- Lawan is in charge of sales in a major fabric company. He was
sent a email asking him to click a link and fill out a survey. He
suspects the email is a fraud, but there is a mention of other
companies that deal in fabric in the email, so he thinks it might not
be a fraud after all. Which of these options describes the attack
best?
A. Phishing
B. Smishing
C. Spear phishing
D. Vishing
C. The correct answer is Spear phishing. Spear phishing is an
email or electronic communications scam targeted towards a
specific individual, organization or business. Although often
intended to steal data for malicious purposes, cybercriminals may
also intend to install malware on a targeted user’s computer.
- The network administrator in your company tells you some of the
staff have been unable to connect to the office wireless network.
When you check, you see that the WI-FI signal has been blocked
due to an attack on the WAPs. What would be the best way to label
such an attack?
A. Near-field communication
B. Domain hijacking
C. Rogue access point
D. Jamming
D. The correct answer is Jamming. Jamming Attack is a kind of
Denial of Service attack, which prevents other nodes from using the
channel to communicate by occupying the channel that they are
communicating on.
- An uncommon way to prevent brute-force attack on your office
password file is?
A. Encrypting plain text using symmetric encryption
B. Encrypting plain text using hashing
C. Encrypting plain text using salting
D. Encrypting plain text using tokenization
A. The correct answer is Encrypting plain text using symmetric
encryption. A symmetric encryption is a type of encryption where
only one key (a secret key) is used to both encrypt and decrypt
electronic information. The entities communicating via symmetric
encryption must exchange the key so that it can be used in the
decryption process. This encryption method differs from asymmetric
encryption where a pair of keys, one public and one private, is used
to encrypt and decrypt messages.
- You have been invited to work on an application developed by another programmer. While checking the source code, you see a pointer de-reference so you return NULL. The software developed a segmentation fault because it tried to read from the NULL pointer.
How can this affect the application?
A. Memory leak
B. Denial-of-service environment
C. Resources exhaustion
D. Application programming interface (API) attacks
B. The correct answer is Denial-of-service environment. This type of error impacts the availability of the service so the denial of
service condition is the correct answer which can stop the program
of running
- How can you describe spamming in social media messengers?
A. Eliciting information
B. SPIM
C. Influence campaigns
D. Tailgating
B. The correct answer is SPIM. Just about all internet users have a
firsthand account of how annoying Spam is. If you use IM (Instant
Messaging) you just might have been SPIM’ed (Spam over Instant
Messaging). It may be more harmful than email Spam. The user is
more likely to click on the link because it is real-time. This sneaky
intrusion can be very annoying, and to make things worse, it by
basses the Anti-Virus and firewalls.
- You suspect there is an insider threat in your office making use
of the office security information and event management (SIEM)
system. Which of these best identify the threat?
A. Log collectors
B. User behavior analysis
C. Packet capture
D. Data inputs
B. The correct answer is User behavior analysis. User behavior
analytics, sometimes called user entity behavior analytics (UEBA),
is a category of software that helps security teams identify and
respond to insider threats that might otherwise be overlooked.
Using machine learning and analytics, UBA identifies and follows
the behaviors of threat actors as they traverse enterprise
environments, running data through a series of algorithms to detect
actions that deviate from user norms.
- A telecommunications company with over five hundred
computers placed in different areas wants a better way to handle
how much data is being created by the computers. What two
technologies will you suggest to them?
A. Common Vulnerabilities and Exposures
B. Advisories and bulletins
C. Provisioning and deprovisioning
D. Log collectors and Log aggregation
D. The correct answer is Log collectors and Log aggregation. Log
aggregation is part of the overall log management process that
helps IT organizations convert their log files into actionable insights
in real-time or near real-time. The process can be described in five
basic steps:
Instrument & Collect - The first step of log management is to start
collecting logs. IT organizations must implement log collector
software tools that collect data from various parts of the software
stack. Many devices across platforms generate logs using the
Syslog message logging standard or with other applications that
can write logs directly into the log aggregation tool platform.
Centralize & Index - Log data needs to be normalized and
indexed, making it easier to analyze and fully searchable for
developers and security analysts.
Search & Analyze - Now that the log data is organized properly in
the log aggregation tool, it can be searched and analyzed to
discover patterns and identify any issues that require attention from
IT operators. Human or machine learning analysis can be used to
identify patterns and anomalies.
Monitor & Alert - Effective log monitoring is a critical aspect of the
log management process. An effective log management tool should
integrate with message applications to deliver timely alerts when
events occur that require a prompt response.
Report & Dashboard - The final component of log management,
reporting and dashboarding ensure that team members across
departments have the necessary levels of access and visibility into
application performance data.
- You work in a company that provides an Application
Programming Interface (API) for customers. The director asks you
to recommend a practice that will protect the API from attacks and
ensure it is only available to customers who subscribe. What will
you recommend?
A. Install NGFW
B. Configure ACLs
C. Require authentication
D. Install HIDS
C. The correct answer is Require authentication. One of the
methods that protect the API from attacks and ensures that API
calls are only used by legitimate users is to require the use of
authentication. API keys are one of the most frequently used
methods for this.
- While browsing on your local computer, you receive a message
prompting you to move fast and download a particular software
because after 3 hours, the software will no longer be available for
free. What social engineering principle is used here?
A. Familiarity
B. Trust
C. Authority
D. Scarcity
D. The correct answer is Scarcity. Social Engineers may use
scarcity to create a feeling of urgency in a decision making context.
This urgency can often lead to the manipulation of the decision
making process, allowing the social engineer to control the
information provided to the victim.
- Your colleague, Marie, asks you to suggest uncommon
prevention methods she can use to prevent credential harvesting
attacks on a company’s commercial website. What would you
suggest to her?
A. Utilize complex usernames/passwords
B. Utilize MFA
C. Utilize ACLs
D. Utilize NGFW
A. The correct answer is Utilize complex usernames/passwords. It’s
very important to use mix of special characters, numbers, upper &
lower case letters, non-words and require longer length. Don’t use
standard usernames such as administrator, user, user1, test,
admin, etc. Don’t use usernames that are first names only such as
dan, john, tom, etc.
Avoid creating passwords that include your name, dictionary words
or reusing passwords from other accounts. You may want to
increase the default minimum length beyond 6 characters. Using
simple passwords is the easiest way for someone to compromise
your server – do NOT use simple passwords that are vulnerable to
brute-force and dictionary attacks.
- You advise your wife to buy a new gadget from an online store,
but she tells you that whenever she visits the site, it appears to be
fake. You call the company hotline to complain, but they tell you
they can access the site without any problem. A few minutes later,
they call you back to inform you there is no record of your wife ever
connecting to their network. Which of these can explain the
situation?
A. Watering hole attack
B. Impersonation
C. Pretexting
D. Typosquatting
D. The correct answer is Typosquatting. Typosquatting is a type
of social engineering attack which targets internet users who
incorrectly type a URL into their web browser rather than using a
search engine. Typically, it involves tricking users into visiting
malicious websites with URLs that are common misspellings of
legitimate websites.
- You work as the security manager in a bank. You receive a call from someone telling you that each time he tries to access the bank’s site, he is being directed to another bank’s website. When you check, you see that a change has occurred in domain information and domain’s contact details. Since the domain is still active, what could have happened?
A. Uniform Resource Locator (URL) redirection
B. Domain reputation
C. DNS poisoning
D. Domain hijacking
D. The correct answer is Domain hijacking. Domain hijacking is the
act of changing the registration of a domain name without the
permission of the original owner, or by abuse of privileges on
domain hosting and domain registrar systems.
Domain name hijacking is devastating to the original domain name
owner’s business with wide ranging effects including:
Financial damages: Companies who rely on their website for
business, such as ecommerce companies and SaaS companies,
can lose millions of dollars when they lose control of the domain,
their domain is one of their most valuable assets. Domain hijacking
is one of the largest cybersecurity risks online businesses have.
Reputational damages: Domain hijackers can take control of a
hijacked domain’s email accounts and use the domain name to
facilitate additional cyber attacks such as
installing malware or social engineering attacks.
Regulatory damages: By gaining access to a domain name,
hijackers can replace the real web page with an identical web page
designed to capture sensitive data or personally identifiable
information (PII), this is known as phishing.
- As an enterprise software vendor, during your procurement request-for-proposal process you see a question included, asking how long you have been in the business and how many clients you have. What security issue are they planning to prevent with this question?
A. Lack of company vision
B. Quality of code development
C. Best practice code development
D. Lack of vendor support
D. The correct answer is Lack of vendor support. The question is
intended to assess the viability of the company in the long term,
and consequently if they will provide support, updates and fix
patches.
- Which of these is not an effective way to prevent Server-Side
Request Forgery attacks?
A. Using an alternative IP representation of 127.0.0.1
B. Registering your own domain name that resolves
to 127.0.0.1
C. Removing all SQL code from Ajax Requests
D. Embedding credentials in a URL before the hostname, using
the @ character
C. The correct answer is Removing all SQL code from Ajax
Requests. Server-side request forgery (also known as SSRF) is a
web security vulnerability that allows an attacker to induce the
server-side application to make HTTP requests to an arbitrary
domain of the attacker’s choosing.
In a typical SSRF attack, the attacker might cause the server to
make a connection to internal-only services within the
organization’s infrastructure. In other cases, they may be able to
force the server to connect to arbitrary external systems, potentially
leaking sensitive data such as authorization credentials.
Ways to prevent this are:
1. Use an alternative IP representation of 127.0.0.1
2. Register your own domain name that resolves to 127.0.0.1
3. Embed credentials in a URL before the hostname, using
the @ character
- One of the following is not a capability of Security, orchestration, automation, and response (SOAR) tool. Which is it?
A. Threat and vulnerability management
B. Reaction to security incidents
C. Automation of security operations
D. Automation of malware removal
D. The correct answer is Automation of malware removal. SOAR
(Security Orchestration, Automation and Response) is a combination of compatible programs that enables a company to collect data on security threats from a wide variety of sources. In addition, SOAR enables an automatic reaction to certain security events without human intervention.
These are the three most important capabilities of SOAR solutions:
Threat and vulnerability management: The solutions support IT teams in eliminating vulnerabilities. In addition, they offer
standardized workflow, reporting and collaboration functions.
Reaction to security incidents: These technologies support IT
departments in planning, process organization, tracking and
coordinating the respective reaction to a security incident.
Automation of security operations: These technologies support the automation and orchestration of procedures, processes, policy
implementation and reporting.
- While discussing with a client, Mrs. Les, you mention an email
your company sent two days ago, but Mrs. Les insists she never saw the email. When you check, you discover that your company’s emails are being blocked because a compromised account sent some spam. What lookup will you use to detect what classification site like trusted source has given your domain?
A. IP & Domain reputation lookup
B. MX record lookup
C. SMTP server lookup
D. IMAP protocol lookup
A. The correct answer is IP & Domain reputation lookup. IPs use
sender reputation to decide whether (or not) they will deliver your
email messages to your subscribers. This sending reputation is
based on your IP address. But what if an ISP could make filtering
decisions based on your domain – rather than separate IPs? That is
the nature of domain reputation.
Domain reputation would essentially allow you to maintain your
reputation without worrying about individual IPs. That means you
could change IPs, send email from different providers and add new
IPs or use shared IPs without worrying about losing your good
reputation in the process and in connection with your brand.
- You go for an interview in a cybersecurity company; you are
asked to perform penetration testing on the e-commerce site of a
client company called Acme Corporation. You realize that when the
web server is compromised, it can be used to launch another attack
into the company’s internal network. Which of the following can
describe this?
A. Pivoting
B. Bug bounty
C. Cleanup
D. Privilege escalation
A. The correct answer is Pivoting. Often during a penetration test or
security assessment, everything starts with an external network —
with research and pentesting of machines and services available
from the global network. Attempts are being made to find a security
hole and, if it succeeds, then a penetration into the local network is
performed in order to capture as many systems as possible.
Local network traffic is non-routable, that is, other computers that
are physically connected to this network can access the resources
of the local network, and the attacker cannot access them.
So, pivoting is a set of techniques that allow an attacker to gain
access to local resources, in essence, making traffic routable that is
normally non-routable. Pivoting helps an attacker to configure the
working environment to use the tools in such a way as if he were in
the organization’s local network.
- Your company invites a penetration tester to conduct a test.
These are the pieces of information the manager sends the tester: company name, website domain name, gateway router IP address with no internal knowledge of the target system. What kind of test is the manager expecting the tester to perform?
A. Unknown environment test
B. Known environment test
C. Partially known environment test
D. Half known environment test
A. The correct answer is Unknown environment test. In an unknown
environment or black-box testing assignment, the penetration tester
is placed in the role of the average hacker, with no internal
knowledge of the target system. Testers are not provided with any
architecture diagrams or source code that is not publicly available.
A black-box penetration test determines the vulnerabilities in a
system that are exploitable from outside the network.
- You have just received a call from your colleague, Dan, that while he was trying to investigate a malware outbreak in a network, he found a file with the same name and API interface as Windows system DLL, but the file handles inputs in a manner that compromises the system. Dan believes applications have been attaching to the fake file instead of the original system DLL. How can you describe this?
A. Dynamic-link library
B. Shimming
C. Directory traversal
D. Evil twin
B. The correct answer is Shimming. A shimming is a library that transparently intercepts API calls and changes the arguments passed, handles the operation itself or redirects the operation elsewhere. Shims can be used to support an old API in a newer environment, or a new API in an older environment. Shims can also be used for running programs on different software
platforms than they were developed for.
- If you use an on-path attack to make a system send you HTTPS traffic and then you forward it to another server which the traffic is meant for. What kind of password attack can you conduct with the data gathered if all the traffic was captured in a login form.
A. Watering hole attack
B. A plain-text password attack
C. Influence campaigns attack
D. XSS attack
B. The correct answer is A plain-text password attack. Since you
capture the data you can conduct a plaintext attack. With a
known plaintext attack, the attacker has knowledge of the plaintext
and the corresponding ciphertext. This information is used to
decrypt the rest of the ciphertext.
- How would you describe a phenomenon whereby one receives
so many unwanted messages when in a crowded area, but these
messages stop when you are no longer in the area?
A. Jamming
B. Rogue access point
C. Disassociation
D. Bluejacking
D. The correct answer is Bluejacking. Bluejacking is a hacking
method that lets a person send unsolicited messages (typically
flirtatious but can also be malicious) to any Bluetooth-enabled
device within his own device’s range. Also known as “bluehacking,”
the process begins by scanning one’s surroundings for
discoverable Bluetooth-capable devices.
Bluejacking is much like doorbell ditching, wherein a person rings
someone’s doorbell and disappears before the homeowner can
answer the door.
- An attacker breached the wireless network in your office and exposed data that had been encrypted wirelessly by modifying some data that had been used with the stream cipher. What name is given to this kind of attack?
A. Initialization vector
B. Rogue access point
C. Disassociation
D. Bluejacking
A. The correct answer is Initialization vector. An initialization vector (IV) attack is an attack on wireless networks. It modifies the IV of an
encrypted wireless packet during transmission. IVs are blocks of
bits that are used to differentiate users on the wireless network. IVs
eliminate the need for users to constantly reauthenticate with an
access point and are therefore sent frequently.
- A common means of attacking RFID systems are? (Select TWO)
A. Reverse Engineering
B. Jamming
C. Domain hijacking
D. Man-in-the-Middle Attack
E. DNS poisoning
A,D. The correct answers are Reverse Engineering and Man-in-theMiddle Attack. RFID systems, like most electronics and networks, are susceptible to both physical and electronic attacks. As the technology matures and becomes more widespread, so do hackers who aim to gain private information, entrance to secure areas, or take a system down for personal gain. Below are 7 known security attacks hackers can perform on an RFID system.
1. Reverse Engineering
2. Power Analysis
3. Eavesdropping & Replay
4. Man-in-the-Middle Attack or Sniffing
5. Denial of Service
6. Cloning & Spoofing
7. Viruses
