoting is the process of accessing other systems through a single compromised system.
- Reconnaissance techniques are done before attacking a system.
- A successful attack on a single computer is the initial exploitation.
- Escalating privileges attempts to gain higher privileges on a target.
You are troubleshooting issues between two servers on your network and need to analyze the network traffic. Of the following choices, what is the BEST tool to capture and analyze this traffic?
A. Network mapper
B. Protocol analyzer
C. Network scanner
D. SIEM
B. A protocol analyzer (also called a sniffer) is the best choice to capture and analyze network traffic.
- A network mapper can detect all the devices on a network, and a network scanner can detect more information about these devices, but neither of these tools is the best choice to capture and analyze traffic for troubleshooting purposes.
- A security information and event management (SIEM) system aggregates and correlates logs from multiple sources, but does not capture network traffic.
A penetration tester is tasked with gaining information on one of your internal servers and he enters the following command:
echo "" | nc -vv -n -w1 72.52.206.134 80
What is the purpose of this command?
A. Identify if a server is running a service using port 80 and is reachable.
B. Launch an attack on a server sending 80 separate packets in a short period of time.
C. Use Netcat to remotely administer the server.
D. Use Netcat to start an RDP session on the server.
A. This command sends a query to the server over port 80 and if the server is running a service on port 80, it will connect. This is a common beginning command for a banner grabbing attempt.
- It does not send 80 separate packets.
- Netcat is often used to remotely administer servers, but not using port 80.
- Remote Desktop Protocol (RDP) uses port 3389 and is not relevant in this scenario.
You suspect that an attacker has been sending specially crafted TCP packets to a server trying to exploit a vulnerability. You decide to capture TCP packets being sent to this server for later analysis and you want to use a command-line tool to do so. Which of the following tools will BEST meet your need?
A. Wiredump
B. Tcpdump
C. Netcat
D. Nmap
B. The tcpdump command-line tool is the best choice of the given answers. It is a command-line packet analyzer (or protocol analyzer) and its primary purpose is to capture packets.
- Wiredump isn’t a valid tool name.
- Wireshark (not included as an answer choice) is a graphic-based packet analyzer that can be started from the command line, but tcpdump includes more command-line options than Wireshark.
- Netcat is useful for remotely accessing systems and can be used for banner grabbing, but it doesn’t capture packets.
- Nmap analyzes packets during a scan. It can also use Npcap, the Nmap Project’s packet sniffing library, but Nmap isn’t the best choice to capture packets.
You suspect someone has been trying a brute force password attack on a Linux system. Which of the following logs should you check to view failed authentication attempts by users?
A. /var/log/btmp
B. /var/log/fail
C. /var/log/httpd
D. /var/log/kern
A. The /var/log/btmp log contains information on user failed login attempts. While not available as an answer, /var/log/auth also includes information on failed login attempts.
- While the /var/log/faillog log includes information on failed logins, /var/log/fail isn’t a valid log name in Linux.
- The /var/log/httpd directory includes logs from the Apache web server, when it’s installed.
- The /var/log/kern log contains information logged by the system kernel.
An organization has a large network with dozens of servers. Administrators are finding it difficult to review and analyze the logs from all the network devices. They are looking for a solution to aggregate and correlate the logs. Which of the following choices BEST meets this need?
A. Nmap
B. Netcat
C. Wireshark
D. SIEM
D. A security information and event management (SIEM) system provides a centralized solution for collecting, analyzing, and managing data from multiple sources and can aggregate and correlate logs. None of the other choices aggregate and correlate logs.
- Nmap is a network scanner that can discover and map devices on a network.
- Netcat is a command-line tool that can be used to connect to servers.
- Wireshark is a graphical-based protocol analyzer.
Lisa has recently transferred from the HR department to payroll. While browsing file shares, Lisa notices she can access the HR files related to her new coworkers. Which of the following could prevent this scenario from occurring?
A. Permission auditing and review
B. Continuous monitoring
C. Vulnerability scan
D. Penetration testing
A. A permission auditing and review process verifies that the principle of least privilege is followed. This includes ensuring users can access only the resources they need to perform their job.
- Continuous monitoring includes monitoring all relevant security controls, but isn’t the best choice for this specific scenario.
- A vulnerability scan will discover vulnerabilities on a system or network, and a penetration test will scan a system or network and attempt to exploit vulnerabilities. However, vulnerability scans and penetration tests cannot verify a user has the appropriate privileges.