SY0-401:3 TS Quiz Threats and Vulnerabilities

Bob manages the sales department. Most of his sales representatives travel among several client sites. He wants to enable these sales representatives to check the shipping status of their orders online. This information currently resides on the company intranet, but it is not accessible to anyone outside the company firewall. Bob has asked you to make the information available to traveling sales representatives. You decide to create an extranet to allow these employees to view their customers’ order status and history.

Which technique could you use to secure communications between network segments sending order-status data via the Internet?
VPN
VLAN
Extranet
Certificate server

Answer:
VPN

Explanation:
A virtual private network (VPN) is not a physical network. In a VPN, a public network, such as the Internet, is used to allow secure communication between companies that are not located together or between private networks. A VPN transports encrypted data.

A Virtual LAN (VLAN) allows networks to be segmented logically without physically rewiring the network. A VLAN is an excellent way to provide an added layer of security by isolating resources into separate subnets. If a small company purchases an all-in-one wireless router/switch and has two Web servers, and it needs to protect from access by BYOD, you could create a server VLAN and place an ACL on the Web servers.

An extranet enables two or more companies to share information and resources. While an extranet should be configured to provide the shared data, an extranet is only a Web page. It is not actually responsible for data transmission. An extranet has a wider boundary than an intranet.

A certificate server provides certificate services to users. Certificates are used to verify user identity and protect data communication.

VPNs use what is known as a tunneling protocol for the secure transfer of data over the Internet. A common tunneling protocol for this purpose is Point-to-Point Tunneling Protocol (PPTP). The term "tunnel" refers to how the information is privately sent. Data being sent is encapsulated into network packets. Packets are encrypted at their point of origin before they are sent via the Internet, so the information travels in an encrypted, non-readable form. Once the information arrives at its destination, it is decrypted.

By using a VPN, a company avoids the expense of leased lines for secure communication, but instead can use public networks to transfer data in a secure way. Client computers can connect to the VPN by dial-up, DSL, ISDN, or cable modems.

An intranet is a local area network (LAN) add-on that is restricted to certain users, usually a company’s employees. The data contained on it is usually private in nature.

Match the descriptions on the left with the malware types on the right.
Explanation:
The malware types should be matched with the descriptions in the following manner:
Backdoor – a developer hook in a system or application that allows developers to circumvent normal authentication
Logic bomb – a program that executes when a certain predefined event occurs
Spyware – a program that monitors and tracks user activities
Trojan horse – a program that infects a system under the guise of another legitimate program
To which type of attack are password files stored on a server vulnerable?
a dictionary attack
a SYN flood attack
a side channel attack
a Denial of Service (DoS) attack

Answer:
a dictionary attack

Explanation:
A dictionary attack is based on the attacker’s efforts to determine the decryption key or password needed to defeat a cipher. This attack uses words from a dictionary and typically succeeds because many users choose passwords that are dictionary words and easy to remember. The dictionary attack is therefore a form of cryptanalysis. One-way encryption or one-way hashing protects against reading or modifying the password file, but an intruder can launch a dictionary attack after capturing the password file.

A SYN flood attack is a Denial of Service (DoS) technique. The attacker sends multiple SYN packets to a target machine from a spoofed source IP address. The victim machine responds to the service requests by replying with an acknowledgement (SYN-ACK) and allocating resources to the spoofed source IP address. The target machine runs out of resources, and the requests from legitimate users are denied.

In a side channel attack, the attacker gains information about the encryption algorithms running in the cryptosystem that is implemented in the network. The attacker can use information such as power consumption, electromagnetic radiation, and sound to break into a system. A side channel attack can also be based on the time taken to perform a computation.

A DoS attack exploits the limitations of the TCP/IP protocol by flooding the network with a large number of false resource requests or by consuming the complete bandwidth of the network. To fulfill the resource requests that are falsely created by the attacker, the network exhausts its resources. Therefore, legitimate and authorized users are denied services on the basis of a resource crunch in the network.


You have just discovered that an application that your company purchased is intentionally embedded with software code that allows a developer to bypass the regular access and authentication mechanisms. Which software code is being described?
logic bomb
pseudo-flaw
multipart virus
debugging hooks
Answer:
debugging hooks

Explanation:
A debugging or maintenance hook is software code that is intentionally embedded in the software during its development process to allow the developer to bypass the regular access and authentication mechanisms. These hooks can pose a threat to the security of the software and can be exploited if any maintenance hook is not removed before the software goes into production and an intruder is able to find the maintenance hook.

A logic bomb is a malicious program that remains dormant and is triggered following a specific action by the user or after a certain time interval. The primary difference between logic bombs, viruses, and worms is that a logic bomb is triggered only when specific conditions are met.

A pseudo-flaw refers to vulnerability code embedded intentionally in the software to trap intruders.

A multipart virus can infect both executable files and boot sectors of hard disk drives. The virus first resides in the memory and then infects the boot sector and the executable files of the computer.

Which spyware technique inserts a dynamic link library into a running process’s memory?
SMTP open relay
DLL injection
buffer overflow
cookies

Answer:
DLL injection

Explanation:
DLL injection is a spyware technique that inserts a dynamic link library (DLL) into a running process’s memory. Windows was designed to use DLL injection to make programming easier for developers. Some of the standard defenses against DLL injection include application and operating system patches, firewalls, and intrusion detection systems.

SMTP open relay is an e-mail feature that allows any Internet user to send e-mail messages through the SMTP server. SMTP relay often results in an increased amount of spam. SMTP relay is designed into many e-mail servers to allow them to forward e-mail to other e-mail servers.

A buffer overflow occurs when the input data is longer than the buffer allocated to hold it. A buffer overflow is caused when input data is not verified for appropriate length at the time of input. Buffer overflows and boundary condition errors are examples of input validation errors. Memory addressing is specific to a buffer overflow attack. If a programmer allocates 16 bytes for a string variable but does not adequately ensure that no more than 16 bytes can be copied into it, a buffer overflow can occur. If a security analysis discovers JavaScript being used to send random data to another service on the same computer, a buffer overflow attack is occurring. One of the oldest examples of a buffer overflow attack is a no operation performed (NOOP) attack, in which the attacker supplies instructions that execute no operation.

Cookies store information on a Web client for future sessions with a Web server. They are used to provide a persistent, customized Web experience for each visit and to track a user’s browsing habits. The information stored in a cookie is not typically encrypted and might be vulnerable to hacker attacks.

Which type of attack redirects you to a fake Web site?
land attack
hyperlink spoofing
ICMP packet spoofing
network address hijacking
Answer:
hyperlink spoofing

Explanation:
Hyperlink spoofing, which is also referred to as Web spoofing, is used by an attacker to persuade the Internet browser to connect to a fake server that appears to be a valid session. The primary purpose of hyperlink spoofing is to gain access to confidential information, such as users’ PINs, credit card numbers, and bank details. This is also referred to as URL spoofing.

Hyperlink spoofing takes advantage of people using hyperlinks instead of DNS addresses. In most scenarios, the DNS addresses are not visible, and the user is redirected to another fake Web site after clicking a hyperlink.

A land attack involves sending a spoofed TCP SYN packet to an open port on the target host, with the target host’s IP address and that port set as both the source and the destination. The land attack causes the system to either freeze or crash because the machine continuously replies to itself.

What is the best description of an evil twin?
an unauthorized access point
signals about the wireless network marked on the outside of a building
an access point with the same SSID as the legitimate access point
cracking the WEP secret key using the initialization vector (IV)
Answer:
an access point with the same SSID as the legitimate access point

Explanation:
An evil twin is an access point with the same SSID as the legitimate access point. It is a special type of unauthorized access point.

A rogue access point is an unauthorized access point that allows access to a secure network. Performing a site survey is the best way to discover rogue access points. Discovering a large number of unauthorized wireless connections in a particular area is a sign of a rogue access point.

War chalking is leaving signals about the wireless network on the outside of a building.

An IV attack is cracking the WEP secret key using the initialization vector (IV). An IV attack involves interception of authentication traffic in an attempt to gain unauthorized access to a wireless network.

Another consideration in wireless networks is interference or jamming. If an organization implements multiple wireless access points, the organization must ensure that the access points do not interfere with each other. This can be accomplished in one of two ways: deploy the access points on different channels within the frequency band, or decrease the power level of the access points. Also, some electronic devices can cause interference with access points. Often, just moving the wireless access point can fix the issue.

Attackers can deploy devices that cause interference for your wireless network. Performing a site survey can help you to locate the interfering devices.

You have been asked to reduce the surface area of a Windows Server 2008 computer that acts as a Web server. Which step is NOT included in reducing surface area attacks?
Disable unnecessary services.
Disable unnecessary protocols.
Use least privilege.
Disable auditing.
Answer:
Disable auditing.

Explanation:
You should not disable auditing. Auditing should be implemented to record events that could possibly compromise security. Without auditing, you have no way of tracking events that occur.

Reducing surface area attacks includes the following steps:
Disable unnecessary services.
Disable unnecessary protocols.
Disable unnecessary ports.
Use least privilege.
Apply defense in depth.
Do not trust user input.
Fail securely.
Secure the weakest link.
Create secure defaults.

Hardening involves the following steps:
Disable unnecessary accounts.
Protect management interfaces and applications.
Implement password protection.

Unneeded services and protocols can easily allow hackers to access your servers. A port scanner can identify which services and protocols are running so that you can disable the unnecessary ones.

You have been tasked with designing the audit policy for your company based on your company’s security policy. What is the first step you should take?
Plan the audit strategy.
Conduct the audit.
Evaluate the audit results.
Report the audit results to management.

Answer:
Plan the audit strategy.

Explanation:
When designing an audit policy for your company, the following steps need to be followed:
Develop the company’s security policy.
Plan the audit strategy.
Conduct the audit.
Evaluate the audit results.
Report the audit results to management.
Conduct follow-up.
To configure the audit, you should enable auditing, configure auditing on the objects, and then review event logs.”

You have been promoted to security administrator for your company. The former security administrator gives you access to all of his tools, which includes Tripwire. Which statement is true of this tool?
It increases the performance of systems.
It is typically used by hackers to perform intrusions.
It monitors the changes in the baseline configuration of a system.
It acts as a centralized access control system for managing user accounts.

Answer:
It monitors the changes in the baseline configuration of a system.

Explanation:
The primary purpose of Tripwire is to monitor the baseline configuration of a system and the changes made to it. Changes or modifications to the operating system and to the application programs are monitored by maintaining a checksum value of the programs and by periodically examining the values.

Tripwire monitors unauthorized alterations to the infrastructure software suite and cannot be used to enhance the performance of the system.

Tripwire is a security enhancement tool and is not used by hackers to perform intrusions. Hackers can use tools such as L0phtCrack, John the Ripper, and Nessus to decipher passwords stored on Windows NT, crack passwords for UNIX, and perform reconnaissance, respectively.

Tripwire does not act as a centralized access control system to manage user accounts. To manage user accounts, the Authentication, Authorization, and Accounting (AAA) services are deployed.

An additional function of Tripwire is its antivirus functionality, which ensures data integrity and generates alerts for administrators in the event of a change to the operating system or the applications.

Match the descriptions on the left with the malware type on the right that BEST matches the description.
Explanation:
The malware types should match with the descriptions in the following manner:
Adware – a software application that displays advertisements while the application is executing
Botnet – a group of computers that are hacked when a malicious program is installed on them and remotely triggered
Rootkit – a collection of programs that grants a hacker administrative access to a computer or network
Worm – a program that spreads itself through network connections
Which Microsoft application will create security reports?
Microsoft Baseline Security Analyzer
Windows Firewall
Task Manager
Performance Monitor

Answer:
Microsoft Baseline Security Analyzer

Explanation:
Microsoft Baseline Security Analyzer is a Microsoft application that creates security reports.

Windows Firewall is a host-based firewall solution. Task Manager is the Windows application that shows all applications, processes, and services running on a Windows computer. Performance Monitor monitors all hardware components in a computer, including memory, processor, and hard drive.

What is an example of a brute force attack?
sending multiple ICMP messages to a Web server
searching through a company’s trash
using a program to guess passwords from a SAM file
gathering packets from a network connection

Answer:
using a program to guess passwords from a SAM file

Explanation:
Using a program to guess passwords from a Security Account Manager (SAM) file is an example of a brute force attack. A SAM file, which is used on some Windows networks, contains encrypted passwords. A hacker can initiate a brute force attack in an attempt to decrypt passwords stored in a SAM file. You can defend against a brute force network attack by increasing the complexity and keyspace requirements of the password.

Sending multiple Internet Control Message Protocol (ICMP) messages to a Web server is a type of denial of service (DoS) attack that is referred to as a ping of death. Searching through a company’s trash to find sensitive information is a type of physical attack that is sometimes referred to as dumpster diving. Using a packet analyzer to gather packets from a network connection between two computers is a method that can be used to initiate a man in the middle (MITM) attack.

Which mechanism is used on a Web page to submit information to a CGI program?
an ActiveX control
a form
the refresh button
Internet Options

Answer:
a form

Explanation:
A form is used on a Web page to submit information to a Common Gateway Interface (CGI) program on a Web server. Hackers might be able to retrieve information submitted on a form while the information is in transit to a Web server. The external data provided by the user would typically cause a CGI security issue. When hosting a Web server with CGI scripts, the directories for public view should have Execute permissions. CGI scripts are vulnerable to cross-site scripting (XSS).

ActiveX is a Microsoft technology that is often used to create dynamic Web pages. The Web browser will display ActiveX install messages. Because ActiveX controls are downloaded to the client’s hard drive, they are potential security threats. Digital signatures are used to prove where ActiveX controls originated. On the Internet, a pop-up browser window validates the identity of the ActiveX developer using Authenticode. When an ActiveX control is executed, it runs under the current user’s privileges.

The refresh button is used to update the Web page view in a Web browser. In Internet Explorer, Internet Options… can be used to configure settings.

The best security plan is to set your Internet browser to High security, thereby disabling all features that can pose security threats, such as ActiveX, JavaScript, CGI scripts, and cookies.

Your organization’s computers all include an antivirus application that is running with old antivirus definitions. Which term is used to describe this situation?
a risk
a threat
an exposure
a vulnerability

Answer:
a vulnerability

Explanation:
An antivirus application without the latest antivirus definitions is an example of a vulnerability. A vulnerability is defined as a flaw, loophole, or weakness in a system, software, or hardware. A vulnerability can be exploited by a threat agent and can lead to a risk of loss.

Risk is defined as the likelihood that a threat occurs and the corresponding loss potential. Risk is the probability that a threat agent exploits a vulnerability. In this case, risk is the probability that the system could be infected with a virus because the antivirus software was not updated.

The component that exploits a vulnerability is referred to as a threat agent. In this scenario, a virus is an example of a threat agent.

An exposure factor refers to the percentage or portion of an asset that is lost or destroyed when exposed to a threat.

A threat and vulnerability analysis involves identifying and quantifying the possible threats and vulnerabilities in the system that can be exploited by a threat agent. Identifying threats and vulnerabilities through vulnerability analysis is an objective of risk analysis and is a part of risk management. Vulnerability analysis provides either a qualitative or a quantitative analysis of the vulnerabilities and threats.

There are several security assessment tools that can be used to identify threats and vulnerabilities, including the following:
Protocol analyzer – analyzes network traffic.
Vulnerability scanner – scans the network and its devices for vulnerabilities.
Honeypots and honeynets – devices used to entice attackers so that defenders can learn how the attacker carries out the attack. A honeynet is a network of honeypots.
Port scanner – scans a device to determine the status of all ports.
Banner grabbing – an activity that determines information about services that are being run on a remote computer.

You are performing user account reviews. You need to determine whether user accounts are being used. Which property should you verify?
when the password was last configured
whether a password is required
whether user accounts are disabled
when the last login occurred

Answer:
when the last login occurred

Explanation:
To determine whether user accounts are being used, you should verify when the last login occurred for every user account. If a user account has not logged in recently, either the user is not logging out properly or the user account is no longer being used.

You should not check when the password was last configured. Doing so will ensure that users are changing their passwords as stipulated in the password expiration policy. Passwords may not be changed if the user is not properly logging out each day.

You should not check whether a password is required. Doing so will ensure that user accounts are required to have a password.

You should not check whether user accounts are disabled. Disabled user accounts are not used. User accounts are often retained in a disabled state for a period of time. Restoring a user account once it is deleted is difficult.

A user reports that she is unable to access a file server. You discover that there are numerous open connections on the file server from several servers and routers.

Which type of attack has affected the file server?
privilege escalation
back door attack
denial-of-service (DoS) attack
man-in-the-middle attack


Answer:
denial-of-service (DoS) attack

Explanation:
The file server has become the victim of a denial-of-service (DoS) attack. Because multiple routers and servers are involved in the attack, a distributed DoS (DDoS) attack has actually occurred. A DDoS attack usually involves the hijacking of several computers and routers to use as agents of the attack. Multiple servers and routers involved in the attack often overwhelm the bandwidth of the attack victim. For example, if a server has intermittent connection issues, the logs show repeated connection attempts from the same IP addresses, and the attempts are overloading the server to the point it cannot respond to traffic, then the server is experiencing a DDoS attack.

Privilege escalation usually occurs by logging in to a system using your valid user account and then finding a way to access files that you do not have permissions to access. This often involves invoking a program that can change your permissions, such as Set User ID (SUID) or Set Group ID (SGID), or invoking a program that runs in an administrative context. There are several methods of dealing with privilege escalation, including using least privilege accounts, privilege separation, and so on. Privilege escalation can lead to denial-of-service (DoS) attacks. An example of privilege escalation is gaining access to a file you should not access by changing the permissions of your valid account. Privilege escalation is also a concern for users that have administrative-level accounts. If a user needs administrative-level access, the user should be given two user accounts: one administrative-level account and one regular user account. The user should then use the regular user account for most activities. The administrative-level account should only be used when the user needs to perform administrative duties.

Back doors are hidden applications that vendors create to ensure that they are able to access their devices. After installing new devices or operating systems, you need to ensure that all back doors and default passwords are either disabled or reset. Often, hackers first attempt to use such back doors and default passwords to access new devices.

A man-in-the-middle attack occurs when a hacker intercepts messages from a sender, modifies those messages, and sends them to a legitimate receiver.

A hacker has called a company employee and learned the employee’s user name and password by posing as a member of corporate technical support.

Which type of attack has the company suffered?
buffer overflow
denial of service
brute force
social engineering


Answer:
social engineering

Explanation:
The company has suffered a social engineering attack, in which a hacker poses as a company employee or contractor to gain information about a network from legitimate company employees. A hacker typically uses social engineering to gain user names and passwords or sensitive documents by non-technical means, such as posing as an employee or dumpster diving. A company can help protect itself from a social engineering attack by requiring employees to attend security awareness training, which is one of the most neglected aspects of network security.

A buffer overflow attack occurs when a hacker exploits a bug in a program to force more information into computer memory than the program was designed to handle. A hacker can use a buffer overflow to run malicious programs on a computer system. A denial of service (DoS) attack occurs when a hacker floods a network with requests so that legitimate users cannot gain access to resources on a computer or a network. A brute force attack occurs when a hacker tries all possible values for such variables as user names and passwords. For example, a hacker might use a brute force attack to crack an encryption key and gain access to an encrypted file.

Which attack sends unsolicited messages over a Bluetooth connection?
bluesnarfing
blue jacking
war driving
spamming
Answer:
blue jacking

Explanation:
Blue jacking is an attack that sends unsolicited messages over a Bluetooth connection. It can be considered spamming in a Bluetooth environment.

Bluesnarfing is the act of gaining unauthorized access to a device (and the network it is connected to) through its Bluetooth connection. With this type of attack, data can be stolen from a disk-encrypted, screen-lock protected smart phone.

War driving is the act of discovering unprotected wireless networks by driving around with a laptop. Proper wireless antenna placement and lowering radio power settings can help reduce war driving attacks.

Spamming is the act of sending unsolicited e-mail messages through a mail server.

There are three other wireless issues that you need to understand:
Near field communication (NFC) – This is a set of standards for smartphones and similar NFC-capable devices to communicate over radio waves through touch or proximity, usually no more than a few inches. You should be concerned with eavesdropping, unauthorized data modification, relay attacks, and lost NFC devices.
Replay attacks – This attack captures 802.11 data, EAP information, or RADIUS messages for later replay.
WPS attacks – Wi-Fi Protected Setup (WPS) is a flawed network security standard that attempts to allow users to easily secure a wireless home network. Some networks using this standard could experience brute-force attacks if one or more of the network’s access points do not guard against the attack.

Which file stores information on a Web client for future sessions with a Web server?
a cookie
a container
a cluster
a channel
Answer:
a cookie

Explanation:
A cookie is a file that stores information on a Web client for future sessions with a Web server. It is used to provide a persistent, customized Web experience for each visit and to track a user’s browser habits. The information stored in a cookie is not typically encrypted and might be vulnerable to hacker attacks.

A container is a document or program that holds components. For example, a Web browser is a container for the components of a Web page. A cluster is a group of servers that acts as a single server. A cluster might be established for fault tolerance or for load balancing among the physical servers in a cluster. A channel is a communications path between two devices or among several devices.

Match the descriptions on the right with the social engineering attacks on the left.
Explanation:
The social engineering attacks should be matched with the descriptions in the following manner:
Shoulder surfing – watching someone when they enter sensitive data
Tailgating – following someone through a door he just unlocked
Vishing – a special type of phishing that uses VoIP
Whaling – a special type of phishing that targets a single power user
Another type of attack that you need to understand is dumpster diving. This attack occurs when attackers go through the contents of your organization’s dumpster in the hope of finding confidential information, including personally identifiable information, user accounts, and passwords.

All of these attacks are considered to be social engineering attacks. Social engineering attacks are usually successful for at least one of the following reasons:
Authority – In this situation, the attacker claims to have certain authority, often by claiming to be an official representative. Personnel should be trained on how to properly identify any organization technicians, administrators, and the like.
Intimidation – In this situation, the attacker intimidates or belittles the personnel so that the information the attacker needs is revealed. Personnel should be trained to contact security personnel if intimidation techniques are used.
Consensus/Social proof – In this situation, the attacker attempts to trick personnel into releasing information by proving that it is fine to release the information. Attackers can plant fake personnel within a group. When the planted person gives up the information easily to the attacker, the other personnel follow suit and release their information.
Urgency – In this situation, the attacker makes the situation seem like an emergency.
Familiarity/Liking – In this situation, the attacker tends to create a false sense of familiarity with personnel by implying that the attacker knows someone the personnel knows or works with.
Trust – In this situation, the attacker gains the trust of the personnel. This method is often used along with authority.

What is an IM package?
ICQ
ICP
IPP
IPX
Answer:
ICQ

Explanation:
ICQ, which is pronounced I seek you, is an Instant Messaging (IM) package. ICQ enables users to send and receive instant messages in real time. Additionally, ICQ manages presence information to enable users to determine whether other ICQ users are online and ready to send and receive instant messages. IM packages, such as ICQ, contain few security features because they are not typically designed with security as a concern, and can be used by hackers to implement social engineering attacks.

Internet Caching Protocol (ICP) enables Web caching servers to interoperate for improved performance. Internet Printing Protocol (IPP) supports remote printing on Transmission Control Protocol/Internet Protocol (TCP/IP) networks. Internetwork Packet Exchange (IPX) is a routing and addressing protocol used on Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX) networks. IPX/SPX is a network protocol suite developed by Novell for NetWare networks.

Please keep in mind that instant messaging and social networking applications, such as Yahoo Messenger and Facebook, often pose unique security issues for an organization. Improper use of instant messaging or social networking applications can result in information disclosure.

If a security administrator has concerns about new types of media that allow for the mass distribution of personal comments to a select group of people, employees should receive training on social networking to mitigate the risks involved with this media.

What is formed when a malicious program is installed on several host computers and is remotely triggered?
trapdoor
virus
worm
botnet

Answer:
botnet

Explanation:
A botnet is formed when a malicious program is installed on several host computers and is remotely triggered. For example, a hacker might install a malicious program on the computers on a network to form a botnet and then remotely trigger the botnet to cause a flood of network traffic. The infected computers then act as "zombies" by performing malicious acts on behalf of the perpetrator. Botnets result in distributed denial of service (DDoS) attacks. A good sign that a computer has become part of a botnet is if the browser behaves erratically, performance is slow, and hundreds of outbound connections exist. The most likely cause of a single computer communicating with an unknown IRC server and scanning other systems on the network is that the computer is infected with a botnet.

If a computer has been compromised with a botnet, you should shut down the computer. However, keep in mind that the memory, network processes, and system processes will be unavailable for later investigation once the computer is shut down. So you may need to ensure that the contents of these are captured before shutting the computer down.

A trapdoor is an unreported method for entering a program. A trapdoor is typically created to debug a program, but sometimes hackers can find ways to exploit trapdoors for malicious purposes.

A virus is a program that copies itself to files on a computer.

A worm is a program that spreads itself through network connections. The main difference between a virus and a worm is that a worm is self-replicating.

You install a network analyzer to capture your network’s traffic as part of your company’s security policy. Later, you examine the captured packets and discover that only Subnet 1 traffic was captured. You need to capture packets from all four subnets on your network. Two routers are used to connect the company’s four subnets.

What could you do? (Choose two)
Install a port scanner.
Install the network analyzer on all four subnets.
Install a distributed network analyzer.
Install the network analyzer on a router.
Install the network analyzer on the firewall.

Answer:
Install the network analyzer on all four subnets.
Install a distributed network analyzer.

Explanation:
You could either install the network analyzer on all four subnets or install a distributed network analyzer. Standard network analyzers only capture packets on the local subnet. To capture packets on a multi-subnet network, you could install the network analyzer on all four subnets. Alternatively, you could purchase a network analyzer that can capture all packets across the subnets. A distributed network analyzer typically consists of a dedicated workstation network analyzer installed on one subnet, and software probes installed on the other subnets.

You should not install a port scanner. A port scanner reports which ports and services are being used on your network.

You should not install the network analyzer on a router. This will only allow you to capture packets on the subnets connected to the router. The scenario specifically stated that two routers are used.

You should not install the network analyzer on the firewall. This will only allow you to capture packets on the subnets connected to the firewall.

Match the descriptions from the left with the attack types on the right.

Explanation:
The attack types should be matched with the descriptions in the following manner:
Dictionary attack – occurs when a hacker tries to guess passwords using a list of common words
DoS attack – occurs when a server or resource is overloaded so that legitimate users cannot access it
Pharming attack – occurs when traffic is redirected to a site that looks identical to the intended site
Phishing attack – occurs when confidential information is requested by an entity that appears to be legitimate
In which situation does cross-site scripting (XSS) pose the most danger?
A user accesses a publicly accessible Web site.
A user accesses a financial organization’s site using his or her login credentials.
A user accesses a static content Web site.
A user accesses a knowledge-based site using his or her login credentials.

Answer:
A user accesses a financial organization’s site using his or her login credentials.

Explanation:
Cross-site scripting (XSS) poses the most danger when a user accesses a financial organization’s site using his or her login credentials. The problem is not that the hacker will take over the server. It is more likely that the hacker will take over the client’s session. This will allow the hacker to gain information about the legitimate user that is not publicly available. To prevent XSS, a programmer should validate input to remove hypertext. You can mitigate XSS by preventing the use of HTML tags or JavaScript image tags.

While the other situations can result in an XSS attack, these situations do not pose as much danger because it is unlikely that any real-world information will be obtained.

There are different steps organizations and security professionals can take to protect against XSS attacks. For regular users, you should restrict untrusted JavaScript, use built-in browser protections, restrict external Web sites from requesting internal resources, and maintain system updates and patches. Developers should use whitelisting/blacklisting, OWASP Enterprise Security API (ESAPI), Microsoft AntiXSS Library, and Web vulnerability scanners. Network administrators should use White Trash Squid Web Proxy plug-ins and Web Application Firewalls (WAFs). Finally, another technique is to coordinate between the Web application and the client browser to separate user-supplied data from Web application HTML using a content security policy (CSP).

Recently, several users in your company have gained access to confidential files. Management has requested that you implement a new audit policy that will improve user accountability. Which audit events could be monitored? (Choose all that apply.)
file creation
logon attempts
file modifications
account modifications

Answer:
logon attempts
file modifications
account modifications

Explanation:
You should monitor logon attempts, file modification, and account modification events to improve user accountability. According to the principle of accountability, significant events should be traceable to an individual. What constitutes significant depends on the nature of the data and the security policy of the network. This individual accountability revolves around the use of unique IDs, access rules, and audit trails.

You do not need to monitor file creation. Users should be able to create files. When a user creates a file, the user name is listed as the file owner.

Audit logging is the process of keeping track of significant user actions. Actions that should be monitored are usually determined by the company and are dependent on the business circumstances. You should also monitor the following events: use of administration utilities, functions performed, and commands initiated. It is important that a company determine what its audit policy is to provide maximum protection while minimizing the effect on system resources.

Match the attacks on the left with the descriptions given on the right.

Explanation:
The attacks and their descriptions should be matched in the following manner:
Advanced persistent threat – a group of organized individuals from an enemy country is responsible for various attempts to breach the company network using sophisticated and targeted attacks
Malicious insider threat – an employee downloads intellectual property from a server to a USB drive to sell to a competitor
Spear phishing – an e-mail spoofing attack appears to come from a figure of authority seeking access to confidential data
Privilege escalation – an attacker exploits an application design flaw to gain elevated access to protected resources
As part of your company’s security policy, you need to create a performance baseline for a Windows Server 2008 computer. You want to record the performance baseline statistics for an extended period of time. What should you do?
Create a Performance Monitor chart in real time.
Create a Performance Monitor chart based on a performance log.
Create a System Monitor chart in real time.
Create a System Monitor chart based on a performance log.

Answer:
Create a System Monitor chart based on a performance log.

Explanation:
You should create a System Monitor chart based on a performance log. This will ensure that performance baseline statistics are recorded for an extended period of time. The first step to creating a performance baseline is to create a security policy. Without the policy, the baseline has no guidelines to follow.

Performance Monitor was replaced by System Monitor in Windows 2000 Server and later versions.

You should not create a System Monitor chart in real time. Microsoft recommends basing the chart on a performance log when needing a performance baseline for an extended period of time.

Match the social engineering principle on the left with the descriptions given on the right.

Explanation:
The social engineering principles and their descriptions should be matched in the following manner:
Authority – the attacker claims to have certain power, often by claiming to be an official representative
Intimidation – the attacker frightens the personnel so that the information the attacker needs is revealed
Consensus – the attacker attempts to trick personnel into releasing information by proving that it is fine to release the information based on the actions of others
Scarcity – the attacker attempts to trick personnel based on people’s tendency to place a higher value on resources that are not in great supply
Urgency – the attacker makes the situation seem like an emergency
Familiarity – the attacker tends to create a false sense of acquaintance with personnel by implying that the attacker knows someone the personnel knows or works with
Trust – the attacker gains the confidence or faith of the personnel
You need to provide security training for a group of managers at your company. As part of this training you need to explain the purpose of baselines, guidelines, standards, and procedures. Which of these defines the minimum level of security?
baselines
guidelines
standards
procedures

Answer:
baselines

Explanation:
A baseline defines the minimum level of security and performance of a system in an organization. A baseline is also used as a benchmark for future changes. Any change made to the system should match the defined minimum security baseline. A security baseline is defined through the adoption of standards in an organization. It is important to capture the initial baseline configuration.

Guidelines are the actions that are suggested when standards are not applicable in a particular situation. Guidelines are applied where a particular standard cannot be enforced for security compliance. Guidelines can be defined for physical security, personnel, or technology in the form of security best practices.

Standards are the mandated rules that govern the acceptable level of security for hardware and software. Standards also include the regulated behavior of employees. Standards are enforceable and are the activities and actions that must be followed. Standards usually refer to rules set within an organization. When standards are set externally by a government, task force, or regulatory body, they are called regulations.

Procedures are the detailed instructions used to accomplish a task or a goal. Procedures are considered at the lowest level of an information security program because they are closely related to configuration and installation problems. Procedures define how the security policy will be implemented in an organization through repeatable steps. For instance, a backup procedure specifies the steps that a data custodian should adhere to while backing up critical data to ensure the integrity of business information. Personnel should be required to follow procedures to ensure that security policies are fully implemented.

Procedural security ensures data integrity.

Which attack involves the use of a promiscuous mode for data analysis?
SYN flood
packet sniffing
traffic analysis
known plaintext

Answer:
packet sniffing

Explanation:
Packet sniffers monitor the data passing through the network by using promiscuous mode. In a normal networking environment, the data travels in clear text, making it easier for anyone to discover confidential information by using packet sniffers. Promiscuous mode provides a statistical picture of the network activity. Promiscuous mode is a special mode in which a network adapter card captures and analyzes all frames, including those which are not addressed to that network adapter.

SYN flood attacks do not involve data analysis. Transmission Control Protocol (TCP) uses the synchronize (SYN) and acknowledgment (ACK) packets to establish communication between two host computers. The exchange of the SYN, SYN-ACK, and ACK packets between two host computers is referred to as handshaking. Attackers flood the target computer with a series of SYN packets to which the target host computer replies. The target host computer then allocates resources to establish a connection. Because the attacker’s IP address is spoofed, the target host computer never receives a valid response from the attacking computer in the form of ACK packets. When the target computer receives many SYN packets, it runs out of resources to establish connections with legitimate host computers. The host computers are then rendered unreachable.

Traffic analysis is a technique employed by attackers to analyze network traffic. Traffic analysis involves the analysis of traffic trends, such as message lengths, message frequency, and so on.

A known plaintext attack is an attack on an organization’s cryptosystem. A known plaintext attack uncovers the cryptographic key. The attacker keeps several samples of plain text and ciphertext. Using these samples, the attacker tries to identify the encryption key used to encrypt the text. After determining the key, the attacker can convert the rest of the cipher text into plain text by using the same key.

Attacks against operations security include the Morris worm, SYN DOS, buffer overflow, brute force, port scanning, session hijacking, any password cracking, covert channel attacks, man-in-the-middle attacks, mail bombing, wardialing, Ping of Death, many Trojan horse attacks, teardrop attacks, traffic analysis, slamming, and cramming.

Gaining unauthorized access to the data center by using another user’s credentials is an example of which option?
mantrap
turnstile
intrusion
piggybacking

Answer:
piggybacking

Explanation:
Piggybacking is the act of gaining unauthorized access to a facility by using another user’s access credentials. Another common term is tailgating. Tailgating and piggybacking differ in one key way. In piggybacking, the person who piggybacks does so with the knowledge of the person entering. In tailgating, the person entering does not give the person following permission.

A mantrap refers to a set of double doors that are generally monitored by a security guard. A mantrap can help to ensure confidentiality by ensuring that no unauthorized users are allowed access. Mantraps can be used to control access to a building or to a secured section of a building.

A turnstile is a type of gate that allows movement in a single direction at a time.

While piggybacking is a form of intrusion, intrusion is a generic term used for any type of security breach.

To which attacks are passwords susceptible? (Choose all that apply.)
sniffing
dictionary
brute force
data diddling
denial of service
social engineering

Answer:
sniffing
dictionary
brute force
social engineering

Explanation:
Passwords are susceptible to sniffing, dictionary attacks, brute force attacks, and social engineering attacks. In addition, passwords can sometimes be obtained by gaining access to a network and accessing the password file.

Data diddling is an attack that changes data. Authorized users usually perpetrate this attack for financial gain.

A denial of service attack occurs when an attacker floods a system with certain types of messages to prevent the system from replying to valid requests.

Sniffing occurs when an attacker captures information from a network to obtain user passwords. Many times this technique provides the attacker with multiple user passwords. To prevent this, you should always encrypt your password when it is stored on electronic media or transmitted across the network.

A dictionary attack and a brute force attack are very similar in that they both focus on cracking the password. The tools used in dictionary and brute force attacks are sometimes referred to as password crackers.

Dictionary attacks use a dictionary of words as candidate passwords to repeatedly attempt to access a system using a valid user account. To protect against dictionary attacks, a password complexity policy should be enforced that requires using uppercase and lowercase characters, numbers, and symbols. A long dictionary attack can be executed against an encrypted password file provided the attacker has access to the system, has read access to the password file, and knows the encryption mechanism used to encrypt the password file.

Brute force attacks, also known as exhaustive attacks, usually cycle through a more substantial number of possibilities that can include characters, numbers, and symbols. A password length policy that requires a longer password would affect the time a manual brute force attack would take. A brute force attack can also be possible if a token and a personal identification number (PIN) are used to access a system and the token performs offline checking of the PIN. To protect against brute force attacks, an account lockout policy should be enforced that locks out a user’s account after a certain number of unsuccessful logins.

You should also be familiar with the following password attacks:
Hybrid attack – assumes that password policies require users to refrain from using dictionary words. Hybrid guessing rules vary from tool to tool, but most mix uppercase and lowercase characters, add numbers at the end of the password, spell the password backward or slightly misspell it, and include special characters in the mix.
Birthday attack – captures hashed passwords from the network and uses brute force to try out different text strings using the same hashing algorithm, hoping to end up with a matching pair of hash values, referred to as a collision.
Rainbow attack – uses the hashed password table from an organization and compares it to a rainbow table, which contains hash values of text strings.

How does an unsigned Java applet enforce security in JDK 1.1?
by using sandboxes
by using object codes
by using macro languages
by using digital and trusted certificates

Answer:
by using sandboxes

Explanation:
Unsigned Java applets in Java Development Kit 1.1 use sandboxes to enforce security. A sandbox is a security scheme that prevents Java applets from accessing unauthorized areas on a user’s computer. This mechanism protects the system from malicious software, such as hostile applets, by enforcing the execution of the application within the sandbox and preventing access to the system resources outside the sandbox. The concept of a Web script that runs in its own environment and cannot interfere with any other process is known as a sandbox.

A hostile applet is an active content module used to exploit system resources. Hostile applets coded in Java can pose a security threat to computer systems if the executables are downloaded from unauthorized sources. Hostile applets may disrupt the computer system operation, either through resource consumption or through covert channels.

Object code refers to a version of a computer program that is compiled before it is ready to run in a computer. The application software on a system is typically in the form of compiled object codes and does not include the source code. Object codes are not related to the security aspects of Java. They represent an application program after the compilation process.

Macro programs use macro languages. Macro languages, such as Visual Basic, are typically used to automate the common tasks and activities of application users. Macro programs have their own set of security vulnerabilities, such as macro viruses, but are not related to Java security.

Digital and trusted certificates are used by Microsoft’s ActiveX technology to enforce security. ActiveX refers to a set of controls that users can download in the form of a plug-in to enhance a feature of an application. The primary difference between Java applets and ActiveX controls is that ActiveX controls are downloaded subject to acceptance by a user. The ActiveX trust certificate also states the source of the plug-in signatures of the ActiveX modules. Java applets are short programs that use the technique of a sandbox to limit the applet’s access to specific resources stored in the system.

You have access to several tools as part of your IT technician job. You need to understand what the tools are used for. Match the tools on the left with the descriptions given on the right.

Explanation:
The tools and their descriptions should be matched in the following manner:
Wireshark – Network protocol analyzer
Nessus – Vulnerability scanner
Snort – Network intrusion detection system
Cain and Abel – Password recovery tool
There are many tools that can be used to manage security and network components. You should familiarize yourself with the function that the tools provide.

Which agents are used by the presence service of an IM system? (Choose two.)
presence user agent
watcher user agent
sender user agent
inbox user agent
Answer:
presence user agent
watcher user agent

Explanation:
A presence user agent and a watcher user agent are used by the presence service of an instant messaging (IM) system. A presence service is used in an IM system to enable users to determine whether other users are online and ready to receive instant messages.

A sender user agent and an inbox user agent are used by an IM service in an IM system.

An IM service is a part of an IM system that is used to send and retrieve messages. When data is sent and received using an IM system, it is transmitted in clear text. This makes these systems vulnerable to hacker attacks. Hackers can use IM systems to implement social engineering attacks.

What typically enables a social engineering attack to occur?
encryption
believable language
the deletion of key files
gullibility

Answer:
gullibility

Explanation:
Gullibility and the good intentions of users typically enable a social engineering attack to occur. An example of a social engineering attack is an e-mail hoax, which is an e-mail message that indicates the possibility of virus infection. An e-mail hoax contains a message that uses believable language to trick users into believing the hoax. In the text of an e-mail hoax, users are typically instructed to forward the message to as many others as possible, which is how an e-mail hoax replicates. Sometimes, an e-mail hoax will direct users to delete key system files, an action that can seriously damage an operating system installation. Another consequence of an e-mail hoax is increased use of bandwidth, which results when users on a network forward a hoax to other users. Social engineering attacks do not typically use encryption.

Which types of computers are targeted by RedPill and Scooby Doo attacks?
Windows Server 2008 computers
Windows Vista clients
virtual machines
terminal servers

Answer:
virtual machines

Explanation:
RedPill and Scooby Doo attacks target virtual machines. These attacks attempt to detect virtual servers and machines on a network. Once the virtual machines are identified, various techniques are used to attack the virtual machines to breach the host and eventually the network.

RedPill and Scooby Doo attacks do not target Windows Server 2008 computers, Windows Vista clients, or terminal servers, unless these computers exist as virtual servers or virtual machines.

Virtual machines are usually implemented within an organization so that the organization can internally manage them. Cloud computing differs from virtual computing in that cloud computing is usually physically managed by an outside entity. An organization pays the cloud computing organization for rights to use portions of the organization’s cloud. However, the organization that is leasing the cloud is never really in physical control of the data.

Your company has hired a security firm to test your network’s security. Which tool would need to be used outside your network?
vulnerability scanner
port scanner
penetration tester
protocol analyzer

Answer:
penetration tester

Explanation:
A penetration tester would need to be used outside your network. This type of tool tests your network’s security to see if it can be penetrated. You can only penetrate a network from outside of it.

None of the other tools needs to be used outside your network.

A vulnerability scanner checks your network for known vulnerabilities and provides methods for protection against the vulnerabilities.

A port scanner identifies ports and services that are available on your network.

A protocol analyzer captures packets on your network. A protocol analyzer would allow a technician to view IP headers on a data packet.

A penetration test originates from outside the network. A vulnerability scan usually originates from within the network. A penetration test includes the following steps:
Gather initial information.
Determine the network range.
Identify active devices.
Discover open ports and access points.
Identify the operating systems and their settings.
Discover which services are using the open ports.
Map the network.
The IP addresses of the computers are usually discovered during a penetration test. As components of the network are discovered, the methods used will be determined.

Which issue is primarily due to trust relationships?
DoS
DDoS
transitive access
client-side attacks

Answer:
transitive access

Explanation:
Transitive access is primarily due to trust relationships. With transitive access, if party A trusts party B and party B trusts party C, then party A trusts party C if transitive access is allowed. In Windows Server 2008, this problem is resolved using transitive trusts, which are trusts that can be configured between Windows Server 2008 and Windows Server 2008 R2 domains.

Denial of Service (DoS) attacks prevent users from accessing a server by overloading the server with access requests.

Distributed Denial of Service (DDoS) attacks are like DoS attacks but are carried out using multiple computers.

Client-side attacks are carried out using known vulnerabilities in client applications.

Which condition might indicate that a hacker is attacking a network?
a slight increase in network traffic
a slight decrease in network traffic
a major increase in ICMP traffic
a router that is transmitting traffic

Answer:
a major increase in ICMP traffic

Explanation:
A major increase in Internet Control Message Protocol (ICMP) traffic indicates that a hacker might be attacking a network with a denial-of-service (DoS) attack. This attack is referred to as a ping of death.

A slight increase or decrease in the baseline of network traffic is expected in general network operations. Major or sudden increases or decreases in network traffic might indicate that a network is under attack by a hacker. A router is a device that is designed to transmit traffic between networks.

ICMP traffic should be blocked at the perimeter of a network to prevent host enumeration by sweep devices. If ICMP traffic is blocked at a router, users outside the network will be unable to ping hosts within the network.

Recently, your organization has discovered several hacker attempts to connect to its network. Management has requested that you design a solution that will monitor all access control violations. Which two methods should you implement? (Choose two.)
ACLs
IDSs
backups
audit logs

Answer:
IDSs
audit logs

Explanation:
You should implement intrusion detection systems (IDSs) and audit logs to monitor access control violations.

Access control lists (ACLs) are a method of access control. They cannot be used to monitor violations.

Backups are a method used to compensate for access violations because they allow you to recover your data. Other compensating measures include business continuity planning and insurance.

Which attack is NOT directed only at virtual machines?
Scooby Doo
RedPill
LDT
Man-in-the-middle

Answer:
Man-in-the-middle

Explanation:
A man-in-the-middle attack is not an attack on virtual machines only. It is an attack that uses eavesdropping to capture authentication information.

Scooby Doo, RedPill, and LDT are all attacks that target virtual machines.

Which statement correctly defines the multipart virus?
A multipart virus is encoded in a macro.
A multipart virus can change some of its characteristics while it replicates.
A multipart virus can hide itself from antivirus software by distorting its own code.
A multipart virus can infect executable files and boot sectors of hard disk drives.

Answer:
A multipart virus can infect executable files and boot sectors of hard disk drives.

Explanation:
A multipart virus can infect both executable files and boot sectors of hard disk drives. The multipart virus resides in the memory and then infects boot sectors and executable files of the computer system.

Macro viruses are programs written in Word Basic, Visual Basic, and VBScript. Macro viruses pose a major threat because the simplicity of the underlying language makes them easy to develop. They are platform independent and typically infect systems through Microsoft Office products.

A stealth virus hides the changes it makes to system files and boot records, making it difficult to detect its presence. A stealth virus maintains a copy of a file before infecting it and presents the original copy to the monitoring software so that no changes are detected by the system.

A self-garbling virus can hide itself from antivirus software by distorting its own code. When a self-garbling virus spreads, it jumbles and garbles its own code to prevent the antivirus software from detecting its presence. A small part of the virus code later decodes the jumbled part to obtain and subsequently execute the rest of the virus code. The ability of the self-garbling virus to garble its own code makes it difficult for an antivirus to detect its presence.

At some point during the patch application process, a file may become infected with a virus. When this is discovered, you will need to recover the file by replacing the existing infected file with an uninfected backup copy. This may result in an older version of the file being restored that does not have all of the patches applied.

Match the attacks on the left with the mode of attack given on the right.

Explanation:
The attacks and their mode of attack should be matched in the following manner:
Pharming – Web browser
Phishing – E-mail
Spimming – Social networks
Vishing – Telephone
The following chart identifies some of the attacks, their mode of attack, the attack target, and the attack description:

For the Security+ exam, you need to understand all of these aspects of an attack, if applicable.

Your organization has asked you to design a strategy for documenting actions that users take on a computer network. This solution should provide user accountability. What should you implement?
audit logs
backup tapes
encryption algorithms
smart cards
Answer:
audit logs

Explanation:
You should implement audit logs to document actions taken on a computer network, along with the parties responsible for those actions. In order to ensure the integrity of audit logs, proper identification and authentication should be required on a network. If an audit log is lost or compromised, then a company might not be able to prosecute hackers who attack or attempt to attack a network.

Regular backups on backup tapes can help protect a company against data loss. Encryption algorithms can be used to encrypt files to protect the confidentiality of the information contained in encrypted files. Smart cards are physical cards that contain digital authentication information and encryption keys that can be used to gain entry into restricted areas and computer systems.

What is another term for ethical hacker?
white hat
grey hat
black hat
malicious insider
Answer:
white hat

Explanation:
Another term for ethical hacker is white hat. This type of hacker breaks security to help an organization discover its security flaws. An ethical hacker provides a report to the organization on how to prevent any breaches.

A grey hat is a hacker that breaks into a network to obtain information. Part of this information is then passed on to the organization in the hopes of soliciting a contract.

A black hat is a malicious hacker. This hacker breaks into networks to obtain information that is then used to harm the organization or its reputation.

A malicious insider is an employee who uses his access to the network and facility to obtain confidential information. Often a malicious insider threat is harder to discover than a hacker attack because the insiders already have some level of access to your network.

What is a vulnerability scanner?
an application that identifies ports and services that are at risk on a network
an application that detects when network intrusions occur and identifies the appropriate personnel
an application that protects a system against viruses
an application that identifies security issues on a network and gives suggestions on how to prevent the issues
Answer:
an application that identifies security issues on a network and gives suggestions on how to prevent the issues

Explanation:
A vulnerability scanner is an application that identifies security issues on a network and gives suggestions on how to prevent the issues. It is a management control type.

A port scanner is an application that identifies ports and services that are at risk on a network.

An intrusion detection system (IDS) is an application that detects when network intrusions occur and identifies the appropriate personnel.

A virus scanner is an application that protects a system against viruses.

Users report that your company’s Windows Server 2008 terminal server is experiencing performance issues. You have a performance baseline for the server. You suspect that the terminal server is under attack from a hacker. Which tool should you use to determine if the performance of the server has degraded?
a port scanner
System Monitor
a network analyzer
a vulnerability test

Answer:
System Monitor

Explanation:
You should use System Monitor to determine if the performance of the server has degraded. System Monitor can monitor particular counters. These counter statistics can be compared to the original performance baseline to determine if performance degradation has occurred. Prior to Windows 2000, Performance Monitor would provide this information. In Windows 2000, System Monitor replaced Performance Monitor.

You should not use a port scanner. A port scanner will provide information on the ports and services that are available on your network.

You should not use a network analyzer. A network analyzer can provide network statistical information, but cannot provide performance information for a single computer.

You should not use a vulnerability test. A vulnerability test checks your network for known vulnerabilities and provides methods for protection against the vulnerabilities.

For security purposes, you should establish a security baseline in addition to the performance baseline. A security baseline ensures that all devices follow certain security standards. To do this, you should capture the initial security baseline. You should continuously monitor security settings to ensure that the security configuration does not fall below the baseline. In addition, remediation should be performed if a security issue is discovered.

Baseline reporting is used to identify an application’s security posture.

As part of your company’s security policy, you are creating a performance baseline for a Windows Server 2012 computer. Which counter does Microsoft recommend should remain at or close to zero?
Memory\Pages/sec
Network Interface\Bytes Total/sec
PhysicalDisk\Disk Transfers/sec
PhysicalDisk\Avg. Disk Queue Length
Answer:
Memory\Pages/sec

Explanation:
Microsoft recommends that the Memory\Pages/sec counter should remain at or close to zero. When this counter remains low, it indicates that the paging file is not being utilized much.

None of the other counters should remain at or close to zero.

The Network Interface\Bytes Total/sec counter should stay below 50 percent of the total network bandwidth.

The PhysicalDisk\Disk Transfers/sec counter should remain low but will only remain at or close to zero when no disk transfers are occurring. This condition is rare.

The PhysicalDisk\Avg. Disk Queue Length counter should not exceed two times the number of spindles in the physical disk.

Your company monitors several events to ensure that the security of your servers is not compromised, and that the performance of your servers is maintained within certain thresholds.

A security consultant has been hired by your company to analyze organizational security measures. The consultant has requested access to the security monitoring logs. You need to limit the amount of audit log information you provide by discarding information that is not needed by the consultant. Which tool should you use?
performance monitor
audit-reduction tool
packet sniffer
attack signature-detection tool

Answer:
audit-reduction tool

Explanation:
You should use an audit-reduction tool. An audit-reduction tool is used to limit the amount of audit log information by discarding information that is not needed by the security professional. This tool discards mundane information that is not needed.

A performance monitor only provides statistics on the computer’s performance.

A packet sniffer only captures the information on the network traffic.

An attack signature-detection tool monitors the network and compares events with a database of known attack patterns.

You have recently been hired as a network administrator. The CIO informs you that their wireless networks are protected using firewalls. He has asked that you implement MAC filtering on all access points. What is the purpose of using this technology?
to restrict the clients that can access a wireless network
to restrict the clients that can access a Web site
to provide port authentication for a wireless network
to ensure that unused ports are not accessible by clients
Answer:
to restrict the clients that can access a wireless network

Explanation:
The purpose of MAC filtering is to restrict the clients that can access a wireless network. Access is restricted based on the client’s media access control (MAC) address, which is the unique identifier that is encoded on the network interface card (NIC).

MAC filtering is not used to restrict the clients that can access a Web site. This is most often done using access control lists (ACLs).

802.1x provides port authentication for a wireless network using Extensible Authentication Protocol (EAP). 802.1x can use Protected EAP (PEAP) or Lightweight EAP (LEAP). PEAP is the more secure of the two. Both of these implementations require a server certificate on the RADIUS server. If the RADIUS server certificate expires, then clients will be unable to connect until the RADIUS server obtains a new certificate.

To ensure that unused ports are not accessible by clients, you should disable all unused ports.

To increase network security, you should use the following mitigation and deterrent techniques:
MAC limiting and filtering
802.1x
Disable unused interfaces, applications, and services.
Rogue machine detection
You should always monitor system logs, including the audit logs, event logs, security logs, and access logs. Often by monitoring these logs, a security professional can discover issues or attacks and can take measures to prevent the issues.

Security professionals should understand an organization’s security posture. Security professionals should perform certain mitigation and deterrent activities including recording an initial baseline configuration, continually monitoring security, and performing remediation as necessary.

You should also ensure that a good reporting system is set up to notify appropriate personnel if certain actions occur. This reporting system should include alarms and alerts. Security professionals should also perform periodic trending analysis to identify any new organizational trends.

Mitigation controls help to mitigate security issues. Deterrent controls help to deter attacks. Prevention controls help to prevent attacks. Detective controls help to detect any attack when it occurs. Any security policy should employ all of these types of controls to be most effective. Cameras and intrusion detection systems (IDSs) are detective controls. Intrusion prevention systems (IPSs) and guards are preventive controls.


Which security threats are NOT self-replicating? (Choose all that apply.)
worm
virus
spyware
Trojan horse
Answer:
spyware
Trojan horse

Explanation:
Spyware and Trojan horses are security threats that are NOT self-replicating. Spyware is actually a type of Trojan horse. These programs are downloaded and installed inadvertently when the user is downloading other programs.

An example of a Trojan infection is when the performance of a computer slows considerably and virus alerts are generated after running a keygen that was used to install pirated software. Trojans are most commonly installed through the use of portable thumb drives to compromise systems and provide unauthorized access.

Viruses and worms can both self-replicate, meaning that the virus or worm can actually copy itself to multiple locations.

Match the descriptions on the left with the attack types on the right.
Explanation:
The attacks should be matched with the descriptions in the following manner:
Brute force attack – occurs when a hacker tries all possible values for such variables as user names and passwords
DNS poisoning – occurs when IP addresses and host names are given out with the goal of traffic diversion
Man-in-the-middle attack – occurs when a hacker intercepts messages from a sender, modifies those messages, and sends them to a legitimate receiver
Smurf – occurs when a combination of Internet Protocol (IP) spoofing and Internet Control Message Protocol (ICMP) messages saturates a network
DNS poisoning is similar to ARP poisoning. With ARP poisoning, an attacker sends fake (“spoofed”) Address Resolution Protocol (ARP) messages on a network with the goal of traffic diversion.

You have configured auditing for several security events on your Windows Server 2008 network. The Event Viewer logs are backed up on a daily basis. You need to ensure that security events are only cleared manually by an administrator. What should you do?
Enable the Do not overwrite events option for the Security log.
Enable the Do not overwrite events option for the Application log.
Configure the Maximum event log size option for the Security log.
Configure the Maximum event log size option for the Application log.
Answer:
Enable the Do not overwrite events option for the Security log.

Explanation:
You should enable the Do not overwrite events option for the Security log. The Security log of Event Viewer contains all security events based on your auditing configuration. The Do not overwrite events option configures the log so that events are only cleared manually by an administrator.

You should not enable the Do not overwrite events option for the Application log. The Application log does not contain auditing-related events.

You should not configure the Maximum event log size option for the Security log. The Maximum event log size option configures the maximum size of the event log. It does not ensure that security events are only cleared manually by an administrator.

You should not configure the Maximum event log size option for the Application log. The Application log does not contain auditing-related events.


Which type of virus includes protective code that prevents outside examination of critical elements?
armored virus
companion virus
phage virus
stealth virus
Answer:
armored virus

Explanation:
An armored virus includes protective code that prevents examination of critical elements, such as scans by anti-virus software. The armor attempts to make it difficult to destroy the virus. An armored virus is difficult to reverse engineer.

A companion virus attaches to legitimate programs and creates a program with a different file extension. When the user attempts to access the legitimate program, the companion virus executes in place of the legitimate program.

A phage virus modifies other programs and databases. The only way to remove the virus is to reinstall the infected applications.

A stealth virus prevents detection by hiding from applications. It may report a different file size than the actual file size as a method of preventing detection.

Match the descriptions on the left with the application attacks on the right.
Explanation:
The application attacks should be matched with the descriptions in the following manner:
Buffer overflow – an attack that occurs when an application receives more data than it is programmed to accept
Cross-site scripting (XSS) – an attack that allows code injection by hackers into the Web pages viewed by other users
Session hijacking – an attack that occurs when user validation information is stolen and used to establish a connection
Zero-day attack – an attack that occurs on the day when an application vulnerability has been discovered
Another type of overflow attack is an integer overflow, which occurs when a mathematical operation attempts to create a numeric value that is too large for the available storage space.

You have been hired as a security administrator for a large business. The previous security administrator left behind documentation on the security policies and measures that the company implements. The network includes several security devices, including a honeypot. Which active response to a hacker attack describes this device?
deception
network reconfiguration
termination of a connection
termination of a process
Answer:
deception

Explanation:
A honeypot is a deception method of active response to a hacker attack. In a deception response, a hacker is led to believe that he or she has infiltrated a network while information is being gathered about the attack. A honeypot is a computer on a network that is configured to lure hacker attacks so that the attacks can be studied and the intruder can be caught. Another term that you need to understand is a honeynet. A honeynet is a network that is configured to lure hackers so that attacks can be studied. Honeynets usually contain honeypots. An administrator should implement honeypots and honeynets to research current attack methodologies. A honeynet is more efficient than penetration tests, firewall logs, and IDSs when gathering intelligence about the types of attacks being launched against an organization.

Reconfiguration of a network can be used to close potential avenues of attack. Termination of a process or connection that a hacker is currently using might also counteract a hacker attack.

An active response to an attack prevents or contains the attack. A passive response to an attack just collects data about the attack for later review. Active tools are better for handling the attacks but are often more expensive than passive tools.

What is an example of privilege escalation?
gaining access to a system by using another user’s credentials
gaining access to a system by impersonating a user in order to obtain his credentials
gaining access to a restricted file by changing the permissions of your valid account
gaining access to a restricted file by using a Trojan horse
Answer:
gaining access to a restricted file by changing the permissions of your valid account

Explanation:
An example of privilege escalation is gaining access to a file you should not have rights to access by changing the permissions of your valid account. Privilege escalation describes logging in to a system using your valid user account and then finding a way to access files that you do not have permissions to access. This usually involves invoking a program, such as Set User ID (SUID) or Set Group ID (SGID), that can change your account permissions, or by invoking a program that runs in an administrative context. There are several methods of dealing with privilege escalation, including using least privilege accounts and privilege separation. Privilege escalation can lead to denial of service (DoS) attacks.

Gaining access to a system by using another user’s credentials is a form of hacking.

Gaining access to a system by impersonating a user to obtain his credentials is a form of social engineering.

Gaining access to a file by using a Trojan horse is not privilege escalation.

What is also referred to as a social engineering attack?
an e-mail hoax
a logic bomb
a backdoor
a Trojan horse

Answer:
an e-mail hoax

Explanation:
An e-mail hoax is also referred to as a social engineering attack. An e-mail hoax is an e-mail message that contains a false warning about a potential virus infection. Well-meaning users forward an e-mail hoax to other users, resulting in increased e-mail traffic that can seriously deplete the amount of bandwidth available on a network. Most network-bound viruses are spread by e-mail. Hoaxes target a broad set of victims. While e-mail hoaxes work through forwarding, social media hoaxes work through sharing on your social media site. An example is a social media post to a fake free software link or to a video. In most cases, the object is to obtain the victim’s contact list.

A logic bomb is a program that is designed to destroy network resources when a specified event occurs. A backdoor is an unguarded pathway into a network. A Trojan horse is a program that seems innocuous but contains malicious code that can damage network resources or provide hackers with a pathway into a network.

You have been asked to implement several measures that will help to detect any attacks against your network. Which of the measures is a passive measure?
event logging
firewall reconfiguration
connection termination
process termination
Answer:
event logging

Explanation:
Event logging is a passive measure that can be used to detect hacker attacks. Event logging is considered a passive measure because it does not create obstacles to attacks. Administrators can, however, review event logs after an attack to determine the source of an attack and the means of the attack. The information obtained from log files can be used to implement active prevention measures. Log files can also be used as legal evidence in prosecuting attackers, so log files should be protected and measures should be taken to ensure their integrity.

Connection termination, firewall reconfiguration, and process termination are active measures for the prevention of hacker attacks; these methods establish obstacles intended to foreclose, or at least limit, the possibility of attack.

You have configured several auditing events for your Windows Server 2008 network. You are concerned that hackers have obtained a list of user names. You suspect that the hackers are causing user accounts to be locked out. Which event ID in the Security log should you examine?
Event ID 531
Event ID 532
Event ID 535
Event ID 539
Answer:
Event ID 539

Explanation:
Event ID 539 occurs when a user account is locked out. Implementing account lockout ensures that repeated attempts to guess a user’s password are not possible beyond the lockout threshold.

Event ID 531 occurs when a user account is disabled. A security policy should be in place that ensures that the user account of all terminated employees is immediately disabled so that the user can no longer access the network.

Event ID 532 occurs when a user account has expired. Account expirations ensure that accounts are not used beyond a certain date and/or time.

Event ID 535 occurs when the account’s password has expired. Password expirations ensure that users periodically change their account passwords.

Which hacker attack can be perpetrated by hijacking a communications session between a Web browser and a Web server?
brute force
MITM
Ping of Death
SYN Attack
Answer:
MITM

Explanation:
A man-in-the-middle (MITM) attack can be perpetrated by hijacking a communications session between a Web browser and a Web server. When a Web browser submits information to a Web server through a form, a hacker might be able to gain sensitive information, such as credit card numbers.

A brute force attack occurs when a hacker tries every possible combination to break a code such as an encryption key or a password. A brute force attack can be used to break into a system that is secured with discretionary access lists (DACs). If a hacker identifies a valid user name and password on a DAC network, then the hacker can log in by using those credentials and be assigned access to resources based on DAC settings.

A Ping of Death is a denial-of-service (DoS) attack that occurs when a hacker sends multiple Internet Control Message Protocol (ICMP) messages to a network to attempt to overwhelm servers.

A SYN attack occurs when a hacker exploits the Transmission Control Protocol (TCP) triple handshake. A flood guard protects against SYN attacks.

Which injection attack affects a database?
command injection
XML injection
LDAP injection
SQL injection
Answer:
SQL injection

Explanation:
A SQL injection affects a database. In this type of attack, the interface is expecting a user to enter data, but the interface is not properly designed to only allow a specific data type. A malicious user can enter SQL code.

Command injection allows users to gain access to restricted directories. If an operating system command, such as rm -rf /etc/password, is submitted in an HTML string, a command injection (or directory traversal) attack has occurred. Command injection is also referred to as directory traversal.

XML injection occurs when a user enters values in an XML query that takes advantage of security loopholes.

LDAP injection occurs when a user enters values in an LDAP query that takes advantage of security loopholes.

For testing purposes, you should also understand the following application attacks:
Zero day attack – This attack occurs when hackers learn of a security vulnerability on the same day that it is discovered by the application vendor. The hacker is able to exploit the vulnerability before the vendor is able to issue a security patch.
Header manipulation – This attack occurs when a hacker is able to manipulate a packet header to deface, hijack, or poison the packet.
Malicious add-ons – This is an application add-on that a user adds for a particular functionality, but in reality serves as a way for a hacker to create a security breach.

” After a recent vulnerability assessment, your company has decided to implement several new security devices and mechanisms, including anomaly-based monitoring. You are researching several different anomaly-based monitoring products. What must be in place for this type of monitoring to be effective?
a baseline
a database
rules
active and passive responses

Answer:
a baseline

Explanation:
A baseline must be in place for anomaly-based monitoring to be effective. Anomaly-based monitoring detects any changes or deviations in network traffic. With this type of monitoring, there is an initial learning period before anomalies can be detected. Once the baselines are established, anomaly-based monitoring can detect anomalous behaviors. Sometimes the baseline is established through a manual process.

A database must be in place for signature-based monitoring. Signature-based monitoring requires that updates are regularly obtained to ensure effectiveness. Signature-based monitoring watches for intrusions that match a known identity or signature when checked against a database that contains the identities of possible attacks. This database is known as the signature database.

Rules must be in place for behavior-based monitoring. Behavior-based monitoring looks for behavior that is not allowed and acts accordingly.

Active and passive responses must be in place for network-based monitoring. Network-based monitoring is attached to the network in a place where it can monitor all network traffic. It implements passive and active responses. Passive responses include logging, notification, and shunning. Active responses include terminating processes or sessions, network configuration changes, and deception.
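The anomaly-based monitoring explanation above describes a learning period that produces a baseline, after which deviations are flagged. The following is an added example, not code from the original page or from any monitoring product: it learns a baseline (mean and standard deviation) from constructed per-minute packet counts and then flags live samples that fall outside it, including the edge case of a perfectly flat baseline.

```python
import statistics

# Constructed per-minute packet counts observed during the learning period.
LEARNING_PERIOD = [980, 1010, 995, 1005, 990, 1020, 1000, 985, 1015, 1000]

# Constructed live samples: three ordinary minutes and one large deviation.
LIVE_SAMPLES = [1003, 998, 4100, 1007]


def build_baseline(samples):
    """Learning phase: summarize 'normal' as the mean and standard deviation
    of the observed samples."""
    if len(samples) < 2:
        raise ValueError("need at least two samples to build a baseline")
    return {"mean": statistics.mean(samples), "stdev": statistics.pstdev(samples)}


def detect_anomalies(samples, baseline, z_threshold=3.0):
    """Detection phase: return (index, value, z_score) for every sample that
    deviates from the baseline by more than z_threshold standard deviations."""
    mean, stdev = baseline["mean"], baseline["stdev"]
    anomalies = []
    for i, value in enumerate(samples):
        if stdev == 0:
            # Flat baseline: any change at all is a deviation.
            z = float("inf") if value != mean else 0.0
        else:
            z = (value - mean) / stdev
        if abs(z) > z_threshold:
            anomalies.append((i, value, z))
    return anomalies


if __name__ == "__main__":
    baseline = build_baseline(LEARNING_PERIOD)
    print("baseline:", baseline)
    for idx, val, z in detect_anomalies(LIVE_SAMPLES, baseline):
        print(f"anomaly at sample {idx}: {val} packets/min (z = {z:.1f})")
```

A real deployment would keep separate baselines per hour of day or per segment, since a single global mean produces false positives at predictable busy periods; the learning-then-detect structure is the same.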

What is tailgating?
watching someone when he enters his login credentials
following someone through a door he just unlocked
listening in on a conversation
acting like you are someone else
Answer:
following someone through a door he just unlocked

Explanation:
Tailgating is following someone through a door he just unlocked. Tailgating is sometimes called piggybacking.

Shoulder surfing is watching someone when he enters his login credentials.

Eavesdropping is listening in on a conversation. Eavesdropping includes listening to network traffic.

Impersonation is acting as if you are someone else. This is usually done either through using false credentials or using a disguise of some sort, such as a uniform.

What is another name for a cross-site request forgery (XSRF)?
baselining
session riding
buffer overflow
macro virus
Answer:
session riding

Explanation:
Another name for cross-site request forgery (XSRF) is session riding. This application issue involves unauthorized commands coming from a trusted user to a user or Web site. It usually involves social networking. A good example is when two friends are chatting in an instant message application. During the session, user1 sends user2 a link to a video, but when user2 clicks the video, confidential information, such as bank account information, is sent to user1. Sometimes this attack is referred to as a one-click attack.

Baselining is the process of comparing performance to a recorded metric.

A buffer overflow is a type of denial of service (DoS) attack and occurs when more data is put into the buffer than it can handle.

A macro virus is programming instructions in a programming language that commands an application to perform illegal actions.

Another issue to understand is arbitrary code execution or remote code execution. Personnel should be cautioned against running code from an entity they do not know or trust. Often attackers will make the remote code look official to trick users into running it.
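In the session-riding example above, user2's browser carries a valid session to the site, and the forged request rides on it. The standard defence is a per-session token that a request from another site cannot supply. The following is an added example, not code from the original page: a server-side check that derives the token from the session with an HMAC under a constructed secret, compares it in constant time, and also requires a trusted request origin. The secret and origin names are constructed for the example.

```python
import hmac
import hashlib

# Constructed server-side secret; a real deployment loads it from protected configuration.
_SERVER_SECRET = b"constructed-example-secret-do-not-reuse"

# Constructed set of origins this application accepts state-changing posts from.
TRUSTED_ORIGINS = {"https://bank.example.test"}


def issue_csrf_token(session_id):
    """Derive a per-session token the server can recompute later, so it needs
    no extra storage. The page that renders the form embeds this value."""
    return hmac.new(_SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def request_is_legitimate(session_id, form_token, origin):
    """Accept a state-changing request only if the submitted token matches the
    session's token and the request came from a trusted origin. A page on
    another site can make the browser send the session cookie, but it cannot
    read the token out of the bank's own page."""
    if form_token is None:
        return False
    expected = issue_csrf_token(session_id)
    if not hmac.compare_digest(expected, form_token):
        return False
    return origin in TRUSTED_ORIGINS


if __name__ == "__main__":
    session = "sess-user2"                      # constructed session identifier
    token = issue_csrf_token(session)
    # Genuine submission from the bank's own form.
    print(request_is_legitimate(session, token, "https://bank.example.test"))   # True
    # Forged submission triggered from the link user1 sent: cookie present, token absent.
    print(request_is_legitimate(session, None, "https://chat.example.test"))    # False
```

The origin check and the token are complementary: the token defeats a forged request regardless of where it came from, and the origin check catches clients that submit a stale or leaked token from elsewhere.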

Your company has recently decided to create a custom application instead of purchasing a commercial alternative. As the security administrator, you have been asked to develop security policies and procedures on examining the written code to discover any security holes that may exist. Which assessment type will be performed as a result of this new policy?
baseline reporting
secure code review
review design
vulnerability scanning
Answer:
secure code review

Explanation:
Secure code review examines all written code for any security holes that may exist. Secure code review should occur initially in software development. Secure coding concepts include exception handling, error handling, and input validation. During the system development life cycle (SDLC), secure coding concepts are included as part of application hardening.

Baseline reporting ensures that security policies are being implemented properly. By providing baselines, gap analysis can determine if the current configuration has been changed in any way.

Review design includes any steps you take to review the design of your network, devices, and applications. It often involves examining the ports and protocols used and the access control practices implemented.

Vulnerability scanning looks for weaknesses in applications, devices, and networks.

You can also determine the attack surface and review architecture to help with the assessment. While both of these will allow you to identify areas where attacks may occur, they each assess different aspects. Determining the attack surface will help you identify the different components that can be attacked, and reviewing the architecture will help you identify network architecture security issues.

Which hacker attack is a combination of IP spoofing and the saturation of a network with ICMP messages?
brute force
man in the middle
smurf
SYN flood
Answer:
smurf

Explanation:
A smurf attack is a combination of Internet Protocol (IP) spoofing and the saturation of a network with Internet Control Message Protocol (ICMP) messages. To initiate a smurf attack, a hacker sends ICMP messages from a computer outside a network with a spoofed IP address of a computer inside the network. The ICMP message is broadcast on the network, and the hosts on the network attempt to reply to the spurious ICMP message. A smurf attack causes a denial of service (DoS) on a network because computers are busy responding to the ICMP messages. The IP spoofing part of a smurf attack can be countered by configuring a router to ensure that messages with IP addresses inside the network originate on the private network side of the router.

A brute force attack occurs when a hacker tries all possible values for such variables as user names and passwords.

A man-in-the-middle attack occurs when a hacker intercepts messages from a sender, modifies those messages, and sends them to a legitimate receiver. This type of attack often involves interrupting network traffic to insert malicious code.

A SYN flood attack occurs when an attacker exploits the three-packet Transmission Control Protocol (TCP) handshake. A SYN flood attack is a type of denial-of-service (DoS) attack.
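The smurf explanation above ends with the router-side counter: messages claiming an inside source address must arrive on the inside interface. The following is an added example, not code from the original page or from any router vendor: a model of that border-router decision over constructed packets, with the ingress-filtering rule plus a second rule that refuses to forward outside traffic to the internal directed-broadcast address, which is the amplification half of the attack. The prefix and interface names are constructed.

```python
import ipaddress

# Constructed internal prefix that the border router protects.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")


def border_router_drops(ingress, src, dst):
    """Return True when the border router should drop the packet.

    Rule 1 (ingress filtering): a packet arriving on the external interface
    must not carry an internal source address; that is the spoofed half of a
    smurf attack and should never be seen from outside.
    Rule 2 (no directed broadcast from outside): a packet from outside must
    not be forwarded to the internal broadcast address, which is what makes
    every internal host answer.
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    if ingress == "external":
        if src_ip in INTERNAL_NET:
            return True
        if dst_ip == INTERNAL_NET.broadcast_address:
            return True
    return False


def forward(packets):
    """Apply the rules to a list of (ingress, src, dst) tuples and return the
    packets that are allowed through."""
    return [p for p in packets if not border_router_drops(*p)]


if __name__ == "__main__":
    # Constructed sample packets: the first two are the smurf pattern.
    sample = [
        ("external", "192.0.2.10", "192.0.2.255"),     # spoofed inside source, to broadcast
        ("external", "198.51.100.7", "192.0.2.255"),   # outside source, to broadcast
        ("external", "198.51.100.7", "192.0.2.10"),    # ordinary inbound traffic
        ("internal", "192.0.2.10", "198.51.100.7"),    # ordinary outbound traffic
    ]
    for p in forward(sample):
        print("forwarded:", p)
```

Rule 1 on its own also blocks the spoofed packet when it is aimed at a single inside host rather than the broadcast address, which is why both rules are cheap to keep even when only one seems needed.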

What is a rootkit?
a software application that displays advertisements while the application is executing
a collection of programs that grants a hacker administrative access to a computer or network
an application that uses tracking cookies to collect and report a user’s activities
a program that spreads itself through network connections
Answer:
a collection of programs that grants a hacker administrative access to a computer or network

Explanation:
A rootkit is a collection of programs that grants a hacker administrative access to a computer or network. The hacker first gains access to a single system, and then uploads the rootkit to the hacked system. An example of a rootkit is a system-level kernel module that modifies file system operations. If a server dedicated to the storage and processing of sensitive information is compromised with a rootkit and sensitive data was exfiltrated, you should wipe the storage, reinstall the OS from original media, and restore the data from the last known good backup.

Adware is a software application that displays advertisements while the application is executing. Some adware is also spyware if it monitors your Internet usage and personal information. Some adware will even allow credit card information theft.

Spyware often uses tracking cookies to collect and report a user’s activities. Not all spyware is adware, and not all adware is spyware. To define a program as spyware requires that your activities are monitored and tracked; to define a program as adware requires that advertisements are displayed.

A worm is a program that spreads itself through network connections.

Another malware that you need to be familiar with is ransomware, which restricts access to a computer that it infects. The ransomware then demands a ransom paid to the creator of the malware for the restriction to be removed.

Your organization audits a lot of information to ensure that the security administrator can fully research any issues that occur. However, recently the security administrator has complained about the amount of information. He is finding it hard to locate the information he needs for his investigations. You need to supply him with a tool that will limit the amount of log information by discarding information that is not needed. Which tool should you ask him to use?
audit filter
audit-reduction tool
variance-detection tool
attack signature-detection tool
Answer:
audit-reduction tool

Explanation:
You should ask him to use an audit-reduction tool to limit the amount of audit log information by discarding information that is not needed by the security professional.

An audit filter is not a tool. An audit filter is part of the audit log that allows you to filter the log based on certain criteria. Because of its limited function, the audit-reduction tool is usually a better choice for the security professional.

A variance-detection tool monitors usage trends to alert security professionals of unusual activity.

An attack signature-detection tool monitors the network and compares events with a database of known attack patterns.
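An audit-reduction tool does two things the question only names: it discards routine records that no investigation needs, and it collapses repeated identical events into one counted record. The following Python is an added example written for this page, not a tool the quiz refers to; the syslog-like sample records, the process names treated as noise, and the "always keep" patterns are all constructed for the demonstration.

```python
import re

# Constructed sample audit records in a syslog-like layout; not taken from any real system.
SAMPLE_AUDIT_LOG = """\
2024-05-01T08:00:01 host1 sshd[101]: Accepted publickey for alice from 10.0.0.5 port 50001
2024-05-01T08:00:02 host1 cron[55]: (root) CMD (run-parts /etc/cron.hourly)
2024-05-01T08:00:03 host1 sshd[102]: Failed password for bob from 10.0.0.9 port 50002
2024-05-01T08:00:04 host1 sshd[103]: Failed password for bob from 10.0.0.9 port 50003
2024-05-01T08:00:05 host1 sshd[104]: Failed password for bob from 10.0.0.9 port 50004
2024-05-01T08:00:06 host1 sudo: alice : TTY=pts/0 ; COMMAND=/usr/bin/systemctl restart nginx
2024-05-01T08:01:00 host1 cron[56]: (root) CMD (run-parts /etc/cron.hourly)
2024-05-01T08:01:01 host1 systemd[1]: Started Daily apt download activities.
2024-05-01T08:01:02 host1 sshd[105]: Accepted publickey for alice from 10.0.0.5 port 50005
2024-05-01T08:02:00 host1 useradd[200]: new user: name=svc_backup, UID=1005
"""

# timestamp host process[pid]: message
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:\[ ]+)(?:\[\d+\])?: (?P<msg>.*)$")

# Routine sources whose records rarely matter to an investigation (constructed policy).
NOISE_PROCESSES = {"cron", "systemd"}
# Records that are always retained even when they come from a noisy source.
ALWAYS_KEEP = re.compile(r"Failed password|Accepted|COMMAND=|new user")


def normalize(msg: str) -> str:
    """Drop per-connection details so repeats of the same event collapse into one record."""
    return re.sub(r" port \d+", "", msg)


def reduce_audit_log(text: str):
    """Return (kept_records, dropped_count).

    kept_records is a list of dicts in first-seen order; identical events are merged
    and counted rather than listed once per occurrence.
    """
    kept, order, dropped = {}, [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:                      # unparseable line: count it so nothing vanishes silently
            dropped += 1
            continue
        proc, msg = m["proc"], m["msg"]
        if proc in NOISE_PROCESSES and not ALWAYS_KEEP.search(msg):
            dropped += 1
            continue
        key = (proc, normalize(msg))
        if key not in kept:
            kept[key] = {"first_seen": m["ts"], "host": m["host"], "proc": proc,
                         "msg": key[1], "count": 0}
            order.append(key)
        kept[key]["count"] += 1
    return [kept[k] for k in order], dropped


if __name__ == "__main__":
    records, dropped = reduce_audit_log(SAMPLE_AUDIT_LOG)
    for r in records:
        print(f"{r['first_seen']} {r['proc']:8} x{r['count']:<3} {r['msg']}")
    print(f"dropped {dropped} routine records")
```

Ten input lines become four records: the three failed logons for bob collapse into one record with a count of three, which is exactly the kind of pattern the administrator is looking for and exactly what is hard to see in the unreduced log.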

What is vishing?
an attack that looks for open ports
a special type of phishing that appears to come from a trusted individual
a special type of phishing that targets a single power user
a special type of phishing that uses Voice over IP (VoIP)
Answer:
a special type of phishing that uses Voice over IP (VoIP)

Explanation:
Vishing is a special type of phishing that uses VoIP. Often these types of attacks involve receiving telephone calls that appear to come from a trusted source, such as your financial institution. The telephone call asks you to disclose confidential information that can be used to access your account.

An Xmas attack is an attack that looks for open ports. Nmap is the most popular application that is used to carry out this type of attack.

Spear phishing is a special type of phishing that appears to come from a trusted individual. Digital signatures can help protect against spear phishing attacks, and improve the overall security posture, by assuring employees that an email originated from the CEO.

Whaling is a special type of phishing that targets a single power user, such as a Chief Executive Officer (CEO). Whaling is used to gain confidential information about the company, and usually occurs via e-mail.

Which attack involves changing a text file in which a Web server stores persistent settings?
cookie poisoning
cross-site scripting
active content inserting
site spoofing

Answer:
cookie poisoning

Explanation:
A Web server stores persistent settings on a Web client in a text file called a cookie. In the case of cookie poisoning, a cookie is changed to modify persistent data or the user that is associated with the cookie.

With cross-site scripting (XSS), a script on a Web site, such as JavaScript, is configured to manipulate a computer other than the Web server. With active content inserting, a program, such as a Java Applet, is inserted into a Web page. With site spoofing, a Web client is tricked into believing that one Web site is being accessed, when in fact another Web site is being accessed.
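The standard defence against cookie poisoning is to make the server refuse any cookie it did not write: the server keeps a secret and attaches an HMAC over the cookie's contents, so a client that edits the persistent data cannot produce a matching tag. This Python is an added example for this page, not code from the quiz; the secret value and the session fields are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json

# Constructed server-side secret; a real deployment loads it from a secrets store.
COOKIE_SECRET = b"constructed-demo-secret-do-not-reuse"


def _tag(payload: bytes) -> str:
    """HMAC-SHA256 over the encoded payload; only the server holds the key."""
    return hmac.new(COOKIE_SECRET, payload, hashlib.sha256).hexdigest()


def make_cookie(session: dict) -> str:
    """Encode the session and append its tag: <base64 payload>.<hex tag>."""
    payload = base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode()).decode()
    return f"{payload}.{_tag(payload.encode())}"


def read_cookie(cookie: str):
    """Return the session dict if the tag verifies, otherwise None (treat as no session)."""
    try:
        payload, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    # compare_digest avoids leaking the position of the first mismatching byte
    if not hmac.compare_digest(tag, _tag(payload.encode())):
        return None
    return json.loads(base64.urlsafe_b64decode(payload.encode()))


def tamper_demo():
    """Issue a cookie, then show a poisoned copy (role edited, old tag kept) being rejected."""
    genuine = make_cookie({"user": "alice", "role": "user"})
    _, old_tag = genuine.rsplit(".", 1)
    edited = base64.urlsafe_b64encode(
        json.dumps({"user": "alice", "role": "admin"}, sort_keys=True).encode()).decode()
    poisoned = f"{edited}.{old_tag}"
    return read_cookie(genuine), read_cookie(poisoned)


if __name__ == "__main__":
    ok, bad = tamper_demo()
    print("genuine cookie ->", ok)      # session dict
    print("poisoned cookie ->", bad)    # None
```

Note that the tag proves integrity, not secrecy: the payload is only base64, so anything confidential still has to be kept server-side and referenced by an opaque session ID.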

Match the attacks on the left with the descriptions given on the right.
Explanation:
The attacks and their descriptions should be matched in the following manner:
Wireless jamming – an attack that causes all mobile devices to lose their association with corporate access points while the attack is underway
War driving – the act of discovering unprotected wireless networks by using a laptop outside an office building
Bluejacking – an attack that sends unsolicited messages over a Bluetooth connection
Bluesnarfing – the act of gaining unauthorized access to a device (and the network it is connected to) through its Bluetooth connection
You have configured auditing for several security events on your Windows Server 2008 network. The Event Viewer logs are backed up on a daily basis. You configure the following settings for the Security log:
The Maximum event log size setting is set to 70,400 KB.
The Audit: Shut down system immediately if unable to log security events setting is enabled.
The Do not overwrite events setting is enabled.
A few weeks later, the computer shuts down. You discover that the Security event log settings are causing the problem. What could you do? (Choose all that apply.)
Configure automatic log rotation.
Disable the Audit: Shut down system immediately if unable to log security events setting.
Enable the Overwrite events as needed setting.
Decrease the size of the Security log.
Answer:
Configure automatic log rotation.
Disable the Audit: Shut down system immediately if unable to log security events setting.
Enable the Overwrite events as needed setting.

Explanation:
To prevent the computer from shutting down due to the Security event log settings, you could:
Configure automatic log rotation.
Disable the Audit: Shut down system immediately if unable to log security events setting.
Enable the Overwrite events as needed setting.
Any of these three steps will allow the Security log to continue recording security events. Automatic log rotation ensures that old logs are stored using a naming convention so that they may be retained. When the new log file is then created, the old log file is not overwritten. The problem is caused because the Security log has reached the 70,400 KB limit and overwriting events is not allowed.

If you disable the Audit: Shut down system immediately if unable to log security events setting, this will prevent the computer from shutting down but will not resolve the issue with the full Security event log.

If you enable the Overwrite events as needed setting, the log will overwrite the oldest events with the new events. This solution will result in the oldest events being removed from the Security event log.

Another option would be to increase the size of the Security log. However, increasing the size could perhaps simply delay this problem in the future.

You should not decrease the size of the Security log. Decreasing the size of the Security log will allow the problem to continue.

For auditing to work properly, the security administrator should configure alarms and alerts for when certain events occur. This will ensure that the appropriate personnel are contacted. In addition, the security administrator should track trends to ensure that any unusual activity is discovered in a timely manner. Without trends, it is impossible to know what is unusual behavior for your network.
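The three retention behaviours the explanation contrasts (do not overwrite, overwrite as needed, and archive-when-full rotation) are easiest to compare by driving the same stream of events through each one. The Python below is an added example for this page, not Windows code; it models the Security log as a small text file with a constructed size cap, and the `crash_on_audit_fail` flag stands in for the "Shut down system immediately if unable to log security events" setting.

```python
import os
import tempfile

# Constructed fixed-size audit record; a real Security log stores binary event records.
RECORD = "4625 logon failure user=bob ws=WS01\n"
MAX_BYTES = 5 * len(RECORD)      # tiny cap: the log is "full" after five records


class AuditFailure(Exception):
    """An event could not be recorded and policy says the host must stop."""


def write_event(log_dir, record, mode, crash_on_audit_fail, state):
    """Append one record under a retention mode:
    'retain'     - Do not overwrite events
    'circular'   - Overwrite events as needed
    'autobackup' - Archive the log when full and start a new one (automatic log rotation)
    """
    log = os.path.join(log_dir, "Security.log")
    size = os.path.getsize(log) if os.path.exists(log) else 0
    if size + len(record) > MAX_BYTES:
        if mode == "retain":
            if crash_on_audit_fail:          # the host halts rather than run unaudited
                state["halted"] = True
                raise AuditFailure("Security log full")
            state["lost"] += 1               # host stays up, but the event is never recorded
            return
        if mode == "circular":
            with open(log) as f:
                lines = f.readlines()
            with open(log, "w") as f:
                f.writelines(lines[1:])      # discard the oldest event to make room
        elif mode == "autobackup":
            state["archives"] += 1
            archive = os.path.join(log_dir, f"Archive-Security-{state['archives']:03d}.log")
            os.replace(log, archive)         # old log kept under a new name; a fresh log starts below
        else:
            raise ValueError(f"unknown mode {mode!r}")
    with open(log, "a") as f:
        f.write(record)


def simulate(mode, crash_on_audit_fail=False, events=12):
    """Feed `events` records through one policy and report what happened."""
    state = {"halted": False, "lost": 0, "archives": 0}
    with tempfile.TemporaryDirectory() as d:
        for _ in range(events):
            try:
                write_event(d, RECORD, mode, crash_on_audit_fail, state)
            except AuditFailure:
                break
        with open(os.path.join(d, "Security.log")) as f:
            state["in_log"] = len(f.readlines())
    return state


if __name__ == "__main__":
    for mode, crash in (("retain", True), ("retain", False), ("circular", False), ("autobackup", False)):
        print(mode, "crash_on_audit_fail" if crash else "", simulate(mode, crash))
```

Running it shows why the question accepts three answers but not a fourth: rotation keeps every event, overwriting keeps only the newest, disabling the shutdown setting alone keeps the host up but silently loses events, and shrinking `MAX_BYTES` just makes every outcome arrive sooner.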

You recently read an article about hackers using open TCP ports to access corporate networks. You need to ensure that this does not occur at your organization. First, you want to determine which TCP ports are open on your network. Which method should you use?
stealth scanning
port scanning
wardialing
whois
Answer:
port scanning

Explanation:
You should use port scanning to determine which Transmission Control Protocol (TCP) ports are open on your network. A port scanner is a device that automatically attempts to communicate with different protocols over all ports and records which ports are open to which protocols. For example, File Transfer Protocol (FTP) generally communicates over port 21. For security reasons, however, an administrator might close port 21 and map FTP traffic to a different port. By attempting FTP communications over all ports, a port scanner might allow a hacker to find the open FTP port and bypass the security measure.

A hacker can also use stealth scanning and port scanning to determine which operating systems are being used on a network. Stealth scanning is more general in nature and usually does not include determining which ports are open.

A hacker can use wardialing to determine the telephone numbers of the modems on a company network. Whois can be used to determine information about a Domain Name Service (DNS) domain, such as contact information for domain administrators and the DNS name servers that are used to resolve a domain name to an Internet Protocol (IP) address.
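The mechanism behind the answer is a TCP connect check: try to complete a handshake on each port and record which ones accept. The Python below is an added example for this page, not code from the quiz or from Nmap; so that it runs offline against a host you own, it starts its own throwaway listener on 127.0.0.1 and reserves a second, known-closed port to compare against (both constructed for the demonstration).

```python
import socket
import threading


def start_local_listener():
    """Stand-in for a service on a host you administer: a throwaway TCP listener on 127.0.0.1."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:             # listener closed; stop the thread
                return
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def free_port():
    """Reserve and immediately release a port so we have a known-closed port to compare against."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def scan_tcp_ports(host, ports, timeout=0.5):
    """TCP connect check: return the ports in `ports` that accept a connection."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            # connect_ex returns 0 on success, otherwise an errno such as ECONNREFUSED
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return sorted(open_ports)


def demo():
    """Return (listening_port, closed_port, ports_found_open) for the local check."""
    srv = start_local_listener()
    listening = srv.getsockname()[1]
    closed = free_port()
    try:
        return listening, closed, scan_tcp_ports("127.0.0.1", [closed, listening])
    finally:
        srv.close()


if __name__ == "__main__":
    listening, closed, found = demo()
    print(f"listener on {listening}, closed port {closed}, found open: {found}")
```

A connect check is the most visible kind of scan (every probe completes a handshake and shows up in the service's own logs), which is why inventorying your own hosts this way is also a useful test of whether your logging and alerting notice it.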

Match the descriptions on the left with the corresponding wireless security issues on the right.
Explanation:
The wireless security issues should be matched with the descriptions in the following way:
WEP/WPA cracking – Mathematical algorithms are used to determine the pre-shared key used on the access point. This is considered a WEP/WPA attack.
Warchalking – SSID and other authentication details regarding a wireless network are written down in a prominent public place.
Evil twin – A rogue access point is configured with the same SSID as a valid access point.

Which attack involves impersonating the identity of another host to gain access to privileged resources that are typically restricted?
spoofing
teardrop
SYN Flood
spamming

Answer:
spoofing

Explanation:
In a spoofing attack, also referred to as a masquerading attack, a person or program is able to masquerade successfully as another person or program. Spoofing refers to modifying the source IP address in an IP datagram to imitate the IP address of a packet originating from an authorized source. This results in the target computer communicating with the attacker’s computer and providing access to restricted resources. A man-in-the-middle attack is an example of a spoofing attack as well as a session hijacking attack. Other types of spoofing attacks apart from IP spoofing are e-mail spoofing and Web spoofing. Do not confuse e-mail spoofing with pharming attacks. While both do involve being redirected to a fake Web site to obtain confidential information, pharming often involves poisoning the DNS cache to ensure the user is redirected to the fake site even if they correctly enter the real site’s URL. E-mail spoofing just involves clicking links in a hoax e-mail. Pharming is considered a more browser-related attack because it is designed to affect browser usage over the long term.

In a teardrop attack, the attacker uses a series of IP fragmented packets, causing the system to either freeze or crash while the packets are being reassembled by the victim host. A teardrop attack is primarily based on the fragmentation implementation of IP. To reassemble the fragments in the original packet at the destination, the host checks the incoming packets to ensure that they belong to the same original packet. The packets are malformed. Therefore, the process of reassembling the packets causes the system to either freeze or crash.
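The teardrop paragraph describes a reassembly routine that trusts the offsets it is given. The defensive counterpart is a reassembler that validates offsets against what it has already placed and rejects overlaps, gaps, oversize totals and inconsistent More Fragments flags instead of writing into the buffer. This Python is an added example for this page, not code from any IP stack; the fragment sets at the bottom are constructed, not captured traffic.

```python
from dataclasses import dataclass

MAX_DATAGRAM = 65535   # the IPv4 total-length field is 16 bits


@dataclass
class Fragment:
    ident: int     # Identification field shared by all fragments of one datagram
    offset: int    # byte offset of this fragment's data (the header stores it in 8-byte units)
    data: bytes
    more: bool     # More Fragments (MF) flag


class MalformedDatagram(ValueError):
    pass


def reassemble(fragments):
    """Rebuild the payload; raise MalformedDatagram on overlap, gap, bad flags or oversize."""
    if not fragments:
        raise MalformedDatagram("no fragments")
    ident = fragments[0].ident
    if any(f.ident != ident for f in fragments):
        raise MalformedDatagram("fragments from different datagrams")
    frags = sorted(fragments, key=lambda f: f.offset)
    buf, expected = bytearray(), 0
    for i, f in enumerate(frags):
        end = f.offset + len(f.data)
        if end > MAX_DATAGRAM:
            raise MalformedDatagram("fragment runs past the maximum datagram size")
        if f.offset < expected:     # teardrop-style overlap: would write inside already-placed data
            raise MalformedDatagram(f"overlap: fragment at {f.offset} but {expected} bytes already placed")
        if f.offset > expected:
            raise MalformedDatagram(f"gap before offset {f.offset}")
        is_last = i == len(frags) - 1
        if f.more == is_last:       # MF must be set on every fragment except the last
            raise MalformedDatagram("More Fragments flag inconsistent with position")
        buf += f.data
        expected = end
    return bytes(buf)


def check(fragments):
    """Return ('ok', payload) or ('rejected', reason) instead of raising."""
    try:
        return "ok", reassemble(fragments)
    except MalformedDatagram as e:
        return "rejected", str(e)


# Constructed fragment sets (not captured traffic).
GOOD = [Fragment(7, 0, b"ABCDEFGH", True), Fragment(7, 8, b"IJKL", False)]
OVERLAP = [Fragment(8, 0, b"ABCDEFGH", True), Fragment(8, 4, b"xxxx", False)]   # offset 4 lies inside the first
GAP = [Fragment(9, 0, b"ABCDEFGH", True), Fragment(9, 16, b"IJKL", False)]
BAD_FLAGS = [Fragment(10, 0, b"ABCDEFGH", True), Fragment(10, 8, b"IJKL", True)]  # last fragment still says MF

if __name__ == "__main__":
    for name, frags in (("GOOD", GOOD), ("OVERLAP", OVERLAP), ("GAP", GAP), ("BAD_FLAGS", BAD_FLAGS)):
        print(name, check(frags))
```

The overlap check is the one that matters for teardrop: a stack that computed the second fragment's length from `end - expected` would get a negative or wrapped value here, which is the arithmetic the original teardrop crashes relied on.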

In a SYN flood attack, the attacker floods the target with spoofed IP packets and causes it to either freeze or crash. The Transmission Control Protocol (TCP) uses the synchronize (SYN) and acknowledgment (ACK) packets to establish communication between two host computers. The exchange of the SYN, SYN-ACK, and ACK packets between two host computers is referred to as handshaking. The attackers flood the target computers with a series of SYN packets to which the target host computer replies. The target host computer then allocates resources to establish a connection. The IP address is spoofed. Therefore, the target host computer never receives a valid response in the form of ACK packets from the attacking computer. When the target computer receives many such SYN packets, it runs out of resources to establish a connection with the legitimate users and becomes unreachable for processing of valid requests.

A spamming attack involves flooding an e-mail server or specific e-mail addresses repeatedly with identical unwanted e-mails. Spamming is the process of using an electronic communications medium, such as e-mail, to send unsolicited messages to users in bulk. Packet filtering routers typically do not prove helpful in such attacks because the packet filtering routers do not examine the data portion of the packet. E-mail filter programs are now being embedded either in the e-mail client or in the server. E-mail filters can be configured to prevent spamming to a great extent. A spim attack is similar to a spam attack, but features unwanted messages sent via instant messaging. Spim also occurs using social media.

You are using a network analyzer to monitor traffic on your network. A user reports trouble communicating with the file server. You suspect that the file server is the victim of a denial of service attack. You decide to use the network analyzer to determine the problem.

Which information should you examine?
protocol statistics
station statistics
packet capture
port statistics

Answer:
station statistics

Explanation:
You should use station (device) statistics to examine the communication between the user’s computer and the file server. Both computers’ traffic should be examined to determine exactly where the communication fails.

You should not use protocol statistics because you do not know which protocol, if any, is causing the problem.

You should not use packet capture information because this will provide information on all packets. You know which computers are part of the problem. Therefore, examining station statistics would provide information that is more relevant.

You should not use port statistics because you do not know which port, if any, is causing the problem.

Which methodology is used to analyze operating system vulnerabilities in a penetration testing project?
flaw hypothesis methodology
operating system fingerprint methodology
Open Web Application Security Project methodology
vulnerability assessment and recovery methodology
Answer:
flaw hypothesis methodology

Explanation:
The flaw hypothesis methodology is used to analyze operating system vulnerabilities in a penetration testing project. The flaw hypothesis methodology refers to a system analysis and penetration technique in which the specifications and documentation for an operating system are analyzed to compile a list of possible flaws. The flaws are prioritized according to the following considerations:
existence of a flaw
ease with which a flaw can be exploited
extent of control or compromise the flaw can lead to
The prioritized list is used to perform penetration testing of operating systems.

The flaw hypothesis methodology of penetration testing includes three types of tests: open-box testing, black-box testing, and grey-box testing. Black-box testing is concerned only about the expected result of a software program and does not examine how the software program is coded to produce the expected result. Open-box testing or white-box testing focuses specifically on using the internal knowledge of the software. In white-box testing, a security firm is provided with a production-like test environment, login details, production documentation, and source code. Grey-box testing includes testing algorithms, architectures, or other high-level descriptions of the program code. Grey-box testing is performed by security professionals with limited inside knowledge of the network.

Operating system fingerprinting is the process of determining the identity of a host’s operating system. This is performed by actively sending packets to the remote host and analyzing the responses. Tools, such as Nmap and Xprobe2, extract the responses and form a fingerprint that can be queried against a signature database of the known operating systems.

The Open Web Application Security Project (OWASP) is an open source community project that develops software tools and knowledge-based documentation to secure Web applications and Web services.

Vulnerability assessment is a process of detecting the vulnerabilities on the network by using vulnerability scanning tools. Vulnerability assessment is not a methodology. When conducting a corporate vulnerability assessment, you should organize the data based on severity and asset value.

The primary objective of penetration testing or ethical hacking is to assess the capability of systems to resist attacks and to reveal system and network vulnerabilities. Penetration testing involves the use of tools to simulate attacks on the network and on the computer systems. Penetration testing enables you to detect the existing vulnerabilities of the infrastructure. The project tasks define which systems the penetration tests should attack. You should perform a penetration test to determine the impact of a threat against the enterprise. Penetration tests should only be performed under controlled conditions with the consent of the owner because penetration testing actively tests security controls and can cause system instability.

An organization may hire security experts from external security firms to evaluate their network infrastructure. External penetration service firms are cost effective, offer proper documentation while diagnosing security flaws, ensure that the complete process is reported, and are not affected by corporate bias.

For testing purposes, keep in mind that a penetration test should include the following steps:
Verify a threat exists.
Bypass the security controls.
Actively test the security controls.
Exploit vulnerabilities.
Keep in mind that a vulnerability test should include the following steps:
Passively test security controls.
Identify vulnerabilities.
Identify lack of security controls.
Identify common misconfigurations.
Vulnerability tests include intrusive versus non-intrusive methods. Some vulnerability tests will require that users input their credentials, while others are non-credentialed. When performing a vulnerability test, you may encounter false positives, which occur when something is identified as a vulnerability when it is, in fact, not a vulnerability.

Match the tests on the left with the descriptions given on the right.
Explanation:
The tests and their descriptions should be matched in the following manner:
Vulnerability scan – a test carried out by internal staff that discovers weaknesses in systems to improve or repair them before a breach occurs
Penetration test – a form of vulnerability scan performed using an automated tool by a trained white hat security team rather than by internal security staff
Black box test – a test conducted with the assessor having no knowledge about the systems being tested
White box test – a test conducted with the assessor having all of the knowledge about the systems being tested
Gray box test – a test conducted with the assessor having partial knowledge about the systems being tested
Which platform-independent virus is written in an application’s language and is capable of infecting any files using that language?
macro virus
stealth virus
self-garbling virus
polymorphic virus
Answer:
macro virus

Explanation:
Macro viruses are programs written in Word Basic, Visual Basic, or VBScript. Macro viruses are platform-independent and pose a major threat because their underlying language is simple, so they are easy to develop. Macro viruses can infect files that are written in the same language as the virus itself. They do not rely on the size of the packet. The ability of macro viruses to move from one operating system to the other allows them to spread more effectively than other types of viruses. Macro viruses are typically used with Microsoft Office products.

A stealth virus hides the changes it makes to system files and boot records, making it difficult for antivirus software to detect its presence. A stealth virus keeps a copy of a file before infecting it and presents the original copy to the monitoring software. The stealth virus modifies the actual file and makes it difficult to detect the presence of the virus.

A self-garbling virus can hide itself from antivirus software by manipulating its own code. When a self-garbling virus spreads, it jumbles and garbles its own code to prevent the antivirus software from detecting its presence. A small part of the virus code later decodes the jumbled part to obtain the rest of the virus code to infect the system. The ability of the self-garbling virus to format its own code makes it difficult for an antivirus to detect its presence.

A polymorphic virus produces different operational copies of itself to evade detection by the antivirus software. It creates multiple operational copies to ensure that in the event of antivirus detection, only a few copies are caught. A polymorphic virus is also capable of implementing encryption routines that will require different decryption routines to avoid detection. A polymorphic virus is part of a group called polymorphic malware. This is harmful computer software such as a virus, worm, Trojan, or spyware. These programs constantly change to make it difficult to detect with anti-malware programs.

Macro viruses written in Visual Basic for Applications almost exclusively affect operating systems.

Which attack involves the use of multiple computers with the purpose of denying legitimate access to a critical server?
land attack
Ping of Death attack
denial-of-service (DoS) attack
distributed denial-of-service (DDoS) attack
Answer:
distributed denial-of-service (DDoS) attack

Explanation:
Distributed denial-of-service (DDoS) attacks are an extension of the denial-of-service (DoS) attack. In DDoS, the attacker uses multiple computers to target a critical server and deny access to the legitimate users. The primary components of a DDoS attack are the client, the masters or handlers, the slaves, and the target system. The initial phase of the DDoS attack involves using numerous computers referred to as slaves and planting backdoors in the slaves that are controlled by master controllers. Handlers are the systems that instruct the slaves to launch an attack against a target host. Slaves are typically systems that have been compromised through backdoors, such as Trojans, and are not aware of their participation in the attack. Masters or handlers are systems on which the attacker has been able to gain administrative access. The primary problem with DDoS is that it targets the availability of critical resources rather than their confidentiality or integrity. Therefore, it is difficult to detect DDoS attacks by using security technologies such as SSL and PKI. To detect the use of zombies in a DDoS attack, you should examine the firewall logs. Both zombies and botnets can be used in a DDoS attack. Launching a DDoS attack can bring down the critical server because the server is being overwhelmed by processing multiple requests until it ceases to be functional. Trinoo and Tribe Flood Network (TFN) are examples of DDoS tools.

Launching a traditional DoS attack might not disrupt a critical server operation. If a security administrator notices that the company’s online store crashes after a particular search string is executed by a single user, the server that houses the online store is experiencing a DoS attack.

A land attack involves sending a spoofed TCP SYN packet with the target host’s IP address and an open port acting both as a source and a destination to the target host. The land attack causes the system to either freeze or crash because the computer continuously replies to itself.

A Ping of Death is another type of DoS attack that involves flooding target computers with oversized packets, exceeding the acceptable size during the process of reassembly, and causing the target computer to either freeze or crash. Other denial-of-service attacks, referred to as smurf and fraggle, deny access to legitimate users by causing a system to either freeze or crash.

A denial-of-service (DoS) attack is an attack on a computer system or network that causes loss of service to users. The DoS attack floods the target system with unwanted requests. It causes the loss of network connectivity and services by consuming the bandwidth of the target network or overloading the computational resources of the target system. The primary difference between DoS and DDoS is that in DoS, a particular port or service is targeted by a single system and in DDoS, the same process is accomplished by multiple computers.

There are other types of denial-of-service attacks such as buffer overflows, where a process attempts to store more data in a buffer than the amount of memory allocated for it, causing the system to freeze or crash.
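The explanation above says DDoS zombies are found by examining the firewall logs, and the SYN flood paragraphs earlier on this page describe the half-open pattern to look for: SYNs arriving from sources that never send an ACK-bearing segment. This Python is an added example for this page, not a tool the quiz references; it builds a constructed netfilter-style log (the field layout imitates an iptables LOG line, with RFC 5737 and RFC 2544 test addresses) and then classifies each targeted port as a single-source DoS or a many-source DDoS. The thresholds are illustrative and would be tuned to real traffic.

```python
import re
from collections import Counter, defaultdict

# Fields of interest in an iptables-style LOG line (constructed layout, see make_line).
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+) .*?RES=0x\w+ (?P<flags>[A-Z ]+?) URGP="
)


def make_line(src, dst, dpt, flags):
    """Constructed firewall log line imitating a netfilter LOG entry."""
    return (f"kernel: FW-IN: IN=eth0 OUT= SRC={src} DST={dst} LEN=60 TTL=54 PROTO=TCP "
            f"SPT=40000 DPT={dpt} WINDOW=65535 RES=0x00 {flags} URGP=0")


def constructed_log():
    """Sample log: normal handshakes on 443, a single-source SYN flood on 80, a distributed one on 22."""
    lines = []
    for i in range(3):                        # three clients that go on to send ACKs
        lines.append(make_line(f"192.0.2.{10 + i}", "198.51.100.10", 443, "SYN"))
        lines.append(make_line(f"192.0.2.{10 + i}", "198.51.100.10", 443, "ACK"))
    for _ in range(50):                       # one source, SYNs only, against port 80
        lines.append(make_line("203.0.113.7", "198.51.100.10", 80, "SYN"))
    for i in range(40):                       # forty sources, SYNs only, against port 22
        lines.append(make_line(f"198.18.0.{i}", "198.51.100.10", 22, "SYN"))
    return lines


def analyze(lines, syn_threshold=20, distributed_sources=10):
    """Per destination port, count SYNs from sources that never sent an ACK-bearing segment.

    Returns {dport: {"kind": "DoS"|"DDoS", "syns": n, "sources": m}} for ports over threshold.
    """
    syn_by_port = defaultdict(Counter)        # dport -> Counter(src)
    ack_sources = defaultdict(set)            # dport -> sources seen continuing a connection
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        flags = set(m["flags"].split())
        dport = int(m["dpt"])
        if flags == {"SYN"}:
            syn_by_port[dport][m["src"]] += 1
        elif "ACK" in flags:
            ack_sources[dport].add(m["src"])
    findings = {}
    for dport, per_src in syn_by_port.items():
        dangling = {s: n for s, n in per_src.items() if s not in ack_sources[dport]}
        total = sum(dangling.values())
        if total < syn_threshold:
            continue
        kind = "DDoS" if len(dangling) >= distributed_sources else "DoS"
        findings[dport] = {"kind": kind, "syns": total, "sources": len(dangling)}
    return findings


if __name__ == "__main__":
    for dport, f in sorted(analyze(constructed_log()).items()):
        print(f"port {dport}: {f['kind']} - {f['syns']} dangling SYNs from {f['sources']} source(s)")
```

Port 443 produces no finding because every SYN there is followed by an ACK from the same source; port 80 is flagged as DoS (one source, fifty half-open attempts) and port 22 as DDoS (forty sources). In a real deployment the source counts also feed the mitigation decision: a single source can be rate-limited or blocked at the edge, whereas a distributed flood needs SYN cookies or upstream scrubbing.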

You have decided to attach a digital timestamp to a document that is shared on the network. Which attack does this prevent?
a replay attack
a side channel attack
a ciphertext-only attack
a known-plaintext attack
Answer:
a replay attack

Explanation:
Digital timestamps prove helpful in preventing replay attacks. In a replay attack, the attacker monitors the traffic stream in a network. The attacker maliciously repeats or delays the transmission of valid data over the network. Setting a threshold time value on each system ensures that the computer only accepts packets within a specified time frame. A packet received after the specified time indicates a possible replay attack. Digital timestamps are attached to a document at document creation.

In a side channel attack, the attacker gains information about the encryption algorithms from the cryptosystem that is implemented in the network. The attacker can use information, such as power consumption, electromagnetic radiation, and sound to break into a system. The side channel attack can also be based on the measurement of time taken to perform a computation.

A ciphertext-only attack is primarily focused on discovering the encryption key by gathering multiple encrypted messages and then trying to deduce a pattern from the encrypted messages.

A known-plaintext attack primarily focuses on the discovery of the key used to encrypt the messages. The key can be used to decrypt and read messages. The attacker has access to multiple instances of plaintext and ciphertext for several messages.
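A timestamp alone does not stop a replay that arrives inside the acceptance window, so practical designs pair the timestamp with a nonce and put both under the message's authentication tag; the window then bounds how long the receiver must remember nonces. This Python is an added example for this page (it also illustrates the replay-attack definition given later in the zero-day question), not code from the quiz; the shared key, the 30-second window and the message bodies are constructed.

```python
import hashlib
import hmac
import secrets

SHARED_KEY = b"constructed-shared-key"   # hypothetical key held by sender and receiver
WINDOW_SECONDS = 30                      # acceptance window for the timestamp


def _mac(ts: int, nonce: str, body: str) -> str:
    """Tag covers timestamp, nonce and body, so none of them can be altered in transit."""
    return hmac.new(SHARED_KEY, f"{ts}|{nonce}|{body}".encode(), hashlib.sha256).hexdigest()


def sign_message(body: str, now: float) -> dict:
    ts, nonce = int(now), secrets.token_hex(8)
    return {"ts": ts, "nonce": nonce, "body": body, "mac": _mac(ts, nonce, body)}


class Receiver:
    def __init__(self):
        self.seen = {}   # nonce -> ts; entries older than the window can be forgotten

    def accept(self, msg: dict, now: float) -> str:
        # Forget nonces the timestamp check would reject anyway, keeping memory bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= WINDOW_SECONDS}
        if not hmac.compare_digest(_mac(msg["ts"], msg["nonce"], msg["body"]), msg["mac"]):
            return "rejected: bad signature"
        if abs(now - msg["ts"]) > WINDOW_SECONDS:
            return "rejected: stale timestamp"
        if msg["nonce"] in self.seen:
            return "rejected: replay"
        self.seen[msg["nonce"]] = msg["ts"]
        return "accepted"


def demo():
    """Fresh, replayed, delayed and tampered deliveries of constructed messages."""
    r = Receiver()
    t0 = 1_700_000_000.0
    m = sign_message("transfer 100 to account 42", t0)
    first = r.accept(m, t0 + 1)
    replay = r.accept(m, t0 + 5)                              # same capture, inside the window
    late = r.accept(sign_message("ping", t0), t0 + 120)      # held back past the window
    tampered = r.accept(dict(m, body="transfer 900 to account 42"), t0 + 2)
    return first, replay, late, tampered


if __name__ == "__main__":
    for label, outcome in zip(("first", "replay", "late", "tampered"), demo()):
        print(f"{label:9} -> {outcome}")
```

The order of the checks is deliberate: the signature is verified first so that an unauthenticated sender cannot probe the nonce cache or learn the receiver's clock skew from the error it gets back.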

Which type of attack relies on mistakes made by users when they input Web addresses?
malicious insider threat
watering hole attack
URL hijacking
DoS

Answer:
URL hijacking

Explanation:
A URL hijacking, or typo squatting, attack relies on mistakes made by users when they input Web addresses.

A malicious insider threat occurs when legitimate users take advantage of the valid access they have to resources to carry out an attack against an organization. Disgruntled employees are most often the malicious insiders that initiate these attacks.

A watering hole attack occurs when an attacker profiles victims to discover the sites they visit. The attacker then accesses the most commonly accessed sites for vulnerabilities. Once a vulnerability is discovered, the attacker then compromises the site and redirects users to an alternative site that will infect the computers of users who access this alternative site. This attack may also be called a waterhole attack.

A denial of service (DoS) attack occurs when attackers overrun a server with requests so that legitimate users cannot access the server.
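Because typo squatting depends on near-miss spellings of a domain you own, the defender's check is to look in proxy or DNS logs for registrable domains within one or two edits of your own. The Python below is an added example for this page, not code from the quiz; the protected domain set and the proxy log excerpt are constructed, and the registrable-domain helper deliberately uses the naive "last two labels" rule, which a real deployment would replace with the Public Suffix List.

```python
import re

OUR_DOMAINS = {"example.com"}   # hypothetical: the registrable domains your users should be reaching

# Constructed web-proxy log excerpt: client IP, method, URL.
PROXY_LOG = """\
10.0.0.5 GET https://www.example.com/login
10.0.0.6 GET https://www.exampel.com/login
10.0.0.7 GET https://cdn.example.com/app.js
10.0.0.8 GET https://www.examp1e.com/login
10.0.0.9 GET https://news.example.org/
10.0.0.10 GET https://www.wikipedia.org/
"""


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap two adjacent characters."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition counts as one edit
    return d[len(a)][len(b)]


def registrable_domain(host: str) -> str:
    """Naive: keep the last two labels (www.example.com -> example.com)."""
    return ".".join(host.split(".")[-2:])


def find_lookalikes(log: str, max_distance: int = 1):
    """Return (client, domain) pairs whose domain is within max_distance edits of one of ours."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        m = re.match(r"https?://([^/]+)", parts[-1]) if parts else None
        if not m:
            continue
        domain = registrable_domain(m.group(1).lower())
        if domain in OUR_DOMAINS:
            continue
        if any(osa_distance(domain, ours) <= max_distance for ours in OUR_DOMAINS):
            hits.append((parts[0], domain))
    return hits


if __name__ == "__main__":
    for client, domain in find_lookalikes(PROXY_LOG):
        print(f"{client} reached look-alike domain {domain}")
```

The transposition rule is what catches `exampel.com`, the classic swapped-letter typo, which plain Levenshtein distance would score as two edits and miss at a threshold of one; `example.org` is three edits away and is correctly left alone.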

Which technology will phreakers attack?
firewalls
Web servers
VoIP
NAT
Answer:
VoIP

Explanation:
Phreakers will attack Voice over Internet Protocol (VoIP). Phreakers generally attack PBX equipment used for telephone lines. VoIP is a type of telephony. Telephony is the mechanism by which an organization uses telephone services for voice and/or data communications.

Phreakers do not attack firewalls, Web servers, or NAT. Hackers attack these technologies. Firewalls are used to protect local networks and create demilitarized zones (DMZs). Web servers provide Web services to users, including Web sites, FTP sites, and news sites. Network Address Translation (NAT) provides a transparent firewall solution between an internal network and outside networks.

Which of the following is the best description of a zero-day exploit?
an attack where a user is sent an e-mail that appears to come from a valid entity asking for private information
an attack that exploits a security vulnerability on the day the vulnerability becomes generally known
an attack where a ping request is sent to a broadcast network address with the aim of overwhelming the system
an attack where an intruder records between a user and a server and later plays the recorded information back to impersonate the user
Answer:
an attack that exploits a security vulnerability on the day the vulnerability becomes generally known

Explanation:
A zero-day exploit is an attack that exploits a security vulnerability on the same day the vulnerability becomes generally known.

A phishing attack is an attack where a user is sent an e-mail that appears to come from a valid entity asking for personally identifiable information (PII). PII is any data that can be used to identify a person. This information includes the following:
Personal characteristics – includes full name, date of birth, height, weight, ethnicity, place of birth, mother’s maiden name, biometric characteristics, and so on.
A unique set of numbers assigned to an individual – includes social security number, telephone number, driver’s license number, PIN, and so on
Descriptions of events or points in time – includes arrest records, employment records, medical records, and so on.
Descriptions of locations or places – includes GPS tracking information and other such information.
PII should be discussed in annual security awareness training. Employees should understand that PII can be exploited easily and requires special handling and explicit policies for retention and distribution of any PII.

A smurf attack is an attack where a ping request is sent to a broadcast network address with the aim of overwhelming the system.

A replay attack is an attack where an intruder records between a user and a server and later plays the recorded information back to impersonate the user.

You receive the following message in your e-mail message inbox:

From: [email protected]
To: [email protected]
Subject: Virus Alert!

Microsoft, Symantec and McAfee have issued an urgent virus warning.
All Windows Vista Home Edition Service Pack 1 users should delete the
following file from their computers:

C:\Windows\explorer.exe

This action should be taken as soon as possible to ensure that your
computer does not become infected with the StealthExplorer virus.

PLEASE FORWARD THIS MESSAGE TO EVERYONE IN YOUR ADDRESS BOOK ASAP!

Which type of attack does the e-mail message represent?
a zombie
a Trojan horse
a social engineering attack
a worm

Answer:
a social engineering attack

Explanation:
The e-mail in this scenario is an example of a social engineering attack, which is sometimes referred to as an e-mail hoax. In this scenario, users should not follow the directions in this e-mail message because deleting the Explorer.exe file will damage their Windows XP installations.

An e-mail message hoax is concealed as an innocuous e-mail message that uses the names of reputable software vendors for credibility. The last line of the message urges users to send the message to everyone in their address books, which will cause the e-mail hoax to replicate. E-mail hoaxes typically increase bandwidth use on a network because non-technical users typically forward hoaxes to others. The bomb in the virus will be triggered if a user follows the instructions contained in the fraudulent e-mail message. Users should research the validity of virus warnings in e-mail messages before following the instructions contained in such messages.

A zombie is a malicious program that can be installed on a computer and remotely triggered. A Trojan horse is a seemingly safe program that contains malicious code, which a hacker can use to gain access to a network or to destroy network resources. A worm is a program that is transmitted through network connections.

Your manager suspects that your network is under attack. You have been asked to provide information regarding traffic flow and statistical information for your network. Which tool should you use?
port scanner
protocol analyzer
penetration test
vulnerability test
Answer:
protocol analyzer

Explanation:
A protocol analyzer provides information regarding traffic flow and statistical information for your network. A protocol analyzer is also referred to as a network analyzer or packet sniffer.

None of the other tools can provide this information. A port scanner provides a list of open ports and services on your network. A penetration test determines whether network security is properly configured to rebuff hacker attacks. A vulnerability test or vulnerability scanner checks your network for known vulnerabilities and provides methods for protection against the vulnerabilities.

A vulnerability scan would allow a security administrator to test applications for missing security controls with the least impact to the system, as compared to a penetration test, load test, or port scan.

Which security threat often uses tracking cookies to collect and report on a user’s activities?
virus
worm
Trojan horse
spyware
Answer:
spyware

Explanation:
Spyware often uses tracking cookies to collect and report on a user’s activities to the spyware programmer.

None of the other options is correct. A virus is malicious software (malware) that relies upon other application programs to execute itself and infect a system. A worm is a program that spreads itself through network connections. A Trojan horse is malware that is disguised as a useful utility, but embeds malicious code in itself.

Another type of malware that you need to be familiar with is ransomware, which restricts access to the computer that it infects. The ransomware then demands a ransom, paid to the creator of the malware, for the restriction to be removed.

Match the Web site application code attack types on the left with the mitigations given on the right. Choose the mitigation that BEST applies to the attack.
Explanation:
The attacks and their mitigations should be matched in the following manner:
Cross-site request forgery (CSRF) – Validate both the client and server side.
Cross-site scripting (XSS) – Implement input validation.
Session hijacking – Encrypt communications between the two parties.
Malicious add-ons – Implement application white-listing.
It is important that you understand application attacks and how to prevent them.

You are using a network analyzer to monitor traffic on your network. Users report that sessions are hanging intermittently throughout the day. You suspect that your network is under attack. You decide to use the network analyzer to determine the problem.

Which information should you examine?
protocol statistics
station statistics
packet capture
port statistics

Answer:
packet capture

Explanation:
You should use packet capture information to examine the sessions that are hanging intermittently throughout the day. You will need to examine the packets being sent and determine which devices failed to respond. A packet capture provides detailed information on each packet on your network.

All of the other options should only be used if you know which protocol, station (device), or port is the cause of the problem.

You should not use protocol statistics for this problem because you are not sure which protocol, if any, is causing the problem.

You should not use station statistics for this problem because you are not sure which station or device, if any, is causing the problem.

You should not use port statistics for this problem because you are not sure which port, if any, is causing the problem.

Your company has been having problems with its host name registrations. You have been asked to determine the problem. You need to view events on host name registrations. Which log in Event Viewer should you view?
Application
Security
System
DNS
Answer:
DNS

Explanation:
You should use the DNS log in Event Viewer to view events on host name registrations. You should log DNS entries so that you can watch for unauthorized DNS clients or servers. Without a DNS log, you would be unable to discover how long an entry was being used.

None of the other logs will contain this type of information. The Application log contains events logged by applications. The Security log contains events based on the auditing configuration. Only administrators can configure and view auditing. The System log contains events logged by computer system components.

Which security threat is a software application that displays advertisements while the application is executing?
worm
adware
spyware
virus
Answer:
adware

Explanation:
Adware is a software application that displays advertisements while the application is executing. Some adware is also spyware that monitors your Internet usage and personal information. Some adware will even allow credit card information theft.

A worm is a program that spreads itself through network connections.

Spyware often uses tracking cookies to collect and report on a user’s activities. Not all spyware is adware, and not all adware is spyware. Spyware requires that your activities be monitored and tracked; adware requires that advertisements be displayed.

A virus is malicious software (malware) that relies upon other application programs to execute itself and infect a system.

Another type of malware that you need to be familiar with is ransomware, which restricts access to a computer that it infects. The ransomware then demands a ransom, paid to the creator of the malware, for the restriction to be removed.

Which tool is NOT a back door application?
Back Orifice
NetBus
Masters Paradise
Nessus
Answer:
Nessus

Explanation:
Nessus is NOT a back door application. It is a network vulnerability scanner.

Back Orifice, NetBus, and Masters Paradise are all back door applications. These applications work by installing a client application on the attacked computer and then using a remote application to gain access to the attacked computer.