PASS - TAKER : Anonymos

CEH v10 Certified Ethical Hacker Study Guide 2019 - Exam Questions

Correct : 245

100% Complete (success)

100 %

False : 0

0% Complete (success)

0 %



Anonymos 2019-10-17T06:51:52

Correct

Which of these devices would not be considered part of the Internet of Things?

A thermostat is an embedded device without a traditional user interface. A light bulb would have no user interface, even if it has network capabilities. A set-top cable box would have a custom interface and not a general-purpose one. The only device here that is a general-purpose computing platform with a traditional user interface—screen and keyboard—is the smartphone, so it isn’t part of the IoT.

Correct

If you wanted a lightweight protocol to send real-time data over, which of these would you use?

TCP uses a three-way handshake, which is fairly heavyweight. HTTP uses TCP and adds more on top of it. ICMP is used for control messages. UDP has very little overhead and is commonly used for real-time data transport.

Correct

What order, from bottom to top, does the TCP/IP architecture use?

From top to bottom, the TCP/IP architecture is Link, Internet, Transport, and Application. B is the only answer that reflects that.

Correct

Which of these services would be considered a storage as a service solution?

While Microsoft Azure and Google Compute have storage capabilities, they aren’t storage as a service solutions. Drop leaf is a type of table. Dropbox is a storage as a service solution. The only one listed here that is storage as a solution is iCloud, which is Apple’s cloud storage platform.

Correct

The UDP headers contain which of the following fields?

The IP headers include addresses. UDP headers use ports. TCP headers use flags, but UDP headers do not. The UDP headers have the source and destination port fields along with checksum and length.

Correct

What are the three steps in the TCP handshake as described by the flags set?

The three-way handshake is used to establish a connection. The first message has the SYN flag set and includes the sequence number. The response from the server has the ACK flag set for the SYN message that was sent from the client. The acknowledgment number is set. Additionally, in the same message, the server sends its own SYN flag and sequence number. The client then responds with an ACK message. So, the sequence is SYN, SYN/ACK, and ACK.

Correct

Which of these protocols would be used to communicate with an IoT device?

While ICMP may be used as part of passing control messages in case of errors in the network, it wouldn’t be used between the IoT device and a server. SMTP is an email protocol that also wouldn’t be used. Telnet is a cleartext protocol used to gain commandline access to a system. HTTP would commonly be used to pass messages between a controlling server and an IoT device.

Correct

Which network topology are you most likely to run across in a large enterprise network?

Ring networks were once common but are much less so now. You may find a ring network in a service provider network today. A bus topology is best suited for a smaller network. Full mesh isn’t a very common topology, in part because of the expense and complexity it brings. A star-bus hybrid would be common. An enterprise would use multiple switches that were all connected to one another over a bus, while all the endpoints would connect to the switch in a star topology.

Correct

If you were to see the subnet mask 255.255.252.0, what CIDR notation (prefix) would you use to indicate the same thing?

A /23 network would be 255.255.254.0. A /21 would be 255.255.248. A /20 would be 255.255.240.0. Only a /22 would give you a 255.255.252.0 subnet mask.

Correct

Which of these addresses would be considered a private address (RFC 1918 address)?

The RFC 1918 address blocks are 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. The only address listed that fits into one of those address blocks is 172.20.128.240. The address block is 172.16.0.0–172.31.255.255.

Correct

If you were looking for the definitive documentation on a protocol, what would you consult?

Manual pages provide documentation for commands and programs. IEEE is the Institute for Electrical and Electronics Engineers, which does manage some protocols but isn’t documentation itself. Standards on the Internet are actually uncommon and only happen after a very long period of time. The best place to find definitive documentation about protocols seen on the Internet is in the Request for Comments (RFC) documents.

Correct

The PDU for TCP is called a ____________________.

At the Network layer, the PDU is a packet. The Network layer is IP. At the Data Link layer, the PDU is a frame. Commonly, the protocol would be Ethernet there. UDP uses datagram as the PDU. TCP uses segment for the PDU.

Correct

Which header field is used to reassemble fragmented IP packets?

The source address is used as the address to send back to on the response, making it the destination address. The don’t fragment bit is used to tell network devices not to fragment the packet. The acknowledgment field is part of the TCP header and not the IP header. The IP identification field is used to identify fragments of the same packet, as they would all have the same IP identification number.

Correct

Which protocol is necessary to enable the functionality of traceroute?

The traceroute program uses UDP messages with the time to live field starting at 1. This is incremented for each hop in the network until the destination is reached. Each device would send an ICMP time exceeded in transit message back to indicate the TTL had expired. The source of that message indicates the address of the network hop. On Windows systems, tracert uses ICMP echo request messages, also incrementing the time to live value. Because of these two factors, traceroute requires ICMP to work.

Correct

What is a MAC address used for?

Systems over a VPN may use a MAC address but they may also use IP addresses. The same would be true for a tunnel. Using TCP, we would use ports for addressing. On the local network, the MAC address is used.

Correct

To remove malware from the network before it gets to the endpoint, you would use which of the following?

Packet filters are used to make block/allow decisions based on header data like source and destination address and port. Stateful firewalls add in the ability to factor in the state of the connection—new, related, established. An Application layer gateway knows about Application layer protocols. A unified threat management appliance adds additional capabilities on top of firewall functions, including antivirus.

Correct

If you were on a client engagement and discovered that you left an external hard drive with essential data on it at home, which security principle would you be violating?

Confidentiality is about making sure secrets are kept secret. Integrity makes sure that data isn’t altered accidentally or by an unauthorized agent. Non-repudiation makes sure someone can’t say a message didn’t originate with them if it came from their identity. Availability means making sure data is where it needs to be when it should be there. This includes services as well.

Correct

How would you calculate risk?

Risk is the probability of the occurrence of an event multiplied by the dollar value of loss. There is no mitigation factor that is quantified, so it could be put into a risk calculation.

Correct

Which of the following is one factor of a defense in depth approach to network design?

Switches and optical cable connections can certainly be part of a network design, but in and of themselves they don’t add any security features. You may use Linux on the desktop, but without more of a strategy for patch and vulnerability management, Linux is no better than other operating systems. Access control lists on routers can add an additional layer of security, especially when combined with other elements like firewalls and intrusion detection systems.

Correct

How would you ensure that confidentiality is implemented in an organization?

Confidentiality is keeping secret information secret, which means unauthorized users can’t access it. Encryption is a good way to keep unauthorized users from data because in order to get to the data, they need to have the key. Watchdog processes are used to ensure that programs remain running. Cryptographic hashes are used to verify the integrity of data. Web servers are used to serve up information.

Correct

An intrusion detection system can perform which of the following functions?

Firewalls are used to block traffic into a network, though an intrusion prevention system will also block traffic. A packet filtering firewall uses header information, such as source and destination address and port, to determine whether to allow traffic into the network. Syslog and the Windows event subsystem can be used to log system messages. Intrusion detection systems can be used to generate alerts on traffic.

Correct

Which of these would be an example of a loss of integrity?

If a user makes a change to a file and saves it, that’s an intentional act and the data is what the user expects and wants. If the disk drive has flagged bad blocks on the disk, the drive won’t write any data out to those blocks, so there will be no loss of integrity. Credit cards passed in cleartext would be a violation of confidentiality. Memory failures, though, could cause a loss of data integrity, even in the case of writing data to the drive. The corrupted data in memory could be written to disk. Also, memory failures may cause issues with the disk driver, which may also cause data corruption.

Correct

What would you use a security information event manager for?

Security information event managers are used to aggregate event data, such as log information. Once the data has been aggregated, it can be searched and correlated. Even though it’s called an event manager, it isn’t used to manage security projects, nor is it used to escalate security events. Other tools can be used to gather and store open-source intelligence.

Correct

Why is it important to store system logs remotely?

Commonly, system logs are stored on the system that generated the log message. Certainly local systems can handle the logs they have generated. Log messages don’t typically consume a lot of space at an individual message level, so bandwidth isn’t a problem. Transmitting over a network is generally not faster than moving data within local disks. System logs can be used in identifying attacks, but the logs won’t defend against attacks. However, if an attacker does compromise a system, the attacker may delete the local logs because they could get access to them.

Correct

What would be necessary for a TCP conversation to be considered ESTABLISHED by a stateful firewall?

In TCP, a three-way handshake is used to synchronize sequence numbers and establish a connection. While the sequence numbers are shared, they wouldn’t be called aligned, which might suggest that each end was using the same sequence number. A SYN message is part of the three-way handshake, but it is not sufficient to establish a connection. Option A, “Final acknowledgment message,” is ambiguous. It could refer to the acknowledgment to a FIN message, closing the connection.

Correct

What is the purpose of a security policy?

Standards and practices should be derived from a security policy, which is the highlevel guidance on the role of security within an organization. Security does not generally increase the bottom line of a company. Policies are not for providing specific directions, which would be the role of procedures.

Correct

What additional properties does the Parkerian hexad offer over the CIA triad?

The Parkerian hexad takes the confidentiality, integrity, and availability of the CIA triad and adds utility, possession (or control), and authenticity.

Correct

What important event can be exposed by enabling auditing?

While system shutdown, service startup, and package installation may be events that are logged, they are generally logged by normal system logging. Auditing functions are different between Windows and Linux/Unix, but audit systems for both will generate logs when a user logs into a system.

Correct

What can an intrusion prevention system do that an intrusion detection system can’t?

While an intrusion prevention system can generate alerts, so can an intrusion detection system. Both systems may also be able to log packets, as needed. A bogus message likely wouldn’t result in a completed three-way handshake, and the handshake shouldn’t be completed anyway. An intrusion prevention system can, however, block or reject network traffic, while an intrusion detection system can’t.

Correct

Which of these is an example of an application layer gateway?

Runtime application self-protection is a plug-in used on an application server to prevent bad messages from impacting the application. A Java applet is an implementation of a Java program. An intrusion prevention system is used to detect and block potential intrusions. A web application firewall, however, makes decisions based on Application layer traffic and will either allow or block that traffic. This makes it an Application layer gateway.

Correct

Which information would a packet filter use to make decisions about what traffic to allow into the network?

A packet filter would use layer 2/3/4 headers to make decisions. An HTTP REQUEST message is at the Application layer (layer 7). Ethernet type isn’t used to make decisions in a packet filter. SNMP OID is also an Application layer message. A packet filter would, though, use source or destination ports, potentially, to make decisions about allowing or blocking a packet.

Correct

Which of the following products might be used as an intrusion detection system?

ElasticStack is an implementation of a security information event manager. Prewikka can be used along with an intrusion detection system as a dashboard. Snorby is an auxiliary program used with Snort. Snort is an intrusion detection program.

Correct

Which of these isn’t an example of an attack that compromises integrity?

A buffer overflow attack is used to execute attacker-supplied code by altering the return address in the stack. A man in the middle attack can be used to intercept and potentially alter a conversation between two systems. A heap spraying attack sends a lot of data into the heap to overwrite what’s there. A watering hole attack does not compromise integrity since its purpose is to introduce malware to a system. The malware might eventually compromise integrity, but the watering hole attack itself does not.

Correct

What type of attack is a compromise of availability?

A watering hole attack looks to compromise a system that visits a website. A phishing attack looks to gather information from victims, potentially by compromising the victim’s system. A buffer overflow attack tries to introduce code provided by the attacker. A denial of service attack, however, has the intention of making a service unavailable for users.

Correct

If you were implementing defense in breadth, what might you do?

Installing multiple firewalls and intrusion detection systems and ensuring that policies are up to date are all elements of a defense in depth approach. Introducing a DevSecOps culture may be an attempt to reduce the number of vulnerabilities and also get them resolved more quickly. As such, it might be considered defense in breadth.

Correct

If you were checking on the IP addresses for a company in France, what RIR would you be checking with for details?

France is in Europe, and as such, it falls under the jurisdiction of RIPE. ARIN handles North America. AfriNIC handles Africa, and LACNIC handles Latin America and parts of the Caribbean.

Correct

You need to identify all Excel spreadsheets available from the company Example, Inc., whose domain is example.com. What search query would you use?

The keyword site indicates the site (or domain) you want to search in. You need to provide either a domain, which would catch all FQDNs in that domain that were available in the search database, or a specific hostname. The keyword filetype indicates the file extension for the results. This keyword requires that a file extension be provided. There is no files or domain keyword that can be used in Google or other search engines.

Correct

If you found a colleague searching at pgp.mit.edu, what would they likely be looking for?

PGP uses public servers and shared verification to store and validate keys and key ownership. Keys are owned by individuals, as a general rule. If someone were searching at pgp.mit.edu, they would likely be looking for people and, most specifically, email addresses.

Correct

What information could you get from running p0f?

p0f can provide the uptime for some systems. Packets don’t include any time information, so it’s not possible to gather local or remote time. Absolute time would be based in a particular time zone, and time zones aren’t communicated at the Network or Data Link layers.

Correct

The DNS server where records for a domain belonging to an organization or enterprise reside is called the ________________ server.

A local caching server is what most people use to perform DNS lookups from their systems in order to get better performance. Recursion is the process used to look up DNS addresses from a caching server. Eventually, the caching server would ask an authoritative server for the information.

Correct

What strategy does a local, caching DNS server use to look up records when asked?

DNS requests from a local caching server start with the cache, then move to root servers and then subsequent servers, always getting closer to the final destination. This process of asking a question, getting an answer, and asking again using the new information is called recursion. Neither serial nor combinatorics make sense in this context, and bistromathics is a field of study invented by Douglas Adams for the book Life, the Universe and Everything.

Correct

What would you use a job listing for when performing reconnaissance?

It would be unusual to find executive staff identified in a job listing. It may be possible to get phishing targets, but it’s not guaranteed, and a single individual usually isn’t identified. No financial records would be available in a job listing. Technologies used at a company, though, would be identified in order to ensure that the applicant has the right experience.

Correct

What tool could be used to gather email addresses from PGP servers: Bing, Google, or LinkedIn?

whois is used to inquire about domains, IP addresses, and other related information. dig is used to issue queries to DNS servers. netstat is used for network statistics. theHarvester, though, can be used to search across multiple sources, including Bing, Google, PGP servers, and LinkedIn.

Correct

What social networking site would be most likely to be useful in gathering information about a company, including job titles?

While the others may include details about companies, only LinkedIn is primarily used as a business social networking site. People who have profiles there would list job titles, and job searches would indicate openings, including job titles.

Correct

You see the following text written down—port:502. What does that likely reference?

Shodan is a website you would use to look for IoT devices. The query language is similar to that used by Google, except it has additional keywords that could be used to identify network traffic. This may include port numbers. p0f is used for passive network traffic analysis. You might query an RIR for information about an IP address block. The domain name for Shodan is shodan.io, but there is no IO search.

Correct

What would you use Wappalyzer for?

WappAlyzer is an extension for the Chrome browser that can be used to identify technologies used in a website. It will, in part, use HTTP headers, but it doesn’t identify the headers. It’s also not used for analyzing web headers because there is more to what WappAlyzer does than that. It may look at some pieces of application code to get frameworks that are used, but it doesn’t analyze application code in the traditional sense of application code analysis.

Correct

What technique would you ideally use to get all of the hostnames associated with a domain?

A DNS query can be used to identify an IP address from a hostname or vice versa. You could potentially use a brute force technique to identify hostnames, though you may not get everything using that method. A recursive request is common from a caching server to get an authoritative response. The term for getting all the contents of the zone is a zone transfer.

Correct

What information would you not expect to find in the response to a whois query about an IP address?

When you run a whois query against an IP address, you will get the block the address belongs to, the owner of the block, and the technical contact. You will also get address information and possibly additional information. You will not get an association between a domain and the address block. This may be something you might infer, but it is not something that the results provide for you.

Correct

What would you be looking for with the following Google query? filetype:txt Administrator:500:

Google uses the keyword filetype: to identify filename extensions that should be searched. Administrator: is not a keyword, which means Administrator:500: is the search term that Google would use along with the filetype of txt, which would mean text files.

Correct

What command would you use to get the list of mail servers for a domain?

The command whois would be used to query the RIR for information about an IP address block. It could also be used to identify information about a domain. The program netstat is used for network statistics. dig can be used, but when you provide the @ parameter, it would be followed by the name server you want to query. The correct way to look for name server records is to use ns as the record type. When you are looking for mail servers, you would look for the mx record type.

Correct

What would you get from running the command dig ns domain.com?

Mail exchanger records would be identified as mx records. A name server record is identified with the tag ns. While an enterprise may have one or even several caching name servers, the caching name server wouldn’t be said to belong to the domain because it doesn’t have any domain identification associated with it.

Correct

If you wanted to locate detailed information about a person using either their name or a username you have, which website would you use?

Twitter and Facebook are social networking sites. While you may be able to locate someone using a username, you may not be able to get detailed information about the user. Intelius is a person search site, and you can get detailed information there, but you can’t search by username. PeekYou is a web site that will allow you to search for people by either name or username.

Correct

If you were looking for detailed financial information on a target company, with what resource would you have the most success?

LinkedIn is typically used for business networking, but there wouldn’t be much in the way of detailed financial information there. Facebook is a social networking site, commonly used by people for social interaction. EDGAR is the database that is maintained by the SEC and includes filing information from public companies. MORTIMER is a joke. Bonus points if you recognize what the joke is.

Correct

What financial filing is required for public companies and would provide you with the annual report?

The 10-Q is a quarterly filing. The 11-K form is related to stock options for employees. The 401(k) is a retirement account. The 14-A report required by the SEC for public companies would include the annual report to shareholders.

Correct

If you were looking up information about a company in New Zealand, which RIR would you be looking in for data?

New Zealand is located in Oceania, considered to be in the Pacific Rim. This means it falls under the Asia Pacific Network Information Center (APNIC). AfriNIC covers Africa. RIPE covers Europe, and LACNIC covers Latin America and parts of the Caribbean.

Correct

If you receive a RST packet back from a target host, what do you know about your target?

A TCP scan sends messages to the target, expecting to get a response. With a SYN or full connect scan, the target will respond with a SYN/ACK message from an open port. With a closed port, the target will respond with a RST.

Correct

What is the difference between a SYN scan and a full connect scan?

A SYN scan sends the first SYN message and then responds with a RST message after receiving the SYN/ACK from the target. A full connect scan completes the three-way handshake before sending the RST message. Since the full connect scan follows the correct order of the three-way handshake, it doesn’t send an ACK first. There is also no PSH flag sent with the SYN flag, since there is no data to push up the stack yet.

Correct

What is one reason a UDP scan may take longer than a TCP scan of the same host?

There is no defined response to a message to a UDP port. It is left entirely up to the application. Since a lack of response can mean the message never reached its recipient, the scanning system has to retransmit to closed ports. UDP is generally quicker than TCP because of a lack of overhead, it requires no messages to set up, and it has the same number of ports as TCP.

Correct

Why does an ACK scan not indicate clearly that ports are open?

When a system receives an ACK message, meaning a TCP segment with the ACK flag enabled (bit position storing a 1), it assumes there is an open connection and there is data that is being acknowledged. When there is no open connection, there is nothing to respond with. The system, not having anything else to do with the ACK, discards it. The scanner won’t receive a response if the port is open. However, the scanner can’t be certain that the message hasn’t just been discarded by a firewall. As a result, it indicates that the port is either open or filtered. Either would result in no response. The scanner isn’t guessing; it is providing two alternatives but can’t be certain which it is. ACK is a supported flag in the right circumstances and ACK scans do not cause retransmits, since no response means one of two things.

Correct

What is one reason for using a scan like an ACK scan?

Evasion is an important concept. You may spend a lot of time working on evading detection or getting blocked. Since an ACK without an open connection is aberrant, the firewall or IDS may ignore it, avoiding detection. As a result, you may be able to get ACK messages through. ACK scans are not better supported. In fact, there is really no support from the network stack for an ACK scan. The code is no more robust in nmap for an ACK scan than other scans, or at least there is no evidence of that being the case. ACK scans are not needed for scripting support.

Correct

What does nmap look at for fingerprinting an operating system?

Correct

What is nmap looking at when it conducts a version scan?

A version scan with nmap is looking to identify versions of the services/applications running on the target. The kernel is identified with an OS scan. TCP and IP headers don’t provide application versions. The IP ID field and TCP sequence number fields don’t provide version information either.

Correct

What is an advantage of using masscan over nmap?

The program masscan is a port scanner, like nmap. However, masscan was developed to scan the entire Internet as quickly as possible. As a result, if speed is a consideration, and especially if you are scanning large address blocks, masscan is probably better suited for that task. Both nmap and masscan have access to the same address space, and masscan uses the same command-line parameters, for the most part, as nmap, so they are similarly easy to use. nmap has also been around for considerably longer, since the 1990s, than masscan has.

Correct

If you were to see the following command run, what would you assume? hping -S -p 25 10.5.16.2

hping is a program used to send specially designed messages to a target. You use command-line parameters to tell hping what to include in the message being sent. The command hping -S -p 25 10.5.16.2 is used to have hping send SYN messages to port 25, the default SMTP port, at 10.5.16.2. It’s possible that someone mistyped ping, but those parameters aren’t used by ping programs, and since they are coherent for the action above, it makes more sense that they were trying to use hping. SNMP and web traffic both use different ports than port 25.

Correct

If you were to see that someone was using OpenVAS, followed by Nessus, what might you assume?

Vulnerability scanners don’t exploit vulnerabilities in order to gain access to a system. They would only exploit a vulnerability to the extent necessary to determine whether a vulnerability exists. If they didn’t know how to use Nessus or OpenVAS, they likely wouldn’t be using them. It’s possible they are looking to compare results from the two, but it’s also very likely they are trying to compare the results with the intention of reducing false positives.

Correct

What is the difference between a false positive and a false negative?

A false positive is when a finding is identified when it doesn’t actually exist. A false negative is when there is no finding identified but, in fact, there is a vulnerability. A true positive is when a finding is identified that is a vulnerability. A true negative is when a finding isn’t identified and there is no known vulnerability.

Correct

What would be the purpose of running a ping sweep?

There may be several reasons for performing a ping sweep. You likely want to identify responsive hosts on the network segment you are targeting. You may not, though, want to use a full port scan. ICMP is a lightweight protocol and there is a chance it will be allowed through the firewall, since it’s used for troubleshooting and diagnostics.

Correct

Which of these may be considered worst practice when it comes to vulnerability scans?

You would be expected to scan production servers, since that would be where you would be most interested to find vulnerabilities. Letting operations staff know ahead of time is polite since vulnerability scans may inadvertently knock over systems that would need to be stood back up. Being paged in the middle of the night unexpectedly isn’t fun. If you know it’s coming, it makes it easier. You may have reasons to use limited details in your scan reports, including trying to reduce the disk space used or the paper used in printing the reports. Taking no action on the results of a vulnerability scan is about the worst thing you can do when it comes to vulnerability scans. It’s worse than not running them, since you could be considered liable because you know about the vulnerabilities but you aren’t doing anything about them.

Correct

Which of these may be considered an evasive technique?

Scanning nonstandard ports isn’t evasive. It’s just as noisy as, and potentially more detectable than, scanning standard ports. You could use a proxy for some tasks, but all it would do would be to hide your own IP address, which isn’t evasive. You could still be blocked or detected. Nmap does not have a blind mode. When you encode data, though, you make it harder for the firewall or IDS to identify something bad that may be happening, since these devices can’t read the messages coming through.

Correct

If you were to notice operating system commands inside a DNS request while looking at a packet capture, what might you be looking at?

Tunneling attacks can be used to hide one protocol inside another. They may be used to send operating system commands using a tunnel system. A DNS amplification attack is where a small DNS request results in much larger responses sent to the target. DNS recursion is used to look up information from DNS servers. An XML entity injection attack is a web-based attack and wouldn’t be found inside a DNS request.

Correct

What is an XMAS scan

The XMAS scan is a TCP scan that uses unusual flag settings in the TCP headers to attempt to evade firewalls or IDSs. The XMAS scan uses the FIN, PSH, and URG flags and is called an XMAS scan because it looks like the packet is lit up like a Christmas tree. None of the other answers match what an XMAS scan is.

Correct

What would you use MegaPing for?

MegaPing can be used to perform a lot of different functions, but crafting packets, sending manual web requests, and running exploits are not functions it supports. It can, though, run a port scan.

Correct

What would be a reason to use the Override feature in OpenVAS?

Plug-ins are matched to vulnerabilities. A different plug-in would identify a different vulnerability and there is no way to change that. Scanner settings can be changed when you set up a scan. Using TCP rather than UDP is vague. If you want to change a severity rating from the one supplied by OpenVAS, you would override that rating. You may have mitigations in place or you may have investigated and found the finding to be a false positive.

Correct

What would you use credentials for in a vulnerability scanner?

Credentials wouldn’t give better reliability in network findings, and vulnerability scanners don’t typically provide a way to directly authenticate through a VPN. The VPN client would be expected to be running ahead of time if the network is behind the VPN. An Active Directory scan is a vague answer, and it may not be something you can do with a vulnerability scanner. If you provide credentials, though, the scanner can authenticate against systems on the network and check for local vulnerabilities.

Correct

What is fragroute primarily used for?

The program fragroute uses configuration statements to determine what should be done to packets destined for a specific host. This may include fragmenting application traffic as well as duplicating and delaying traffic. While there is a possibility of fragmenting layer 3 headers, if layer 2 headers were fragmented, there would be no way to get the message to the destination.

Correct

What is are RPCs primarily used for?

Remote procedure calls are a way for processes on one system to communicate with processes on another system. This does not preclude two processes on the same system communicating, of course. Semaphores are another concept in computer science that can enable interprocess communication. Remote method invocation is a way for Java programs to implement interprocess communications. Process demand paging isn’t a thing.

Correct

What would you be trying to enumerate if you were to use enum4linux?

enum4linux is a tool that makes use of other, underlying tools to scan systems that have implemented SMB. This means enum4linux can be used to enumerate shares or users, as well as other information. None of the other options are valid.

Correct

How do you authenticate with SNMPv1?

SNMPv3 implemented username and password authentication. With version 1, you used a cleartext community string. SNMP doesn’t use hashes, and while the word public is often used to describe a community string, a public string is not a way to authenticate with SNMPv1.

Correct

What SMTP command would you use to get the list of users in a mailing list?

The SMTP command used to expand a mailing list alias to get the underlying email addresses that belong to that mailing list or group is EXPN. VRFY is verify, and the other two are not valid SMTP commands.

Correct

What type of enumeration would you use the utility dirb for?

The utility dirb uses a word list to attempt to enumerate directories available through a web server that may not be available by looking at all the pages and links in the site.

Correct

What are data descriptions in SNMP called?

SNMP can be used to retrieve information from remote systems. This information has to be described, including the different data types. All of the information available is described in a management information base (MIB). The Extensible Markup Language (XML) is a way of packaging data in a structured way but it is not used in SNMP.

Correct

What is the process Java programs identify themselves to if they are sharing procedures over the network?

Interprocess communications across systems using a network is called Remote Method Invocation. The process with which programs have to communicate to get a dynamic port allocation is the RMI registry. This is the program you query to identify services that are available on a system that has implemented RMI.

Correct

You are working with a colleague and you see them interacting with an email server using the VRFY command. What is it your colleague is doing?

The extended SMTP (ESMTP) protocol has a command that is abbreviated VRFY that is used to verify email addresses. A mail server may or may not have exposed this command, even if the server software supports ESMTP. Expanding mailing lists is EXPN. You wouldn’t use VRFY for a mailing list in that same sense. The other two don’t have specific commands that are specified in the SMTP protocol definition.

Correct

What is the SMB protocol used for?

The Server Message Block (SMB) protocol is used for multiple functions on Windows networks. One of them is to transfer files (data) from one system to another. Email attachments would be transmitted using SMTP. NFS manages its own data transfer when files are being copied from one system to another. There are no data transfers specifically for Windows Registry updates.

Correct

Which of these is a built-in program on Windows for gathering information using SMB?

The program nmblookup can be used on Linux systems. smbclient is a program that comes with a Samba installation that can be used to interact with a system using SMB. Metasploit has a lot of functions, but it’s not built into Windows. The program nbtstat, though, can be used to gather information using SMB, and it is a program that is installed with Windows.

Correct

What status code will you get if your attempt to use the VRFY command fails?

The status code you would get if your VRFY command failed against an SMTP server is 550. 200 is the status code for success with a web server. The other codes are not valid in this context.

Correct

What program would you use to enumerate services?

The programs smbclient and enum4linux may be used to enumerate information using SMB. The program snmpwalk can be used to enumerate information over SNMP. Nmap, though, can be used to enumerate services running on all the systems on a network.

Correct

What version of SNMP introduced encryption and user-based authentication?

Version 1 of SNMP used community strings. Version 2c also used community strings. Version 2 improved version 1, but it was version 3 that implemented user-based authentication as well as encryption.

Correct

Which of these could you enumerate on a WordPress site using wpscan?

The program wpscan can be used to enumerate themes, users, and plug-ins. It can’t be used to enumerate administrators, specifically. It also can’t be used to enumerate posts, and since there would only be a single version, you wouldn’t enumerate versions.

Correct

Which of these tools allows you to create your own enumeration function based on ports being identified as open?

Metasploit can be extended with user-created programs. However, you wouldn’t call a Metasploit module based on ports being open. Netcat doesn’t do any enumeration, and nbtstat is a Windows program that can’t be extended. Nmap can be extended with userwritten scripts. An nmap script includes a port registration so nmap knows to call that script when specific ports are found to be open.

Correct

What underlying functionality is necessary to enable Windows file sharing?

SMB relies on remote procedure calls (RPCs) in order to function. The common Internet File System (CIFS) is an implementation of file sharing and system management using SMB. The Network File System (NFS) is a protocol that makes use of remote procedure calls. Remote Method Invocation (RMI) is a way to call procedures remotely over Java.

Correct

What is the IPC$ share used for?

The IPC$ share is a named pipe that enables interprocess communications over a network. While you may be able to do some remote management using the IPC$ share, it is not used for remote process management.

Correct

What tool does a Java program need to use to implement remote process communication?

The JRE is the Java runtime environment and is necessary to run Java programs. The JDK is the Java development kit and is necessary to develop Java programs. The program rmic is used to create RMI programs. It creates the stubs necessary for RMI to function. rmir isn’t anything.

Correct

Which of these passes objects between systems?

RMI is a way to implement interprocess communications using Java. Since Java is an object-oriented programming language, it would transmit objects. SMB is the Server Message Block protocol. SunRPC does remote procedure calls but the data transmitted isn’t object oriented. Nmap is a program used to scan ports.

Correct

If you needed to enumerate data across multiple services and also store the data for retrieval later, what tool would you use?

While nmap is an excellent program in its own right and can be used to enumerate data across multiple services, it doesn’t store data for retrieval later without some additional help. Metasploit can also be used to enumerate data across multiple services and also uses a database on the backend to store data to be retrieved later. RMI is Remote Method Invocation, a way to implement interprocess communications across a network. Postgresql is the database server commonly used underneath Metasploit. Postgres is a much older version of what is now PostgreSQL.

Correct

What are the three times that are typically stored as part of file metadata?

There are three date and time stamps commonly used in file metadata. When the file is created, that moment is stored. When a file is accessed by a user, that moment is stored. When a file is modified, that moment is stored. Accessed is not the same as modified since accessing a file could be read-only. You could open a file expecting to modify it, but not end up doing the modification. The access time still changes. While moves, adds, and changes may sometimes be referred to as MAC, like modified, accessed, and created, those are not tasks associated with file times.

Correct

What is it called when you obtain administrative privileges from a normal user account?

Account migration, privilege migration, and account escalation are vague and don’t have clearly defined definitions, even if they may exist. Privilege escalation, on the other hand, is used to gain elevated privileges when you only have the permissions of a normal user.

Correct

What does John the Ripper’s single crack mode, the default mode, do?

Incremental mode in John will run an attack in which it will try every possible password within specified parameters, meaning John will generate the passwords. The default mode in John is single crack mode, which uses information including the username and the home directory to generate a password using mangling rules. Incremental mode does not use wordlists, though John does support the use of wordlists.

Correct

What is the trade-off for using rainbow tables?

Rainbow tables use precomputed hashes that are mapped to plaintext passwords in order to speed up the process of obtaining the passwords from stored hashes. Rainbow tables, though, are very expensive when it comes to disk space. Hashes and passwords are stored in the rainbow tables. Accuracy is neither sacrificed nor prioritized using rainbow tables. You will give up disk space to get faster cracking times using rainbow tables.

Correct

Which of these is a reason to use an exploit against a local vulnerability?

Local vulnerabilities are used against applications that are not listening on the network. This means they require you to be “local” to the machine and not remote. In other words, you have to be logged in somehow. A local vulnerability would not be used to collect passwords; you don’t need a vulnerability to do that. Similarly, you don’t need to make use of a vulnerability to manipulate logs or to pivot. Most of those would require you to have elevated permissions, though. A local vulnerability may be exploited to get you those elevated permissions.

Correct

What is it called when you manipulate the time stamps on files?

Manipulating time stamps on files is called timestomping. It is used to set file times, which may be used to throw off investigations or identify intrusions. None of the other answers are real things.

Correct

What would an attacker use an alternate data stream on a Windows system for?

Alternate data streams are a function of the New Technology File System (NTFS), created to support the resource forks of Apple’s file system in Windows NT. Since many of the utilities and programs in Windows don’t natively understand alternate data streams, they can’t make use of them and won’t show them. The file can be accessed if the user knows how to display and manipulate the alternate data streams.

Correct

Which of these techniques might be used to maintain access to a system?

You may use a PowerShell script to perform functions that could support persistence on a system, but the PowerShell script alone won’t be used to maintain access. Alternate data streams won’t be of any use for maintaining access, and a .vimrc file is a startup file for the Vi editor. The run key in the Windows Registry, though, could be used to put an entry in that would run a program automatically that could make sure an attacker could get access even after a reboot.

Correct

If you were looking for reliable exploits you could use against known vulnerabilities, what would you use?

While the Tor network may be used to obtain an exploit against a vulnerability, there is some question as to how reliable that exploit may be. The Tor network may contain malicious content, even in the case of source code. Meterpreter and msfvenom are elements of Metasploit that don’t have anything to do with locating vulnerabilities. Exploit-DB is a website and repository of exploits that could be searched to locate an exploit targeting specific and known vulnerabilities.

Correct

What might an attacker be trying to do by using the clearev command in Meterpreter?

The clearev command is a Meterpreter command used to clear the Windows Event Viewer logs. While you may be able to manipulate time stamps and log files in Meterpreter, you wouldn’t use the clearev command for that. The clearev command does not allow an attacker to log in remotely.

Correct

You find after you get access to a system that you are the user www-data. What might you try to do very shortly after getting access to the system?

When the Apache web server runs on a Linux system, it will commonly run as the user www-data. This is a privilege-restricted account that would prevent an attacker from doing much on the system. In order to do anything, like wiping log files or pivoting to another network, you would need to elevate privileges to administrative/root level. Exploiting the web browser wouldn’t be done in this context. A web server more than likely wouldn’t even have a web browser installed.

Correct

You’ve installed multiple files and processes on the compromised system. What should you also look at installing?

Attackers often install extra files and run extra processes on systems. These could easily be detected by manual investigation or, certainly, by automated detection tools. The way around that is to install a rootkit, which may include kernel-mode drivers or replacement system utilities that would hide the existence of these files and processes. Alternate data streams may be used to hide files but not processes. Registry keys could also hide files but not processes.

Correct

What does pivoting on a compromised system get you?

Pivoting is the process of using a compromised system to move onto other systems and networks within the target environment. Pivoting does not get you higher-level permissions or persistent access. You may ultimately get to a database server by pivoting, but that’s not what pivoting does or is specifically used for. It would be a nice side effect of pivoting.

Correct

What would you use the program rtgen for?

The program rtgen is a program that is part of the rcrack suite. rcrack is used to crack passwords with rainbow tables. It is used to generate the rainbow tables that rcrack will use to crack passwords. Rainbow tables are not wordlists but mappings of plaintext passwords to hashes, which makes it much easier to get passwords from hashes.

Correct

Which of these would be a way to exploit a client-side vulnerability?

Malformed packets could potentially cause a failure or trigger a vulnerability on the server side. Large ICMP packets aren’t likely to do anything and certainly wouldn’t exploit a client-side vulnerability. A brute-force password attack isn’t exploiting a vulnerability, even if it is an attack technique. Sending a crafted URL could potentially exploit a clientside vulnerability in a web browser.

Correct

What is one outcome from process injection?

Steganography is the process of hiding data inside of other data, such as media files like MP3s, WAVs, or video files. An alternate data stream is a secondary data stream attached to a filename in the NT file system. A rootkit can be used to hide processes. It may use process injection but wouldn’t be the outcome from process injection. When you inject into a process, you are putting executable operations you have created into the space of another executable. The end result could be an execution thread running your code without any new process name indicating it was running.

Correct

What tool would you use to compromise a system and then perform post-exploitation actions?

John the Ripper is used for cracking passwords, while nmap is used for port scanning. They could be part of the overall process of system compromise, but neither could be used to compromise a system, in spite of what it suggests in The Matrix. searchsploit is a program used to search a local exploit-db repository. Metasploit is an exploit framework that could be used to compromise a system. Once the system is compromised, Metasploit could then be used for post-exploitation actions using modules that come with it.

Correct

What application would be a common target for client-side exploits?

Of all of the options presented, only the web browser exists on the client side. By definition, the web server is on the server. A web application firewall is placed with the server to protect the server from Application layer attacks. Web pages are hosted on a web server. They are not a target for client-side exploits, though they would be used to carry out those attacks.

Correct

What are two advantages of using a rootkit?

A rootkit is a piece of malicious software that is used to accomplish several tasks. This may include hiding processes and files through the use of kernel-mode drivers or replaced system utilities. A rootkit may also provide a backdoor for attackers to maintain long-term access to the system after the initial compromise. None of the other answers are things that a rootkit does.

Correct

What could you use to obtain password hashes from a compromised system?

John the Ripper and Rainbow tables are tools for cracking passwords, not gathering or obtaining password hashes. Process dumping could possibly yield passwords associated with a certain process/application. However, you may not get password hashes, depending on how the passwords are maintained in memory. Process dumping is taking the memory space of a process and writing it out to disk for analysis. Mimikatz is a utility and Metasploit module that could be used to extract passwords from a compromised system.

Correct

In a botnet, what are the systems that tell individual bots what to do called?

C2 servers are command and control servers. These are servers that can be used to provide management and control of bots in a botnet. The communication may be IRC or HTTP, but not necessarily. The servers aren’t called that in a botnet anyway. ISC2 servers don’t exist.

Correct

What is the primary difference between a worm and a virus?

Both worms and viruses could be written to use polymorphic code, which means they could modify what they look like as they propagate. A worm, though, could self-propagate. It’s the one distinction between worms and viruses. Viruses require some intervention on the part of the user to propagate and execute.

Correct

What is one advantage of static analysis over dynamic analysis of malware?

Static analysis is looking at the properties of the executable file and evaluating the assembly language code without running the program. This will limit your exposure to infection, because if you do it right you aren’t running the program, which would infect you. Dynamic analysis is trustworthy, and malware can’t deploy if you don’t run it. Dynamic analysis is commonly done in virtual machines.

Correct

What would you use VirusTotal for?

VirusTotal takes dozens of antivirus engines and runs samples through them to identify what malware they might be. VirusTotal is a website, which means it can’t check your system for viruses and also can’t do any endpoint protection. While VirusTotal can identify the name given to a malware sample by different antivirus solutions, to find the research associated with that malware, you would need to check with the antivirus vendor.

Correct

What are two sections you would commonly find in a portable executable file?

PE files have multiple sections that you may find in an executable. Two that are very common, though, are .text and .data. The .text section includes all the executable code. The .data section includes all the predefined and initialized variables. The other sections listed in other answers aren’t sections of a PE file.

Correct

What could you use to generate your own malware?

Metasploit can be used to generate your own malware from one of the payload modules. Empire is another exploitation framework built around PowerShell. IDA Pro is a debugger and Rcconsole doesn’t exist.

Correct

What is the purpose of a packer for malware?

All programs that have been compiled are in binary. Even scripting languages are in binary by the time they hit the processor. Packers will make a program smaller, which was initially of some value when bandwidth wasn’t as ubiquitous, but a packer doesn’t do any compilation. A packer does not remove null characters. A packer can, however, obscure the actual program code because the only executable function is one designed to extract and decompress the real malware.

Correct

What is the primary purpose of polymorphic code for malware programs?

Polymorphic means many bodies, which means it has multiple looks. When a program has multiple looks, it can cause antivirus programs to misidentify it. Polymorphic code rewrites the program when it is copied or moved from one system or location to another. It isn’t more efficient and doesn’t help with propagation, though it could be part of the propagation process. It also doesn’t speed compilation.

Correct

What would be one reason not to write malware in Python?

Python interpreters may be considered slower to execute than a compiled program, but the difference is negligible and speed of execution generally isn’t much of a concern when it comes to malware. Python is not a hard language to learn, and there are a lot of community-developed libraries. One challenge, though, is that you may need a Python interpreter unless you go through the step of getting a Python compiler and compiling your script. Windows systems wouldn’t commonly have a Python interpreter installed.

Correct

What would you use Cuckoo Sandbox for?

Cuckoo Sandbox is a set of programs and infrastructure used to run malware and identify changes to the system that result. This means it is used for dynamic analysis of malware, not for static analysis. Because it’s automated, it’s not manual. Also, it’s used for analysis, not development.

Correct

If you wanted a tool that could help with both static and dynamic analysis of malware, which would you choose?

You need a tool that can perform disassembly if you are doing static analysis. Dynamic analysis can make use of disassembled executables, but the tool would need to also be able to execute the code. IDA is the only tool there that does both disassembly and execution. Cutter only does disassembly. PE Explorer does neither, and MalAlyzer doesn’t exist.

Correct

What is the purpose of using a disassembler?

An executable contains a set of binary values that the CPU will interpret as operation codes (opcodes) when the program is run. These binary values won’t generally mean much to people when they are bare. As a result, disassemblers are used to convert opcodes to mnemonics, which are short/abbreviated words that can let someone know what the opcode does.

Correct

What does the malware that is referred to as a dropper do?

A dropper downloads (drops) additional files, which may be malware. It doesn’t do any of the things mentioned in the other options.

Correct

Why would you use an encoder when you are creating malware using Metasploit?

An encoder is used to alter the look of an executable file. This alteration is done in order to prevent the antivirus program from recognizing the executable as malware. It doesn’t compile the malware and doesn’t evade user detection. A packer would be used to compress malware.

Correct

If you were to see the following command in someone’s history, what would you think had happened? msfvenom -i 5 -p windows/x64/shell_reverse_tcp -o program

The program msfvenom is used to convert a payload module from Metasploit into an executable program. The malware could potentially be used as part of a poison pill, which is a type of defensive tactic, but it’s hard to determine that just from the command line. While the malware is encoded as part of this process, it is not an existing piece of malware. This is not a way to start Metasploit, though msfvenom does make use of the Metasploit framework.

Correct

What is the difference between a virus and ransomware

This is a bit of a trick question. Ransomware may be a virus, which means it is a subset of the category virus. Ransomware may ask to be paid in Bitcoins, but it doesn’t include Bitcoins. Ransomware has been generated all over the world and viruses run on all operating systems.

Correct

Why would someone use a Trojan?

A Trojan, also called a Trojan horse, appears to be one thing but is, in fact, another. It can fool users into running the malware because they are expecting something else. A Trojan can’t evade antivirus if there is a signature that matches the executable. It doesn’t act as malware infrastructure, and while it may be polymorphic, that wouldn’t be why someone used a Trojan.

Correct

Which of these tools would be most beneficial when trying to dynamically analyze malware?

When you are trying to dynamically analyze malware, a debugger is useful because it allows you to run the malware and also control its execution. OllyDbg is the only debugger in that list. Cutter does disassembly but does not allow you to run the malware and control its execution.

Correct

Which of these would be a reason why it is best for communications to originate from inside the infected network?

The firewall may block inbound communications, which is why it’s better for the communication to originate from the inside. Either direction could be caught by intrusion detection. Virtual machines don’t factor in here, and antivirus could catch the malware regardless of which direction the traffic is going, since antivirus uses the executable file rather than the communication stream for detection.

Correct

Which hardware vendor uses the term SPAN on switches?

Different vendors use different terms to refer to port mirroring. Cisco uses the term Switch Port Analyzer (SPAN), which leads to the process sometimes being called port spanning.

Correct

If you saw the following command line, what would you be capturing? tcpdump -i eth2 host 192.168.10.5

The expression host 192.168.10.5 is BPF, indicating that tcpdump should only capture packets to and from 192.168.10.5. If you wanted to only get it to or from, you would need to modify host with src or dest.

Correct

In the following packet, what port is the source port? 20:45:55.272087 IP yazpistachio.lan.62882 > loft.lan.afs3-fileserver: Flags [P.], seq 915235445:915235528, ack 3437317287, win 2048, options [nop,nop,TS val 1310611430 ecr 1794010423], length 83

tcpdump uses the format hostname/IP.port when it prints an address. The addresses go source > destination, so yazpistachio.lan is the hostname and 62882 is the port on the source address.

Correct

What is one downside to running a default tcpdump without any parameters?

By default, tcpdump does name resolution. Not only does tcpdump look up port numbers and print their service names, it also triggers a DNS lookup. This DNS lookup is network traffic, which means that for most packets there is probably a DNS lookup request showing in the packet capture.

Correct

At which protocol layer does the Berkeley Packet Filter operate?

BPF operates at the Data Link layer. This allows filtering down to the MAC address. If BPF operated at other layers, you wouldn’t get the entire set of packet headers.

Correct

What do we call an ARP response without a corresponding ARP request?

When an ARP response is sent without a corresponding ARP request, it’s an unexpected or unnecessary message. This makes it a gratuitous ARP.

Correct

Which functionality in Wireshark will provide you with percentages for every protocol in the packet capture, ordered by protocol layers?

While conversations and endpoints are statistics you can get from Wireshark, the protocol hierarchy view shows a layered look at all the protocols in the capture, showing percentages for all of the protocols.

Correct

Which program would you use if you wanted to only print specific fields from the captured packet?

While tcpdump and tshark can both be used to capture packets, tshark gives you the ability to specify which fields you want to output. The other two options don’t exist.

Correct

The following shows a time stamp. What does the time of this message reflect? 630 41.897644 192.168.86.210 239.255.255.250 SSDP 750 NOTIFY * HTTP/1.1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]

By default, Wireshark shows a relative time since the start of the packet capture. You can change the field to show absolute time, such as the time of day or the time since 1970 (epoch time). However, that’s not what is shown.

Correct

What protocol is being used in the frame listed in this summary? 719 42.691135 157.240.19.26 192.168.86.26 TCP 1464 443 ? 61618 [ACK] Seq=4361 Ack=1276 Win=31232 Len=1398 TSval=3725556941 TSecr=1266252437 [TCP segment of a reassembled PDU]

After the frame number, time, source IP, and destination IP is the protocol. This frame shows TCP is the protocol in use.

Correct

What program could be used to perform spoofing attacks and also supports plug-ins?

arpspoof and Ettercap can both be used to perform ARP spoofing. Ettercap also supports other types of spoofing attacks and plug-ins. Sslstrip is a plug-in supported in Ettercap. Fragroute is a program that does something completely different.

Correct

What would you need to do before you could perform a DNS spoof attack?

A DNS spoofing attack requires that the program can see the DNS request in order to respond to it. This means there needs to be an ARP spoof in place so Ettercap (or another tool) can get the traffic on the network to get the DNS request to respond to.

Correct

Which command-line parameter would you use to disable name resolutions in tcpdump?

The -i flag indicates which interface you are going to listen on. The -n flag tells Wireshark to not do name resolution, leaving you with numeric values for the IP address and port number.

Correct

Why might you have more endpoints shown at layer 4 than at layer 2?

The number of MAC addresses can be smaller than the number of layer 3 addresses because multiple IP addresses could be associated with a single MAC address if the IP addresses are off network; the MAC address for those would be the gateway’s MAC address. If a system opens multiple connections to the same system, as may happen when rendering a web page, there would be multiple port combinations for the same IP source and destination.

Correct

What would you use sslstrip for?

Sslstrip is used to get plaintext traffic. It does not remove SSL requests, though it may be used to convert an HTTPS request to an HTTP request. It does not convert SSL to TLS or TLS to SSL, and there would be no particular advantage to either of those tasks.

Correct

Why might you have problems with sslstrip?

Sslstrip was released in 2009 and took advantage of problems in SSL. These problems not only existed in SSL but also continued through early versions of TLS. Newer versions of TLS don’t have the same issues, which means sslstrip won’t work with them.

Correct

What does the following line mean? Sequence number: 4361 (relative sequence number)

Wireshark presents a relative sequence number, which means the initial sequence number as far as Wireshark is concerned in presenting it to you is 1. The relative sequence number increments just as the real sequence number does. The real sequence number, which is a very large value, is hidden to make analysis easier.

Correct

What can you say about [TCP Segment Len: 35], as provided by Wireshark?

Anything you see in Wireshark that is in square brackets [] is something Wireshark has calculated or inferred. It is not something that has been extracted directly from the packet capture. Wireshark is helping with the packet analysis.

Correct

What problem does port spanning overcome?

Switches filter traffic by only sending traffic destined for the MAC address associated with the port to which the system that owns the MAC address is attached. Switches are reliable. They don’t support layer 3 as switches, though there are such things as multilayer switches that include routing functionality. Either way, that’s not something that port spanning overcomes. Switches may aggregate ports, but port spanning doesn’t have anything to do with that.

Correct

What is the /etc/ettercap/etter.dns file used for?

The ipchains/iptables command to turn on redirection for Ettercap is done in a different file. In the etter.dns file is the mapping of hostnames to IP addresses as well as other DNS resource records.

Correct

You get a phone call from someone telling you they are from the IRS and they are sending the police to your house now to arrest you unless you provide a method of payment immediately. What tactic is the caller using?

Biometrics is the use of a physical attribute to provide authentication. Smishing is using short message service (SMS/texting) to gather information from people. Rogue access isn’t really anything. Pretexting is coming up with a believable story that you can use when trying to perform a social engineering attack on someone.

Correct

You are working on a red-team engagement. Your team leader has asked you to use baiting as a way to get in. What are you being asked to do?

Baiting is leaving a lure out in order to gather targets. You could use USB sticks or CDs around as bait if they had software on them that would run and “infect” the target system in a way that would give you control over them. While all of the other options are related to social engineering, none of them is called baiting.

Correct

Which of the social engineering principles is in use when you see a line of people at a vendor booth at a security conference waiting to grab free USB sticks and CDs?

Social proof is in use when it appears to be okay to engage in a behavior because you see others engaging in it. When people see a line of others waiting to grab USB sticks, in spite of knowing they shouldn’t trust USB sticks, they may be inclined to lower their defenses. There is no reciprocity or authority here. There may eventually be scarcity, but that’s not what would drive people to stand in line to acquire a potentially dangerous item.

Correct

What is a viable approach to protecting against tailgaiting?

Biometrics and badge access are forms of physical access control. Phone verification could possibly be used as a way of verifying identity, but it won’t protect against tailgating. A man trap, however, will protect against tailgating because a man trap allows only one person in at a time.

Correct

Why would you use wireless social engineering?

Especially in enterprises, there is generally some authentication that happens. This could be in the form of a pre-shared key or a username/password combination. Either way, when you are using social engineering of wireless networks, you are probably attempting to gather credentials to gain access to sites. It’s unlikely you’d use this vector for sending phishing messages or getting email addresses, and it wouldn’t be used to make phone calls.

Correct

Which social engineering principle may allow a phony call from the help desk to be effective?

While you might be imitating someone, imitation is not a social engineering principle. Neither social proof nor scarcity are at play in this situation. However, if you are calling from the help desk, you may be considered to be in a position of authority.

Correct

Why would you use automated tools for social engineering attacks?

It’s debatable whether you get better control over outcomes executing your attacks manually. You would not be implementing social proof or demonstrating authority using an automated attack any more than if you did it manually. You would be reducing complexity, though, since doing it manually means you would be setting up and controlling multiple moving pieces. This gets to be complex, and the attack would fail if you didn’t get it just right.

Correct

What social engineering vector would you use if you wanted to gain access to a building?

Vishing and smishing are non-kinetic approaches to social engineering. Scarcity is not a social engineering vector. Impersonation is a social engineering vector and the one used to gain unauthorized access to a facility.

Correct

Which of these would be an example of pretexting?

If you sent an email posing as a former co-worker, you could be implementing a couple of different social engineering principles. Because you have a story and a means to collect information fraudulently, you are using pretexting. The other attacks are also social engineering, but they are not pretexting.

Correct

What tool could you use to clone a website?

wget is the only one of these options that is a legitimate program, and it can be used to clone a website.

Correct

What tool could you use to clone a website?

wget is the only one of these options that is a legitimate program, and it can be used to clone a website.

Correct

How would someone keep a baiting attack from being successful?

While some people do epoxy USB ports to prevent USB sticks from being inserted, it’s not a good approach and wouldn’t necessarily keep a baiting attack from working if the bait is a CD-ROM. Browsing the Internet is common and no longer doing that won’t protect you against baiting. Registry cloning isn’t really a thing in this context. Disabling autorun would keep any malicious software from running automatically from external devices.

Correct

What statistic are you more likely to be concerned about when thinking about implementing biometrics?

A false acceptance rate measures how often a biometric system allows unauthorized users access to a facility or area. A false failure (or reject) rate is inconvenient, and some organizations may consider that to be an issue, especially if it’s very high. However, a high false accept rate is probably more concerning because you are allowing people who are really unauthorized to have access. The other two are not statistics that are measured; though they correlate to the others, they are not called false positive rate or false negative rate.

Correct

Which of these forms of biometrics is least likely to give a high true accept rate while minimizing false reject rates?

Voiceprint identification is the least reliable of these options. As a result, it would be the most likely to give you a high false reject rate, which would lower the true accept rate.

Correct

What attack can a proximity card be susceptible to?

A proximity card could enable tailgating, but it’s not the only thing—a key could enable tailgating as well. Technically, it’s not the card that allows tailgating anyway. It’s the way the doors are configured and implemented. Phishing is unrelated, and technically, credential theft is as well. Proximity cards, particularly if they use RFID tags, are susceptible to cloning.

Correct

Which form of biometrics scans a pattern in the area of the eye around the pupil?

While the retina and the uvea are also parts of the eye, neither of them encloses the pupil and can be used as a means of identification. Fingerprints are not part of the eye.

Correct

What would the result of a high false failure rate be?

A false acceptance rate would be allowing unauthorized people in. If you are an authorized person but your biometric scanner isn’t working reliably and rejects you, you may need to call security or someone else to let you into the building. Neither of the other two would be a result of a high false failure rate. They may be solutions to other problems, but not a high false failure rate.

Correct

You’ve received a text message from an unknown number that is only five digits long. It doesn’t have any text, just a URL. What might this be an example of?

Smishing is short message phishing, which means someone is sending a text message, attempting to fraudulently gather information. Vishing is a phone call (voice). Phishing can be an overall term but commonly refers to email. Impersonation is more of a physical approach.

Correct

What is an advantage of a phone call over a phishing email?

Pretexting can work over email just as well as via a phone call. It may be more common for people to have email than a phone, especially a company-owned landline. Phishing attacks are very successful, which is why they are so commonly used. With a phone call, though, you could go into more detail and address questions or concerns as they arise. You could include additional layers that you couldn’t with an email since you could never be sure if your email was read, or deleted, or caught in a filter.

Correct

What is the web page you may be presented with when connecting to a wireless access point, especially in a public place?

The captive portal is the page that is opened when you connect to a public access point. None of the other answers are real things.

Correct

What tool could you use to generate email attacks as well as wireless attacks?

You may end up with a Meterpreter interface to a remote system, but it wouldn’t be used to generate the attacks. wifiphisher is only used for Wi-Fi–based attacks and Social Automator doesn’t exist. The Social-Engineer Toolkit (SE Toolkit) could be used to automate email attacks as well as wireless attacks.

Correct

What are the two types of wireless networks?

An infrastructure wireless network is one that uses an access point. An ad hoc wireless network is one organized by the participants. These are the two types of wireless networks. Star, ring, bus, and hybrid are all wired topologies.

Correct

How many stages are used in the WPA handshake?

There are four stages used in a WPA handshake. This four-stage process is used to derive the key and agree on capabilities.

Correct

What mode has to be enabled on a network interface to allow all headers in wireless traffic to be captured?

Promiscuous mode is used on network interfaces to collect frames that are not destined for the network interface. This is insufficient on a wireless network because the radio headers are not captured. To capture radio headers, monitor mode needs to be enabled in addition to the promiscuous mode that will always be set to get all frames and all information from the frame. Only monitor mode gives the radio headers.

Correct

What wireless attack would you use to take a known piece of information in order to be able to decrypt wireless traffic?

Sniffing can be used to collect information that may be needed to launch wireless attacks. A deauthentication attack can be used to force a station to generate traffic. An evil twin attack uses a rogue access point to pretend to be a legitimate network. In order to decrypt network traffic, you would need the key. One way to get the key is to reuse information from network traffic that generated a known key. This is a key reinstallation attack.

Correct

What is the purpose of performing a Bluetooth scan?

Bluetooth doesn’t use ports. While profiles are important, you get the profile capabilities during the pairing process. Just performing a scan won’t get you a list of supported profiles. While you should be able to identify vendors as part of the process of running a Bluetooth scan, it’s not the purpose of the scan. The purpose is to identify endpoints and their associated addresses so you can run other attacks on them.

Correct

What is the purpose of a deauthentication attack?

The purpose of a deauthentication attack is to force stations to reauthenticate. This allows the attacker to collect information from the authentication and handshake. This information could be used later to potentially derive the key, as in WEP transmissions. A deauthentication attack doesn’t disable stations. There is no way to reduce the number of steps in a handshake, and downgrading encryption is considerably harder, if it’s possible at all.

Correct

What is the policy that allows people to use their own smartphones on the enterprise network?

Bring your own device (BYOD) is a policy that allows employees to use their own devices on an enterprise network. This opens the door to the potential for attacks from unknown and unexpected devices. None of the other answers are real things.

Correct

What part of the encryption process was weak in WEP?

The initialization vector is a random value that seeds the key used for encryption and decryption. In WEP, the algorithm specified for the initialization vector yielded nonrandom, predictable values. While the initialization vector is part of keying, it’s not the keying itself that was weak. Seeding vector is not a real thing, and Diffie-Hellman is a process used to derive and exchange keys securely. It’s not part of WEP.

Correct

What is the four-stage handshake used for?

The four-stage handshake is used to authenticate stations against wireless networks. As part of the handshake, encryption keys are generated. Keys are derived on both sides of the transaction rather than being exchanged directly. This is handled during the four-way handshake. Keys are not passed. Messages can’t be encrypted until the four-way handshake is complete and the keys are generated. There is no such thing as initialization seeding.

Correct

What is the SSID used for?

The service set identifier (SSID) is used to identify a network. It is the name of the network you would select when you were trying to connect to a network. The SSID is not the MAC address, and it has nothing to do with keys or encryption.

Correct

What kind of access point is being used in an evil twin attack?

Ad hoc and infrastructure are types of wireless networks. Only infrastructure uses access points, but infrastructure is not a type of access point. WPA is an encryption protocol. A rogue access point, meaning one that isn’t legitimate, is used in an evil twin attack by pretending to be a legitimate access point.

Correct

How does an evil twin attack work?

An evil twin attack uses an access point masquerading as the point of connection for stations trying to connect to a legitimate wireless network. Stations reach out to make connections to this access point masquerading as another access point. While you may phish for credentials as part of an evil twin attack, credential phishing is not how evil twin attacks work. SSIDs don’t get changed as part of an evil twin attack, meaning no SSID that exists will become another SSID. Injecting four-way handshakes won’t do much, since fourway assumes both ends are communicating, so the injection of a full communication stream will get ignored.

Correct

What method might you use to successfully get malware onto a mobile device?

The Apple App Store and the Google Play Store are controlled by Apple and Google. It’s not impossible to get malware onto mobile devices through them, but it’s very difficult because apps get run through a vetting process. While some Android devices will support external storage, it’s not an effective way to get malware onto a smartphone or other mobile device. Jailbreaking can lead to malware being installed, but it’s not the means to get malware onto a mobile device. Third-party app stores can be a good means to get malware onto mobile devices because some third-party app stores don’t vet apps that are submitted.

Correct

What would you use a bluebugging attack for?

A bluebugging attack is used to gain access to a smartphone in order to initiate a call out to the attacker’s phone. This allows the attacker to listen to anything happening around the phone owner. Scanning is used to identify Bluetooth devices nearby. There is no particular attack used to enable a phone’s camera. Gathering data from a target device or system is bluesnarfing.

Correct

What would a signal range for a Bluetooth device commonly be?

While there are Bluetooth devices that will transmit much further, a common range is about 300 feet (100 meters) for Bluetooth 4.0.

Correct

What tool could you use to enable sniffing on your wireless network to acquire all headers?

Tcpdump can be used to capture frames/packets. Ettercap is used for captures and spoofing attacks. Neither can capture all headers, including radio headers in a wireless network. The package aircrack-ng includes the program airmon-ng, which can turn on monitor mode on a network interface. The program aircrack-ng itself cannot do that.

Correct

Why is bluesnarfing potentially more dangerous than bluejacking from the standpoint of the victim?

Bluesnarfing is an attack that connects to a Bluetooth device in order to grab data from that device. Bluesnarfing sends data to the attacker. Bluejacking can be used to send information to a Bluetooth device, such as a text message. Neither of these attacks install keyloggers.

Correct

What tool would allow you to run an evil twin attack?

Wireshark is used to capture packets/frames from a network. Ettercap is used for spoofing attacks. The program aircrack-ng can be used to crack wireless keys. Wifiphisher, though, can be used to set up an evil twin attack.

Correct

What types of authentication are allowed in a WPA-encrypted network?

WPA supports both Personal and Enterprise authentication. Personal authentication makes use of a pre-shared key, while Enterprise authentication uses usernames and passwords to authenticate specific users, providing accounting and access control, meaning we know exactly who has connected to the network.

Correct

What wouldn’t you see when you capture wireless traffic that includes radio headers?

Radio headers in a wireless network will provide you with the capabilities of the devices, since that’s negotiated during the association process. You will also see probe requests asking what networks are in the area, including specific networks that a station knows about. These requests will include the SSID. The responses will also include the SSID. You will not get the network type in the headers.

Correct

What protocol is used for a Smurf attack?

While DNS is also used for amplification attacks, Smurf attacks are a result of someone sending ICMP echo requests to the broadcast address of a network. The echo responses would be sent to the address in the source of the request, which would be spoofed. If enough systems respond, the volume of responses can overwhelm the target system.

Correct

If you were to see ' or 1=1; in a packet capture, what would you expect was happening?

An SQL injection attack makes use of SQL queries, which can include logic that may alter the flow of the application. In the example provided, the intent is to force the result of the SQL query to always return a true. It is quoted the way it is to escape the existing query already in place in the application. None of the other attacks use a syntax that looks like the example.

Correct

Which protocol is commonly used for amplification attacks?

Because TCP uses a three-way handshake, spoofing like that needed in amplification is very difficult. SMTP also uses TCP. XML is used for data structure and presentation. DNS is often used for modern amplification attacks.

Correct

What is the purpose of a SYN flood?

A SYN flood takes advantage of the three-way handshake. A SYN message alone will consume a connection buffer at the operating system. Until the operating system has passed the three-way handshake, the request won’t make it to the web server at the Application layer. SYN is not a header flag used with UDP.

Correct

How does a slowloris attack work?

A slowloris attack is used to hold open connection buffers at the web server. Enough of these requests will consume all of the possible connections for the web server. The Application layer doesn’t factor in here because there are no connection buffers at the Application layer. Web servers don’t use UDP for HTTP requests, and slowloris is an attack against a web server.

Correct

What would be the result of sending the string AAAAAAAAAAAAAAAAA into a variable that has been allocated space for 8 bytes?

Heap spraying uses dynamically allocated space to store attack code. A slowloris attack is used to hold open web server connection buffers. An SQL injection will be used to inject SQL queries to the database server. A buffer overflow sends more data than space has been allocated for into the application.

Correct

What is the target of a cross-site scripting attack?

A cross-site scripting attack uses a scripting language to run in the browser. Since the browser is with the user, ultimately the attack targets the user, even if the injection code is stored in a database server.

Correct

If you were to see the following in a packet capture, what would you think was happening? <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>

Cross-site scripting attacks usually use JavaScript or perhaps VBScript. SQL injection uses SQL. Command injection uses operating system commands. The fragment shows XML using an external entity. This is, then, an XML external entity injection.

Correct

What protection could be used to prevent an SQL injection attack?

SQL injection attacks take data injected from the user/attacker. Any data sent in from a user should always be validated before being acted on. Nothing coming in from a user should be trusted. None of the other answers could be used to prevent an SQL injection attack.

Correct

What security element would be a crucial part of a defense in depth network design?

A defense in depth network design makes use of multiple prevention layers to make breaching the inside of the network quite a bit harder. A SIEM is used to collect and correlate intelligence and log data. A web application firewall protects against Application layer attacks. A log management system is just what it says. A firewall, though, is commonly used in a defense in depth network design.

Correct

What does a defense in breadth approach add?

Defense in breadth starts with defense in depth and takes a broader range of attack strategies into consideration. Defense in breadth doesn’t necessarily protect against SQL injection and probably doesn’t protect against buffer overflows or heap spraying attacks. Those protections may possibly be achieved, but ultimately defense in breadth would achieve them by taking a broader range of attacks into consideration.

Correct

What attack injects code into dynamically allocated memory?

A buffer overflow attack is an attack against data in the stack, which is known about at compile time and, as a result, is not dynamic. Cross-site scripting attacks and slowloris attacks don’t inject code into memory. A heap spraying attack, though, injects code into the heap, which is where dynamically allocated memory is taken from.

Correct

If you were to see the following in a packet capture, what attack would you expect is happening? %3Cscript%3Ealert('wubble');%3C/script%3E

A buffer overflow takes an excess amount of data and tries to store it into a memory location that can’t accommodate it. An SQL injection attack uses SQL. Command injection attacks use operating system commands. A cross-site scripting attack uses a scripting language such as JavaScript or VBScript. The script is injected using a <script> HTML tag, and the %3C is a way of encoding < while %3E is a way of encoding >. This means %3Cscript%3E would be decoded to <script>.

Correct

What has been done to the following string? %3Cscript%3Ealert('wubble');%3C/script%3E

Base64 encoding takes non-printable characters and encodes them in a way that they can be rendered in text. Encryption would generally render text unreadable to people. A cryptographic hash is a way of generating a fixed-length value. URL encoding takes text and uses hexadecimal values to represent the characters. This is text that has been converted into hexadecimal so they can be used in a URL.

Correct

What technique does a slow read attack use?

A slowloris attack uses small HTTP requests to hold open a web server’s available connections. There are attacks that use body requests in a slow fashion. However, a slow read attack tries to download a file in very small increments to keep a web server from serving legitimate requests.

Correct

What element could be used to facilitate log collection, aggregation, and correlation?

While a firewall and an IDS will generate logs, they don’t collect them. A log manager will collect logs and perhaps aggregate them, but it probably doesn’t correlate log messages. A SIEM, though, will consume logs, aggregate them, and correlate them.

Correct

What is the target of a command injection attack?

A command injection sends operating system commands into a web application so they can be run by the operating system. The web server (meaning the web server application) is not the target of the command injection, nor is the database server or the user.

Correct

What would the Low Orbit Ion Cannon be used for?

The Low Orbit Ion Cannon is a .NET-based application used to launch denial of service attacks. It is not used for log management or SQL injection attacks, nor is it used for buffer overflows.

Correct

What could you use to inform a defensive strategy?

SIEM output is useful and may have some value in understanding current attacks. The same is true with logs and intrusion detection systems. However, the attack life cycle is a structured way to understand how attacks happen in order to better inform a defensive strategy so controls can be implemented for each of the phases of the attack.

Correct

What information does a buffer overflow intend to control?

The stack pointer indicates where the stack is in memory. The frame pointer indicates which part of the stack is being used for the current frame. There is no buffer pointer from the perspective of the operating system, though applications do use pointers and they do point to buffers. An instruction pointer tells the processor where the next instruction to be executed is. Controlling this piece of information can allow the attacker to control the execution flow of the program.

Correct

With a rotation of 4, what does erwaiv decrypt to?

This is a rotation cipher with a key of 4. When you rotate the alphabet by 4, you end up with e = a, r = n, w = s, and so on. In addition to not being the right decryption, none of the others have the correct number of letters. In a substitution cipher like a rotation cipher, you will always have the same number of letters in the output as you do in the input.

Correct

What do you call a message before it is encrypted?

In cryptography, any data or message that is in an unencrypted state is called plaintext. The output from a cryptographic process is ciphertext. While you may have text as input to an encryption process, the word text would be ambiguous in this context. The other two are unrelated to cryptography.

Correct

What does PGP use to verify identity?

Where certificate authorities use a centralized mechanism for verification of users or certificate subjects, PGP uses a decentralized model. PGP calls this a web of trust, where individual users sign keys that belong to other people to validate that they are who they say they are. All of the other answers are made-up terms.

Correct

What principle is used to demonstrate that a signed message came from the owner of the key that signed it?

Integrity is part of the CIA triad but isn’t the principle that ties a signed message back to the subject of the signing certificate. Non-verifiability is nonsense, and authority isn’t relevant here. Instead, non-repudiation means someone can’t say they didn’t send a message if it was signed with their key. This assumes the key was in their possession and password protected, meaning no one else could use it.

Correct

What is Diffie-Hellman used for?

Certificates can be revoked but that’s not what Diffie-Hellman is used for. Key management is a much broader topic than key exchange, which is what Diffie-Hellman is used for. It is a process that allows two parties to an encrypted conversation to mutually derive the same key starting with the same base value.

Correct

How did 3DES improve on DES?

3DES, or Triple DES, uses three keys. The first key is used to encrypt the plaintext. The second key is used to decrypt the ciphertext resulting from the first round of encryption. Finally, the third key is used to encrypt the ciphertext that resulted from the decryption with the second key. The key wasn’t made longer because the 168 bits used in 3DES aren’t used in a single key. The underlying DES algorithm is still used.

Correct

What improvement does elliptic curve cryptography make?

Algorithms used for elliptic curve cryptography are not more complex, necessarily. While they don’t use factoring, that fact alone doesn’t necessarily make the algorithms better. Instead, elliptic curve cryptography relies on the assumption that determining a discrete logarithm of a point on an elliptic curve can’t be computed in a consistent way. The keys that result from elliptic key cryptography are actually smaller than those that result from factoring with large prime numbers.

Correct

What is it called when two different data sets yield the same cryptographic hash?

When two different data sets yield the same cryptographic hash, it is called a collision. It relates to a mathematical problem called the birthday paradox, but two values being the same is not a paradox. It’s also not unrealistic, nor is it a crash.

Correct

Which of the following terms can be used in a description of asymmetric key encryption?

Asymmetric key cryptography uses two related keys. One key is used for encryption and one is used for decryption. These keys are referred to as the public and private key. Because it’s the public key that is used to encrypt messages to the owner of the paired private key, this type of encryption is commonly referred to as public key cryptography. It is neither single factor nor multifactor since it’s not authentication.

Correct

If Alice were to send an email to Bob, what key would she use to encrypt the message?

Public key cryptography works because the public key can be provided to anyone. The only thing you can do with the public key is encrypt a message that could be decrypted by the matched private key. This process uses asymmetric encryption, so it’s not a symmetric key. The private key has to be with the owner of the key and protected. If that key gets out, any messages encrypted to the owner by the public key could be decrypted. PGP uses public/private keys and does not have its own type of key.

Correct

What property allows you to trust someone trusted by a certificate authority you trust?

What this says is that if A trusts B and B trusts C, then A can trust C. This is an application of the transitive property. The commutative and associative properties are both also mathematical principles. There is no such thing as a communicative property.

Correct

Why is symmetric key encryption typically used over asymmetric key encryption?

Symmetric key encryption is generally used instead of asymmetric key encryption because symmetric key encryption uses shorter keys and fewer resources, resulting in shorter times for encryption and decryption. This does not make it more secure, even if that word were to be defined in this context. Symmetric key is not easier to implement and asymmetric key is not encumbered with patents, which is why C and D are wrong.

Correct

What is it called when both symmetric and asymmetric keys are used?

When both symmetric and asymmetric keys are used, typically where the asymmetric key is used to protect the symmetric key, it is called a hybrid cryptosystem. The other options don’t exist.

Correct

What is MD5 or SHA-1 commonly used for in cryptography?

Media access control (MAC) is an address attached to physical network interfaces. The correct answer is message authentication code because SHA-1 and MD-5 are used as message authentication codes to ensure that a message has not been tampered with. This means it is being authenticated.

Correct

What type of encryption does PGP use?

PGP uses public and private keys. The public key is stored in a public place like a key repository. Since there are two keys, PGP uses asymmetric key encryption, sometimes known as public key encryption.

Correct

Which of the security triad properties does the Biba security model relate to?

The Biba security model covers data integrity. While other models cover confidentiality, none of them cover availability.

Correct

How many tiers are there in an n-tier application design?

An n-tier application, sometimes called a multitier application, can have as many tiers as necessary. While you may think there are three, there could be more tiers than that, depending on how the application is designed.

Correct

What type of database may JSON be most likely to represent?

JavaScript Object Notation (JSON) uses keys and values to store data. While you could theoretically represent a relational database in JSON, it wouldn’t be the most efficient. SQL is a language used to query relational databases, and document-based databases may be more likely to use other document types to store data.

Correct

How many functions are specified by NIST’s cybersecurity framework?

The NIST cybersecurity framework specifies five functions: identify, protect, detect, response, recover.

Correct

How many steps in the ISO 27001 cycle?

The ISO 27001 specification takes a different approach than NIST’s cybersecurity framework. ISO 27001 specifies Plan, Do, Act, Check, which is four steps.

Correct

What is the highest level of classification used by the U.S. government?

The highest level of classification used by the US government is top secret. Confidential and restricted are lower levels, and eyes only is not a classification used by the U.S. government.

Correct

Which of these is microservices a specific implementation of?

Micro Channel architecture is a specification for peripherals to interact with hardware systems that was proposed and implemented by IBM in the 1990s. Service-oriented architecture is an older concept that has been revived, to a degree, by microservices. The other answers are not things that exist.

Correct

What is an application referred to if it is only using AWS Lambda functions?

Infrastructure as a service is a cloud-based offering where companies may just acquire servers they can use for their infrastructure. Service oriented is a way of potentially designing applications. Everything in AWS is virtualized. This leaves serverless. Lambda functions don’t require the provisioning of servers to support them. All processing of the function and its data is handled by AWS infrastructure.

Correct

What does the Clark-Wilson model use to refer to objects?

The Clark-Wilson Integrity Model specifies Constrained Data Items (CDIs) and Unconstrained Data Items (UDIs) that are used when identifying and implementing rules. The other answers either don’t exist or refer to things that are not related to information security.

Correct

What type of application virtualization would you use without going all the way to using a hypervisor?

Emulation is where applications may be run on a processor they were not compiled for so the operation codes are emulated. AWS is Amazon Web Services, which can offer application virtualization services but is not a type of application virtualization. Paravirtualization is partial virtualization. Containers are a way of isolating applications without using full virtual machines on a hypervisor.

Correct

What is the first function specified by NIST in its cybersecurity framework?

The Five Functions designated by NIST are Identify, Protect, Detect, Respond, and Recover. You can’t do any of the other functions until you have been through Identify, which defines business needs and essential assets for the business.

Correct

What is a common middle tier in an n-tier application design?

Commonly, you will see the following in an n-tier application design as core features: browser, application server, database server. There may also be security functions and load balancers as well as a web server in front of the application server. When you focus just on the core, though, the application server is in the middle of the architecture.

Correct

What is a common open-source relational database server that may be used in web applications?

MongoDB is a NoSQL server that is not relational. SQL Server is ambiguous but could refer to Microsoft SQL Server, which is not open-source. Oracle is a company that owns relational database servers, including MySQL, but only MySQL is open-source.

Correct

Which of the following is true about the Bell-LaPadula Simple Security Property?

The Bell-LaPadula Simple Security Property says a subject cannot read an object at a higher level than the subject. None of the other answers are correct.

Correct

What are the phases of the ISO 27001 cycle?

Some of the answers here mingle the five functions from NIST with the phases of the ISO 27001 cycle. The only option that has only ISO 27001 phases is D, and those are Plan, Do, Check, and Act.