Topic 2: Attack types

Question 1

How does Eavesdropping/Sniffing attacks impact on the confidentiality, integrity and availability of security?

Confidentiality

Integrity

Availability

Answer 1

Confidentiality

Question 2

How does Data modification attacks impact on the confidentiality, integrity and availability of security?

Confidentiality

Availability

Integrity

Answer 2

Integrity

Question 3

How does Spoofing attacks impact on the confidentiality, integrity and availability of security?

Availability

Confidentiality

Integrity

Answer 3

Availability and Confidentiality and Integrity

Question 4

How does DoS/DDoS attacks impact on the confidentiality, integrity and availability of security?

Availability

Integrity

Confidentiality

Answer 4

Availability

Question 5

How does MiTM/Replay attacks impact on the confidentiality, integrity and availability of security?

Confidentiality

Integrity

Availability

Answer 5

Confidentiality and Integrity

Question 6

How does DNS Poisoning attacks impact on the confidentiality, integrity and availability of security?

Integrity

Confidentiality

Availability

Answer 6

Availability

Question 7

How does Reconnaissance attacks impact on the confidentiality, integrity and availability of security?

Availability

Integrity

Confidentiality

Answer 7

Availability and Integrity and Confidentiality

Question 8

How does ARP attacks impact on the confidentiality, integrity and availability of security?

Availability

Confidentiality

Integrity

Answer 8

Availability

Question 9

Which type of phishing targets high value employees?

smishing

spear

vishing

whaling

Answer 9

whaling

Question 10

You walk back into your office through a secure door after being out to a meeting. Someone you don’t know follows behind you but they have no ID tag and you don’t remember them being in the office before. What type of attack are they attempting?

piggybacking

shoulder surfing

access attack

DoS

Answer 10

piggybacking

Question 11

Identify the component of security the example attacks MOST impact Availability or Confidentiality?

Denial of Service attack = ?

Brute-force password attack = ?

DNS cache poisoning attack = ?

ARP attack = ?

Answer 11

Denial of Service attack = Availability

Brute-force password attack = Confidentiality

DNS cache poisoning attack = Availability

ARP attack = Availability

Question 12

You receive an e-mail stating that you have been chosen as a winner in a competition to win a box of free donuts. Inside the e-mail there is a link that, when you click on it, doesn’t seem to do anything however shortly afterwards some users report that the company web portal is down. This is a possible example of a cross-site scripting attack.

True or False

Answer 12

True

Question 13

Social engineering attempts to exploit what?

the good nature of people

the human tendency to want to help

human targets

all of the above

Answer 13

all of the above

Question 14

Which of the following is an example of a nonessential protocol?

A. DNS

B. ARP

C. TCP

D. TFTP

Answer 14

D. TFTP (Trivial File Transfer Protocol) is a simpler version of FTP that uses a small amount of memory. It is generally considered to be a nonessential protocol. The Domain Name System service (or DNS service) is required for Internet access and on Microsoft domains. The Address Resolution Protocol (ARP) is necessary in Ethernet networks that use TCP/IP. TCP stands for Transmission Control Protocol, an essential part of most network communications.

Question 15

A person attempts to access a server during a zone transfer to get access to a zone file. What type of server is that person trying to manipulate?

A. Proxy server

B. DNS server

C. File server

D. Web server

Answer 15

B. DNS servers are the only types of servers listed that do zone transfers. The purpose of accessing the zone file is to find out what hosts are on the network.

Question 16

Which one of the following can monitor and protect a DNS server?

A. Ping the DNS server.

B. Block port 53 on the firewall.

C. Purge PTR records daily.

D. Check DNS records regularly.

Answer 16

D. By checking a DNS server’s records regularly, a security admin can monitor and protect it. Blocking port 53 on a firewall might protect it (it also might make it inaccessible depending on the network configuration) but won’t enable you to monitor it. Pinging the server can simply tell you whether the server is alive. Purging pointer records (PTR) cannot help to secure or monitor the server.

Question 17

Which TCP port does LDAP use?

A. 389

B. 80

C. 443

D. 143

Answer 17

A. The Lightweight Directory Access Protocol (LDAP) uses port TCP 389. Note: If you are working with secure LDAP, then you will be using port 636. Port 80 is used by HTTP. Port 443 is used by HTTPS. Port 143 is used by IMAP.

Question 18

From the list of ports, select two that are used for e-mail. (Select the two best answers.)

A. 110

B. 3389

C. 143

D. 389

Answer 18

A and C. POP3 uses port 110; IMAP uses port 143; 3389 is used by the Remote Desktop Protocol; and 389 is used by LDAP.

Question 19

Which port number does the Domain Name System use?

A. 53

B. 80

C. 110

D. 88

Answer 19

A. The Domain Name System (DNS) uses port 53. Port 80 is used by HTTP; port 110 is used by POP3; and port 88 is used by Kerberos.

Question 20

John needs to install a web server that can offer SSL-based encryption. Which of the following ports is required for SSL transactions?

A. Port 80 inbound

B. Port 80 outbound

C. Port 443 inbound

D. Port 443 outbound

Answer 20

C. For clients to connect to the server via SSL, the server must have inbound port 443 open. The outbound ports on the server are of little consequence for this concept, and inbound port 80 is used by HTTP.

Question 21

If a person takes control of a session between a server and a client, it is known as what type of attack?

A. DDoS

B. Smurf

C. Session hijacking

D. Malicious software

Answer 21

C. Session hijacking (or TCP/IP hijacking) is when an unwanted mediator takes control of the session between a client and a server (for example, an FTP or HTTP session).

Question 22

Making data appear as if it is coming from somewhere other than its original source is known as what?

A. Hacking

B. Phishing

C. Cracking

D. Spoofing

Answer 22

D. Spoofing is when a malicious user makes data or e-mail appear to be coming from somewhere else.

Question 23

Which of the following enables an attacker to float a domain registration for a maximum of five days?

A. Kiting

B. DNS poisoning

C. Domain hijacking

D. Spoofing

Answer 23

A. Kiting is the practice of monopolizing domain names without paying for them. Newly registered domain names can be canceled with a full refund during an initial five-day window known as an AGP, or add grace period. Domain hijacking is another type of hijacking attack where the attacker changes the registration of a domain name without the permission of the original owner/registrant.

Question 24

What is the best definition for ARP?

A. Resolves IP addresses to DNS names

B. Resolves IP addresses to hostnames

C. Resolves IP addresses to MAC addresses

D. Resolves IP addresses to DNS addresses

Answer 24

C. The Address Resolution Protocol, or ARP, resolves IP addresses to MAC addresses. DNS resolves from IP addresses to hostnames, and vice versa. RARP is Reverse ARP; it resolves MAC addresses to IP addresses.

Question 25

You have three e-mail servers. What is it called when one server forwards e-mail to another? A. SMTP relay B. Buffer overflows C. POP3 D. Cookies

Answer 25

**A.** The SMTP relay is when one server forwards e-mail to other e-mail servers. Buffer overflows are attacks that can be perpetuated on web pages. POP3 is another type of e-mail protocol, and cookies are small text files stored on the client computer that remember information about that computer’s session with a website.

Question 26

A coworker goes to a website but notices that the browser brings her to a different website and that the URL has changed. What type of attack is this? A. DNS poisoning B. Denial of service C. Buffer overflow D. ARP poisoning

Answer 26

**A.** DNS poisoning can occur at a DNS server and can affect all clients on the network. It can also occur at an individual computer. Another possibility is that spyware has compromised the browser. A denial-of-service is a single attack that attempts to stop a server from functioning. A buffer overflow is an attack that, for example, could be perpetuated on a web page. ARP poisoning is the poisoning of an ARP table, creating confusion when it comes to IP address-to-MAC address resolutions.

Question 27

Which of the following misuses the Transmission Control Protocol handshake process? A. Man-in-the-middle attack B. SYN attack C. WPA attack D. Replay attack

Answer 27

**B.** A synchronize (SYN) attack misuses the TCP three-way handshake process. The idea behind this is to overload servers and deny access to users. A man-in-the-middle (MITM) attack is when an attacker is situated between the legitimate sender and receiver and captures and (potentially) modifies packets in transit. Though not a common term, an example of a WPA attack would be the cracking of an access point’s password. A replay attack is when data is maliciously repeated or delayed.

Question 28

For a remote tech to log in to a user’s computer in another state, what inbound port must be open on the user’s computer? A. 21 B. 389 C. 3389 D. 8080

Answer 28

**C.** Port 3389 must be open on the inbound side of the user’s computer to enable a remote tech to log in remotely and take control of that computer. Port 21 is the port used by FTP, and 389 is used by LDAP. 8080 is another port used by web browsers that takes the place of port 80.

Question 29

A DDoS attack can be best defined as what? A. Privilege escalation B. Multiple computers attacking a single server C. A computer placed between a sender and receiver to capture data D. Overhearing parts of a conversation

Answer 29

**B.** When multiple computers attack a single server, it is known as a distributed denial-of-service attack, or DDoS. Privilege escalation is when a person who is not normally authorized to a server manages to get administrative permissions to resources. If a computer is placed between a sender and receiver, it is known as a man-in-the-middle attack. Overhearing parts of a conversation is known as eavesdropping.

Question 30

When users in your company attempt to access a particular website, the attempts are redirected to a spoofed website. What are two possible reasons for this? A. DoS B. DNS poisoning C. Modified hosts file D. Domain name kiting

Answer 30

**B and C.** DNS poisoning and a DNS server’s modified hosts files are possible causes for why a person would be redirected to a spoofed website. DoS, or denial-of-service, is when a computer attempts to attack a server to stop it from functioning. Domain name kiting is when a person renews and cancels domains within five-day periods.

Question 31

What kind of attack is it when the packets sent do not require a synchronization process and are not connection-oriented? A. Man-in-the-middle B. TCP/IP hijacking C. UDP attack D. ICMP flood

Answer 31

**C.** User Datagram Protocol (UDP) attacks, or UDP flood attacks, are DoS attacks that use a computer to send a large number of UDP packets to a remote host. The remote host will reply to each of these with an ICMP Destination Unreachable packet, which ultimately makes it inaccessible to clients. The man-in-the-middle (MITM) attack is when an attacker secretly relays and possibly alters information between two parties. TCP/IP hijacking is an attack that spoofs a server into thinking it is talking with a valid client when in reality it is not. An ICMP flood (or ping flood) is a basic DoS where many ICMP packets are sent out without waiting for replies.

Question 32

Which of the following attacks is a type of DoS attack that sends large amounts of UDP echoes to ports 7 and 19? A. Teardrop B. IP spoofing C. Fraggle D. Replay

Answer 32

**C.** A Fraggle attack is a type of DoS attack that sends large amounts of UDP echoes to ports 7 and 19. This is similar to the Smurf attack. Teardrop DoS attacks send many IP fragments with oversized payloads to a target. IP spoofing is when an attacker sends IP packets with a forged source IP address. The replay attack is when valid data transmissions are maliciously repeated or delayed.

Question 33

Don must configure his firewall to support TACACS+. Which port(s) should he open on the firewall? A. Port 53 B. Port 49 C. Port 161 D. Port 22

Answer 33

**B.** Port 49 is used by TACACS+. Port 53 is used by DNS, port 161 is used by SNMP, and port 22 is used by SSH.

Question 34

Which of the following ports is used by Kerberos by default? A. 21 B. 80 C. 88 D. 443

Answer 34

**C.** Port 88 is used by Kerberos by default. Port 21 is used by FTP, port 80 is used by HTTP, and port 443 is used by HTTPS (TLS/SSL).

Question 35

Which of the following is the best option if you are trying to monitor network devices? A. SNMP B. Telnet C. FTPS D. IPsec

Answer 35

**A.** SNMP (Simple Network Management Protocol) is the best protocol to use to monitor network devices. Telnet is a deprecated protocol that is used to remotely administer network devices. FTPS provides for the secure transmission of files from one computer to another. IPsec is used to secure VPN connections and other IP connections.

Question 36

What is a secure way to remotely administer Linux systems? A. SCP B. SSH C. SNMP D. SFTP

Answer 36

**B.** SSH (Secure Shell) is used to remotely administer Unix/Linux systems and network devices. SCP (Secure Copy) is a way of transferring files securely between two hosts—it utilizes SSH. SNMP is used to remotely monitor network equipment. SFTP is used to securely transfer files from host to host—it also uses SSH.

Question 37

Your web server that conducts online transactions crashed, so you examine the HTTP logs and see that a search string was executed by a single user masquerading as a customer. The crash happened immediately afterward. What type of network attack occurred? A. DDoS B. DoS C. MAC spoofing D. MITM E. DNS amplification attack

Answer 37

**B.** A denial-of-service (DoS) attack probably occurred. The attacker most likely used code to cause an infinite loop or repeating search, which caused the server to crash. It couldn’t have been a DDoS (distributed denial-of-service) because only one attacker was involved. MAC spoofing is when an attacker disguises the MAC address of his network adapter with another number. MITM stands for the man-in-the-middle attack, which wasn’t necessary since the attacker had direct access to the search fields on the web server. A DNS amplification attack is when an attacker spoofs DNS requests to flood a target website.

Question 38

Which port number is ultimately used by SCP? A. 22 B. 23 C. 25 D. 443

Answer 38

**A.** SCP (Secure Copy) uses SSH, which runs on port 22 by default. Port 23 is Telnet, port 25 is SMTP, and port 443 is HTTPS (SSL/TLS).

Question 39

A malicious insider is accused of stealing confidential data from your organization. What is the best way to identify the insider’s computer? A. IP address B. MAC address C. Computer name D. NetBIOS name

Answer 39

**B.** The MAC address is the best way because it is unique and is the hardest to modify or spoof. IP addresses are often dynamically assigned on networks and are easily modified. Computer names (which are effectively NetBIOS names) can easily be changed as well.

Question 40

What is the best way to utilize FTP sessions securely? A. FTPS B. FTP passive C. FTP active D. TFTP

Answer 40

**A.** FTPS (FTP Secure) uses encryption in the form of SSL or TLS to secure file transfers. The other three options are basically variations on FTP; they do not use encryption, making them less secure.

Question 41

Which of the following is the most secure protocol for transferring files? A. FTP B. SSH C. FTPS D. Telnet

Answer 41

**C.** FTPS (FTP Secure) is the most secure protocol (listed) for transferring files. It uses SSL or TLS to secure FTP transmissions utilizing ports 989 and 990. FTP by itself is inherently insecure and uses port 21 by default. The truly distracting answer here, SSH, allows a person to remotely access another computer securely, but it’s the Secure FTP (SFTP) protocol that works on top of SSH that is considered a secure way of transferring files. Telnet is outdated and insecure. Because of this it is not found on most of today’s operating systems, but if it is, it should be removed, or at least stopped and disabled.

Question 42

Which of the following protocols allow for the secure transfer of files? (Select the two best answers.) A. SNMP B. SFTP C. TFTP D. SCP E. ICMP

Answer 42

**B and D.** The Secure FTP (SFTP) and Secure Copy (SCP) protocols provide for the secure transfer of files. The Simple Network Management Protocol (SNMP) is used to monitor various parts of the network. Trivial FTP (TFTP) is not secure by default. The Internet Control Message Protocol (ICMP) is the protocol initiated by ping to invoke responses from other computers.

Question 43

Your organization wants to implement a secure e-mail system using the POP3 and SMTP mail protocols. All mail connections need to be secured with SSL. Which of the following ports should you be using? (Select the two best answers.) A. 25 B. 110 C. 143 D. 465 E. 993 F. 995

Answer 43

**D and F.** To implement SSL encrypted e-mail communications you would use port 465 for SMTP (or perhaps 587) and port 995 for POP3. Other ports can be assigned by the admin, but they would have to be configured properly at the server side and the client side, and must not conflict with any other well-known ports or other ports currently in use within the organization’s network. Port 25 is the default port for regular SMTP. Port 110 is the default for POP3. Port 143 is the default for IMAP. Port 993 is used by IMAP encrypted with SSL/TLS.