- An attack was launched against your company; the attack
played upon some deficiencies in GeoTrust SSL and forcefully
moved some connections to a weaker version of SSL/TLS which
made it easier for the attacker to exploit. What would you call such
an attack?
A. Downgrade attack
B. Collision attack
C. Birthday attack
D. Secure socket shell attack
A. The correct answer is Downgrade attack. A downgrade attack is
a form of cyber attack in which an attacker forces a network
channel to switch to an unprotected or less secure data transmission standard.
Downgrading the protocol version is one element of man-in-themiddle type attacks, and is used to intercept encrypted traffic. An example of a downgrade attack might be redirecting a visitor from
an HTTPS version of a resource to an HTTP copy.
- You are in charge of networks at SWIFT, a telecommunications
company. Recently, many customers have been complaining that
they are constantly losing the connection from the wireless network.
While checking the logs, you find that the customers’ IP addresses
have been sending a deauthentication packet to the WAP. What
could be happening?
A. Bluesnarfing
B. Jamming
C. Disassociation attack
D. Rogue access point
C. The correct answer is Disassociation attack. A disassociation
attack is a type of Denial Of Services Attack, which is used to
disconnect an access point (mobile device in this case) from a
router by sending disassociation packets to the device. It is a
common way hackers try to gain access to people’s personal
information.
- A birthday attack can be categorized as what kind of attack?
A. Cryptographic attack
B. On-path attack
C. Password attack
D. Cloud-based attack
A. The correct answer is Cryptographic attack. A birthday attack is a
type of cryptographic attack, which exploits the mathematics behind
the birthday problem in probability theory. Birthday attack can be
used in communication abusage between two or more parties.
The attack depends on a fixed degree of permutations
(pigeonholes) and the higher likelihood of collisions found between
random attack attempts, as described in the birthday paradox/
problem.
- Common Vulnerabilities and Exposures (CVE) can be
categorized as?
A. A vulnerability feed
B. A critical feed
C. A virtual feed
D. An exploit feed
A. The correct answer is A vulnerability feed. Common
Vulnerabilities and Exposures (CVE) is a database of publicly
disclosed information security issues. A CVE number uniquely
identifies one vulnerability from the list. Enterprises typically use
CVE for planning and prioritization in their vulnerability
management programs.
- You are the network manager at Wells Fargo bank. The bank
uses an IDS on their network, sometimes marks legitimate traffic as a network attack. How can you describe this?
A. False alarm
B. False notification
C. False negative
D. False positive
D. The correct answer is False positive. A false positive is an error
in binary classification in which a test result incorrectly indicates the
presence of a condition such as an attack when the attack is not
present, while a false negative is the opposite error where the test
result incorrectly fails to indicate the presence of a condition when it
is actually present.
- While you are working in a software development company you notice that when multiple threads access the same variable, the application does not handle them in the right manner. You believe that if this vulnerability is discovered by an attacker, it could be used to crash the server. Which of the following best describes the issue have you just discovered?
A. Race conditions
B. Error handling
C. Integer overflow
D. Request forgeries
A. The correct answer is Race conditions. A race condition occurs
when two or more threads can access shared data and they try to
change it at the same time. Because the thread scheduling
algorithm can swap between threads at any time, you don’t know
the order in which the threads will attempt to access the shared
data. Therefore, the result of the change in data is dependent on
the thread scheduling algorithm, i.e. both threads are “racing” to
access/change the data.
Problems often occur when one thread does a “check-thenact” (e.g. “check” if the value is X, then “act” to do something that
depends on the value being X) and another thread does something
to the value in between the “check” and the “act”. E.g:
if (x == 5) // The “Check”
{
y = x * 2; // The “Act”
// If another thread changed x in between “if (x == 5)” and “y = x * 2”
above,
// y will not be equal to 10.
}
The point being, y could be 10, or it could be anything, depending
on whether another thread changed x in between the check and
act. You have no real way of knowing.
In order to prevent race conditions from occurring, you would
typically put a lock around the shared data to ensure only one
thread can access the data at a time. This would mean something
like this:
// Obtain lock for x
if (x == 5)
{
y = x * 2; // Now, nothing can change x until the lock is released.
// Therefore y = 10
}
// release lock for x
- During a penetration test for a company network, you scan for all the systems on the network and discover one particular system on that network which has the same accounts and user type with the system you’re working from; if you access the discovered system using the fact that you are already have a valid account on one system, what would we call this?
A. Known environment
B. Rules of engagement
C. Lateral movement
D. Persistence
C. The correct answer is Lateral movement. Lateral movement
refers to the techniques that a cyberattacker uses, after gaining
initial access, to move deeper into a network in search of sensitive
data and other high-value assets. After entering the network, the
attacker maintains ongoing access by moving through the compromised environment and obtaining increased privileges using various tools.
After gaining initial access to an endpoint, such as through
a phishing attack or malware infection, the attacker impersonates a legitimate user and moves through multiple systems in the network until the end goal is reached. Attaining that objective involves gathering information about multiple systems and accounts, obtaining credentials, escalating privileges and ultimately gaining access to the identified payload.
- After scanning a Windows server, you realize that the IIS version which is on the server had been flagged some months ago as being vulnerable to attacks. You also see that there are no missing patches. Which of the following best describes this?
A. False positive
B. Windows server error
C. ISS error
D. False negative
A. The correct answer is False positive. A false positive is an error
in binary classification in which a test result incorrectly indicates the
presence of a condition such as an attack when the attack is not
present.
- Which of these categories do FTP and Telnet fall into?
A. Transfer protocols
B. File protocols
C. Secure protocols
D. Unsecure protocols
D. The correct answer is Unsecure protocols. FTP (File Transfer
Protocol) and TELNET were designed for networks of the 1960s,
1970s and 1980s. During those periods, the computer networks
were considered safe. FTP is considered an insecure protocol
because it transfers user authentication data (username and
password) and file data as plain-text (not encrypted) over the
network. Because of this, FTP (File Transfer Protocol) is vulnerable
to password sniffing, data spoofing, and other network attacks.
- What testing techniques would you use to determine the range
of the wireless network in your company so you can know where it can be accessed?
A. War driving
B. Footprinting
C. Cleanup
D. Bug bounty
A. The correct answer is War driving. Wardriving is the practice of
physically searching for unsecured wireless networks or networks
that can easily be compromised.
- A vulnerability scan in which you are provided with logins for different systems like the application, database and web server can be described as?
A. Credentialed scan
B. Application scan
C. Web application scan
D. Network scan
A. The correct answer is Credentialed scan. Credentialed scans are scans in which the scanning computer has an account on the computer being scanned that allows the scanner to do a more thorough check looking for problems that can not be seen from the network.
- What is the function of the following code and in what
programming language is it written?
import socket as socket
for p in range (1,1024):
try:
sockets=socket.socket(socket.AF_INET,
socket.SOCK_STREAM)
sockets.connect((‘127.0.0.1, p))
print ‘%d: IS OPEN’ % (p)
sockets.close
except: continue
A. Programming language: Python,
Function: port scanning
B. Programming language: PHP,
Function: port scanning
C. Programming language: Perl,
Function: port scanning
D. Programming language: Javascript,
Function: port scanning
A. The correct answer is Programming language: Python -
Function: port scanning.
- An attacker breaches the Wi-Fi and accesses the wireless access point (WAP) admin console of the National Bank by using the login details that ship with the WAP. What caused this sort of vulnerability?
A. Default settings
B. Non-updated software
C. WAP misconfiguration
D. Lack of documentation
A. The correct answer is Default settings. Using default settings
makes systems vulnerable to scanners and tools that attackers
use: these tools often have a way of getting to the default settings
- How would you describe an attack in which the attacker tries to play on the victim’s psychology by using words like “Secure”, “Trusted”, “Safe” in the mail he sends?
A. Prepending
B. Impersonation
C. Typosquatting
D. Reconnaissance
A. The correct answer is Prepending. Prepending is when social
engineers insert some expressions into a conversation to get
targets to think about things the attacker wants them to.
- You are in charge of networks at the State Tax Corporation. You
realize that some entries in your network’s domain name server
have been modified; you realized this because each time you are
trying to access the network, you are directed to an IP address that
may be dangerous. How would you describe this?
A. Domain hijacking
B. DNS poisoning
C. Domain reputation
D. Disassociation
B. The correct answer is DNS poisoning. DNS cache poisoning is
the act of entering false information into a DNS cache, so that DNS
queries return an incorrect response and users are directed to the
wrong websites.
DNS cache poisoning is also known as ‘DNS spoofing.’ IP
addresses are the ‘room numbers’ of the Internet, enabling web
traffic to arrive in the right places. DNS resolver caches are the
‘campus directory,’ and when they store faulty information, traffic
goes to the wrong places until the cached information is corrected
- You work for a telecommunications company; a customer-care representative reports to you that customers have been complaining that whenever they install your company’s app, they find something else attached. After checking, you realize some malware has been secretly attached to your company’s app. How would you describe this?
A. DNS poisoning
B. Cryptomalware
C. Logic bombs
D. Trojan horse
D. The correct answer is Trojan horse. A Trojan horse is a type of
malware that downloads onto a computer disguised as a legitimate
program. A Trojan horse is so-called due to its delivery method,
which typically sees an attacker use social engineering to hide
malicious code within legitimate software.
- The network administrator from your company notices that the
network performance has been degraded due to a broadcast storm.
Which of the following techniques will you recommend to the
network administrator in order to reduce broadcast storms?
(Choose all that apply)
A. Split up your broadcast domain
B. Check for loops in switches
C. Check how often ARP tables are emptied
D. Split up your collision domain
E. Check the routing tables
A, B, C. The correct answers are Split up your broadcast domain,
Check for loops in switches, Check how often ARP tables are
emptied. A broadcast storm is an abnormally high number of
broadcast packets within a short period of time. A broadcast storm
can overwhelm switches and endpoints as they struggle to keep up
with processing the flood of packets. When this happens, network
performance degrades.
How to reduce broadcast storms:
Storm control and equivalent protocols allow you to rate-limit
broadcast packets. If your switch has such a mechanism, turn it on.
Ensure IP-directed broadcasts are disabled on your Layer 3
devices. There’s little to no reason why you’d want broadcast
packets coming in from the internet going to a private address
space. If a storm is originating from the WAN, disabling IP-directed
broadcasts will shut it down.
Split up your broadcast domain. Creating a new VLAN and
migrating hosts into it will load balance the broadcast traffic to a
more acceptable level. Broadcast traffic is necessary and useful,
but too much of it eventually leads to a poor network experience.
Check how often ARP tables are emptied. The more frequently
they’re emptied, the more often ARP broadcast requests occur.
Sometimes, when switches have a hardware failure, their
switchports begin to spew out broadcast traffic onto the network. If
you have a spare switch of the same or similar model, clone the
config of the active switch onto the spare and swap the hardware
and cables during a maintenance window. Does the storm subside?
If it does, it was a hardware issue. If not, then you’ve gotta keep
digging.
Check for loops in switches. Say there was an unmanaged Layer
2 switch connected upstream to an unmanaged switch, and
someone’s connected a cable between two ports on the same
unmanaged switch (let’s say ports 1 and 2). The unmanaged switch
will respond to all broadcasts multiple times and flood the broadcast
domain with packets, causing a denial of service attack on the
network.
