CompTIA Security+ Exam Cram: Domain 3.0: Threats and Vulnerabilities

This chapter is from the book

CompTIA Security+ SY0-301 Practice Questions Exam Cram, 3rd Edition

Learn More Buy

This chapter is from the book

This chapter is from the book 

CompTIA Security+ SY0-301 Practice Questions Exam Cram, 3rd Edition

Learn More Buy

Answers and Explanations

Objective 3.1: Analyze and differentiate among types of malware.

1. Answer: A. Perhaps the most popular method of privilege escalation is a buffer overflow attack. Buffer overflows cause disruption of service and lost data. This condition occurs when the data presented to an application or service exceeds the storage-space allocation that has been reserved in memory for that application or service. Answer B is incorrect because programs disguised as useful applications are Trojans. Trojans do not replicate themselves like viruses, but they can be just as destructive. Code is hidden inside the application that can attack your system directly or allow the system to be compromised by the code’s originator. The Trojan is typically hidden, so its ability to spread depends on the popularity of the software (such as a game) and a user’s willingness to download and install the software. Answer C is incorrect because a virus is a program or piece of code designed to attach itself to other code and replicate. It replicates when an infected file is executed or launched. Answer D is incorrect because spyware is associated with behaviors such as advertising, collecting personal information, or changing your computer configuration without appropriately obtaining prior consent. Basically, spyware is software that communicates information from a user’s system to another party without notifying the user.
2. Answer: C. A program or piece of code that runs on your computer without your knowledge is a virus. It is designed to attach itself to other code and replicate. It replicates when an infected file is executed or launched. Answer A is incorrect. Buffer overflows cause disruption of service and lost data. This condition occurs when the data presented to an application or service exceeds the storage-space allocation that has been reserved in memory for that application or service. Answer B is incorrect because programs disguised as useful applications are Trojans. Trojans do not replicate themselves like viruses, but they can be just as destructive. Code is hidden inside the application that can attack your system directly or allow the system to be compromised by the code’s originator. The Trojan is typically hidden, so its ability to spread depends on the popularity of the software and a user’s willingness to download and install the software. Answer D is incorrect because spyware is associated with behaviors such as advertising, collecting personal information, or changing your computer configuration without appropriately obtaining prior consent. Basically, spyware is software that communicates information from a user’s system to another party without notifying the user.
3. Answer: A. A Trojan horse appears to be useful software but has code hidden inside that will attack your system directly or allow the system to be infiltrated by the originator of the code after it has been executed. Answer B is incorrect because it describes IP spoofing. Answer C is incorrect because it describes spyware. Answer D is incorrect because it describes a worm. Worms are similar in function and behavior to a virus with the exception that worms are self-replicating.
4. Answer: B. A rootkit is a piece of software that can be installed and hidden on a computer mainly for the purpose of compromising the system and getting escalated privileges such as administrative rights. Answer A is incorrect because spyware is associated with behaviors such as advertising, collecting personal information, or changing your computer configuration without appropriately obtaining prior consent. Basically, spyware is software that communicates information from a user’s system to another party without notifying the user. Answer C is incorrect. A bot provides a spam or virus originator with the venue to propagate. Many computers compromised in this way are unprotected home computers (although recently it has become known that many computers in the corporate world are bots, too). A botnet is a large number of computers that forward transmissions to other computers on the Internet. You may also hear a botnet referred to as a zombie army. Answer D is incorrect. Adware is a form of advertising that installs additional tracking software on your system that keeps in contact with the company through your Internet connection. It reports data to the company, such as your surfing habits and which sites you have visited.
5. Answer: C. Code Red is an exploit used to spread a worm. This threat affected only web servers running Microsoft’s Internet Information Server. Answers A, B, and D are incorrect; Melissa, Acid Rain, and Mocmex are not worms. Melissa is a virus. Acid Rain and Mocmex are Trojans.
6. Answer: B. A logic bomb is a virus or Trojan horse that is built to go off when a certain event occurs or a period of time goes by. Answers A and D are incorrect because a specified time element is not involved. Answer C is incorrect because spoofing involves modifying the source address of traffic or the source of information.
7. Answer: A. Spyware is associated with behaviors such as advertising, collecting personal information, or changing your computer configuration without appropriately obtaining prior consent. Basically, spyware is software that communicates information from a user’s system to another party without notifying the user. Answer B is incorrect because a piece of software that can be installed and hidden on a computer mainly for the purpose of compromising the system and getting escalated privileges such as administrative rights is a rootkit. Answer C is incorrect because a large number of computers that forward transmissions to other computers on the Internet, allowing the originator a venue to propagate, is a botnet. Answer D is incorrect because a form of advertising that installs additional tracking software on your system that keeps in contact with the company through your Internet connection is adware. It reports data to the company, such as your surfing habits and which sites you have visited.
8. Answer: C. Requesting to be removed from junk email lists often results in more spam because it verifies that you have a legitimate, working email address. Therefore answers A, B, and D are incorrect.
9. Answer: A, B, C. Email spam lists are often created by scanning newsgroup postings, stealing Internet mailing lists, or searching the Web for addresses. Spammers use automated tools to subscribe to as many mailing lists as possible. From those lists, they capture addresses or use the mailing list as a direct target for their attacks. Answer D is incorrect because email spam lists are not created in this manner.
10. Answer: A. Perhaps the most popular method of privilege escalation is a buffer overflow attack. Buffer overflows cause disruption of service and lost data. This condition occurs when the data presented to an application or service exceeds the storage-space allocation that has been reserved in memory for that application or service. Answer B is incorrect because a virus is a program or piece of code designed to attach itself to other code and replicate. It replicates when an infected file is executed or launched. Answer C is incorrect. A Trojan horse appears to be useful software but has code hidden inside that will attack your system directly or allow the system to be infiltrated by the originator of the code after it has been executed. Answer D is incorrect. A logic bomb is a virus or Trojan horse designed to execute malicious actions when a certain event occurs or a period of time goes by.
11. Answer: D. Worms are similar in function and behavior to a virus with the exception that worms are self-replicating. A worm is built to take advantage of a security hole in an existing application or operating system and then find other systems running the same software and automatically replicate itself to the new host. Answer A is incorrect. Spyware is associated with behaviors such as collecting personal information or changing your computer configuration without appropriately obtaining prior consent. Basically, spyware is software that communicates information from a user’s system to another party without notifying the user. Answer B is incorrect because a virus is a program or piece of code designed to attach itself to other code and replicate. It replicates when an infected file is executed or launched. Answer C is incorrect. A Trojan horse appears to be useful software but has code hidden inside that will attack your system directly or allow the system to be infiltrated by the originator of the code after it has been executed.
12. Answer: C. A Trojan horse appears to be useful software but has code hidden inside that will attack your system directly or allow the system to be infiltrated by the originator of the code after it has been executed. Answer A is incorrect. Spyware is associated with behaviors such as collecting personal information or changing your computer configuration without appropriately obtaining prior consent. Basically, spyware is software that communicates information from a user’s system to another party without notifying the user. Answer B is incorrect because a virus is a program or piece of code designed to attach itself to other code and replicate. It replicates when an infected file is executed or launched. Answer D is incorrect. Worms are similar in function and behavior to a virus with the exception that worms are self-replicating. A worm is built to take advantage of a security hole in an existing application or operating system and then find other systems running the same software and automatically replicate itself to the new host.
13. Answer: A. Spyware is associated with behaviors such as collecting personal information or changing your computer configuration without appropriately obtaining prior consent. Basically, spyware is software that communicates information from a user’s system to another party without notifying the user. Answer B is incorrect because a virus is a program or piece of code designed to attach itself to other code and replicate. It replicates when an infected file is executed or launched. Answer C is incorrect. A Trojan horse appears to be useful software but has code hidden inside that will attack your system directly or allow the system to be infiltrated by the originator of the code after it has been executed. Answer D is incorrect. Worms are similar in function and behavior to a virus with the exception that worms are self-replicating. A worm is built to take advantage of a security hole in an existing application or operating system and then find other systems running the same software and automatically replicate itself to the new host.
14. Answer: D. A rootkit is a piece of software that can be installed and hidden on a computer mainly for the purpose of compromising the system and getting escalated privileges such as administrative rights. Answer A is incorrect. Spyware is associated with behaviors such as advertising, collecting personal information, or changing your computer configuration without appropriately obtaining prior consent. Basically, spyware is software that communicates information from a user’s system to another party without notifying the user. Answer B is incorrect. Spam is a term that refers to the sending of unsolicited commercial email. Email spam targets individual users with direct mail messages. Answer C is incorrect because adware is a form of advertising that installs additional tracking software on your system that keeps in contact with the company through your Internet connection.
15. Answer: B. A botnet is a large number of computers that forward transmissions to other computers on the Internet. You may also hear a botnet referred to as a zombie army. Answer A is incorrect. A logic bomb is a virus or Trojan horse designed to execute malicious actions when a certain event occurs or a period of time goes by. Answer C is incorrect. Adware is a form of advertising that installs additional tracking software on your system that keeps in contact with the company through your Internet connection. It reports data to the company, such as your surfing habits and which sites you have visited. Answer D is incorrect. A rootkit is a piece of software that can be installed and hidden on a computer mainly for the purpose of compromising the system and getting escalated privileges such as administrative rights.
16. Answer: A. Many spyware-eliminator programs are available. These programs scan your machine, similarly to how antivirus software scans for viruses; just as with antivirus software, you should keep spyware-eliminator programs updated and regularly run scans. Therefore, answer D is incorrect. Answers B and C are incorrect because antispyware programs cannot detect rootkits or botnets.
17. Answer: B. The main issue with botnets is that they are securely hidden. This allows the botnet masters to perform tasks, gather information, and commit crimes while remaining undetected. Answers A, C, and D are concerns, but the main security concern it is they can remain undetected.
18. Answer: A. A logic bomb is also referred to as slag code. It is malicious in intent, and usually planted by a disgruntled employee. Answer B is incorrect. A botnet is a large number of computers that forward transmissions to other computers on the Internet. You may also hear a botnet referred to as a zombie army. Answer C is incorrect. Adware is a form of advertising that installs additional tracking software on your system that keeps in contact with the company through your Internet connection. It reports data to the company, such as your surfing habits and which sites you have visited. Answer D is incorrect. A rootkit is a piece of software that can be installed and hidden on a computer mainly for the purpose of compromising the system and getting escalated privileges such as administrative rights.
19. Answer: A, B, D. A buffer overflow can result in the overwriting of data or memory storage, a denial of service due to overloading the input buffer’s ability to cope with the additional data, or the originator can execute arbitrary code, often at a privileged level. Answer C is incorrect because a buffer overflow is targeted toward an individual machine.
20. Answer: A, C. There are several types of viruses, including boot sector, polymorphic, macro, program, stealth, and multipartite. Answers B and D are incorrect because they do not describe types of viruses.
21. Answer: C. A boot sector virus is placed into the first sector of the hard drive so that when the computer boots, the virus loads into memory. Answer A is incorrect because it describes a polymorphic virus. Answer B is incorrect because it describes a stealth virus. Answer D is incorrect because it describes a program virus.
22. Answer: D. A botnet is a large number of computers that forward transmissions to other computers on the Internet. You may also hear a botnet referred to as a zombie army. Answer A is incorrect because a popular method of privilege escalation is a buffer-overflow attack. Answer B is incorrect because most rootkits use global hooks for stealth activity. Answer C is incorrect because a honeynet is used for monitoring large networks.
23. Answer: B. A Trojan horse appears to be useful software but has code hidden inside that will attack your system directly or allow the system to be infiltrated by the originator of the code after it has been executed. Answer A is incorrect because a virus is a program or piece of code designed to attach itself to other code and replicate. It replicates when an infected file is executed or launched. Answer C is incorrect because spam is a term that refers to the sending of unsolicited commercial email. Email spam targets individual users with direct mail messages. Answer D is incorrect. Worms are similar in function and behavior to a virus with the exception that worms are self-replicating. A worm is built to take advantage of a security hole in an existing application or operating system, find other systems running the same software, and automatically replicate itself to the new host.
24. Answer: A. Most rootkits use global hooks for stealth activity. So, if you use security tools that can prevent programs from installing global hooks and stop process injection, you can prevent rootkit functioning. Answer B is incorrect because adware uses tracking software. Answer C is incorrect because privilege escalation is associated with buffer overflows. Answer D is incorrect because social engineering is taking advantage of human nature.
25. Answer: B. Rootkit functionality requires full administrator rights. Therefore, you can avoid rootkit infection by running Windows from an account with lesser privileges. Answer A is incorrect; it describes an effective way to deal with spam. Answer C is incorrect; it describes an effective way to deal with user account exploitation. Answer D is incorrect because it describes an effective way to deal with spyware.
26. Answer: C. A botnet is a large number of computers that forward transmissions to other computers on the Internet. You may also hear a botnet referred to as a zombie army. Answer A is incorrect because it describes a logic bomb. Answer B is incorrect because it describes Trojans. Answer D is incorrect because it describes a buffer overflow.
27. Answer: B. Privilege escalation takes advantage of a program’s flawed code, which then crashes the system and leaves it in a state where arbitrary code can be executed or an intruder can function as an administrator. Answer A is incorrect because a logic bomb is a virus or Trojan horse designed to execute malicious actions when a certain event occurs or a period of time goes by. Answer C is incorrect; spam is a term that refers to the sending of unsolicited commercial email. Email spam targets individual users with direct mail messages. Answer D is incorrect; Trojans are programs disguised as useful applications.
28. Answer: A, C, D. Currently, the most effective way to prevent an attacker from exploiting software is to keep the manufacturer’s latest patches and service packs applied and to monitor the Web for newly discovered vulnerabilities. Answer B is incorrect because it not feasible to disconnect the network from the Internet.
29. Answer: D. A multipartite virus is a hybrid of boot and program viruses. It first attacks a boot sector and then attacks system files or vice versa. Answer A is incorrect because a polymorphic virus can change each time it is executed. It was developed to avoid detection by antivirus software. Answer B is incorrect because a macro virus is inserted into a Microsoft Office document and emailed to unsuspecting users. Answer C is incorrect because a stealth virus uses techniques to avoid detection, such as temporarily removing itself from an infected file or masking a file’s size.
30. Answer: C. Worms are similar in function and behavior to a virus with the exception that worms are self-replicating. A worm is built to take advantage of a security hole in an existing application or operating system, find other systems running the same software, and automatically replicate itself to the new host. Answer A is incorrect because a virus is a program or piece of code designed to attach itself to other code and replicate. It replicates when an infected file is executed or launched. Answer B is incorrect because a Trojan appears to be useful software but has code hidden inside that will attack your system directly or allow the system to be infiltrated by the originator of the code after it has been executed. Answer D is incorrect because a logic bomb is a virus or Trojan horse designed to execute malicious actions when a certain event occurs or a period of time goes by.
31. Answer: B. Trojans are programs disguised as useful applications. Trojans do not replicate themselves like viruses, but they can be just as destructive. Code hidden inside the application can attack your system directly or allow the system to be compromised by the code’s originator. The Trojan is typically hidden, so its ability to spread depends on the popularity of the software and a user’s willingness to download and install the software. Answer A is incorrect because Trojans can perform actions without the user’s knowledge or consent, such as collecting and sending data or causing the computer to malfunction. Answers C and D are incorrect; a virus is a program or piece of code that runs on your computer without your knowledge. It is designed to attach itself to other code and replicate.
32. Answer: A, B, C. Indications that a computer may contain spyware include the following: the system is slow, (especially when browsing the Internet), it takes a long time for the Windows desktop to come up, clicking a link does nothing or goes to an unexpected website, the browser home page changes (and you might not be able to reset it), and web pages are automatically added to your favorites list. Answer D is incorrect because it describes spam.
33. Answer: A, C. When dealing with spam, the user should delete the email without opening it and turn off the preview function of the mail software. Answer B is incorrect because this is an inappropriate action. There are specific laws that deal with spamming, and trying to conduct your own investigation can be dangerous. Answer D is incorrect because local law enforcement does not investigate a single spam incident.
34. Answer: B, C, D. Rootkits can be included as part of a software package and can be installed by way of an unpatched vulnerability or by the user downloading and installing it. Answer A is incorrect because accessing documents on the local intranet should not result in a rootkit installation.
35. Answer: D. Rootkits have also been known to use encryption to protect outbound communications and piggyback on commonly used ports to communicate without interrupting other applications that use that port. Answer A is incorrect. A logic bomb is a virus or Trojan horse designed to execute malicious actions when a certain event occurs or a period of time goes by. Answer B is incorrect. A botnet is a large number of computers that forward transmissions to other computers on the Internet. You may also hear a botnet referred to as a zombie army. Answer C is incorrect. Adware is a form of advertising that installs additional tracking software on your system that keeps in contact with the company through your Internet connection. It reports data to the company, such as your surfing habits and which sites you have visited.
36. Answer: A. A logic bomb is a virus or Trojan horse designed to execute malicious actions when a certain event occurs or a period of time goes by. Answer B is incorrect. A botnet is a large number of computers that forward transmissions to other computers. Answer C is incorrect. Adware is a form of advertising that installs additional tracking software on your system that keeps in contact with the company through your Internet connection. It reports data to the company, such as your surfing habits and which sites you have visited. Answer D is incorrect. A rootkit is a piece of software that can be installed and hidden on a computer, mainly for the purpose of compromising the system and getting escalated privileges such as administrative rights.
37. Answer: B. A Trojan appears to be useful software but has code hidden inside that will attack your system directly or allow the system to be infiltrated by the originator of the code after it has been executed. Answer A is incorrect because a virus is a program or piece of code designed to attach itself to other code and replicate. It replicates when an infected file is executed or launched. Answer C is incorrect because a worm is built to take advantage of a security hole in an existing application or operating system and then find other systems running the same software and automatically replicate itself to the new host. Answer D is incorrect because a logic bomb is a virus or Trojan horse designed to execute malicious actions when a certain event occurs or a period of time goes by.
38. Answer: A. A polymorphic virus can change each time it is executed. It was developed to avoid detection by antivirus software. Answer B is incorrect because a macro virus is inserted into a Microsoft Office document and emailed to unsuspecting users. Answer C is incorrect because a stealth virus uses techniques to avoid detection, such as temporarily removing itself from an infected file or masking a file’s size. Answer D is incorrect because a multipartite virus is a hybrid of boot and program viruses. It first attacks a boot sector and then attacks system files, or vice versa.
39. Answer: C. A bot, short for robot, is an automated computer program that needs no user interaction. Bots are systems that outside sources can control. A bot provides a spam or virus originator with the venue to propagate. Answer A is incorrect because a logic bomb is a virus or Trojan horse designed to execute malicious actions when a certain event occurs or a period of time goes by. Answer B is incorrect. Adware is a form of advertising that installs additional tracking software on your system that keeps in contact with the company through your Internet connection. It reports data to the company, such as your surfing habits and which sites you have visited. Answer D is incorrect because a virus is a program or piece of code designed to attach itself to other code and replicate.
40. Answer: A, C, D. You can take steps to protect your network from malicious code, such as not using any type of removable media from another user without first scanning for malware, performing backups on a daily basis, installing firewalls or intrusion-prevention systems on client machines, and subscribing to newsgroups and checking antivirus websites regularly. Answer B is incorrect. Opening all attachments will mostly likely infect a machine.

Objective 3.2: Analyze and differentiate among types of attacks.

1. Answer: C. Telnet uses port 23. Answer A is incorrect because port 110 is used for POP3 incoming mail. Answer B is incorrect because port 21 is used for FTP. Port 443 is used by HTTPS; therefore, answer D is incorrect.
2. Answer: A, B. UDP ports 161 and 162 are used by SNMP. Answer C is incorrect because port 443 is used by HTTPS. Answer D is incorrect because port 4445 uses TCP/UDP for service type upnotifyp.
3. Answer: C. TCP/IP hijacking is the term used when an attacker takes control of a session between the server and a client. This can occur due to the TCP three-way handshake. The three-way handshake is the method used to establish and tear down network connections. Answer A is incorrect because it describes spoofing. Spoofing is a method of providing false identity information to gain unauthorized access. Answer B is incorrect because it describes a null session. A null session is a connection without specifying a username or password. Answer D is incorrect because it describes DNS poisoning. DNS poisoning allows a perpetrator to redirect traffic by changing the IP record for a specific domain, thus permitting attackers to send legitimate traffic anywhere they choose.
4. Answer: A. Spoofing is a method of providing false identity information to gain unauthorized access. Answer B is incorrect because it describes a null session. A null session is a connection without specifying a username or password. Answer C is incorrect because it describes TCP/IP hijacking. TCP/IP hijacking is the term used when an attacker takes control of a session between the server and a client. Answer D is incorrect because it describes DNS poisoning. DNS poisoning allows a perpetrator to redirect traffic by changing the IP record for a specific domain, thus permitting attackers to send legitimate traffic anywhere they choose.
5. Answer: B. A null session is a connection without specifying a username or password. Answer A is incorrect because it describes spoofing. Spoofing is a method of providing false identity information to gain unauthorized access. Answer C is incorrect because it describes TCP/IP hijacking. TCP/IP hijacking is the term used when an attacker takes control of a session between the server and a client. Answer D is incorrect because it describes DNS poisoning. DNS poisoning allows a perpetrator to redirect traffic by changing the IP record for a specific domain, thus permitting attackers to send legitimate traffic anywhere they choose.
6. Answer: D. DNS poisoning allows a perpetrator to redirect traffic by changing the IP record for a specific domain. Query results that are forged and returned to the requesting client or recursive DNS query can poison the DNS records, thus permitting attackers to send legitimate traffic anywhere they choose. Answer A is incorrect because it describes spoofing. Spoofing is a method of providing false identity information to gain unauthorized access. Answer B is incorrect because it describes a null session. A null session is a connection without specifying a username or password. Answer C is incorrect because it describes TCP/IP hijacking. TCP/IP hijacking is the term used when an attacker takes control of a session between the server and a client.
7. Answer: D. The man-in-the-middle attack takes place when an attacker intercepts traffic and then tricks the parties at both ends into believing that they are communicating with each other. Answer A is incorrect; it describes DNS kiting. DNS kiting refers to the practice of taking advantage of the add/grace period (AGP) to monopolize domain names without ever paying for them. Answer B is incorrect; it describes a replay attack. In a replay attack, packets are captured by using sniffers. After the pertinent information is extracted, the packets are placed back on the network. Answer C is incorrect; it describes a denial-of-service attack. The purpose of a DoS attack is to disrupt the resources or services that a user would expect to have access to.
8. Answer: B. In a replay attack, packets are captured by using sniffers. After the pertinent information is extracted, the packets are placed back on the network. Answer A is incorrect; it describes DNS kiting. DNS kiting refers to the practice of taking advantage of the AGP to monopolize domain names without ever paying for them. Answer C is incorrect; it describes a denial-of-service attack. The purpose of a DoS attack is to disrupt the resources or services that a user would expect to have access to. Answer D is incorrect; it describes a man-in-the-middle attack. The man-in-the-middle attack takes place when an attacker intercepts traffic and then tricks the parties at both ends into believing that they are communicating with each other.
9. Answer: C. The purpose of a distributed denial of service (DDoS) attack is to disrupt the resources or services that a user would expect to have access to. Answer A is incorrect; it describes DNS kiting. DNS kiting refers to the practice of taking advantage of the AGP to monopolize domain names without ever paying for them. Answer B is incorrect; it describes a replay attack. In a replay attack, packets are captured by using sniffers. After the pertinent information is extracted, the packets are placed back on the network. Answer D is incorrect; it describes a man-in-the-middle attack. The man-in-the-middle attack takes place when an attacker intercepts traffic and then tricks the parties at both ends into believing that they are communicating with each other.
10. Answer: A, B, D. To help protect your network, you can set up filters on external routers to drop packets involved in these types of attacks. You should also set up another filter that denies traffic originating from the Internet that shows an internal network address. If the operating system allows it, reduce the amount of time before the reset of an unfinished TCP connection. Doing so makes it harder to keep resources unavailable for extended periods of time. Answer C is incorrect; increasing the amount of time before the reset of an unfinished TCP connection makes the resources unavailable for a longer period of time.
11. Answer: A. Because ARP does not require any type of validation, as ARP requests are sent, the requesting devices believe that the incoming ARP replies are from the correct devices. This can allow a perpetrator to trick a device into thinking any IP is related to any MAC address. Answer B is incorrect because it describes DNS poisoning. Answer C is incorrect. A Teardrop attack sends fragmented UDP packets. Answer D is incorrect. In a DDoS attack, the attackers distribute zombie software that allows the attacker partial or full control of the infected computer system.
12. Answer: B. A null session is a connection without specifying a username or password. Null sessions are a possible security risk because the connection is not really authenticated. Answer A is incorrect because spoofing involves modifying the source address of traffic or source of information. Answer C is incorrect because ARP poisoning allows a perpetrator to trick a device into thinking that an incorrect IP address is related to a MAC address. The implementation of the ARP protocol is simple. The receipt of an ARP reply at any time causes the receiving computer to add the newly received information to its ARP cache without any type of verification. Answer D is incorrect because domain kiting refers to the practice of taking advantage of this AGP period to monopolize domain names without ever paying for them.
13. Answer: D. A denial-of-service (DoS) attack that attempts to block service or reduce activity on a host by sending ping requests directly to the victim using ICMP is called a ping flood. Answer A is incorrect because spoofing involves modifying the source address of traffic or source of information. Answer C is incorrect because a man-in-the middle attack is commonly used to gather information in transit between two hosts. Answer B is incorrect because the purpose of a DoS attack is to disrupt the resources or services that a user would expect to have access to.
14. Answer: C. A man-in-the-middle attack is commonly used to gather information in transit between two hosts. Answer A is incorrect because spoofing involves modifying the source address of traffic or source of information. ARP poisoning allows a perpetrator to trick a device into thinking any IP is related to any MAC address; therefore, Answer B is incorrect. Because the purpose of a DoS attack is to deny use of resources or services to legitimate users, answer D is incorrect.
15. Answer: B. A null session is a connection without specifying a username or password. Null sessions are a possible security risk because the connection is not really authenticated. Answer A is incorrect because the session is not abnormally terminated. Although answer C may be a concern, it is not the primary issue. Answer D is incorrect because null sessions are direct connections and are not remote controlled.
16. Answer: D. The most effective way to reduce null session vulnerability is by disabling NetBIOS over TCP/IP. Editing the Registry to restrict anonymous access is another method used to control null session access. After you have done this, verify that ports 139 and 445 are closed. Answer A is incorrect; reducing the amount of time before the reset of an unfinished TCP connection deals with DoS attacks. Answers B and C are incorrect; using the signing capabilities of certificates and denying traffic originating from the Internet that shows an internal network address are protective measures against spoofing.
17. Answer: B, C, D. To mitigate the effects of spoofing, you should set up a filter that denies traffic originating from the Internet that shows an internal network address. Using the signing capabilities of certificates on servers and clients allows web and email services to be more secure. The use of IPsec can secure transmissions between critical servers and clients. Answer A is incorrect because editing the Registry to restrict anonymous access is a method used to control null session access.
18. Answer: B. Forcing a user to reauthenticate before allowing transactions to occur could help prevent this type of attack. Protection mechanisms include the use of unique initial sequence numbers (ISNs) and web session cookies. Answer A is incorrect because to mitigate the effects of spoofing, you should set up a filter that denies traffic originating from the Internet that shows an internal network address. Answers C and D are incorrect; to mitigate the vulnerability of DDoS attacks, reduce the amount of time before the reset of an unfinished TCP connection and set up filters on external routers.
19. Answer: C, D. The most effective way to reduce null session vulnerability is by disabling NetBIOS over TCP/IP. After you have done this, verify that ports 139 and 445 are closed. Answers A and B are incorrect; Simple Network Management Protocol (SNMP) is often overlooked when checking for vulnerabilities because it uses User Datagram Protocol (UDP) ports 161 and 162.
20. Answer: A, B. The man-in-the-middle attack takes place when an attacker intercepts traffic and then tricks the parties at both ends into believing that they are communicating with each other. This attack is common in Telnet and wireless technologies. Answer C is incorrect because email is susceptible to spoofing not hijacking. Answer D is incorrect. Samba provides file and print services to SMB/CIFS clients for Linux-based operating systems.
21. Answer: A, C, D. To minimize the effects of DNS poisoning, check the DNS setup if you are hosting your own DNS. Be sure the DNS server is not open-recursive. An open-recursive DNS server responds to any lookup request, without checking where it originates. Disable recursive access for other networks to resolve names that are not in your zone files. You can also use different servers for authoritative and recursive lookups and require that caches discard information except from the .com servers and the root servers. Answer B is incorrect because it describes an effective way to deal with rootkits.
22. Answer: A, D. ARP poisoning is limited to attacks that are locally based, so an intruder needs either physical access to your network or control of a device on your local network. To mitigate ARP poisoning on a small network, you can use static or script-based mapping for IP addresses and ARP tables. For large networks, use equipment that offers port security. Answers B and C are incorrect; they are solutions for small networks, not large networks.
23. Answer: C. Privilege escalation is a vulnerability represented by the accidental or intentional access to resources not intended for access by the user. Application flaws can allow a normal user access to administrative functions reserved for privileged accounts, or to access features of an application reserved for other users. An example of the latter would be if User A could read User B’s email without specific authorization. Answer A is incorrect because it describes default accounts. Answer B is incorrect because data transmitted over a wireless network using 802.1x that can be easily “sniffed” is referred to as data emanations. Answer D is incorrect because a back door is an application code function, created intentionally or unintentionally, which allows unauthorized access to networked resources.
24. Answer: D. A back door is an application code function, created intentionally or unintentionally, which allows unauthorized access to networked resources. Answer A is incorrect because it describes default accounts. Answer B is incorrect because data transmitted over a wireless network using 802.1x that can be easily “sniffed” is referred to as data emanations. Answer C is incorrect. Privilege escalation is a vulnerability represented by the accidental or intentional access to resources not intended for access by the user. Application flaws can allow a normal user access to administrative functions reserved for privileged accounts, or to access features of an application reserved for other users. An example of the latter would be if User A could read User B’s email without specific authorization.
25. Answer: B. Unlike resources located on the local system, network resources are much more vulnerable to DoS attacks. These attacks attempt to block access to resources by overwhelming network availability, instead of attempting to directly access the resources through unauthorized means. By blocking access to a website or network resource, the attacker effectively prevents authorized availability. Answer A is incorrect because a DoS focuses on network resources, not local resources. Answer C is incorrect; viruses and worms ranked the highest for sheer number of attacks against network storage. Answer D is incorrect; DoS attacks are launched against servers in the DMZ, not the internal network, unless there is not a DMZ in place. However, corporate networks usually have some type of segmentation keeping the internal network and DMZ separated, making this answer choice incorrect.
26. Answer: C. Unlike resources located on the local system, network resources are much more vulnerable to DoS attacks. These attacks attempt to block access to resources by overwhelming network availability, instead of attempting to directly access the resources through unauthorized means. By blocking access to a website or network resource, the attacker effectively prevents authorized availability. Answer A is incorrect because privilege escalation is the intentional access to resources not intended for access by the user. Answer B is incorrect; a back door is an application code function, created intentionally or unintentionally, which allows unauthorized access to networked resources. Answer D is incorrect; attempting to directly access the resources through unauthorized means would fall along the lines of a spoofing attack.
27. Answer: C. Many networking devices and services are initially installed with a default set of user credentials, such as Oracle’s Scott/Tiger and IBM’s qsecofr/qsecofr. Unless these credentials are removed and replaced with unique strong logon credentials, they present an avenue for network attack because they are known to potential attackers. Answer A is incorrect because replacing them on an as-needed basis is not proper policy. Answer B is incorrect; replacing them when an attack has been detected is reactive instead of proactive. Answer D is incorrect because using the same logon credential for all devices and services leaves them all vulnerable should the password be compromised.
28. Answer: A. Back doors are application code functions created intentionally or unintentionally that enable unauthorized access to networked resources. Many times during application development, software designers put in shortcut entry points to allow rapid code evaluation and testing. If not removed before application deployment, such entry points can present the means for an attacker to gain unauthorized access later. Other back doors may be inserted by the application designers purposefully, presenting later threats to the network if applications are never reviewed by another application designer before deployment. Answer B is incorrect because back doors are associated with code development, not system certification. Answer C is incorrect because during user interface testing, the users do not have access to the code and cannot create back doors. Answer D is incorrect because the code has already been developed and tested during the implementation phase. At this point, there is not access to the code itself.
29. Answer: D. To optimize network layout within each unique location, a site survey is necessary before implementing any WLAN solution. This is particularly important in distributed wireless network configurations spanning multiple buildings or open natural areas, where imposing structures and tree growth may affect network access in key areas. Answers A, B, and C are incorrect. Land surveys, building inspections, and OSHA inspections are agency-related functions and cannot be conducted by the organization.
30. Answer: B. Privilege escalation is a vulnerability represented by the accidental or intentional access to resources not intended for access by the user. Application flaws can allow a normal user access to administrative functions reserved for privileged accounts, or to access features of an application reserved for other users. Answer A is incorrect because it describes the vulnerability of a broadcast packet sniffer readily identifying a WAP. Answer C is incorrect. Back doors represent application code functions, created intentionally or unintentionally, which allow unauthorized access to networked resources. Answer D is incorrect because automated and social-engineering assaults on passwords are easier when a password is short, lacking in complexity, derived from a common word found in the dictionary, or derived from easily guessable personal information such as birthdays, family names, pet names, and similar details.
31. Answer: D. Automated and social-engineering assaults on passwords are easier when a password is short, lacking in complexity, derived from a common word found in the dictionary, or derived from easily guessable personal information such as birthdays, family names, pet names, and similar details. Answer A is incorrect because it describes the vulnerability of a broadcast packet sniffer readily identifying a WAP. Answer B is incorrect. Privilege escalation is a vulnerability represented by the accidental or intentional access to resources not intended for access by the user. Application flaws can allow a normal user access to administrative functions reserved for privileged accounts, or to access features of an application reserved for other users. Answer C is incorrect. Back doors represent application code functions, created intentionally or unintentionally, which allow unauthorized access to networked resources.
32. Answer: C. Back doors represent application code functions, created intentionally or unintentionally, which allow unauthorized access to networked resources. Many times during application development, software designers put in shortcut entry points to allow rapid code evaluation and testing. If not removed before application deployment, such entry points can present the means for an attacker to gain unauthorized access later. Answer A is incorrect because it describes the vulnerability of a broadcast packet sniffer readily identifying a WAP. Answer B is incorrect. Privilege escalation is a vulnerability represented by the accidental or intentional access to resources not intended for access by the user. Application flaws can allow a normal user access to administrative functions reserved for privileged accounts, or to access features of an application reserved for other users. Answer D is incorrect because automated and social-engineering assaults on passwords are easier when a password is short, lacking in complexity, derived from a common word found in the dictionary, or derived from easily guessable personal information such as birthdays, family names, pet names, and similar details.
33. Answer: C. Many networking devices and services are initially installed with a default set of user credentials, such as Oracle’s Scott/Tiger and IBM’s qsecofr/qsecofr. Unless these credentials are removed and replaced with unique strong logon credentials, they present an avenue for network attack. Answer A is incorrect. Network resources are much more vulnerable to DoS attacks. These attacks attempt to block access to resources by overwhelming network availability, instead of attempting to directly access the resources through unauthorized means. Answer B is incorrect. Privilege escalation is a vulnerability represented by the accidental or intentional access to resources not intended for access by the user. Application flaws can allow a normal user access to administrative functions reserved for privileged accounts, or to access features of an application reserved for other users. Answer D is incorrect because automated and social-engineering assaults on passwords are easier when a password is short, lacking in complexity, derived from a common word found in the dictionary, or derived from easily guessable personal information such as birthdays, family names, pet names, and similar details.
34. Answer: A. Network resources are much more vulnerable to DoS attacks. These attacks attempt to block access to resources by overwhelming network availability, instead of attempting to directly access the resources through unauthorized means. Answer B is incorrect. Privilege escalation is a vulnerability represented by the accidental or intentional access to resources not intended for access by the user. Application flaws can allow a normal user access to administrative functions reserved for privileged accounts, or to access features of an application reserved for other users. Answer C is incorrect. Many networking devices and services are initially installed with a default set of user credentials. Unless these credentials are removed and replaced with unique strong logon credentials, they present an avenue for network attack. Answer D is incorrect because automated and social-engineering assaults on passwords are easier when a password is short, lacking in complexity, derived from a common word found in the dictionary, or derived from easily guessable personal information such as birthdays, family names, pet names, and similar details.
35. Answer: A. Privilege escalation represents the accidental or intentional access to resources not intended for access by the user. Application flaws can allow a normal user access to administrative functions reserved for privileged accounts, or to access features of an application reserved for other users. An example of the latter is if User A can read User B’s email without specific authorization. Answer B is incorrect. Many networking devices and services are initially installed with a default set of user credentials. Unless these credentials are removed and replaced with unique strong logon credentials, they present an avenue for network attack. Answer C is incorrect. Any resource exposed on a network may be attacked to gain unauthorized access. The most common form of authentication and user access control is the username/password combination, which can be significantly weakened as a security measure if a “weak” password is selected. Answer D is incorrect. Back doors are application code functions, created intentionally or unintentionally, that enable unauthorized access to networked resources. Many times during application development, software designers put in shortcut entry points to allow rapid code evaluation and testing. If not removed before application deployment, such entry points can present the means for an attacker to gain unauthorized access later.
36. Answer: D. Back doors are application code functions, created intentionally or unintentionally, that enable unauthorized access to networked resources. Many times during application development, software designers put in shortcut entry points to allow rapid code evaluation and testing. If not removed before application deployment, such entry points can present the means for an attacker to gain unauthorized access later. Answer A is incorrect. Privilege escalation represents the accidental or intentional access to resources not intended for access by the user. Application flaws can allow a normal user access to administrative functions reserved for privileged accounts, or to access features of an application reserved for other users. An example of the latter is if User A can read User B’s email without specific authorization. Answer B is incorrect. Many networking devices and services are initially installed with a default set of user credentials. Unless these credentials are removed and replaced with unique strong logon credentials, they present an avenue for network attack. Answer C is incorrect. Any resource exposed on a network may be attacked to gain unauthorized access. The most common form of authentication and user access control is the username/password combination, which can be significantly weakened as a security measure if a “weak” password is selected.
37. Answer: B, C. Automated and social-engineering assaults on passwords are easier when a password is short, lacking in complexity (complexity here meaning a mixture of character case, numbers, and symbols), derived from a common word found in the dictionary, or derived from easily guessable personal information such as birthdays, family names, pet names, and similar details. Answer A is incorrect because it is an attack associated with WAPs announcing their service set identifier (SSID). Answer D is incorrect because DoS attacks are often used for Internet extortion schemes, where an attacking botnet of tens of thousands of zombied client systems can be used to consume all available connections to a business website.
38. Answer: D. DoS attacks are often used for Internet extortion schemes, where an attacking botnet of tens of thousands of zombied client systems can be used to consume all available connections to a business website. Many fringe service industries, such as online casinos, are regularly targeted with this type of attack. Answer A is incorrect because it is an attack associated with WAPs announcing their service set identifier (SSID). Answers B and C are incorrect; automated and social-engineering assaults on passwords are easier when a password is short, lacking in complexity (complexity here meaning a mixture of character case, numbers, and symbols), derived from a common word found in the dictionary, or derived from easily guessable personal information such as birthdays, family names, pet names, and similar details.
39. Answer: A. Spear phishing is a targeted version of phishing. Whereas phishing often involves mass email, spear phishing might go after a specific individual. Answer B is incorrect because Vishing is voice phishing; the attacker will often use a fake caller-ID to appear as a trusted organization and attempt to get the individual to enter account details via the phone. Answer C is incorrect because smishing, also known as SMS phishing, involves using phishing methods through text messaging. Answer D is incorrect because pharming redirects victims to a bogus website, even if they correctly entered the intended site. To accomplish this, the attacker employs another attack such as DNS cache poisoning.
40. Answer: B. Vishing is voice phishing; the attacker will often use a fake caller-ID to appear as a trusted organization and attempt to get the individual to enter account details via the phone. Answer A is incorrect because spear phishing is a targeted version of phishing. Whereas phishing often involves mass email, spear phishing might go after a specific individual. Answer C is incorrect because smishing, also known as SMS phishing, involves using phishing methods through text messaging. Answer D is incorrect because pharming redirects victims to a bogus website, even if they correctly entered the intended site. To accomplish this, the attacker employs another attack such as DNS cache poisoning.
41. Answer: D. Pharming redirects victims to a bogus website, even if they correctly entered the intended site. To accomplish this, the attacker employs another attack such as DNS cache poisoning. Answer A is incorrect because spear phishing is a targeted version of phishing. Whereas phishing often involves mass email, spear phishing might go after a specific individual. Answer B is incorrect because vishing is voice phishing, the attacker will often use a fake caller-ID to appear as a trusted organization and attempt to get the individual to enter account details via the phone. Answer C is incorrect because smishing, also known as SMS phishing, involves using phishing methods through text messaging.
42. Answer: C. Smishing, also known as SMS phishing, involves using phishing methods through text messaging. Answer A is incorrect because spear phishing is a targeted version of phishing. Whereas phishing often involves mass email, spear phishing might go after a specific individual. Answer B is incorrect because vishing is voice phishing, the attacker will often use a fake caller-ID to appear as a trusted organization and attempt to get the individual to enter account details via the phone. Answer D is incorrect because pharming redirects victims to a bogus website, even if they correctly entered the intended site. To accomplish this, the attacker employs another attack such as DNS cache poisoning.
43. Answer: B. Messaging spam, sometimes called SPIM, is a type of spam targeting users of instant messaging (IM) services. Answer A is incorrect because spear phishing is a targeted version of phishing. Whereas phishing often involves mass email, spear phishing might go after a specific individual. Answer C is incorrect because spam targets email. Answer D is incorrect because pharming redirects victims to a bogus website, even if they correctly entered the intended site. To accomplish this, the attacker employs another attack such as DNS cache poisoning.
44. Answer: D. When used as part of scanning a system, the TCP header of Christmas tree packets has the flags SYN, FIN, URG and PSH set. By observing how a host responds to an odd packet, such as a Christmas tree packet, assumptions can be made regarding the host’s operating system. Answer A is incorrect because spoofing involves modifying the source address of traffic or source of information. Answer B is incorrect because a null session is a connection without specifying a username or password. Null sessions are a possible security risk because the connection is not really authenticated. Answer C is incorrect because ARP poisoning allows a perpetrator to trick a device into thinking that an incorrect IP address is related to a MAC address. The implementation of the ARP protocol is simple. The receipt of an ARP reply at any time causes the receiving computer to add the newly received information to its ARP cache without any type of verification.
45. Answer: B. Transitive access can be achieved by gaining the trust of a computer that is trusted by the target network allowing the bypass of security measures. Answer A is incorrect because packet sniffing targets packets not hosts. Answer C is incorrect; Social-engineering attacks target humans, not computers. Answer D is incorrect. DoS attacks are often used for Internet extortion schemes, where an attacking botnet of tens of thousands of zombied client systems can be used to consume all available connections to a business website.

Objective 3.3: Analyze and differentiate among types of social engineering attacks.

1. Answer: B. Social engineering is a process by which an attacker may extract useful information from users who are often just tricked into helping the attacker. Answer A is incorrect because pharming is a hacker’s attack aiming to redirect a website’s traffic to another, bogus, website. Answer C is incorrect because phishing is an attempt to acquire sensitive information by masquerading as a trustworthy entity via an electronic communication, usually email. Answer D is incorrect because shoulder surfing uses direct observation techniques. It gets its name from looking over someone’s shoulder to get information.
2. Answer: C. Phishing is an attempt to acquire sensitive information by masquerading as a trustworthy entity via an electronic communication, usually email. Answer A is incorrect because pharming is a hacker’s attack aiming to redirect a website’s traffic to another, bogus, website. Answer B is incorrect. Social engineering is a process by which an attacker may extract useful information from users who are often just tricked into helping the attacker. Answer D is incorrect because shoulder surfing uses direct observation techniques. It gets its name from looking over someone’s shoulder.
3. Answer: B. Hoax messages may warn of emerging threats that do not exist. They might instruct users to delete certain files to ensure their security against a new virus, while actually only rendering the system more susceptible to later viral agents. Answer A is incorrect because pharming is a hacker’s attack aiming to redirect a website’s traffic to another, bogus, website. Answer C is incorrect because phishing is an attempt to acquire sensitive information by masquerading as a trustworthy entity via an electronic communication, usually email. Answer D is incorrect because spam is unwanted email communication.
4. Answer: A. Although hoaxes present issues such as loss of functionality or security vulnerabilities, they also use system resources and consume users’ time. This results in lost productivity and an undue burden on the organization’s resources, especially if many employees respond. Answer B is incorrect; although virus may be a concern, the idea behind a chain letter is to occupy time and resources. Answer C is incorrect because hoaxes try to occupy time and resources, not garner proprietary information. Answer D is incorrect because this statement is simply not true.
5. Answer: D. Shoulder surfing uses direct observation techniques. It gets its name from looking over someone’s shoulder to get information. Shoulder surfing is an effective way to get information in crowded places such as airports, conventions, or coffee shops because it’s relatively easy to stand next to someone and watch as the person enters a PIN or a password. Answer A is incorrect; virus infection is a concern. However, the real danger is the organizational information that is readily accessible. Answer B is incorrect because social engineering is a process by which an attacker may extract useful information from users who are often tricked into helping the attacker. Answer C is incorrect because dumpster diving is scavenging through discarded equipment and documents and extracting sensitive information from it without ever contacting anyone in the company.
6. Answer: D. Whaling is identical to spear phishing except for the “size of the fish.” Whaling employs spear phishing tactics, but is intended to go after high-profile targets such as an executive within a company. Answer A is incorrect because spear phishing is a targeted version of phishing. Whereas phishing often involves mass email, spear phishing might go after a specific individual. Answer B is incorrect because vishing is voice phishing; the attacker will often use a fake caller-ID to appear as a trusted organization and attempt to get the individual to enter account details via the phone. Answer C is incorrect because smishing, also known as SMS phishing, involves using phishing methods through text messaging.
7. Answer: B. Vishing is voice phishing; the attacker will often use a fake caller-ID to appear as a trusted organization and attempt to get the individual to enter account details via the phone. Answer A is incorrect because spear phishing is a targeted version of phishing. Whereas phishing often involves mass email, spear phishing might go after a specific individual. Answer C is incorrect because smishing, also known as SMS phishing, involves using phishing methods through text messaging. Answer D is incorrect because whaling is identical to spear phishing except for the “size of the fish.” Whaling employs spear phishing tactics, but is intended to go after high-profile targets such as an executive within a company.
8. Answer: A. Spear phishing is a targeted version of phishing. Whereas phishing often involves mass email, spear phishing might go after a specific individual or groups of individuals. Answer B is incorrect because vishing is voice phishing; the attacker will often use a fake caller-ID to appear as a trusted organization and attempt to get the individual to enter account details via the phone. Answer C is incorrect because smishing, also known as SMS phishing, involves using phishing methods through text messaging. Answer D is incorrect. Whaling is identical to spear phishing except for the “size of the fish.” Whaling employs spear phishing tactics, but is intended to go after high-profile targets such as an executive within a company.
9. Answer: C. Dumpster diving is scavenging through discarded equipment and documents and extracting sensitive information from it without ever contacting anyone in the company. Answer A is incorrect; virus infection is a technical concern, not a human concern. Answer B is incorrect because social engineering is a process by which an attacker may extract useful information from users who are often tricked into helping the attacker. Answer D is incorrect because shoulder surfing uses direct observation techniques. It gets its name from looking over someone’s shoulder to get information. Shoulder surfing is an effective way to get information in crowded places such as airports, conventions, or coffee shops because it’s relatively easy to stand next to someone and watch as the person enters a PIN or a password.
10. Answer: D. Tailgating refers to the act of tagging along with another person who is authorized in order to gain entry into a restricted area. Answer A is incorrect because pharming redirects victims to a bogus website, even if they correctly entered the intended site. To accomplish this, the attacker employs another attack such as DNS cache poisoning. Answer B is incorrect because dumpster diving is scavenging through discarded equipment and documents and extracting sensitive information from it without ever contacting anyone in the company. Answer C is incorrect because shoulder surfing uses direct observation techniques. It gets its name from looking over someone’s shoulder to get information. Shoulder surfing is an effective way to get information in crowded places such as airports, conventions, or coffee shops because it’s relatively easy to stand next to someone and watch as the person enters a PIN or a password.

Objective 3.4: Analyze and differentiate among types of wireless attacks.

1. Answer: B. Wireless networks often announce their service set identifier (SSID) to allow mobile devices to discover available Wireless Access Points (WAPs). Turning off this broadcast can reduce the vulnerability of a wireless packet sniffer detecting broadcasts that readily identify a WAP. In this particular instance, the WAP is not secure because the SSID is broadcast in plain text whenever a client connects to the network. Answer A is incorrect because WAPs by default do not have encryption enabled. Answer C is incorrect because if physical access is limited, the risk is mitigated. Answer D is incorrect because it describes the characteristics of a hub.
2. Answer: D. 802.1x transmissions generate detectable radio-frequency signals in all directions. Persons who want to “sniff” the data transmitted over the network may use many solutions to increase the distance over which detection is possible, including the use of reflective tube waveguides. Answer A is incorrect because the radio-frequency signals are generated in all directions, not in one direction. Answers B and C are incorrect because data emanation is what allows for the sniffing of the data, not why data emanation is a risk.
3. Answer: C. Without the use of a mandated encryption standard, data transmitted over an 802.1x wireless link may be passed in clear form. Forms of encryption may be implemented, such as Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) and Temporal Key Integrity Protocol (TKIP). Answers A, B, and D are incorrect because authorization, authentication, and identification are access control methods, not methods to mitigate data transmissions.
4. Answer: A, B, C. Wireless communications are susceptible to data emanation, weak encryption, session hijacking, man-in-the-middle attacks, and war-driving. Answer D is incorrect because spam relaying is associated with open SMTP relays in email servers.
5. Answer: C. Because the authentication mechanism is one-way, it is easy for a hijacker to wait until the authentication cycle is completed and then generate a signal to the client that causes the client to think it has been disconnected from the access point, while at the same time beginning to transmit data traffic pretending to be from the original client. Answers A and D are incorrect. Both of these answers deal with authorization, and session hijacking deals with authentication. Answer B is incorrect because it is not true that an authentication mechanism is not there. It exists and is one-way.
6. Answer: D. The request for connection by the client is an omnidirectional open broadcast. It is possible for a hijacker to act as an access point to the client, and as a client to the true network access point, allowing the hijacker to follow all data transactions with the ability to modify, insert, or delete packets at will. Answer A is incorrect because a request for connection by the client is an omnidirectional open broadcast. Answers B and C are incorrect; the connection request is made by the client, not the access point.
7. Answer: A. A popular pastime involves driving around with a laptop system configured to listen for open 802.1x access points announcing their SSID broadcasts, which is known as war-driving. Answer B is incorrect because it describes war-dialing. Answer C is incorrect because it describes war-chalking. Answer D is incorrect because it describes a hotspot.
8. Answer: C. War-chalking utilizes a set of symbols and shorthand details to provide specifics needed to connect using a business access point. This is done by marking buildings, curbs, and other landmarks to indicate the presence of an available access point and its connection details. Answer A is incorrect. A popular pastime involves driving around with a laptop system configured to listen for open 802.1x access points announcing their SSID broadcasts, which is known as war-driving. Answer B is incorrect because it describes war-dialing. Answer D is incorrect because it describes a hotspot.
9. Answer: B. Mobile devices equipped for Bluetooth short-range wireless connectivity, such as laptops, cell phones, and PDAs, are subject to receiving text and message broadcast spam sent from a nearby Bluetooth-enabled transmitting device in an attack referred to as bluejacking. Answer A is incorrect. A popular pastime involves driving around with a laptop system configured to listen for open 802.1x access points announcing their SSID broadcasts, which is known as war-driving. Answer C is incorrect because it describes bluesnarfing. Answer D is incorrect. War-chalking utilizes a set of symbols and shorthand details to provide specifics needed to connect using a business access point. This is done by marking buildings, curbs, and other landmarks to indicate the presence of an available access point and its connection details.
10. Answer: C. Although typically benign, attackers use bluejacking to generate messages that appear to be from the device itself. This leads users to follow obvious prompts and establish an open Bluetooth connection to the attacker’s device. Once paired with the attacker’s device, the user’s data becomes available for unauthorized access, modification, or deletion, which is an attack referred to as bluesnarfing. Answer B is incorrect. Mobile devices equipped for Bluetooth short-range wireless connectivity, such as laptops, cell phones, and PDAs, are subject to receiving text and message broadcast spam sent from a nearby Bluetooth-enabled transmitting device in an attack referred to as bluejacking. Answer A is incorrect. A popular pastime involves driving around with a laptop system configured to listen for open 802.1x access points announcing their SSID broadcasts, which is known as war-driving. Answer D is incorrect. War-chalking utilizes a set of symbols and shorthand details to provide specifics needed to connect using a business access point. This is done by marking buildings, curbs, and other landmarks to indicate the presence of an available access point and its connection details.
11. Answer: A. The 802.11 (Wi-Fi) standard uses the CSMA/CA connectivity methods commonly found in Ethernet connectivity. Answers B and D are incorrect because both i-Mode and WAP are standards used by mobile devices such as cell phones, pagers, and PDAs and are not used to specify WLAN standards. Answer C is incorrect because Bluetooth is based on a different transmission protocol.
12. Answer: D. Data emanation happens because 802.1x transmissions generate detectable radio-frequency signals in all directions. Persons wanting to sniff the data transmitted over the network may use many solutions to increase the distance over which detection is possible, including the use of reflective tube waveguides (such as the popular Pringle’s can) and flying devices overhead to increase detection range without interference from building structures. Answer A is incorrect because without the use of a mandated encryption standard, data transacted over an 802.1x wireless link may be passed in clear form, and attackers can take advantage of this weak or nonexistent encryption. Answer B is incorrect because the wireless authentication mechanism is one-way, allowing session hijacking. Answer C is incorrect because a popular pastime involves driving around with a laptop system configured to listen for open 802.1x access points announcing their SSID broadcasts, which is known as war-driving.
13. Answer: B. Because the authentication mechanism is one-way, it is easy for a hijacker to wait until the authentication cycle is completed and then generate a signal to the client that causes the client to think it has been disconnected from the access point, while at the same time beginning to transact data traffic pretending to be the original client. Answer A is incorrect because without the use of a mandated encryption standard, data transacted over an 802.1x wireless link may be passed in clear form, and attackers can take advantage of this weak or nonexistent encryption. Answer C is incorrect because a popular pastime involves driving around with a laptop system configured to listen for open 802.1x access points announcing their SSID broadcasts, which is known as war-driving. Answer D is incorrect. Persons wanting to “sniff” the data transmitted over the wireless network may use many solutions to increase the distance over which detection is possible, including the use of reflective tube waveguides (such as the popular Pringle’s can) and flying devices overhead to increase detection range without interference from building structures.
14. Answer: A. Without the use of a mandated encryption standard, data transacted over an 802.1x wireless link may be passed in clear form, and attackers can take advantage of this weak or nonexistent encryption. Answer B is incorrect because the wireless authentication mechanism is one-way, allowing session hijacking. Answer C is incorrect because a popular pastime involves driving around with a laptop system configured to listen for open 802.1x access points announcing their SSID broadcasts, which is known as war-driving. Answer D is incorrect. Persons wanting to “sniff” the data transmitted over the wireless network may use many solutions to increase the distance over which detection is possible, including the use of reflective tube waveguides (such as the popular Pringle’s can) and flying devices overhead to increase detection range without interference from building structures.
15. Answer: B. Although typically benign, attackers can use bluejacking to generate messages that appear to be from the device itself, leading users to follow obvious prompts and establish an open Bluetooth connection to the attacker’s device. Once paired with the attacker’s device, the user’s data becomes available for unauthorized access, modification, or deletion, which is a more aggressive attack referred to as bluesnarfing. Answer A is incorrect. Mobile devices equipped for Bluetooth short-range wireless connectivity, such as laptops, cell phones, and PDAs, are subject to receiving text and message broadcast spam sent from a nearby Bluetooth-enabled transmitting device in an attack referred to as bluejacking. Answer C is incorrect. A popular pastime involves driving around with a laptop system configured to listen for open 802.1x access points announcing their SSID broadcasts, which is known as war-driving. Answer D is incorrect. War-chalking utilizes a set of symbols and shorthand details to provide specifics needed to connect using a business access point. This is done by marking buildings, curbs, and other landmarks to indicate the presence of an available access point and its connection details.
16. Answer: C. War-driving is aimed at identification of existing wireless networks, the service set identifier (SSID) used to identify the wireless network, and any known WEP keys. Answer A is incorrect because without the use of a mandated encryption standard, data transacted over an 802.1x wireless link may be passed in clear form and attackers can take advantage of this weak or nonexistent encryption. Answer B is incorrect because the wireless authentication mechanism is one way, allowing session hijacking. Answer D is incorrect. Persons wanting to “sniff” the data transmitted over the wireless network may use many solutions to increase the distance over which detection is possible, including the use of reflective tube waveguides (such as the popular Pringle’s can) and flying devices overhead to increase detection range without interference from building structures.
17. Answer: A. Mobile devices equipped for Bluetooth short-range wireless connectivity, such as laptops, cell phones, and PDAs, are subject to receiving text and message broadcast spam sent from a nearby Bluetooth-enabled transmitting device in an attack referred to as bluejacking. Answer B is incorrect. Although typically benign, attackers can use bluejacking to generate messages that appear to be from the device itself, leading users to follow obvious prompts and establish an open Bluetooth connection to the attacker’s device. Once paired with the attacker’s device, the user’s data becomes available for unauthorized access, modification, or deletion, which is a more aggressive attack referred to as bluesnarfing. Answer C is incorrect. A popular pastime involves driving around with a laptop system configured to listen for open 802.1x access points announcing their SSID broadcasts, which is known as war-driving. Answer D is incorrect. War-chalking utilizes a set of symbols and shorthand details to provide specifics needed to connect using a business access point. This is done by marking buildings, curbs, and other landmarks to indicate the presence of an available access point and its connection details.
18. Answer: B. Because the request for connection by the client is an omnidirectional open broadcast, it is possible for a hijacker to act as an access point to the client, and as a client to the true network access point, allowing the hijacker to follow all data transactions with the ability to modify, insert, or delete packets at will. By implementing a rogue AP with stronger signal strength than more remote permanent installations, the attacker can cause a wireless client to preferentially connect to their own stronger nearby connection using the wireless device’s standard roaming handoff mechanism. Answer A is incorrect. Without the use of a mandated encryption standard, data transacted over an 802.1x wireless link may be passed in clear form and attackers can take advantage of this weak or nonexistent encryption. Answer C is incorrect because a popular pastime involves driving around with a laptop system configured to listen for open 802.1x access points announcing their SSID broadcasts, which is known as war-driving. Answer D is incorrect. Persons wanting to “sniff” the data transmitted over the wireless network may use many solutions to increase the distance over which detection is possible, including the use of reflective tube waveguides (such as the popular Pringle’s can) and flying devices overhead to increase detection range without interference from building structures.
19. Answer: D. The Wi-Fi Protected Access (WPA and later WPA2) standards were developed by the Wi-Fi Alliance to replace the WEP protocol while the 802.11i standard was being developed. The WPA includes many of the functions of the 802.11i protocol but relies on the Rivest Cipher 4 (RC4), which is considered vulnerable to keystream attacks. The later WPA2 standard was certified to include the full 802.11i standard after its final approval. Answers A and C are incorrect because they are encryptions standards not associated with the Wi-Fi Alliance. Answer B is incorrect because a WAP refers to both handheld devices as well as wireless access points.
20. Answer: A. Wireless Session Layer (WSL) is equivalent to the session layer of the Open Systems Interconnection (OSI) model. Based on this information, answers B, C, and D are incorrect.

Objective 3.5: Analyze and differentiate among types of application attacks.

1. Answer: A, D. Some identified vulnerabilities of the Java language include buffer overflows, ability to execute instructions, resource monopolization, and unexpected redirection. Answers B and C are incorrect because unauthorized file upload and email exposure are associated with JavaScript, not the Java language.
2. Answer: C. Java applets execute when the client machine’s browser loads the hosting web page. Vulnerabilities are based on the Java language. JavaScript vulnerabilities must be addressed based on the operating system and browser version in use on each client. Answers A and B are incorrect because JavaScript vulnerabilities must be addressed based on the operating system and browser version in use on each client, not the server. Answer D is incorrect because the operating system does not load the hosting web page—an application and browser do.
3. Answer: B. Java is a precompiled language. Before it can be executed, it undergoes a Just In Time (JIT) compilation into the necessary binary bytes. A Java-based miniprogram, called an applet, may present many security risks to the client. Applets execute when the client machine’s browser loads the hosting web page. Answers A and C are incorrect because Java is a precompiled language. Answer D is incorrect because applets execute when the client machine’s browser loads the hosting web page.
4. Answer: B, C. JavaScript is a client-side interpreted language that mainly poses privacy-related vulnerability issues such as unauthorized file upload and email exposure. Answers A and D are incorrect because they are associated with the Java language. Some identified vulnerabilities of the Java language include buffer overflows, ability to execute instructions, resource monopolization, and unexpected redirection.
5. Answer: A. To avoid vulnerabilities exposed by earlier forms of Java and ActiveX development, all machines should be kept up-to-date with new version releases. Scripting language vulnerabilities may be addressed in this manner, as well as by turning off or increasing the client’s browser security settings to prevent automatic code execution. Answer B is incorrect because this setting controls third-party tool bands and browser helper objects. Answer C is incorrect because increasing the pop-up setting will not mitigate Java vulnerabilities. Answer D is incorrect because Integrated Windows Authentication has to do with logon information, not Java vulnerabilities.
6. Answer: C. Microsoft developed a precompiled application technology that can be embedded in a web page in the same way as Java applets. This technology is referred to as ActiveX, and its controls share many of the same vulnerabilities present in embedded Java applets. Answer A is incorrect because cookies are temporary files stored in the client’s browser cache to maintain settings across multiple pages, servers, or sites. Answer B is incorrect because JavaScript is a smaller language that does not create applets or standalone applications. Answer D is incorrect because CGI (Common Gateway Interface) scripts are programs that run on the server to service client requests.
7. Answer: B. Clients should regularly clear their browser cookie cache to avoid exposing long-term browsing habits in this way. Where possible, client browsers may also be configured to block third-party cookies, although many online commerce sites require this functionality for their operation. Answer A is incorrect because this setting controls third-party tool bands and browser helper objects. Answer C is incorrect because blocking all cookies would hamper the functionality for many online commerce sites. Answer D is incorrect because disabling automatic code execution on client browsers has more to do with Java applets and ActiveX controls.
8. Answer: D. By restricting the data that can be input and using proper input validation, application designers can reduce the threat posed by maliciously crafted URL references and redirected web content. Answer A is incorrect because third-party cookies would limit exposing long-term browsing habits. Answer B is incorrect because accepting only numeric data input is not feasible, and if it is not validated, it will not mitigate attacks. Answer C is incorrect because this setting controls third-party tool bands and browser helper objects.
9. Answer: A. Whereas cookies generally provide benefits to the end users, spyware would be most likely to use a tracking cookie. A tracking cookie is a particular type of permanent cookie that stays around, whereas a session cookie stays around only for the particular visit to a website. Answers B and D are incorrect because these sites would use session cookies, not tracking cookies. Answer C is incorrect because a Trojan appears to be useful software but has code hidden inside that will attack your system directly or allow the system to be infiltrated by the originator of the code after it has been executed.
10. Answer: D. Spammers search for unprotected SMTP relay services running on public servers, which may then be used to resend SMTP messages to obscure their true source. Answer A is incorrect because buffer overflows are associated with not using proper input validation. Answer B is incorrect. A logic bomb is a virus or Trojan horse designed to execute malicious actions when a certain event occurs or a period of time goes by. Answer C is incorrect. Spyware is associated with behaviors such as advertising, collecting personal information, or changing your computer configuration without appropriately obtaining prior consent.
11. Answer: B. A tracking cookie is a particular type of permanent cookie that stays around, whereas a session cookie stays around only for the particular visit to a website. Therefore, answer C is incorrect. Answers A and D are incorrect because tracking cookies are beneficial or valuable only to the tracking party, not the user.
12. Answer: A. Secure Hypertext Transport Protocol (S-HTTP) operates over port 80 along with regular HTTP traffic. Answer B is incorrect because HTTPS (HTTP over SSL) and SSL employ X.509 digital certificates and operate over port 443. Answer C is incorrect. Email clients connect to port 110 of a remote email server, and then use the POP3 protocol to retrieve email. Answer D is incorrect. Port 4445 uses TCP/UDP for service type upnotifyp.
13. Answer: B. HTTPS (HTTP over SSL) and SSL employ X.509 digital certificates and operate over port 443. Answer A is incorrect because Secure Hypertext Transport Protocol (S-HTTP) operates over port 80 along with regular HTTP traffic. Answer C is incorrect. Email clients connect to port 110 of a remote email server, and then use the POP3 protocol to retrieve email. Port 4445 uses TCP/UDP for service type upnotifyp; therefore, Answer D is incorrect.
14. Answer: B, C. Malformed certificates may be used to exploit the parsing libraries used by SSL agents. SSL certificates may also be used to establish links vulnerable to packet sniffing by using compromised self-signed or expired certificates. Other exploits include the use of small key sizes, outdated certificate revocation lists, and other mechanisms intended to provide weak or compromised SSL certificates. Answers A and D are incorrect because they are associated with programming errors. Buffer-overflow vulnerabilities may be used to enact arbitrary commands on a server. Format string vulnerabilities may result in unauthorized access to enact commands on a server or impair its normal operation. Improperly formatted requests may be used to create an effective denial-of-service (DoS) attack against the server, preventing it from responding to normal requests.
15. Answer: A, D. Buffer-overflow vulnerabilities may be used to enact arbitrary commands on the LDAP server. Format string vulnerabilities may result in unauthorized access to enact commands on the LDAP server or impair its normal operation. Improperly formatted requests may be used to create an effective denial-of-service (DoS) attack against the LDAP server, preventing it from responding to normal requests. Answers B and C are incorrect because they are associated with SSL certificate vulnerabilities. Malformed certificates may be used to exploit the parsing libraries used by SSL agents. SSL certificates may also be used to establish links vulnerable to packet sniffing by using compromised self-signed or expired certificates. Other exploits include the use of small key sizes, outdated certificate revocation lists, and other mechanisms intended to provide weak or compromised SSL certificates.
16. Answer: B, C. FTP servers provide user access to upload or download files between client systems and a networked FTP server. FTP servers include many potential security issues, including anonymous file access and unencrypted authentication. Answers A and D are incorrect because they are associated with programming errors. Buffer-overflow vulnerabilities may be used to enact arbitrary commands on a server. Format string vulnerabilities may result in unauthorized access to enact commands on a server or impair its normal operation. Improperly formatted requests may be used to create an effective denial-of-service (DoS) attack against the server, preventing it from responding to normal requests.
17. Answer: A. FTPS (FTP over SSL) using TCP port 21. Answer B is incorrect because HTTP operates over port 80. Answer C is incorrect. A more secure version of FTP (S/FTP) has been developed, including SSL encapsulation. This is referred to as FTP over SSH using the Secure Shell (SSH) TCP port 22. Answer D is incorrect because port 81 is used as an alternate port for hosting a website.
18. Answer: A, B, C. Attackers develop viral malware capable of spreading through contact lists within IM clients. Others focus on capturing IM traffic and cached logs of past conversations, in an attempt to obtain useful or harmful information. The file-transfer and desktop-sharing capabilities of many clients present challenges against unauthorized data sharing, while creative attackers make use of the audio and video capabilities to directly “tap” unwary IM users. Answer D is incorrect. Improperly formatted requests may be used to create an effective denial-of-service (DoS) attack against servers, preventing them from responding to normal requests.
19. Answer: A, C. CGI scripts may be exploited to leak information, including details about running server processes and daemons. Samples included in some default installations are not intended for security and include well-known exploits, and buffer overflows may allow arbitrary commands to be executed on the server. Answer B is incorrect because anonymous file access is associated with FTP servers. Answer D is incorrect because CGI scripts do not run on the client system.
20. Answer: D. When a website redirects the client’s browser to attack yet another site, this is referred to as cross-site scripting. Answer A is incorrect because unencrypted authentication is associated with FTP servers. Answer B is incorrect because a session hijack occurs when an attacker causes the client’s browser to establish a secure connection to a compromised web server acting as a proxy or redirecting traffic to a secure target site, exposing traffic as it passes through the compromised system. Answer C is incorrect because a buffer overflow occurs when data input exceeds the memory space allocated and injects unanticipated data or programmatic code into executable memory.
21. Answer: B. An early exploit of JavaScript allowed access to files located on the client’s system if the name and path were known. Answers A and D are incorrect because JavaScript, not Java, can be used to execute arbitrary instructions on the server, send email as the user, and allow access to cache information. Answer C is incorrect because Java, not JavaScript, can continue running even after the applet has been closed.
22. Answer: A. Exploits may allow the identification of configuration details of the server that may be helpful to later unauthorized access attempts, a process often referred to as profiling. Answer B is incorrect because reporting portrays information collected in a particular area. Answer C is incorrect because abstracting is used to understand and solve problems. Answer D is incorrect because hyperlinking is associated with web pages.
23. Answer: B. The danger to maintaining session information is that sites may access cookies stored in the browser’s cache that may contain details on the user’s e-commerce shopping habits, along with many user details that could possibly include sensitive information identifying the user or allowing access to secured sites. Answers A and C are incorrect because these actions prove helpful for the client. Answer D is incorrect because this action is associated with Java.
24. Answer: A, C. Browser-based vulnerabilities include session hijacking, buffer overflows, cross-site scripting, and add-in vulnerabilities. Answer B is incorrect because SQL injection is associated with SQL database servers. Answer D is incorrect because social engineering is taking advantage of human nature.
25. Answer: C. The common BitTorrent file-sharing application is an example of a resource-sharing peer-to-peer (P2P) solution, allowing users to transport files between remote clients without passing through a central server for access. This presents difficulties for access restriction because any two clients may negotiate connections using random ports and protocols, bypassing traffic analysis and access control restrictions. Answer A is incorrect; it describes a vulnerability exploitation of Java, CGI scripts, and LDAP. Answer B is incorrect; anonymous file upload is associated with FTP servers. Answer D is incorrect because it describes a CGI script exploit.

Objective 3.6: Analyze and differentiate among types of mitigation and deterrent techniques.

1. Answer: B. Unsecured equipment is vulnerable to social-engineering attacks. It is much easier for an attacker to walk into a reception area, say she is here to do some work on the server, and get server access than to get into a physically secured area with a guest sign-in and sign-out sheet. Brute-force attacks, malware, and rootkits can be installed or launched without physical access. Therefore, answers A, C, and D are incorrect.
2. Answer: C. The goal of a physical security policy is to allow only trusted use of resources via positive identification that the entity accessing the systems is someone or something that has permission to do so based on the security model the organization has chosen. Answers A, B, and D are incorrect because only allowing officers, only what is deemed to be credible users is discretionary, whereas allowing all visitors will create an unsecure environment.
3. Answer: B, C. In very high-security areas, frosted or painted glass can be used to eliminate direct visual observation of user actions, and very high-security scenarios may mandate the use of electromagnetic shielding to prevent remote monitoring of emissions generated by video monitors, network switching, and system operation. Answers A and D are incorrect; picket and chain-link fencing should not be used in high-security areas.
4. Answer: A. Buildings that house sensitive information and systems usually have an area of cleared land surrounding them. This area is referred to as no-man’s land. The purpose of this area is to eliminate the possibility of an intruder hiding in the bushes or behind another building. Answer B is incorrect because it increases the chances of an intruder hiding. Answer C is incorrect; it describes a mantrap. Answer D is incorrect because it describes a wireless lock entry.
5. Answer: C. A mantrap is a holding area between two entry points that gives security personnel time to view a person before allowing him into the internal building. Answer A is incorrect because it describes no-man’s land. The purpose of this area is to eliminate the possibility of an intruder hiding in the bushes or behind another building. Answer B is incorrect because it increases the chances of an intruder hiding. Answer D is incorrect because it describes a wireless lock entry.
6. Answer: D. A cipher lock has a punch code entry system. A wireless lock is opened by a receiver mechanism that reads the card when it is held close to the receiver. Based on this information, answers A, B, and C are incorrect.
7. Answer: A. Video or CCTV cameras should be posted in key locations so that the entire area is covered. Place cameras near entrances and exits to capture each visitor who comes in and out of the parking lot. Place cameras strategically so that every area of the parking lot can be seen by a camera’s field of vision. Answer B is incorrect. If the parking lot covers a large area, security guard coverage may not be enough. Answer C is incorrect because a keycard entry point can easily be compromised. Answer D incorrect because motion detection is not feasible for a parking lot.
8. Answer: A, B, D. External motion detectors can be based on light, sound, infrared, or ultrasonic technology. Answer C is incorrect because radio-frequency identification (RFID) is an automatic identification method.
9. Answer: A. Mandatory physical access controls are commonly found in government facilities and military installations, where users are closely monitored and very restricted. Because they are being monitored by security personnel and devices, users cannot modify entry methods or let others in. Answer B is incorrect. In role-based access methods for physical control, groups of people who have common access needs are predetermined, and access to different locations is allowed with the same key or swipe card. Answer C is incorrect. Discretionary physical control to a building or room is delegated to parties responsible for that building or room. Answer D is incorrect. Allowing access based on individual needs is both costly and causes extensive administrative overhead.
10. Answer: B. In role-based access methods for physical control, groups of people who have common access needs are predetermined, and access to different locations is allowed with the same key or swipe card. Answer A is incorrect. Mandatory physical access controls are commonly found in government facilities and military installations, where users are closely monitored and very restricted. Because they are being monitored by security personnel and devices, users cannot modify entry methods or let others in. Answer C is incorrect. Discretionary physical control to a building or room is delegated to parties responsible for that building or room. Answer D is incorrect. Allowing access based on individual needs is both costly and causes extensive administrative overhead.
11. Answer: A, B, D. Buildings that house sensitive information and systems usually have an area of cleared land surrounding them. This area is referred to as no-man’s land. A building that houses top-secret info would need also require a mantrap and door access system in addition to a no-man’s land. Answer C is incorrect because a wooden fence provides little protection.
12. Answer: D. Video surveillance such as closed-circuit television (CCTV) is the most common method of surveillance. The picture is viewed or recorded, but not broadcast. It was originally developed as a means of security for banks. Answer A is incorrect because a mantrap is a holding area between two entry points that gives security personnel time to view a person before allowing him into the internal building. Answer B is incorrect because security dogs are not a good solution for a bank. Answer C is incorrect because painted glass is used a method of obscuring views. This it is not a sufficient method of security for a bank.
13. Answer: C. Motion detectors can alert security personnel of intruders or suspicious activity on the company’s premises. They can be based on light, sound, infrared, or ultrasonic technology. These devices must be properly configured because they are extremely sensitive and can issue false alarms if set too stringently. Answers A and B are incorrect because they are false statements. Answer D is incorrect; although motion detectors may be a more expensive solution, the question asks for the main security concern.
14. Answer: A. The quickest way to tell which ports are open and which services are running is to do a netstat operation on the machine. Answer B is incorrect; nbtstat is designed to help troubleshoot NetBIOS name resolution problems. Answer C is incorrect; ipconfig is used to troubleshoot IP address configuration. Answer D is incorrect; msconfig is used to configure startup services and on Windows computers.
15. Answer: D. SNMP is used for monitoring the health of network equipment, computer equipment, and devices like uninterruptible power supplies (UPS). Answer A is incorrect because SubNetwork Access Protocol (SNAP) defines how data is formatted for transmission and how access to the network is controlled. Answer B is incorrect because SMTP is used for email. Answer C is incorrect because the Synchronous Data Link Control (SDLC) protocol was developed by IBM to be used as the Layer 2 of the SNA hierarchical network.
16. Answer: B, C. The best way to protect the network infrastructure from attacks aimed at antiquated or unused ports and protocols is to remove any unnecessary protocols and create Access Control Lists to allow traffic on necessary ports only. By doing so, you eliminate the possibility of unused and antiquated protocols being exploited, and you minimize the threat of an attack. Answer A is incorrect. It is not always necessary to keep protocols installed by default. Answer D is incorrect. Users should never control what goes in and out of the network.
17. Answer: C. To improve server performance, logs should be stored on a nonsystem striped or striped/mirrored disk volume. Answer A is incorrect. Storing the log files in the DMZ is poor practice because the servers located here are generally more vulnerable. Answers B and D are incorrect; storing the log files on the local machine will not improve performance.
18. Answer: D. Log files should be stored in a centralized repository of an offline volume or on a standalone computer. Answer A is incorrect; storing the log files on the local machine will not improve security. Answer B is incorrect. Storing the log files on the intranet is poor practice as the information is visible and more vulnerable. Answer C is incorrect. Storing the log files in the DMZ is poor practice because the servers located here are generally more vulnerable.
19. Answer: C. When implementing an application logging strategy, look for a solution that uses standard protocols and formats so that analysis is simpler. Therefore, answers A, B, and D are incorrect.
20. Answer: A, B, D. IIS logs may include information about site visitors and their viewing habits. They can be used to assess content, identify bottlenecks, or investigate attacks. Answer C is incorrect. Task Manager is a tool that you can use to end processes.
21. Answer: D. DNS logging may cause performance degradation on the server. It should be used only for troubleshooting purposes. By enabling DNS debug logging, you can log all DNS-related information. Based on this information, answers A, B, and C are incorrect.
22. Answer: D. In UNIX- or Linux-based systems, programs send log entries to the system logging daemon, syslogd. Answer A is incorrect because mtools.conf is a configuration file for all the operations. Answers B and C are incorrect; both Msconfig and Event Viewer are tools used on Windows-based systems.
23. Answer: B, C. You should employ strict access controls on all logging servers. If allowable, encrypt the log files and store log files on a standalone system. Answer A is incorrect; it is not good practice to store log files in plain text. Answer D is incorrect; log files should not be stored on data partitions of individual systems.
24. Answer: B. Task Manager is a tool that you can use to end processes or applications that get hung up or cause the operating system to become unstable, without having to reboot the machine. It also gives you an instant view of CPU and memory usage. Answer A is incorrect because Network Monitor is used to capture network traffic and generate statistics for creating reports. Answer C is incorrect because Event Viewer enables you to view certain events that occur on the system. Event Viewer maintains three log files: one for system processes, one for security information, and one for applications. Answer D is incorrect because Microsoft’s Performance console is used for tracking and viewing the utilization of system resources.
25. Answer: C. Authentication and accounting logging is particularly useful for troubleshooting remote-access policy issues. Answer A is incorrect because Internet Information Services (IIS) logging is designed to be more detailed than the event-logging or performance-monitoring features of Windows Server operating systems. The IIS logs can include information such as who has visited your site, what they viewed, and when the information was viewed last. Answer B is incorrect because critical and error level logging is one of the eight logging levels available for Cisco logging devices. Answer D is incorrect because authentication and accounting logging information is used to track remote-access usage and authentication attempts. This logging is separate from the events recorded in the system event log.
26. Answer: A, C, D. Antivirus software, just like other software applications, usually contains a folder within the application for logging events such as updates, quarantined viruses, and update history. Answer B is incorrect. Dropped packets are normally found in router logs.
27. Answer: B. Routing and remote access logging information is used to track remote-access usage and authentication attempts. This logging is separate from the events recorded in the system event log. Therefore, Answer D is incorrect. Answer A is incorrect; firewall logging will not log remote access and authentication. Answer C is incorrect; IIS logging will not log remote access and authentication.
28. Answer: C. Auditing is the process of tracking users and their actions on the network. Answer A is incorrect because it describes baselining. Answer B is incorrect because it describes logging. Answer D is incorrect because it describes monitoring.
29. Answer: A, B. Without proper planning and policies, you probably will quickly fill your log files and hard drives with useless or unused information. The more quickly you fill up your log files, the more frequently you need to check the logs; otherwise, important security events may get deleted unnoticed. Answer C is incorrect because log files should not be stored on user hard drives. Answer D is incorrect. When auditing is not clear-cut, the workload of the system administrator increases.
30. Answer: B, C. Auditing user privileges is generally a two-step process that involves enabling auditing within the operating system and then specifying the resources to be audited. Answer A is incorrect; auditing, not logging, needs to be enabled. Answer D is incorrect; the log file storage directory is specified, not the audit file directory.
31. Answer: D. Auditing of access use and rights changes should be implemented to prevent unauthorized or unintentional access for a guest or restricted user account access to sensitive or protected resources. Answer A is incorrect; group policy controls access to resources. Answer B is incorrect; retention policies concern data, not user access. Answer C is incorrect; DHCP deals with the issuing of IP addresses not access to accounts.
32. Answer: C. It is equally important to audit both failed and successful events because both may reveal unauthorized access or an unexpected escalation of access rights. Answers A and B are incorrect because it is important to audit both types of events. Answer D is incorrect because auditing is an important part of securing the network.
33. Answer: B. Logging is the process of collecting data to be used for monitoring and reviewing purposes. Auditing is the process of verification that normally involves going through log files; therefore, answer A is incorrect. Answer C is incorrect. Baselining is measuring and rating the performance of a network. Typically, the log files are frequently inspected, and inspection is not the process of collecting the data; therefore, answer D is incorrect.
34. Answer: D. Turning on all audit counters for all objects could significantly impact server performance. Answer A is incorrect; auditing is done in the background and does not affect user productivity. Answer B is incorrect; if the I/O activity were affected at all, it would be increased. Answer C is incorrect; as with I/O activity, if there were change, it would be an increase, not a decrease.
35. Answer: B. In Group Policy, the settings that will actually be applied to an object will be a combination of all the settings that can affect the object. Answer A is incorrect because all group policies are applied to the object. Answer C is incorrect; in a universal group, the policies may be applied from different domains. Answer D is incorrect; this would apply only if there was not a domain environment.
36. Answer: B. You can use gpresult to see what policy is in effect and to troubleshoot problems. Answer A is incorrect; you can use gpupdate to refresh policy immediately and to specify certain options at the command line. Answer C is incorrect; the Resultant Set of Policy (RSoP) tool is used to determine the effective settings on the computer that you are working from or any other computer in a Windows Server 2008 Active Directory domain. Answer D is incorrect; the Group Policy object is used to create group policies.
37. Answer: A. You can use the Resultant Set of Policy (RSoP) tool to determine the effective settings on the computer that you are working from or any other computer in a Windows Server 2008 Active Directory domain. Answer B is incorrect; the Group Policy object is used to create group policies. Answer C is incorrect; you can use gpupdate to refresh policy immediately and to specify certain options at the command line. Answer D is incorrect; the local security settings are used on the local machine only.
38. Answer: C. Auditing success events in the account management event category can be used to verify changes that were made to account properties and group properties. Answer A is incorrect. Auditing success events in the policy change event category will record success and failure events in the system events. Answer B is incorrect. Auditing success events in the policy change event category on domain controllers indicates someone has changed the local security authority (LSA). Answer D is incorrect; auditing success events in the logon event category records when each user logs on to or logs off from the computer.
39. Answer: D. Auditing success events in the logon event category records when each user logs on to or logs off from the computer. Answer A is incorrect. Auditing success events in the policy change event category will record success and failure events in the system events. Answer B is incorrect. Auditing success events in the policy change event category on domain controllers indicates someone has changed the local security authority (LSA). Answer C is incorrect; auditing success events in the account management event category is used to verify changes that were made to account properties and group properties.
40. Answer: C. Auditing success events in the account logon event category on domain controllers is used to verify when users log on to or log off from the domain. Answer A is incorrect. Auditing success events in the policy change event category will record success and failure events in the system events. Answer B is incorrect. Auditing success events in the policy change event category on domain controllers indicates someone has changed the local security authority (LSA). Answer D is incorrect; auditing success events in the logon event category records when each user logs on to or logs off from the computer.

Objective 3.7: Implement assessment tools and techniques to discover security threats and vulnerabilities.

1. Answer: A. A port-scanning software utility will scan a single machine or a range of IP addresses, checking for a response on service ports. Answer B is incorrect. A network mapper is a software utility used to conduct network assessments over a range of IP addresses. The network mapper compiles a listing of all systems, devices, and network hardware present within a network segment. Answer C is incorrect because a protocol analyzer is a software utility used on a hub, a switch supervisory port, or in line with network connectivity to allow the analysis of network communications. Answer D is incorrect. A vulnerability scanner is a software utility that will scan a range of IP addresses, testing for the presence of known vulnerabilities in software configuration and accessible services.
2. Answer: D. A vulnerability scanner is a software utility that will scan a range of IP addresses, testing for the presence of known vulnerabilities in software configuration and accessible services. Answer A is incorrect. A port-scanning software utility will scan a single machine or a range of IP addresses, checking for a response on service ports. Answer B is incorrect. A network mapper is a software utility used to conduct network assessments over a range of IP addresses. The network mapper compiles a listing of all systems, devices, and network hardware present within a network segment. Answer C is incorrect because a protocol analyzer is a software utility used on a hub, a switch supervisory port, or in line with network connectivity to allow the analysis of network communications.
3. Answer: C. A protocol analyzer is a software utility used on a hub, a switch supervisory port, or in line with network connectivity to allow the analysis of network communications. Answer A is incorrect. A port-scanning software utility will scan a single machine or a range of IP addresses, checking for a response on service ports. Answer B is incorrect. A network mapper is a software utility used to conduct network assessments over a range of IP addresses. The network mapper compiles a listing of all systems, devices, and network hardware present within a network segment. Answer D is incorrect. A vulnerability scanner is a software utility that will scan a range of IP addresses, testing for the presence of known vulnerabilities in software configuration and accessible services.
4. Answer: B. A network mapper is a software utility used to conduct network assessments over a range of IP addresses. The network mapper compiles a listing of all systems, devices, and network hardware present within a network segment. Answer A is incorrect. A port-scanning software utility will scan a single machine or a range of IP addresses, checking for a response on service ports. Answer C is incorrect because a protocol analyzer is a software utility used on a hub, a switch supervisory port, or in line with network connectivity to allow the analysis of network communications. Answer D is incorrect. A vulnerability scanner is a software utility that will scan a range of IP addresses testing for the presence of known vulnerabilities in software configuration and accessible services.
5. Answer: D. Open Vulnerability Assessment Language (OVAL) is intended as an international language for representing vulnerability information using an XML schema for expression, allowing tools to be developed to test for identified vulnerabilities in the OVAL repository. Answer A is incorrect because it describes the Open Systems Interconnection reference model (OSI model). Answer B is incorrect because it describes IEEE 802 standards. Answer C is incorrect because it describes the International Organization for Standardization (ISO).
6. Answer: A. Within U.S. governmental agencies, vulnerability may be discussed using the Open Vulnerability Assessment Language (OVAL) sponsored by the Department of Homeland Security’s National Cyber Security Division (NCSD). Answer B is incorrect because IEEE refers to a family of IEEE standards dealing with local area networks and metropolitan area networks. Answer C is incorrect because the International Organization for Standardization, widely known as ISO, is an international-standard-setting body composed of representatives from various national standards organizations. Answer D is incorrect because the Information Systems Security Association is a security-focused group.
7. Answer: A. A port-scanning software utility will scan a single machine or a range of IP addresses, checking for a response on service ports. Port scanners are useful in creating an inventory of services hosted on networked systems. Answer B is incorrect. A network mapper is a software utility used to conduct network assessments over a range of IP addresses. The network mapper compiles a listing of all systems, devices, and network hardware present within a network segment. Answer C is incorrect because a protocol analyzer is a software utility used on a hub, a switch supervisory port, or in line with network connectivity to allow the analysis of network communications. Answer D is incorrect. A vulnerability scanner is a software utility that will scan a range of IP addresses, testing for the presence of known vulnerabilities in software configuration and accessible services.
8. Answer: C. A protocol analyzer is a software utility used on a hub, a switch supervisory port, or in line with network connectivity to allow the analysis of network communications. Individual protocols, specific endpoints, or sequential access attempts may be identified using this utility, which is often referred to as a packet sniffer. Answer A is incorrect. A port-scanning software utility will scan a single machine or a range of IP addresses, checking for a response on service ports. Answer B is incorrect. A network mapper is a software utility used to conduct network assessments over a range of IP addresses. The network mapper compiles a listing of all systems, devices, and network hardware present within a network segment. Answer D is incorrect. A vulnerability scanner is a software utility that will scan a range of IP addresses, testing for the presence of known vulnerabilities in software configuration and accessible services.
9. Answer: D. A vulnerability scanner is a software utility that will scan a range of IP addresses, testing for the presence of known vulnerabilities in software configuration and accessible services. Unlike port scanners, which test only for the availability of services, vulnerability scanners may check for the particular version or patch level of a service to determine its level of vulnerability. Answer A is incorrect. A port-scanning software utility will scan a single machine or a range of IP addresses, checking for a response on service ports. Answer B is incorrect. A network mapper is a software utility used to conduct network assessments over a range of IP addresses. The network mapper compiles a listing of all systems, devices, and network hardware present within a network segment. Answer C is incorrect because a protocol analyzer is a software utility used on a hub, a switch supervisory port, or in line with network connectivity to allow the analysis of network communications.
10. Answer: B. Code reviews are typically conducted using automated software programs designed to check code, as well as manual human checks, in which someone not associated with development combs through the code. Answer A is incorrect because an architecture review is an assessment of system architecture that considers the entire system. It provides the ability to identify faulty components and interaction between various elements. Answer C is incorrect because design review refers more specifically to the components of the architecture at a more micro level. A review of design will consider various elements such as compatibility, modularity, reusability, and, of course, security. Answer D is incorrect. The attack surface refers to the amount of running code, services, and user-interaction fields and interfaces.
11. Answer: D. The attack surface refers to the amount of running code, services, and user-interaction fields and interfaces. Answer A is incorrect because an architecture review is an assessment of system architecture that considers the entire system. It provides the ability to identify faulty components and interaction between various elements. Answer B is incorrect. Code reviews are typically conducted using automated software programs designed to check code, as well as manual human checks, in which someone not associated with development combs through the code. Answer C is incorrect because design review refers more specifically to the components of the architecture at a more micro level. A review of design will consider various elements such as compatibility, modularity, reusability, and, of course, security.
12. Answer: A. An architecture review is an assessment of system architecture that considers the entire system. It provides the ability to identify faulty components and interaction between various elements. Answer B is incorrect. Code reviews are typically conducted using automated software programs designed to check code, as well as manual human checks, in which someone not associated with development combs through the code. Answer C is incorrect because design review refers more specifically to the components of the architecture at a more micro level. A review of design will consider various elements such as compatibility, modularity, reusability, and, of course, security. Answer D is incorrect. The attack surface refers to the amount of running code, services, and user-interaction fields and interfaces.
13. Answer: D. Password crackers should provide only the relative strength of a password, rather than the password itself, to avoid weakening logon responsibility under evidentiary discovery actions. Answers A, B, and C are incorrect because password crackers should not provide the password itself to avoid disclosure under e-discovery proceedings.
14. Answer: B. The network mapper compiles a listing of all systems, devices, and network hardware present within a network segment. This information can be used to identify single points of failure, conduct a network inventory, and create graphical details suitable for reporting on network configurations. Answer A is incorrect. A port-scanning software utility will scan a single machine or a range of IP addresses, checking for a response on service ports. Answer C is incorrect because a protocol analyzer is a software utility used on a hub, a switch supervisory port, or in line with network connectivity to allow the analysis of network communications. Answer D is incorrect. A vulnerability scanner is a software utility that will scan a range of IP addresses, testing for the presence of known vulnerabilities in software configuration and accessible services.
15. Answer: C. A protocol analyzer is a software utility used on a hub, a switch supervisory port, or in line with network connectivity to allow the analysis of network communications. Individual protocols, specific endpoints, or sequential access attempts may be identified using this utility, which is often referred to as a packet sniffer. Answer A is incorrect. A port-scanning software utility will scan a single machine or a range of IP addresses, checking for a response on service ports. Answer B is incorrect. A network mapper is a software utility used to conduct network assessments over a range of IP addresses. The network mapper compiles a listing of all systems, devices, and network hardware present within a network segment. Answer D is incorrect. A vulnerability scanner is a software utility that will scan a range of IP addresses, testing for the presence of known vulnerabilities in software configuration and accessible services.

Objective 3.8: Within the realm of vulnerability assessments, explain the proper use of penetration testing versus vulnerability scanning.

1. Answer: B. Friendly attacks against a network test the security measures put into place. Such attacks are referred to as penetration tests or simply “pen tests.” Answer A and C are incorrect because a vulnerability assessment or a security assessment are not directed efforts to exploit vulnerabilities in an attempt to gain access to networked resources. Answer D is incorrect because a compliance test has nothing to do with penetration testing.
2. Answer: A, C. Penetration tests may cause some disruption to network operations as a result of the actual penetration efforts conducted. Penetration tests can also make legitimate attacks by generating false data in intrusion detection systems/intrusion prevention systems (IDS/IPS). Answers B and D are incorrect; although internal and external users may be affected, these are not the most serious downsides of penetration testing.
3. Answer: B, C. Some systems administrators may perform amateur pen tests against networks in an attempt to prove a particular vulnerability exists or to evaluate the overall security exposure of a network. This is a bad practice because it generates false intrusion data, may weaken the network’s security level, and may be a violation of privacy laws, regulatory mandates, or business entity guidelines. Answers A and D are incorrect because the statements are contrary to the correct answers.
4. Answer: D. Vulnerability assessments may be complemented by directed efforts to exploit vulnerabilities in an attempt to gain access to networked resources. Penetration testing includes all of the process in vulnerability assessment plus an important extra step, which is to exploit the vulnerabilities found in the discovery phase. Based in the previous information, answers A, B, and C are incorrect.
5. Answer: A. Penetration tests can also make legitimate attacks by generating false data in IDS systems, concealing aggression that is otherwise unrelated to the officially sanctioned penetration test. Answers B and C are incorrect; although they are both concerns, they are not the main security risk. Answer D is incorrect; penetration testing itself does not weaken the network’s security level; however, amateur pen testing can.
6. Answer: A. A black box test is conducted with the assessor having no information or knowledge about the inner workings of the system or knowledge of the source code, for example. Answer B is incorrect because white box testing, also called clear box or glass box, provides more transparency. White box techniques are often tests to see if programming constructs are placed correctly and carry out the required actions or not. Answer C is incorrect because gray box testing uses a combination of both white and black box techniques. This can be more easily thought of as being translucent. Answer D is incorrect because green box testing is a testing process that takes multiple integrated systems that have passed system testing as input and tests their required interactions.
7. Answer: B. White box testing, also called clear box or glass box, provides transparency. White box techniques are often tests to see if programming constructs are placed correctly and carry out the required actions or not. Answer A is incorrect because black box testing is conducted with the assessor having no information or knowledge about the inner workings of the system or knowledge of the source code for example. Answer C is incorrect because gray box testing uses a combination of both white and black box techniques. This can be more easily thought of as being translucent. Answer D is incorrect because green box testing is a testing process that takes multiple integrated systems that have passed system testing as input and tests their required interactions.
8. Answer: B. A network mapper is a software utility used to conduct network assessments over a range of IP addresses. The network mapper compiles a listing of all systems, devices, and network hardware present within a network segment. Answer A is incorrect. A port-scanning software utility will scan a single machine or a range of IP addresses, checking for a response on service ports. Answer C is incorrect because a protocol analyzer is a software utility used on a hub, a switch supervisory port, or in line with network connectivity to allow the analysis of network communications. Answer D is incorrect. A vulnerability scanner is a software utility that will scan a range of IP addresses, testing for the presence of known vulnerabilities in software configuration and accessible services.
9. Answer: C. A password cracker is a software utility that allows direct testing of user logon password strength by conducting a brute-force password test using dictionary terms, specialized lexicons, or mandatory complexity guidelines. Answer A is incorrect. Password Locker is a commercial program that lets you save passwords, recover passwords, and manage and form-fill all your usernames and passwords. Answer B is incorrect because a password generator creates random passwords. Answer D is incorrect. A password keychain, most commonly found on Apple computers, keeps track of your passwords for any type of account.
10. Answer: A. Unlike port scanners, which test only for the availability of services, vulnerability scanners may check for the particular version or patch level of a service to determine its level of vulnerability. Answers B, C, and D are incorrect because they do not accurately describe port scanners or vulnerability scanners.