1. A vendor is alerted of a newly discovered flaw in its software that presents a major vulnerability to systems. While working to prepare a fix action, the vendor releases a notice alerting the community of the discovered flaw and providing best practices to follow until the patch is available. Which of the following best describes the discovered flaw?
Zero day means there has been no time to work on a solution. The bad thing is that the discovery by security personnel of the existing vulnerability doesn’t mean it just magically popped up—it means it has been there without the good guys’ knowledge and could have already been exploited.
2. A security professional applies encryption methods to communication channels. Which security control role is she attempting to meet?
Controls are commonly categorized by function as preventive, detective, or corrective. Encrypting a communication channel is designed to stop unauthorized eyes from reading the data, so it is most definitely preventive in nature. Encryption by itself provides confidentiality; nonrepudiation comes from digital signatures, not from encrypting the channel.
3. Bob is working with senior management to identify the systems and processes that are critical for operations. As part of this business impact assessment, he performs calculations on various systems to place value on them. On a certain server he discovers the following:
The server costs $2500 to purchase.
The server typically fails once every five years.
Salary for the repair technician for a server failure is at $40 hourly, and it typically takes two hours to fully restore a failure.
The accounting group has five employees paid at $25 an hour who are at a standstill during an outage.
What is the ALE for the server?
ALE = ARO × SLE. The annual rate of occurrence (ARO) is how often the loss is expected per year: 1 failure / 5 years = 0.2. The single loss expectancy (SLE) is the cost of one failure: $80 for the repair technician (2 hours × $40) + $250 for the idle accounting staff (5 employees × $25 × 2 hours) + $2500 to replace the server = $2830. ALE = 0.2 × $2830, so the ALE for this server is $566.
4. You’ve discovered a certain application in your environment that has proven to contain vulnerabilities. Which of the following actions best describes avoiding the risk?
Removing the software or service that contains a vulnerability is described as avoiding the risk—if it’s not there to be exploited, there’s no risk.
5. James is a member of a pen test team newly hired to test a bank’s security. He begins searching for IP addresses the bank may own, using public records on the Internet, and also looks up news articles and job postings to discover information that may be valuable. What phase of the pen test is James working?
The pre-attack phase (a.k.a. the preparation phase) is where all this activity takes place—including the passive information gathering performed by James in this example. This would be followed by the attack and post-attack phases.
6. Enacted in 2002, this U.S. law requires every federal agency to implement information security programs, including significant reporting on compliance and accreditation. Which of the following is the best choice for this definition?
FISMA has been around since 2002 and was updated in 2014. It assigned information security responsibilities to NIST (standards and guidelines), OMB (oversight of agency programs) and other government agencies, and the 2014 update gave the Department of Homeland Security (DHS) the authority to administer the implementation of those security policies across federal civilian agencies.
7. Which of the following is true regarding MX records?
MX records carry a preference number that tells the SMTP client the order in which to try (and retry) the listed mail exchangers until a delivery attempt succeeds. The smallest preference number has the highest priority, and the server (or servers) with the smallest preference number must be tried first. If several MX records share the same preference number, the client picks among them randomly and must try all of them before moving on to the next higher preference number.
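The ordering rule above, as an added example that is not part of the original page. The MX record set is constructed for an imaginary zone, and "reachable" is a stand-in for an actual connection to port 25; the code shows that both equal-preference hosts are exhausted before the next preference value is tried.

```python
import random
from collections import defaultdict

# Constructed MX record set for an imaginary zone (not from the page).
# Each entry is (preference, exchange host), as a DNS lookup would return.
MX_RECORDS = [
    (20, "mail3.example.test"),
    (10, "mail1.example.test"),
    (50, "backup.example.test"),
    (10, "mail2.example.test"),
]


def delivery_order(records, rng=None):
    """Order exchanges the way an SMTP client must try them.

    Lowest preference first; hosts sharing a preference form a group whose
    internal order is random, and the whole group is exhausted before the
    next higher preference value is tried.
    """
    rng = rng if rng is not None else random.Random()
    groups = defaultdict(list)
    for preference, host in records:
        groups[preference].append(host)
    ordered = []
    for preference in sorted(groups):
        group = list(groups[preference])
        rng.shuffle(group)  # equal preference: no fixed order between them
        ordered.extend(group)
    return ordered


def attempt_delivery(records, reachable, rng=None):
    """Walk the ordered list until a reachable exchange accepts.

    `reachable` is the constructed set of hosts that would answer on port 25.
    Returns the host that accepted (or None) and the hosts tried, in order.
    """
    tried = []
    for host in delivery_order(records, rng):
        tried.append(host)
        if host in reachable:
            return host, tried
    return None, tried


if __name__ == "__main__":
    accepted, tried = attempt_delivery(MX_RECORDS, {"mail3.example.test"})
    print("tried:", tried)
    print("accepted by:", accepted)
```

With only mail3 reachable, both preference-10 hosts are tried (in either order) before mail3 accepts, and the preference-50 backup is never contacted.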
8. Which Google operator is the best choice in searching for a particular string in the website’s title?
Google hacking refers to manipulating a search string with additional specific operators to search for valuable information. The intitle: operator will return websites with a particular string in their title. Website titles contain all sorts of things, from legitimate descriptions of the page or author information to a list of words useful for a search engine.
9. An ethical hacker begins by visiting the target’s website and then peruses social networking sites and job boards looking for information and building a profile on the organization. Which of the following best describes this effort?
This effort is best described as footprinting (reconnaissance): passively gathering information about the target from publicly available sources such as its website, social networking sites and job boards to build a profile of the organization before any active probing of its systems begins.
10. Internet attackers—whether State sponsored or otherwise—often discover vulnerabilities in a service or product but keep the information quiet and to themselves, ensuring the vendor is unaware of the vulnerability, until the attackers are ready to launch an exploit. Which of the following best describes this?
A zero-day attack is one carried out on a vulnerability the good guys didn't even know existed. The true horror of these attacks is that you do not know about the vulnerability until it's far too late.
11. The organization has a DNS server out in the DMZ and a second one internal to the network. Which of the following best describes this DNS configuration?
Split DNS is recommended virtually everywhere. Internal hosts may need to resolve every internal name, but external hosts do not. Keep internal DNS records separate from the external zone: an Internet-facing server that also answers for internal names hands anyone outside your organization a map of your network.
12. Search engines assist users in finding the information they want on the Internet. Which of the following is known as the hacker’s search engine, explicitly allowing you to find specific types of computers (for example, routers or servers) connected to the Internet?
Shodan allows users to search for very specific types of hosts, which can be very helpful to attackers—ethical or not.
13. Which of the following methods correctly performs banner grabbing with Telnet on a Windows system?
Telnetting to port 80 and typing an HTTP request (HEAD / HTTP/1.0 followed by two Enters) will generally pull a banner from a web server. You can telnet to any port you want to check and ideally pull a banner from whatever service is listening there; port 80 just seems to be the one used on the exam the most. On current Windows versions the Telnet client is an optional feature that has to be enabled before telnet.exe is available.
14. Which TCP flag instructs the recipient to ignore buffering constraints and immediately send all data?
It really does sound like an urgent request, but the PSH flag is designed for this scenario: it tells the receiver to push the buffered data up to the application immediately rather than wait for the buffer to fill. URG only marks part of the segment as out-of-band data via the urgent pointer; it does not flush the buffer.
15. Which of the following correctly describes the TCP three-way handshake?
This is bedrock knowledge you should already have memorized from networking 101 classes. TCP starts a communication with a synchronize packet (with the SYN flag set). The recipient acknowledges this by sending both the SYN and ACK flags. Finally, the originator acknowledges communications can begin with an ACK packet.
16. You are examining results of a SYN scan. A port returns a RST/ACK. What does this mean?
Think about a TCP handshake—SYN, SYN/ACK, ACK—and then read this question again. Easy, right? In a SYN scan, an open port is going to respond with a SYN/ACK, and a closed one is going to respond with a RST/ACK.
17. You want to run a reliable scan but remain as stealthy as possible. Which of the following nmap commands accomplishes your goal best?
A full-connect scan would probably be the most reliable, provided you run it slowly, but it completes the handshake and is therefore the most likely to be logged by the target application. Given the choices, a half-open (SYN) scan, as defined by this nmap command line (the -sS option), is the best remaining option.
18. You are examining a host with an IP address of 65.93.24.42/20, and you want to determine the broadcast address for the subnet. Which of the following is the correct broadcast address for the subnet?
If you view the address 65.93.24.42 in binary, it looks like this: 01000001.01011101.00011000.00101010. The subnet mask given (/20) tells us only the first 20 bits count as the network ID (which cannot change if we are to stay in the same subnet), and the remaining 12 bits belong to the host. Turning off all the host bits (after the 20th) gives us our network ID: 01000001.01011101.00010000.00000000 (65.93.16.0/20). Turning on all the host bits gives us our broadcast address: 01000001.01011101.00011111.11111111 (65.93.31.255).
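The same bit walk in code, as an added example that is not part of the original page. It computes the mask, network and broadcast addresses with explicit bit operations (so the method matches the by-hand binary) and cross-checks the result against the standard library; it also covers the /31 and /32 edge cases, where there are no host bits to speak of.

```python
import ipaddress


def subnet_bounds(cidr):
    """Network, broadcast and mask for an IPv4 host address given in CIDR form."""
    host, prefix_text = cidr.split("/")
    prefix = int(prefix_text)
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    addr = int(ipaddress.IPv4Address(host))
    # Prefix bits on, host bits off: 0xFFFFF000 for a /20.
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    network = addr & mask                       # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)  # host bits set
    # Cross-check against the standard library; strict=False lets a host
    # address stand for its subnet instead of raising.
    ref = ipaddress.ip_network(cidr, strict=False)
    if int(ref.network_address) != network or int(ref.broadcast_address) != broadcast:
        raise RuntimeError("bit arithmetic disagrees with ipaddress module")
    # /31 (point-to-point) and /32 (single host) have no reserved addresses.
    usable = ref.num_addresses if prefix >= 31 else ref.num_addresses - 2
    return {
        "network": str(ipaddress.IPv4Address(network)),
        "broadcast": str(ipaddress.IPv4Address(broadcast)),
        "mask": str(ipaddress.IPv4Address(mask)),
        "usable_hosts": usable,
    }


def dotted_binary(address):
    """Render a dotted-quad address as four 8-bit binary groups."""
    return ".".join(f"{octet:08b}" for octet in ipaddress.IPv4Address(address).packed)


if __name__ == "__main__":
    target = "65.93.24.42/20"
    print(dotted_binary(target.split("/")[0]))
    for key, value in subnet_bounds(target).items():
        print(f"{key:>12}: {value}")
```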
19. Angie captures traffic using Wireshark. Which filter should she apply to see only packets sent from 184.108.40.206?
The ip.src == x.x.x.x display filter tells Wireshark to show only those packets with the IP address x.x.x.x in the source field. By contrast, ip.addr == x.x.x.x would also match packets sent to that host, and ip.dst only those sent to it.
20. A systems administrator notices log entries from a host named MATTSYS (220.127.116.11) are not showing up on the syslog server (18.104.22.168). Which of the following Wireshark filters would show any attempted syslog communications from the machine to the syslog server?
This Wireshark filter, ip.src == <MATTSYS address> && udp.dstport == 514, basically says, "Show all packets coming from MATTSYS with a destination port matching syslog (which is, by default, UDP 514)." If nothing matches, MATTSYS is not sending at all; if packets appear but never reach the server, the problem is on the path between them.
21. What does the following Snort rule accomplish?
alert tcp any any -> any 23 (msg:"Telnet Connection Attempt";)
This rule alerts on attempted Telnet connections in one direction only. Read the header left to right: any source IP address on any source port, connecting (->) to any destination IP address on TCP port 23, generates the message "Telnet Connection Attempt." Traffic coming back from port 23 does not match; the bidirectional operator <> would be needed for that. Because the destination is any, the rule is not limited to the internal network; restricting it would take $HOME_NET in place of the destination any.
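A minimal evaluator for that rule header, as an added example that is not part of the original page or of Snort. It handles only the subset of the header grammar the rule uses (any or a single literal per field, -> and <>), and runs the rule over constructed packets to show that the reply from port 23 and a UDP packet to port 23 do not match while the client's connection attempt does.

```python
import re

# Header: action proto src_ip src_port direction dst_ip dst_port, then (options).
_HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*\((?P<options>.*)\)\s*$"
)

RULE = 'alert tcp any any -> any 23 (msg:"Telnet Connection Attempt";)'

# Constructed packets (not captured traffic): a Telnet connection attempt,
# the server's reply, a UDP packet to port 23 and an SSH connection attempt.
PACKETS = [
    {"proto": "tcp", "src_ip": "10.0.0.5", "src_port": 51234, "dst_ip": "10.0.0.9", "dst_port": 23},
    {"proto": "tcp", "src_ip": "10.0.0.9", "src_port": 23, "dst_ip": "10.0.0.5", "dst_port": 51234},
    {"proto": "udp", "src_ip": "10.0.0.5", "src_port": 51235, "dst_ip": "10.0.0.9", "dst_port": 23},
    {"proto": "tcp", "src_ip": "10.0.0.5", "src_port": 51236, "dst_ip": "10.0.0.9", "dst_port": 22},
]


def parse_rule(rule_text):
    """Split a rule into its header fields and pull the msg option out."""
    m = _HEADER.match(rule_text.strip())
    if not m:
        raise ValueError("not a recognisable Snort rule header")
    rule = m.groupdict()
    msg = re.search(r'msg\s*:\s*"([^"]*)"', rule["options"])
    rule["msg"] = msg.group(1) if msg else ""
    return rule


def _field_matches(pattern, value):
    # Only the subset this rule needs: the keyword any or one literal value.
    return pattern == "any" or pattern == str(value)


def _one_direction(rule, src_ip, src_port, dst_ip, dst_port):
    return (_field_matches(rule["src_ip"], src_ip)
            and _field_matches(rule["src_port"], src_port)
            and _field_matches(rule["dst_ip"], dst_ip)
            and _field_matches(rule["dst_port"], dst_port))


def rule_matches(rule, packet):
    """True if the packet satisfies the header; ip as protocol matches everything."""
    if rule["proto"] not in ("ip", packet["proto"]):
        return False
    forward = _one_direction(rule, packet["src_ip"], packet["src_port"],
                             packet["dst_ip"], packet["dst_port"])
    if rule["direction"] == "->":
        return forward
    # <> is bidirectional: also accept the packet with its endpoints swapped.
    reverse = _one_direction(rule, packet["dst_ip"], packet["dst_port"],
                             packet["src_ip"], packet["src_port"])
    return forward or reverse


def alerts_for(rule_text, packets):
    """Return one alert line per packet the rule fires on."""
    rule = parse_rule(rule_text)
    return [f'{rule["action"]}: {rule["msg"]} '
            f'({p["src_ip"]}:{p["src_port"]} -> {p["dst_ip"]}:{p["dst_port"]})'
            for p in packets if rule_matches(rule, p)]


if __name__ == "__main__":
    for line in alerts_for(RULE, PACKETS):
        print(line)
    print("bidirectional:", len(alerts_for(RULE.replace("->", "<>"), PACKETS)), "alerts")
```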
22. A pen tester connects a laptop to a switch port and enables promiscuous mode on the NIC. He then turns on Wireshark and leaves for the day, hoping to catch interesting traffic over the next few hours. Which of the following is true regarding this scenario? (Choose all that apply.)
Switches are designed to filter traffic: a frame intended for a destination MAC address is sent only to the port on which the switch has learned that MAC. The exception is broadcast and multicast traffic, which gets sent out every port (as do frames for a destination MAC the switch has not yet learned). Because ARP requests are broadcast in nature, every machine's ARP requests would be viewable, but the unicast traffic between other hosts would not be; capturing that would take a SPAN (mirror) port or an active attack such as ARP poisoning.
23. Which of the following best describes ARP poisoning?
In ARP poisoning, the attacker keeps sending forged ARP replies that map the target's IP address to the attacker's MAC address, so traffic intended for the target is delivered to the attacker instead (and usually forwarded on, so the victim notices nothing). The replies have to be repeated because legitimate ARP traffic would otherwise correct the victims' caches.
24. Which of the following best describes port security?
This is exceedingly confusing on purpose, because it's how you'll see it on the exam. "Port security" refers to a security feature on switches that allows an administrator to assign specific MAC addresses to a switch port; if the machine connecting to the port does not use one of those MAC addresses, it isn't allowed to connect at all. Port security works on source addresses, so you're automatically looking at "from," not "to." In other words, it specifically allows access (entering a port) to a defined MAC address; think of it as a whitelist. Keep in mind that a MAC address is trivial to spoof, so port security raises the bar rather than closing the door.
25. Where is the SAM file found on a Windows 7 machine?
The SAM file, the registry hive holding all those wonderful password hashes you want access to, is located at C:\Windows\System32\config\SAM. You may also find a copy in the repair folder, at C:\Windows\repair\SAM. The hive is locked while Windows is running, and the hashes inside are encrypted with a key derived from the SYSTEM hive, so you need both SAM and SYSTEM (copied from offline media or a volume shadow copy) to extract them.
26. Which of the following commands would be useful in adjusting settings on the built-in firewall on a Windows machine?
Netsh is "a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running." Typing netsh at the command line then allows you to step into various "contexts" for adjusting all sorts of network configuration options, including the firewall. Typing a question mark shows all available commands at the context you are in. You can also execute a command without stepping into each context. For example, typing netsh firewall show config will show the configuration of the firewall; on Windows 7 and later the firewall context is deprecated in favor of advfirewall, so netsh advfirewall show allprofiles is the current equivalent.
27. Which SID indicates the true administrator account on the Windows machine?
A security identifier (SID) is written as S-1-5-21-<domain or machine identifier>-<RID>: the revision, the identifier authority, a set of sub-authority values that identify the domain or local machine, and finally the relative identifier (RID), which identifies the account within that domain and tells you the type of account. The RID of 500 indicates the true administrator account on the machine, no matter what the account has been renamed to (501 is the built-in Guest).
28. Which of the following is true regarding LM hashes?
For a password of fewer than eight characters, the right half of the LM hash will always be the same, ending in 1404EE, because of the method by which LM performs the hash: the password is uppercased, padded to 14 characters and split into two 7-character halves, each of which is used as a DES key to encrypt the constant "KGS!@#$%". A password of seven characters or fewer leaves the second half entirely padding, so its DES output is always AAD3B435B51404EE.
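The checks from questions 27 and 28 applied together, as an added example that is not part of the original page: parse a SID string down to its RID, then read pwdump-style lines and report what the LM half and the RID give away before any cracking is done. The SID and the pwdump lines are constructed samples (the non-constant hash values are arbitrary hex, not hashes of real passwords).

```python
WELL_KNOWN_RIDS = {
    500: "Administrator (built-in)",
    501: "Guest (built-in)",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}
# DES of "KGS!@#$%" under the all-padding key: the LM output for an empty half.
LM_NULL_HALF = "AAD3B435B51404EE"
# NT hash of the empty password.
NT_EMPTY = "31D6CFE0D16AE931B73C59D7E0C089C0"

# Constructed pwdump-style lines (user:rid:lmhash:nthash:::); hash values other
# than the well-known constants are arbitrary hex, not real password hashes.
PWDUMP_LINES = [
    "Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:00112233445566778899AABBCCDDEEFF:::",
    "helpdesk:1001:0123456789ABCDEFAAD3B435B51404EE:FFEEDDCCBBAA99887766554433221100:::",
    "svc_backup:1002:0123456789ABCDEFFEDCBA9876543210:0F1E2D3C4B5A69788796A5B4C3D2E1F0:::",
    "Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::",
]


def parse_sid(sid):
    """Split 'S-1-5-21-...-RID' into its components; the RID is the last sub-authority."""
    parts = sid.strip().split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"malformed SID: {sid!r}")
    subauthorities = [int(p) for p in parts[3:]]
    return {
        "revision": int(parts[1]),
        "identifier_authority": int(parts[2]),
        "subauthorities": subauthorities,
        "rid": subauthorities[-1],
        "well_known": WELL_KNOWN_RIDS.get(subauthorities[-1]),
    }


def is_builtin_administrator(sid):
    """True for the real Administrator account, whatever it has been renamed to."""
    return parse_sid(sid)["rid"] == 500


def analyze_pwdump_line(line):
    """Interpret one pwdump line the way an attacker would before cracking."""
    user, rid, lm, nt = line.strip().split(":")[:4]
    lm, nt = lm.upper(), nt.upper()
    if len(lm) != 32 or len(nt) != 32:
        raise ValueError(f"bad hash length in line for {user!r}")
    findings = []
    if int(rid) == 500:
        findings.append("RID 500: built-in Administrator regardless of its name")
    if lm == LM_NULL_HALF * 2:
        findings.append("no LM hash stored (LM disabled or password longer than 14)")
    elif lm[16:] == LM_NULL_HALF:
        findings.append("second LM half is the null constant: password is 7 characters or fewer")
    else:
        findings.append("both LM halves present: password is 8 to 14 characters")
    if nt == NT_EMPTY:
        findings.append("NT hash of the empty password")
    return {"user": user, "rid": int(rid), "findings": findings}


if __name__ == "__main__":
    sid = "S-1-5-21-1004336348-1177238915-682003330-500"  # constructed
    print(sid, "->", parse_sid(sid)["well_known"])
    for line in PWDUMP_LINES:
        result = analyze_pwdump_line(line)
        print(f'{result["user"]} (RID {result["rid"]}): ' + "; ".join(result["findings"]))
```

The second half of the LM hash tells you the password length class before a single guess is made, which is why a 7-character-or-shorter password is effectively half the work of a 14-character one.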
29. Which password-cracking method usually takes the most time and uses the most resources?
Brute-force attacks attempt every conceivable combination of letters, numbers, characters, and length in an attempt to find a match. Given you're starting from scratch, it follows you'd need a lot of time and a lot of resources. As an aside, the increase in processing power (GPUs in particular) and the ability to combine multiple systems to work on one problem cuts down the time portion of this fairly significantly in modern cracking techniques.
30. Which of the following is the best choice for protection against privilege escalation vulnerabilities?
Ensuring your services run with least privilege (instead of having all services run at the admin or SYSTEM level) limits what an attacker gains by compromising any one of them and can help in slowing down privilege escalation; keeping systems patched closes the vulnerabilities themselves.