1.
What is the purpose of a demilitarized zone on a network?
Correct Answer
A. To only provide direct access to the nodes within the DMZ and protect the network behind it
Explanation
A demilitarized zone (DMZ) on a network serves the purpose of providing direct access to the nodes within the DMZ while also protecting the network behind it. It acts as a buffer zone between the internal network and the external network, allowing for controlled access to certain resources. By placing servers or services that need to be accessed by external entities in the DMZ, the internal network is shielded from potential threats. This setup ensures that any malicious activity originating from the DMZ does not directly impact the internal network, enhancing overall network security.
2.
You need a tool that can do network intrusion prevention and intrusion detection, function as a network sniffer, and record network activity. What tool would you most likely select?
Correct Answer
A. Snort
Explanation
Snort would be the most likely tool to select because it is a versatile network security tool that can perform network intrusion prevention and intrusion detection. It can also function as a network sniffer, capturing and analyzing network traffic. Additionally, Snort has the capability to record network activity, making it a comprehensive tool for network security monitoring and analysis.
3.
In which of the following password protection techniques are random strings of characters added to the password before calculating their hashes?
Correct Answer
C. Salting
Explanation
Salting is a password protection technique where random strings of characters are added to the password before calculating their hashes. This adds an extra layer of security by making it difficult for attackers to guess the password through methods like rainbow table attacks. The salted password is then stored in the database, along with the salt value used. When a user tries to authenticate, the entered password is salted with the same value and compared with the stored salted password. If they match, the user is granted access.
4.
Which is the first step followed by Vulnerability Scanners for scanning a network?
Correct Answer
A. Checking if the remote host is alive
Explanation
Vulnerability scanners start by checking if the remote host is alive before proceeding with any other scans. This step is important because if the host is not active or accessible, further scanning will be pointless. By checking the host's availability, the vulnerability scanner ensures that it can establish a connection and communicate with the target system before continuing with more extensive network scanning activities.
5.
Assume a business-crucial web-site of some company that is used to sell handsets to the customers worldwide. All the developed components are reviewed by the security team on a monthly basis. In order to drive business further, the web-site developers decided to add some 3rd party marketing tools on it. The tools are written in Javascript and can track the customers’ activity on the site. These tools are located on the servers of the marketing company. What is the main security risk associated with this scenario?
Correct Answer
C. External script contents could be maliciously modified without the security team's knowledge
Explanation
The main security risk associated with this scenario is that the external script contents could be maliciously modified without the security team's knowledge. Since the marketing tools are located on the servers of the marketing company, the web-site developers have no control over the scripts. This leaves the possibility for attackers to modify the scripts and inject malicious code, potentially leading to data breaches or other security vulnerabilities. The security team's monthly reviews may not be sufficient to detect such modifications, making it a significant risk.
6.
What type of analysis is performed when an attacker has partial knowledge of the inner workings of the application?
Correct Answer
A. Grey-box
Explanation
Grey-box analysis is performed when an attacker has partial knowledge of the inner-workings of the application. In this type of analysis, the attacker has some limited information about the system, such as access to the application's interface or documentation. This allows them to gain a deeper understanding of the application's behavior and vulnerabilities, which can be used to exploit and compromise the system. Grey-box analysis combines elements of both black-box (no knowledge) and white-box (full knowledge) analysis, making it a valuable technique for attackers seeking to exploit vulnerabilities in a targeted application.
7.
A hacker named Jack is trying to compromise a bank’s computer system. He needs to know the operating system of that computer to launch further attacks. What process would help him?
Correct Answer
B. Banner Grabbing
Explanation
Banner grabbing is a process that would help the hacker named Jack to determine the operating system of the bank's computer system. By analyzing the banners, which are information sent by the operating system, Jack can identify the specific operating system being used. This knowledge will enable him to launch further attacks targeted towards the vulnerabilities of that operating system.
8.
Which of the following provides a security professional with the most information about the system's security posture?
Correct Answer
C. Port scanning, banner grabbing, service identification
Explanation
Port scanning, banner grabbing, and service identification provide a security professional with the most information about the system's security posture. Port scanning involves scanning a system's network ports to identify open ports and potential vulnerabilities. Banner grabbing involves collecting information from network services such as web servers to gather details about the system. Service identification involves determining the specific services running on a system, which can help identify potential vulnerabilities or misconfigurations. These techniques provide valuable information for assessing and improving the security of a system.
9.
You are attempting to run an Nmap port scan on a web server. Which of the following commands would result in a scan of common ports with the least amount of noise in order to evade IDS?
Correct Answer
A. nmap -sT -O -T0
Explanation
The command "nmap -sT -O -T0" would result in a scan of common ports with the least amount of noise in order to evade IDS. The "-sT" flag specifies a TCP connect scan, which is less likely to be detected by IDS compared to other scan types. The "-O" flag enables OS detection, which can provide additional information about the target system without generating additional noise. The "-T0" flag sets the timing template to the slowest possible value, reducing the likelihood of detection by IDS.
10.
Which of the following is an adaptive SQL injection testing technique used to discover coding errors by inputting massive amounts of random data and observing the changes in the output?
Correct Answer
C. Fuzzing Testing
Explanation
Fuzzing testing is an adaptive SQL injection testing technique that involves inputting large amounts of random data to identify coding errors. By observing the changes in the output, developers can discover vulnerabilities and potential security flaws in the system. This technique helps to simulate real-world scenarios and test the resilience of the system against unexpected inputs. Fuzzing testing is an effective method to identify and fix coding errors, ensuring the security and stability of the SQL application.
11.
Cross-site request forgery involves:
Correct Answer
A. A browser making a request to a server without the user’s knowledge
Explanation
Cross-site request forgery (CSRF) involves a browser making a request to a server without the user's knowledge. This means that an attacker can exploit the trust between a user and a website to perform unauthorized actions on behalf of the user. The attacker tricks the user's browser into making a request to a vulnerable website, which then executes the request as if it came from the user. This can lead to various malicious activities, such as changing account settings, making financial transactions, or deleting data, without the user's consent or knowledge.
12.
A tester has been hired to do a web application security test. The tester notices that the site is dynamic and must make use of a back end database. In order for the tester to see if SQL injection is possible, what is the first character that the tester should use to attempt breaking a valid SQL request?
Correct Answer
D. Single quote
Explanation
The tester should use a single quote as the first character to attempt breaking a valid SQL request. This is because SQL injection involves inserting malicious SQL code into input fields, and using a single quote can help the tester determine if the application is vulnerable to such attacks. By inputting a single quote, the tester can check if the application's response indicates a potential vulnerability, such as displaying error messages or returning unexpected results.
13.
A bank stores and processes sensitive privacy information related to home loans. However, auditing has never been enabled on the system. What is the first step that the bank should take before enabling the audit feature?
Correct Answer
D. Determine the impact of enabling the audit feature
Explanation
Before enabling the audit feature, the bank should first determine the impact of enabling it. This step is important as it allows the bank to assess the potential consequences of enabling the audit feature on their system. By understanding the impact, the bank can evaluate any potential risks, benefits, and requirements associated with enabling auditing. This will help them make an informed decision and take necessary precautions to ensure the security and privacy of the sensitive information stored and processed in relation to home loans.
14.
The following is a part of a log file taken from the machine on the network with the IP address of 192.168.0.110:
Time:June 16 17:30:15 Port:20 Source:192.168.0.105 Destination:192.168.0.110 Protocol:TCP
Time:June 16 17:30:17 Port:21 Source:192.168.0.105 Destination:192.168.0.110 Protocol:TCP
Time:June 16 17:30:19 Port:22 Source:192.168.0.105 Destination:192.168.0.110 Protocol:TCP
Time:June 16 17:30:21 Port:23 Source:192.168.0.105 Destination:192.168.0.110 Protocol:TCP
Time:June 16 17:30:22 Port:25 Source:192.168.0.105 Destination:192.168.0.110 Protocol:TCP
Time:June 16 17:30:23 Port:80 Source:192.168.0.105 Destination:192.168.0.110 Protocol:TCP
What type of activity has been logged?
Correct Answer
C. Port scan targeting 192.168.0.110
Explanation
The log file shows a series of connections being made to different ports on the IP address 192.168.0.110. This indicates a port scan, which is an activity where an attacker systematically scans a target IP address for open ports. In this case, the source IP address is 192.168.0.105, suggesting that it is the one performing the port scan. Therefore, the correct answer is "Port scan targeting 192.168.0.110."
15.
Why is a penetration test considered to be more thorough than a vulnerability scan?
Correct Answer
A. A penetration test actively exploits vulnerabilities in the targeted infrastructure, while a vulnerability scan does not typically involve active exploitation.
Explanation
A penetration test is considered to be more thorough than a vulnerability scan because it actively exploits vulnerabilities in the targeted infrastructure. This means that the penetration test goes beyond just identifying vulnerabilities, but also attempts to exploit them to assess the potential impact and consequences. On the other hand, a vulnerability scan typically only involves identifying vulnerabilities through host discovery and port scanning, without actively exploiting them. Additionally, penetration testing tools often have more comprehensive vulnerability databases, allowing for a more thorough assessment of the system's security.
16.
Tremp is an IT Security Manager, and he is planning to deploy an IDS in his small company. He is looking for an IDS with the following characteristics:
- Verifies success or failure of an attack
- Monitors system activities
- Detects attacks that a network-based IDS fails to detect
- Near real-time detection and response
- Does not require additional hardware
- Lower entry cost
Which type of IDS is best suited for Tremp's requirements?
Correct Answer
C. Host based IDS
Explanation
A host-based IDS is best suited for Tremp's requirements because it verifies the success or failure of an attack, monitors system activities, and detects attacks that a network-based IDS may fail to detect. Additionally, a host-based IDS provides near real-time detection and response, does not require additional hardware, and has a lower entry cost compared to other types of IDSs.
17.
Suppose your company has just passed a security risk assessment exercise. The results show that the risk of a breach in the main company application is 50%. Security staff have taken some measures and implemented the necessary controls. After that, another security risk assessment was performed, showing that the risk has decreased to 10%. The risk threshold for the application is 20%. Which of the following risk decisions will be the best for the project in terms of its successful continuation with the most business profit?
Correct Answer
C. Accept the risk
Explanation
Accepting the risk would be the best decision for the project in terms of its successful continuation with the most business profit. This is because the risk has decreased to 10%, which is below the risk threshold of 20%. Introducing more controls to bring the risk to 0% may not be cost-effective or necessary since the risk is already within an acceptable range. Mitigating the risk may also not be necessary as it is already below the risk threshold. Avoiding the risk may not be feasible or practical for the project.
18.
Darius is analysing logs from an IDS. He wants to understand what triggered one alert and verify whether it is a true positive or a false positive. Looking at the logs, he copies and pastes the basic details below:
source IP: 192.168.21.100
source port: 80
destination IP: 192.168.10.23
destination port: 63221
What is the most proper answer?
Correct Answer
C. This is most probably false-positive, because an alert triggered on reversed traffic.
Explanation
The given answer suggests that the alert triggered on reversed traffic, which indicates that the source and destination IP addresses and ports are switched. This implies that the IDS detected suspicious activity from the destination IP and port (192.168.10.23:63221) towards the source IP and port (192.168.21.100:80), which is unusual and may be a false positive.
19.
Which of the following algorithms is used for Kerberos encryption?
Correct Answer
C. DES
Explanation
DES (Data Encryption Standard) is the correct answer for this question. DES is a symmetric encryption algorithm that is used in the Kerberos protocol for encrypting and decrypting data. It is a widely used encryption algorithm known for its security and efficiency. DES uses a 56-bit key to encrypt and decrypt data in blocks of 64 bits. It has been widely used in various applications, including network security protocols like Kerberos.
20.
Which of the following techniques is NOT relevant in preventing an ARP spoofing attack?
Correct Answer
A. Kernel based patches
Explanation
Kernel based patches are not relevant in preventing ARP spoof attacks because they are not specifically designed to address this type of attack. Kernel based patches typically focus on fixing vulnerabilities and improving the performance of the operating system's kernel, but they do not directly deal with preventing ARP spoofing. Other techniques mentioned, such as static MAC entries, arpwatch, and secure ARP protocol, are more relevant in preventing ARP spoof attacks.
21.
Matthew, a black hat, has managed to open a meterpreter session to one of the kiosk machines in Evil Corp's lobby. He checks his current SID, which is S-1-5-21-1223352397-1872883824-861252104-501. What needs to happen before Matthew has full administrator access?
Correct Answer
D. He must perform privilege escalation.
Explanation
Before Matthew has full administrator access, he must perform privilege escalation. Although he already has admin privileges, as indicated by the "501" at the end of the SID, this does not grant him full administrator access. Privilege escalation is the process of gaining higher levels of access or privileges than originally granted, allowing Matthew to have complete control and unrestricted access to the system.
22.
The I.T. Helpdesk at XYZ Company has begun receiving several phone calls from concerned staff regarding a suspicious email they have received. One employee has forwarded a copy of the suspicious email to you for further investigation. Your manager is asking for immediate information to determine if this is a phishing attack. The email message looks like this:
From: [email protected]
To: [email protected]
Date: 4/10/17 2:35pm
Subject: New corporate HR sign up today!
Priority: High
You want to quickly determine who sent this email message, so you look at the envelope headers and see this information:
Received from unknown (209.85.213.50) by mail.xyzcompany.com id 2BqvU15YHBK; 10 Apr 2017 14:33:50
You perform a DNS query to determine more information about 209.85.213.50 but no record is found. What web site will allow you to quickly find out more information about 209.85.213.50, including the owner of the IP address?
Correct Answer
B. https://whois.arin.net
Explanation
The correct answer is https://whois.arin.net. This website is a reliable source for performing a WHOIS query to find information about IP addresses. By entering 209.85.213.50 into the search field, you can quickly obtain details about the owner of the IP address, which will help in determining if the email is part of a phishing attack or not.
23.
Which utility will tell you in real time which ports are listening or in another state?
Correct Answer
A. Netstat
Explanation
Netstat is a utility that provides information about network connections and listening ports on a computer. It displays a list of active connections, including the protocol, local and remote IP addresses, and the state of each connection. By using Netstat, users can see which ports are open and actively listening for incoming connections, as well as identify any suspicious or unauthorized connections. This real-time information is useful for network troubleshooting, monitoring network activity, and ensuring the security of a computer or network. TCPView, Loki, and Nmap are also network monitoring tools, but Netstat specifically focuses on displaying real-time information about listening ports.
24.
When a security analyst prepares for a formal security assessment, which of the following should be done in order to determine inconsistencies in the secure assets database and verify that the system is compliant with the minimum security baseline?
Correct Answer
A. Data items and vulnerability scanning
Explanation
To determine inconsistencies in the secure assets database and verify system compliance to the minimum security baseline, a security analyst should perform data items and vulnerability scanning. This involves analyzing the data items within the secure assets database to identify any inconsistencies or discrepancies. Additionally, vulnerability scanning helps to identify any potential weaknesses or vulnerabilities within the system that may pose a security risk. By conducting these assessments, the security analyst can ensure that the system is in line with the minimum security baseline and address any issues that may compromise its security.
25.
A Multihomed firewall has a minimum of how many network connections?
Correct Answer
C. 2
Explanation
A multihomed firewall is a firewall that is connected to multiple networks. In order to be considered multihomed, it must have at least two network connections. This allows the firewall to filter and control traffic between the different networks, providing an added layer of security. Therefore, the correct answer is 2.
26.
What does the -oX flag do in an Nmap scan?
Correct Answer
A. Output the results in XML format to a file
Explanation
The -oX flag in an Nmap scan is used to output the results in XML format to a file. This allows for easier parsing and analysis of the scan results using various tools. XML format provides a structured and standardized way to store and exchange data, making it a suitable choice for storing Nmap scan results. By using the -oX flag, the user can specify the name and location of the output file where the XML-formatted results will be saved.
27.
Although FTP traffic is not encrypted by default, which layer 3 protocol would allow for end-to-end encryption of the connection?
Correct Answer
C. IPsec
Explanation
IPsec is a layer 3 protocol that provides end-to-end encryption of the connection. It operates at the network layer of the OSI model and can be used to encrypt data at the IP packet level, ensuring that all traffic passing through the network is secure. While FTP does not provide encryption by default, IPsec can be implemented to encrypt the FTP traffic, providing a secure connection between the client and server.
28.
Email is transmitted across the Internet using the Simple Mail Transfer Protocol. SMTP doesn't encrypt email, leaving the information in the message vulnerable to being read by an unauthorized person. SMTP can upgrade a connection between two mail servers to use TLS. Email transmitted by SMTP over TLS is encrypted. What is the name of the command used by SMTP to transmit email over TLS?
Correct Answer
B. STARTTLS
Explanation
SMTP uses the command "STARTTLS" to initiate a secure connection between two mail servers and transmit email over TLS. This command allows SMTP to upgrade the connection and encrypt the email, ensuring that the information in the message is protected and cannot be read by unauthorized individuals.
29.
You are performing a penetration test for a client, and have gained shell access to a Windows machine on the internal network. You intend to retrieve all DNS records for the internal domain. If the DNS server is at 192.168.10.2 and the domain name is abccorp.local, what command would you type at the nslookup prompt to attempt a zone transfer?
Correct Answer
C. ls -d abccorp.local
Explanation
The command "ls -d abccorp.local" is used to attempt a zone transfer in nslookup. A zone transfer is a mechanism used to replicate DNS records from a primary DNS server to a secondary DNS server. By typing this command, the tester is requesting the DNS server at 192.168.10.2 to provide all DNS records for the abccorp.local domain, which can be useful for further analysis and exploitation during the penetration test.
30.
While scanning with Nmap, Patin found several hosts which have an incremental IP ID sequence. He then decided to conduct: nmap -Pn -p- -sI kiosk.adobe.com www.riaa.com, where kiosk.adobe.com is the host with the incremental IP ID sequence. What is the purpose of using "-sI" with Nmap?
Correct Answer
D. Conduct IDLE scan
Explanation
The purpose of using "-sI" with Nmap is to conduct an IDLE scan. IDLE scanning is a stealthy method of scanning that allows the attacker to use a third-party system as a proxy to scan a target network. By using a host with an incremental IP ID sequence (in this case, kiosk.adobe.com), the attacker can send spoofed packets to the target network, and the responses from the target network will be sent to the host with the incremental IP ID sequence. This allows the attacker to gather information about the target network without directly interacting with it, making it difficult to detect.
31.
Clara, a black hat, has connected her Linux laptop to an Ethernet jack in the E-Corp reception area. She types "ip route" at a terminal and receives the following output, realizing that she's still connected to a WiFi network across the street. If she were to attack a host at 192.168.100.250, out of which interface would the traffic exit?
default via 192.168.100.1 dev wlp5s0 src 192.168.100.156 metric 202
default via 192.168.96.1 dev enp5s0u1 src 192.168.100.54 metric 600
192.168.100.0/24 dev wlp5s0 proto kernel scope link src 192.168.100.156 metric 202
192.168.96.0/21 dev enp5s0u1 proto kernel scope link src 192.168.100.54 metric 600
Correct Answer
B. wlp5s0
Explanation
The traffic would exit through the interface "wlp5s0" because it is the interface associated with the WiFi network that Clara is currently connected to. This can be determined from the "ip route" output where the line "default via 192.168.100.1 dev wlp5s0 src 192.168.100.156 metric 202" indicates that the default route for internet traffic is through the "wlp5s0" interface.
32.
What is the known plaintext attack used against DES which shows that encrypting plaintext with one DES key followed by encrypting it with a second DES key is no more secure than using a single key?
Correct Answer
D. Meet-in-the-middle attack
Explanation
A meet-in-the-middle attack is a known plaintext attack that exploits the vulnerability of using two DES keys in sequence. In this attack, the attacker encrypts the plaintext with one key and stores the intermediate result. Then, they decrypt the ciphertext with another key and store the intermediate result. By comparing the two intermediate results, the attacker can find the matching pair of keys that produce the same result. This attack reduces the effective key size, making it no more secure than using a single key.
33.
An LDAP directory can be used to store information similar to a SQL database. LDAP uses a _____ database structure instead of SQL's _____ structure. Because of this, LDAP has difficulty representing many-to-one relationships.
Correct Answer
D. Hierarchical, Relational
Explanation
LDAP uses a hierarchical database structure instead of SQL's relational structure. In a hierarchical structure, data is organized in a tree-like format with parent-child relationships, where each entry can have multiple children but only one parent. This makes it suitable for representing one-to-many relationships. On the other hand, SQL databases use a relational structure where data is organized in tables with rows and columns, allowing for many-to-one relationships. Therefore, LDAP has difficulty representing many-to-one relationships due to its hierarchical database structure.
34.
Which of the following DoS tools is used to attack target web applications by starving the web server of available sessions? The tool keeps sessions at a halt using never-ending POST transmissions and sending an arbitrarily large Content-Length header value.
Correct Answer
C. R-U-Dead-Yet? (RUDY)
Explanation
R-U-Dead-Yet? (RUDY) is the correct answer because it is a Denial of Service (DoS) tool specifically designed to target web applications by starving the available sessions on the web server. It achieves this by keeping sessions at a halt using never-ending POST transmissions and sending an arbitrarily large content-length header value. This overwhelms the server and prevents it from serving legitimate user requests, effectively causing a denial of service.
35.
You have successfully logged on to a Linux system. You now want to cover your tracks. Your login attempt may be logged in several files located in /var/log.
Which file does NOT belong to the list?
Correct Answer
D. user.log
Explanation
The file "user.log" does not belong to the list because it is not a standard log file in Linux systems. The other files mentioned, such as "auth.log," "wtmp," and "btmp," are commonly used to log authentication and login activities. However, "user.log" is not a standard log file name and is not typically used for logging login attempts.
36.
Nedved is an IT Security Manager of a Bank in his country. One day, he found out that there is a security breach to his company's email server based on analysis of a suspicious connection from the email server to an unknown IP Address. What is the first thing that Nedved needs to do before contacting the incident response team?
Correct Answer
B. Leave it be and contact the incident response team right away
Explanation
Nedved should leave the suspicious connection as it is and immediately contact the incident response team. This is because the incident response team is specialized in handling security breaches and will have the necessary expertise to investigate and mitigate the situation effectively. Disconnecting the email server or blocking the connection without proper analysis may hinder the investigation process and potentially cause further damage. Migrating the connection to the backup email server is not the immediate priority as resolving the security breach takes precedence.
37.
A pen tester is configuring a Windows laptop for a test. In setting up Wireshark, what driver and library are required to allow the NIC to work in promiscuous mode?
Correct Answer
D. WinPcap
Explanation
To allow the NIC to work in promiscuous mode while setting up Wireshark on a Windows laptop, the required driver and library are WinPcap. WinPcap is a packet capture library that enables applications to capture and transmit network packets. It provides low-level access to network interfaces and allows Wireshark to capture all network traffic on the network interface, including packets not addressed to the laptop itself.
38.
Which Metasploit Framework tool can help a penetration tester evade anti-virus systems?
Correct Answer
A. Msfencode
Explanation
Msfencode is a Metasploit Framework tool that can help penetration testers evade anti-virus systems. It is used to encode payloads, making them undetectable by anti-virus software. By encoding the payload, it changes the signature of the file, bypassing the anti-virus detection and allowing the penetration tester to deliver the payload without being detected. This tool is commonly used in penetration testing to assess the effectiveness of an organization's anti-virus defenses.
39.
Trinity needs to scan all hosts on a /16 network for TCP port 445 only. What is the fastest way she can accomplish this with Nmap? Stealth is not a concern.
Correct Answer
B. nmap -p 445 -n -T4 --open 10.1.0.0/16
Explanation
The fastest way for Trinity to scan all hosts on a /16 network for TCP port 445 only is by using the command "nmap -p 445 -n -T4 --open 10.1.0.0/16". This command specifies the port to be scanned (-p 445), disables DNS resolution (-n), sets the timing template to aggressive (-T4), and only shows open ports (--open).
40.
Darius just received a call:
Unknown Caller: Hello, my name is Rashad and I'm a security engineer from Microsoft Corporation. We have observed suspicious activity originating from your system and we would like to stop this threat. To do so I would ask you to install some updates on your system. Would you prefer that I send you a link or an attachment within an email?
Darius: Hello, please send me an email with the attachment at [email protected]
Unknown Caller: Thank you for your cooperation, I'm sending the instructions and all files.
What did Darius just face?
Correct Answer
B. Social Engineering Attack
Explanation
Darius just faced a social engineering attack. In this scenario, the caller claimed to be a security engineer from Microsoft Corporation and manipulated Darius into believing that there was suspicious activity on his system. The caller then requested Darius to install updates by either sending a link or an attachment within an email. This is a typical example of social engineering, where the attacker deceives the victim into taking actions that compromise their security.
41.
You are analysing traffic on the network with Wireshark. You want to routinely run a cron job which will run the capture against a specific set of IPs: 192.168.8.0/24. What command would you use?
Correct Answer
D. Wireshark --capture --local --masked 192.168.8.0 --range 24
Explanation
The quiz marks "wireshark --capture --local --masked 192.168.8.0 --range 24" as correct, reading it as "perform a capture (--capture), on the local machine (--local), restricted to the network 192.168.8.0 (--masked) with a 24-bit prefix (--range)", i.e. the range 192.168.8.0/24. Note that none of these are real Wireshark switches, and the Wireshark GUI is not what you would schedule from cron. In practice the crontab entry would call Wireshark's command-line companion tshark (or dumpcap) with a capture filter in BPF syntax such as -f "net 192.168.8.0/24", -w to write the pcap file, and -a duration:N so the capture stops on its own.
42.
In IPv6 what is the major difference concerning application layer vulnerabilities compared to IPv4?
Correct Answer
C. Vulnerabilities in the application layer are independent of the network layer. Attacks and mitigation techniques are almost identical.
Explanation
The point of the question is that there is no major difference. Application layer vulnerabilities (injection, broken authentication, unsafe deserialization and the like) live in the application's own code and data handling, so they are independent of whether the packets underneath are IPv4 or IPv6: the attacks and the mitigations are almost identical. Two consequences follow. The security features built into IPv6 do nothing for application layer flaws, and application layer defenses built for an IPv4 deployment (input validation, authentication, WAF rules) protect the IPv6 side of a dual-stack network just as well. Network layer controls are a different matter: an IPv4-only firewall rule or ACL does not cover IPv6 traffic, so those must be implemented for both stacks.
43.
User A is writing a sensitive email message to user B outside the local network. User A has chosen to use PKI to secure his message and ensure only user B can read the sensitive email. At what layer of the OSI layer does the encryption and decryption of the message take place?
Correct Answer
A. Application
Explanation
Encryption and decryption take place at the Application layer (layer 7). With PKI-based e-mail protection such as S/MIME or OpenPGP, the mail client itself encrypts the message for user B's public key (in practice a random symmetric key protects the content and that key is wrapped with B's public key) and can sign it with user A's private key; user B's client decrypts it with B's private key. The protection is end-to-end and travels with the message through every mail server on the way, unlike TLS between mail servers, which protects only each hop in transit and leaves the message readable on the servers. Because only B holds B's private key, only B can read the message.
44.
Which TCP scanning method is unlikely to set off network IDS?
Correct Answer
C. TCP SYN scan
Explanation
A TCP SYN scan (half-open scan, Nmap's default -sS) sends a SYN to each port and reads the reply: a SYN/ACK means open, a RST means closed, no answer means filtered. The scanner never completes the handshake; it answers a SYN/ACK with a RST rather than an ACK, so no connection is established and nothing is ever handed to the listening application. That is what makes it quieter than a full connect scan (-sT): applications and host logs never see a connection, and the target's kernel drops the half-open state as soon as the RST arrives. Network IDS can and do detect SYN scans, however, because a burst of SYN-only packets from one source to many ports is a distinctive pattern (Snort's portscan preprocessor exists for exactly this), so "unlikely to set off network IDS" should be read relative to the other scan types on offer, not as an absolute.
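To show why the "quiet" SYN scan is still visible to a network sensor, here is an added example (not part of the quiz) of the detection logic a simple IDS would apply: it looks for a source that sends SYN-only probes to many ports on one host within a short window and never follows any of them with an ACK. The packet records are constructed to mimic what a sensor would see, including the target's SYN/ACK and RST/ACK replies and a legitimate client completing a normal handshake.

```python
"""Detect half-open (SYN) scans in a stream of TCP packet summaries.

Added example, not part of the quiz. The packets are constructed to mimic
what a sensor would record: a scanner at 10.0.0.66 probing 12 ports on
10.0.0.5 and resetting every half-open connection, alongside a normal
client at 10.0.0.7 completing a handshake to port 443.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float     # seconds
    src: str
    dst: str
    dport: int    # destination port of this packet
    flags: str    # TCP flags as tcpdump prints them: S, SA, A, PA, R, RA


SCAN_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080]
OPEN_ON_TARGET = {22, 445, 3389}   # constructed: ports that answer SYN/ACK


def build_sample() -> list[Pkt]:
    """Constructed traffic: one SYN scan plus one legitimate connection."""
    pkts = []
    for i, port in enumerate(SCAN_PORTS):
        t = 100.0 + i * 0.05
        pkts.append(Pkt(t, "10.0.0.66", "10.0.0.5", port, "S"))
        # Target replies SYN/ACK (open) or RST/ACK (closed); the reply's
        # destination port is the scanner's ephemeral source port.
        reply = "SA" if port in OPEN_ON_TARGET else "RA"
        pkts.append(Pkt(t + 0.005, "10.0.0.5", "10.0.0.66", 40000 + i, reply))
        if port in OPEN_ON_TARGET:
            # Scanner tears the half-open connection down with RST, never ACK.
            pkts.append(Pkt(t + 0.01, "10.0.0.66", "10.0.0.5", port, "R"))
    # Legitimate client: SYN, SYN/ACK, ACK, then data.
    pkts += [
        Pkt(101.00, "10.0.0.7", "10.0.0.5", 443, "S"),
        Pkt(101.01, "10.0.0.5", "10.0.0.7", 51000, "SA"),
        Pkt(101.02, "10.0.0.7", "10.0.0.5", 443, "A"),
        Pkt(101.50, "10.0.0.7", "10.0.0.5", 443, "PA"),
    ]
    return pkts


def detect_syn_scans(pkts: list[Pkt], min_ports: int = 10,
                     window: float = 5.0) -> dict[tuple[str, str], list[int]]:
    """Return {(src, dst): sorted ports} for each source that sent SYN-only
    probes to at least `min_ports` distinct ports on one host within
    `window` seconds and never followed any of them with an ACK.
    Closed ports count too: the scanner's SYN is the signal, not the reply."""
    first_syn = defaultdict(dict)   # (src, dst) -> {dport: ts of first SYN}
    acked = set()                    # (src, dst, dport) where src sent an ACK
    for p in sorted(pkts, key=lambda x: x.ts):
        if p.flags == "S":
            first_syn[(p.src, p.dst)].setdefault(p.dport, p.ts)
        elif "A" in p.flags:
            acked.add((p.src, p.dst, p.dport))

    hits = {}
    for (src, dst), ports in first_syn.items():
        half_open = [port for port in ports if (src, dst, port) not in acked]
        times = sorted(ports[port] for port in half_open)
        # Two-pointer sliding window over the probe timestamps: is there a
        # start index from which >= min_ports probes fall within `window`?
        j = 0
        for i in range(len(times)):
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= min_ports:
                hits[(src, dst)] = sorted(half_open)
                break
    return hits


if __name__ == "__main__":
    for (src, dst), ports in detect_syn_scans(build_sample()).items():
        print(f"SYN scan from {src} against {dst}: {len(ports)} ports {ports}")
```

The legitimate client is never flagged, even with the threshold set to one port, because it sends the final ACK of the handshake; the scanner is flagged on the SYNs alone, whether the target answered SYN/ACK or RST/ACK.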
45.
At 2:05pm your log monitoring tool sends an alert to the InfoSec team that a special account named dba_admin was just used. While investigating this alert, at 2:30pm your database administrator calls with information that a database extract of ten thousand records occurred around 2pm. He says this is unusual because no data extract jobs were scheduled at that time. At 2:45pm your web proxy sends an alert to the InfoSec team that someone just tried to access the underground hacker site named Data4Sale.com. After consulting on the information available so far, the Manager of Information Security, the Director of Information Technology, and the Chief Information Security Officer declare an incident. During the Evidence Gathering and Handling phase of the incident response, what is the most important thing to do?
Correct Answer
A. Reviewing the evidence in careful detail to identify the attacking hosts.
Explanation
During the Evidence Gathering and Handling phase the priority is to review the available evidence in careful detail to identify the attacking hosts. The dba_admin log entry, the database's record of the extract and the proxy alert each carry addresses, account names and timestamps; correlated, they point to the system or systems the attacker is operating from, and containment, eradication and recovery cannot be targeted until that is known. The evidence has to be gathered in a way that keeps it usable later: record who collected what, when and how, work from copies while the originals are preserved, and keep a chain of custody, since the extract of ten thousand records may end up in a legal or regulatory proceeding.
46.
What does line 7 of this traceroute mean?
ark@debian-lxde:~$ traceroute -n 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  192.168.2.1  0.914 ms  1.000 ms  1.054 ms
 2  192.168.1.1  2.364 ms  1.983 ms  2.126 ms
 3
 4  193.253.85.230  2.313 ms  3.021 ms  2.848 ms
 5  81.253.182.230  3.086 ms  2.868 ms  4.077 ms
 6  81.253.184.82  10.248 ms  10.268 ms  10.085 ms
 7  81.52.200.209  6.970 ms  81.52.200.217  6.454 ms  81.52.200.209  7.179 ms
 8  81.52.186.142  6.766 ms  7.278 ms  7.206 ms
 9  209.85.244.252  8.847 ms  8.644 ms  8.639 ms
10  8.8.8.8  9.289 ms  9.123 ms  9.024 ms
ark@debian-lxde:~$
Correct Answer
A. Router 81.253.184.82 has two equivalent paths toward destination
47.
What is the process for allowing or blocking a specific port in the Windows firewall? (For example, TCP port 22 inbound)
Correct Answer
D. A rule matching these requirements can be created in "Windows Firewall with Advanced Security", located in the Control Panel.
Explanation
A rule that allows or blocks a specific port (for example, inbound TCP 22) is created in "Windows Firewall with Advanced Security", reachable from the Control Panel (or directly as the wf.msc snap-in): choose Inbound Rules, New Rule, rule type Port, protocol TCP, port 22, then the Allow or Block action and the network profiles it should apply to. No third-party software is needed. The same rule can be scripted with netsh advfirewall firewall add rule, or with the PowerShell NetSecurity cmdlets, which is what you would reach for on many hosts, but the question asks for the built-in graphical path.
48.
OpenSSL on Linux servers includes a command line tool for testing TLS. What is the name of the tool and the correct syntax to connect to a web server?
Correct Answer
D. Openssl s_client -connect www.website.com:443
Explanation
The correct answer is "openssl s_client -connect www.website.com:443". s_client is a subcommand of the openssl binary rather than a separate tool; it opens a TLS connection to the host and port given to -connect (here www.website.com on 443), prints the server's certificate chain, the negotiated protocol version and cipher suite, and the certificate verification result, and then leaves you in a session where you can type a raw request such as an HTTP GET. When the server hosts several names, add -servername www.website.com so the Server Name Indication extension is sent and the certificate for that name comes back; otherwise you may be inspecting the default virtual host's certificate rather than the one you meant to test.
49.
Jim's company regularly performs backups of their critical servers. But the company can't afford to send backup tapes to an off-site vendor for long term storage and archiving. Instead Jim's company keeps the backup tapes in a safe in the office. Jim's company is audited each year, and the results from this year's audit show a risk because backup tapes aren't stored off-site. The Manager of Information Technology has a plan to take the backup tapes home with him and wants to know what two things he can do to secure the backup tapes while in transit?
Correct Answer
C. Encrypt the backup tapes and transport them in a lock box.
Explanation
The correct answer is to encrypt the backup tapes and transport them in a lock box. Encryption protects the data if a tape is lost or stolen in transit: without the key the contents cannot be read, so a lost encrypted tape is a lost piece of media rather than a data breach. The lock box adds physical control over the media so tapes cannot be removed, swapped or tampered with unnoticed. The two controls cover different failures, which is why both are wanted: a lock box alone fails the moment it is forced, and encryption alone does nothing to keep a tape from going missing. The encryption keys must be kept separately from the tapes, never in the same box.
50.
Security Policy is a definition of what it means to be secure for a system, organization or other entity. For Information Technologies, there are sub-policies like Computer Security Policy, Information Protection Policy, Information Security Policy, Network Security Policy, Physical Security Policy, Remote Access Policy, and User Account Policy. What is the main theme of the sub-policies for Information Technologies?
Correct Answer
A. Confidentiality, Integrity, Availability
Explanation
The main theme of the sub-policies for Information Technologies is Confidentiality, Integrity, and Availability. These three principles are fundamental in ensuring the security of a system, organization, or entity. Confidentiality ensures that sensitive information is protected from unauthorized access. Integrity ensures that data remains accurate, complete, and unaltered. Availability ensures that the system or information is accessible and usable when needed. By focusing on these three aspects, the sub-policies aim to establish a secure environment for information technologies.