Docsity
Cybersecurity Threats and Defenses: Test Questions and Answers for 2024, Exams of Nursing

A comprehensive list of test questions and answers covering various cybersecurity threats and defenses, including ransomware, viruses, key loggers, session hijacking, logic bombs, trojan horses, backdoors, DDoS attacks, and more. It also includes topics like poor user training, system vulnerabilities, hacking threats, and different types of attacks such as cross-site scripting and spear phishing.

Typology: Exams

2023/2024

Available from 04/27/2024

Beverlyn

Download Cybersecurity Threats and Defenses: Test Questions and Answers for 2024 and more Exams Nursing in PDF only on Docsity! Chapter 1 Test Complet Question And Answers 2024 1. John is analyzing strange behavior on computers in his network. He believes there is malware on the machines. The symptoms include strange behavior that persists, even if he boots the machine to a Linux Live CD. What is the most likely cause? A. Ransomware B. Boot sector virus C. Rootkit D. Key logger - correct answers✅B. The correct answer is a boot sector virus, which is one that will affect the boot sector of the hard drive. Thus, what operating system you boot to is irrelevant. Option A is incorrect. There is no element of ransom in the description of this attack. Option C is incorrect. A rootkit can sometimes also affect the boot sector, but in this case the boot sector virus is the most accurate description. Option D is incorrect. Nothing in this description indicates key logging. 2. Ahmed is a sales manager with a major insurance company. He has received an email that is encouraging him to click on a link and fill out a survey. He is suspicious of the email, but it does mention a major insurance association, and that makes him think it might be Chapter 1 Test Complet Question And Answers 2024 legitimate. Which of the following best describes this attack? A. Phishing B. Social engineering C. Spear phishing D. Trojan horse - correct answers✅C. The correct answer is spear phishing. Spear phishing is targeted to a specific group, in this case insurance professionals. Attackers can find individuals from public sources to target. This is known as open source intelligence. Option A is incorrect because that is too broad a category. Option B is incorrect because, though social engineering is a part of every phishing attack, this is more than just social engineering. Option D is incorrect because this is not a Trojan horse. In fact, malware is not even part of the attack. 3. 
You are a security administrator for a medium-sized bank. You have discovered a piece of software on your bank's database server that is not supposed to be there. It appears that the software will begin deleting database files if a specific employee is terminated. What best describes this? A. Worm B. Logic bomb Chapter 1 Test Complet Question And Answers 2024 worried about cross-site scripting and SQL injection. Which of the following would best defend against these two specific attacks? A. Encrypted web traffic B. Filtering user input C. A firewall D. An IDS - correct answers✅B. The primary and best way to defend against the attacks mentioned is filtering user input. Option A is incorrect. Encrypting the web traffic will not have any effect on these two attacks. Option C is incorrect. A web application firewall (WAF) might mitigate these attacks, but it would be secondary to filtering user input. Option D is incorrect. An IDS will simply detect the attack—it won't stop it. 7. You are responsible for network security at Acme Company. Users have been reporting that personal data is being stolen when using the wireless network. They all insist they only connect to the corporate wireless access point (WAP). However, logs for the WAP show that these users have not connected to it. Which of the following could best explain this situation? A. Session hijacking B. Clickjacking Chapter 1 Test Complet Question And Answers 2024 C. Rogue access point D. Bluejacking - correct answers✅C. If users have been connecting but the WAP does not show them connecting, then they have been connecting to a rogue access point. This could be the cause of an architecture and design weakness such as a network without segmentation and control of devices connecting to the network. Option A is incorrect. Session hijacking involves taking over an already authenticated session. Most session hijacking attacks involve impersonation. 
The attacker attempts to gain access to another user's session by posing as that user. Option B is incorrect. Clickjacking involves causing visitors to a website to click on the wrong item. Option D is incorrect. Bluejacking is a Bluetooth attack. 8. What type of attack depends on the attacker entering JavaScript into a text area that is intended for users to enter text that will be viewed by other users? A. SQL injection B. Clickjacking C. Cross-site scripting Chapter 1 Test Complet Question And Answers 2024 D. Bluejacking - correct answers✅C. Cross-site scripting involves entering a script into text areas that other users will view. Option A is incorrect. SQL injection is not about entering scripts, but rather SQL commands. Option B is incorrect. Clickjacking is about tricking users into clicking on the wrong thing. Option D is incorrect. Bluejacking is a Bluetooth attack. 9. A sales manager at your company is complaining about slow performance on his computer. When you thoroughly investigate the issue, you find spyware on his computer. He insists that the only thing he has downloaded recently was a freeware stock trading application. What would best explain this situation? A. Logic bomb B. Trojan horse C. Rootkit D. Macro virus - correct answers✅B. A Trojan horse wraps a malicious program to a legitimate program. When the user downloads and installs the legitimate program, they get the malware. Option A is incorrect. A logic bomb is malware that does its misdeeds when some condition is met. Option C is incorrect. A rootkit is malware that gets administrative, or root access. Chapter 1 Test Complet Question And Answers 2024 12. Mike is a network administrator with a small financial services company. He has received a popup window that states his files are now encrypted and he must pay .5 bitcoins to get them decrypted. He tries to check the files in question, but their extensions have changed, and he cannot open them. What best describes this situation? A. 
Mike's machine has a rootkit. B. Mike's machine has ransomware. C. Mike's machine has a logic bomb. D. Mike's machine has been the target of whaling. - correct answers✅B. This is a classic example of ransomware. Option A is incorrect. A rootkit provides access to administrator/root privileges. Option C is incorrect. A logic bomb executes its malicious activity when some condition is met. Option D is incorrect. This scenario does not describe whaling. 13. Terrance is examining logs for the company e-commerce web server. He discovers a number of redirects that cannot be explained. After carefully examining the website, he finds some attacker performed a watering hole attack by placing JavaScript in the website and is redirecting users to a phishing website. Which of the following techniques would be best Chapter 1 Test Complet Question And Answers 2024 at preventing this in the future? A. An SPI firewall B. An active IDS/IPS C. Checking buffer boundaries D. Checking user input - correct answers✅D. The primary method for stopping both cross-site scripting and SQL injection is to check or filter user input. Option A is incorrect. A web application firewall might help, but a basic SPI firewall won't prevent this. Option B is incorrect. Most IDSs/IPSs won't detect cross-site scripting, and even if one will, option A is still the best way to prevent cross-site scripting. Option C is incorrect. This is not a buffer overflow, and checking buffer boundaries won't help. 14. What type of attack is based on sending more data to a target variable than the data can actually hold? A. Bluesnarfing B. Buffer overflow C. Bluejacking D. DDoS - correct answers✅B. This is the description of a buffer overflow. Chapter 1 Test Complet Question And Answers 2024 Option A is incorrect. Bluesnarfing is a Bluetooth attack. Option C is incorrect. Bluejacking is a Bluetooth attack. Option D is incorrect. This is not a distributed denial of service. 15. 
You have been asked to test your company network for security issues. The specific test you are conducting involves primarily using automated and semiautomated tools to look for known vulnerabilities with the various systems on your network. Which of the following best describes this type of test? A. Vulnerability scan B. Penetration test C. Security audit D. Security test - correct answers✅A. Vulnerability scan uses automated tools such as Nessus and Microsoft Baseline Security Analyzer to find known vulnerabilities. Option B is incorrect. Penetration tests seek to actually exploit the vulnerabilities and break into systems. Option C is incorrect. Security audits usually focus on checking policies, incident reports, and other documents. Option D is incorrect. Security test is a generic term for any sort of test. Chapter 1 Test Complet Question And Answers 2024 address, which would explain why there were no entries. Option A is incorrect. A backdoor would not explain that the log entries were sent, but not received. Option B is incorrect. A buffer overflow would not explain that the log entries were sent but not received. Option D is incorrect. An IDS would not stop log entries even if it was malfunctioning. 19. Coleen is the web security administrator for an online auction website. A small number of users are complaining that when they visit the website and log in, they are told the service is down and to try again later. Coleen checks and she can visit the site without any problem, even from computers outside the network. She also checks the web server log and there is no record of those users ever connecting. Which of the following might best explain this? A. Typosquatting B. SQL injection C. Cross-site scripting D. Cross-site request forgery - correct answers✅A. From the description it appears that they are not logging into the real web server but Chapter 1 Test Complet Question And Answers 2024 rather a fake server. 
That indicates typosquatting: have a URL that is named very similarly to a real site so that when users mistype the real site's URL they will go to the fake site. Options B, C, and D are all incorrect. These are all methods of attacking a website, but in this case, the actual website was not attacked. Instead, some users are visiting a fake site 20. Mahmoud is responsible for managing security at a large university. He has just performed a threat analysis for the network, and based on past incidents and studies of similar networks, he has determined that the most prevalent threat to his network is low-skilled attackers who wish to breach the system, simply to prove they can or for some low-level crime, such as changing a grade. Which term best describes this type of attacker? A. Hacktivist B. Amateur C. Insider D. Script kiddie - correct answers✅D. The term for low-skilled hackers is script kiddie. Option A is incorrect. Nothing indicates this is being done for ideological reasons. Chapter 1 Test Complet Question And Answers 2024 Option B is incorrect. "Amateur" may be an appropriate description, but the correct term is script kiddie. Option C is incorrect. Nothing in this scenario indicates an insider threat. 21. Which of the following best describes a collection of computers that have been compromised and are being controlled from one central point? A. Zombienet B. Botnet C. Nullnet D. Attacknet - correct answers✅B. The term for this is botnet, usually spelled as one word. Options A, C, and D are all incorrect. Although these terms might sound the same, they are simply not the terms used in the industry. 22. John is conducting a penetration test of a client's network. He is currently gathering information from sources such as archive.org, netcraft.com, social media, and information websites. What best describes this stage? A. Active reconnaissance B. Passive reconnaissance C. Initial exploitation Chapter 1 Test Complet Question And Answers 2024 A. 
White-box test B. External test C. Black-box test D. Threat test - correct answers✅C. A black-box test involves absolutely minimal information. Option A is incorrect. A white-box test involves very complete information being given to the tester. Option B is incorrect. This scenario is probably done from outside the network, but external test is not the correct terminology. Option D is incorrect. Threat test is not a term used in penetration testing. 26. You work for a security company that performs penetration testing for clients. You are conducting a test of an e-commerce company. You discover that after compromising the web server, you can use the web server to launch a second attack into the company's internal network. What best describes this? A. Internal attack B. White-box testing C. Black-box testing D. A pivot - correct answers✅D. A pivot occurs when you exploit one machine and use that as a basis to attack other Chapter 1 Test Complet Question And Answers 2024 systems. Option A is incorrect. Pivots can be done from internal or external tests. Options B and C are incorrect. These describe how much information the tester is given in advance, not how the tester performs the test. 27. While investigating a malware outbreak on your company network, you discover something very odd. There is a file that has the same name as a Windows system DLL, and even has the same API interface, but handles input very differently, in a manner to help compromise the system, and it appears that applications have been attaching to this file, rather than the real system DLL. What best describes this? A. Shimming B. Trojan horse C. Backdoor D. Refactoring - correct answers✅A. Shimming is when the attacker places some malware between an application and some other file, and intercepts the communication to that file (usually to a library or system API). Option B is incorrect. A Trojan horse might be used to get the shim onto the system, but that is not described in this scenario. 
Chapter 1 Test Complet Question And Answers 2024 Option C is incorrect. A backdoor is a means to circumvent system authorization and get direct access to the system. Option D is incorrect. Refactoring is the process of changing names of variables, functions, etc. in a program. 28. Your company has hired a penetration testing firm to test the network. For the test, you have given the company details on operating systems you use, applications you run, and network devices. What best describes this type of test? A. White-box test B. External test C. Black-box test D. Threat test - correct answers✅A. A white-box test involves providing extensive information, as described in this scenario. Option B is incorrect. A white-box test could be internal or external. Option C is incorrect. This is the opposite of a black-box test. Option D is incorrect. Threat test is not a term used in penetration testing. 29. Frank is a network administrator for a small college. He discovers that several machines on his network are infected with malware. That malware is sending a flood of packets to Chapter 1 Test Complet Question And Answers 2024 B. An active IDS/IPS C. Checking buffer boundaries D. Checking user input - correct answers✅C. You are concerned about buffer overflows, and thus checking buffer boundaries is the best defense. Options A and B are incorrect. While these technological solutions can always be a benefit for security, they are unlikely to address buffer overflow attacks effectively. Option D is incorrect. Checking user input helps defend against SQL injection and crosssite scripting. 33. You work for a large retail company that processes credit card purchases. You have been asked to test your company network for security issues. The specific test you are conducting involves primarily checking policies, documentation, and past incident reports. Which of the following best describes this type of test? A. Vulnerability scan B. Penetration test C. Security audit D. 
Security test - correct answers✅C. Security audits typically focus on checking policies, documents, and so forth. Option A is incorrect. Vulnerability scans use automated and semiautomated processes to Chapter 1 Test Complet Question And Answers 2024 check for known vulnerabilities. Option B is incorrect. Penetration tests attempt to actually exploit vulnerabilities and breach systems. Option D is incorrect. Security test is too general a term. 34. Maria is a salesperson with your company. After a recent sales trip, she discovers that many of her logins have been compromised. You carefully scan her laptop and cannot find any sign of any malware. You do notice that she had recently connected to a public WiFi at a coffee shop, and it is only since that connection that she noticed her logins had been compromised. What would most likely explain what has occurred? A. She connected to a rogue AP. B. She downloaded a Trojan horse. C. She downloaded spyware. D. She is the victim of a buffer overflow attack. - correct answers✅A. Although many things could explain what she is experiencing, the scenario most closely matches connecting to a rogue access point where her login credentials were stolen. Options B and C are incorrect. Both involve malware, and the scenario states no sign of malware was found. Chapter 1 Test Complet Question And Answers 2024 Option D is incorrect. This does not match the symptoms of a buffer overflow attack. 35. You are the manager for network operations at your company. One of the accountants sees you in the hall and thanks you for your team keeping his antivirus software up to date. When you ask him what he means, he mentions that one of your staff, named Mike, called him and remotely connected to update the antivirus. You don't have an employee named Mike. What has occurred? A. IP spoofing B. MAC spoofing C. Man-in-the-middle attack D. Social engineering - correct answers✅D. 
This is a classic example of an attacker using social engineering on the accountant, in order to gain access to his system. Options A and B are incorrect. This scenario does not describe either IP or MAC spoofing. Option C is incorrect. A man-in-the-middle attack would require an attacker to get in between a source and destination for some sort of electronic communication. That is not described in this scenario. Chapter 1 Test Complet Question And Answers 2024 39. Someone has been rummaging through your company's trash bins seeking to find documents, diagrams, or other sensitive information that has been thrown out. What is this called? A. Dumpster diving B. Trash diving C. Social engineering D. Trash engineering - correct answers✅A. This is the term for rummaging through the waste/trash. Options B and D are incorrect. These terms, though grammatically correct, are simply not the terms used in the industry. Option C is incorrect. Nothing in this scenario describes social engineering. 40. You have noticed that when in a crowded area, data from your cell phone is stolen. Later investigation shows a Bluetooth connection to your phone, one that you cannot explain. What describes this attack? A. Bluejacking B. Bluesnarfing C. Evil twin Chapter 1 Test Complet Question And Answers 2024 D. RAT - correct answers✅B. Bluesnarfing involves accessing data from a Bluetooth device when it is in range. Option A is incorrect. Bluejacking involves sending unsolicited messages to Bluetooth devices when they are in range. Option C is incorrect. Evil twin uses a rogue access point whose name is similar or identical to that of a legitimate access point. Option D is incorrect. A RAT is a remote-access Trojan. Nothing in this scenario points to a RAT being the cause of the stolen data. 41. Louis is investigating a malware incident on one of the computers on his network. 
He has discovered unknown software that seems to be opening a port, allowing someone to remotely connect to the computer. This software seems to have been installed at the same time as a small shareware application. Which of the following best describes this malware? A. RAT B. Backdoor C. Logic bomb D. Rootkit - correct answers✅A. This is a remote-access Trojan (RAT), malware that opens access for someone to remotely access the system. Chapter 1 Test Complet Question And Answers 2024 Option B is incorrect. A backdoor does provide access but it is usually in the system due to programmers putting it there, not due to malware on the system. Option C is incorrect. A logic bomb executes its misdeeds when some logical condition is met. Option D is incorrect. A rootkit provides root or administrative access to the system. 42. This is a common security issue that is extremely hard to control in large environments. It occurs when a user has more computer rights, permissions, and privileges than what is required for the tasks the user needs to perform. What best describes this scenario? A. Excessive rights B. Excessive access C. Excessive permissions D. Excessive privileges - correct answers✅D. The term used in the industry is excessive privileges, and it is the opposite of good security practice, which states that each user should have least privileges (i.e., just enough privileges to do his or her job). Options A through C are incorrect. While these are grammatically correct, they are not the terms used in the industry. Chapter 1 Test Complet Question And Answers 2024 The WPS attack attempts to intercept that PIN in transmission, connect to the WAP, and then steal the WPA2 password. Options A and B are incorrect. Nothing in this scenario requires or describes a rogue access point/evil twin. Option C is incorrect. An IV attack is an obscure cryptographic attack. 46. Your wireless network has been breached. 
It appears the attacker modified a portion of data used with the stream cipher and utilized this to expose wirelessly encrypted data. What is this attack called? A. Evil twin B. Rogue WAP C. IV attack D. WPS Attack - correct answers✅C. Initialization vectors are used with stream ciphers. An IV attack attempts to exploit a flaw to use the IV to expose encrypted data. Options A and B are incorrect. Nothing in this scenario requires or describes a rogue access point/evil twin. Option D is incorrect. WiFi protected setup (WPS) uses a PIN to connect to the wireless access point (WAP). The WPS attack attempts to intercept that PIN in transmission, connect Chapter 1 Test Complet Question And Answers 2024 to the WAP, and then steal the WPA2 password. 47. John is concerned about disgruntled employees stealing company documents and exfiltrating them from the network. He is looking for a solution that will detect likely exfiltration and block it. What type of system is John looking for? A. IPS B. SIEM C. Honeypot D. Firewall - correct answers✅A. Any of these systems could help with detecting malicious activity by an insider, but the intrusion prevention system will block such activity, if detected. Option B is incorrect. SIEMs simply aggregate logs. Option C is incorrect. A honeypot can be useful in trapping a malicious actor but not in stopping data exfiltration. Option D is incorrect. Firewalls can block traffic, but normally data exfiltration looks like normal traffic and is hard for a firewall to block. 48. Some users on your network use Acme Bank for their personal banking. Those users have all recently been the victim of an attack, wherein they visited a fake Acme Bank website Chapter 1 Test Complet Question And Answers 2024 and their logins were compromised. They all visited the bank website from your network, and all of them insist they typed in the correct URL. What is the most likely explanation for this situation? A. Trojan horse B. IP spoofing C. Clickjacking D. 
DNS poisoning - correct answers✅D. This appears to be a situation where your network's DNS server is compromised and sending people to a fake site. Option A is incorrect. A Trojan horse is malware tied to a legitimate program. Option B is incorrect. IP spoofing would be using a fake IP address, but that is not described in this scenario. In fact, the users are not even typing in IP addresses—they are typing in URLs. Option C is incorrect. Clickjacking involves tricking users into clicking something other than what they intended. 49. Users are complaining that they cannot connect to the wireless network. You discover that the WAPs are being subjected to a wireless attack designed to block their WiFi signals. Which of the following is the best label for this attack? Chapter 1 Test Complet Question And Answers 2024 A. Session hijacking B. Cross-site request forgery C. Typosquatting D. Clickjacking - correct answers✅C. This is a classic example of typosquatting. The website is off by only one or two letters, hoping that when users to the real website mistype the URL they will go to the fake website. Option A is incorrect. Session hijacking is taking over an authenticated session. Option B is incorrect. Cross-site request forgery sends fake requests to a website that purport to be from a trusted, authenticated user. Option D is incorrect. Clickjacking attempts to trick users into clicking on something other than what they intended. 53. Frank has discovered that someone was able to get information from his smartphone using a Bluetooth connection. The attacker was able to get his contact list and some emails he had received. What is this type of attack called? A. Bluesnarfing B. Session hijacking C. Backdoor attack Chapter 1 Test Complet Question And Answers 2024 D. CSRF - correct answers✅A. Bluesnarfing uses Bluetooth to extract data from a Bluetooth device. Option B is incorrect. Session hijacking is taking over an authenticated session. Option C is incorrect. 
Backdoors are built-in methods to circumvent authentication. Option D is incorrect. Cross-site request forgery sends fake requests to a website that purport to be from a trusted, authenticated user. 54. Juanita is a network administrator for Acme Company. Some users complain that they keep getting dropped from the network. When Juanita checks the logs for the wireless access point (WAP), she finds that a deauthentication packet has been sent to the WAP from the users' IP addresses. What seems to be happening here? A. Problem with users' WiFi configuration B. Disassociation attack C. Session hijacking D. Backdoor attack - correct answers✅B. This is a classic example of a disassociation attack. The attacker tricks users into disassociating from the device. Option A is incorrect. Misconfiguration won't cause authenticated users to de-authenticate. Chapter 1 Test Complet Question And Answers 2024 Option C is incorrect. Session hijacking involves taking over an authenticated session. Option D is incorrect. Backdoors are built-in methods to circumvent authentication. 55. John has discovered that an attacker is trying to get network passwords by using software that attempts a number of passwords from a list of common passwords. What type of attack is this? A. Dictionary B. Rainbow table C. Brute force D. Session hijacking - correct answers✅A. This is an example of a dictionary attack. The attacker uses a list of words that are believed to be likely passwords. Option B is incorrect. A rainbow table is a precomputed table of hashes. Option C is incorrect. Brute force tries every possible random combination. If attacker has the original plaintext and ciphertext for a message, they can determine the key space used through brute force attempts targeting the keyspace. Option D is incorrect. Session hijacking is when the attacker takes over an authenticated session. Chapter 1 Test Complet Question And Answers 2024 of itself is unlikely to be an APT. Option B is incorrect. 
Brute force attempts every possible random combination to get the password or encryption key. Option D is incorrect. In a disassociation attack, the attacker attempts to force the victim into disassociating from a resource. 59. You are responsible for incident response at Acme Company. One of your jobs is to attempt to attribute attacks to a specific type of attacker. Which of the following would not be one of the attributes you consider in attributing the attack? A. Level of sophistication B. Resources/funding C. Intent/motivation D. Amount of data stolen - correct answers✅D. Whether the attacker is an organized criminal, hacktivist, nation-state attacker, or script kiddie, the amount of data stolen could be large or small. Options A, B, and C are all incorrect. These are exactly the attributes of an attack you do examine to determine the most likely attacker. 60. John is running an IDS on his network. Users sometimes report that the IDS flags legitimate Chapter 1 Test Complet Question And Answers 2024 traffic as an attack. What describes this? A. False positive B. False negative C. False trigger D. False flag - correct answers✅A. When an IDS or antivirus mistakes legitimate traffic for an attack, this is called a false positive. Option B is incorrect. A false negative is when the IDS mistakes an attack for legitimate traffic. It is the opposite of a false positive. Options C and D are both incorrect. While these may be grammatically correct, these are not the terms used in the industry. 61. You are performing a penetration test of your company's network. As part of the test, you will be given a login with minimal access and will attempt to gain administrative access with this account. What is this called? A. Privilege escalation B. Session hijacking C. Root grabbing D. Climbing - correct answers✅A. The term for attempting to gain any privileges beyond what you have is privilege escalation. Chapter 1 Test Complet Question And Answers 2024 Option B is incorrect. 
Session hijacking is taking over an authenticated session. Options C and D are incorrect. These are not terms used in the industry. 62. Mary has discovered that a web application used by her company does not always handle multithreading properly, particularly when multiple threads access the same variable. This could allow an attacker who discovered this vulnerability to exploit it and crash the server. What type of error has Mary discovered? A. Buffer overflow B. Logic bomb C. Race conditions D. Improper error handling - correct answers✅C. This is a classic definition of a race condition: when multiple threads in an application are using the same variable and the situation is not properly handled. Option A is incorrect. A buffer overflow is attempting to put more data in a buffer than it is designed to hold. Option B is incorrect. A logic bomb is malware that performs its misdeed when some logical condition is met. Chapter 1 Test Complet Question And Answers 2024 Option D is incorrect. A logic bomb is malware that performs its misdeed when some condition is met. 66. Which of the following best describes malware that will execute some malicious activity when a particular condition is met (i.e., if condition is met, then execute)? A. Boot sector virus B. Logic bomb C. Buffer overflow D. Sparse infector virus - correct answers✅B. This is the definition of a logic bomb. Option A is incorrect. A boot sector virus infects the boot sector of the hard drive. Option C is incorrect. A buffer overflow occurs when the attacker attempts to put more data in a variable than it can hold. Option D is incorrect. A sparse infector virus performs its malicious activity intermittently to make it harder to detect. 67. Gerald is a network administrator for Acme Company. Users are reporting odd behavior on their computers. He believes this may be due to malware, but the behavior is different on different computers. What might best explain this? 
A. It is not malware, but hardware failure.
B. It is a boot sector virus.
C. It is a macro virus.
D. It is a polymorphic virus.
Correct answer: D. A polymorphic virus changes from time to time, and that would explain the different behavior on different computers.
Option A is incorrect. The scenario is about malware.
Option B is incorrect. A boot sector virus infects the boot sector of the hard drive.
Option C is incorrect. A macro virus is embedded into a document as a macro.

68. Teresa is a security officer at ACME Inc. She has discovered an attack where the attacker sent multiple broadcast messages to the network routers, spoofing an IP address of one of the network servers. This caused the network to send a flood of packets to that server and it is no longer responding. What is this attack called?
A. Smurf attack
B. DDoS attack
C. TCP hijacking attack
D. TCP SYN flood attack
Correct answer: A. This is the definition of a Smurf attack.
Option B is incorrect. The scenario does not state if this attack is coming from multiple sources, thus being distributed (i.e., distributed denial of service).
Option C is incorrect. A hijacking attack attempts to take over an authenticated session.
Option D is incorrect. The signature of a SYN flood is multiple half-open connections.

69. Which type of virus is able to alter its own code to avoid being detected by antivirus software?
A. Boot sector
B. Hoax
C. Polymorphic
D. Stealth
Correct answer: C. Polymorphic viruses periodically change their signature or even their code.
Option A is incorrect. A boot sector virus infects the boot sector of the hard drive.
Option B is incorrect. This is not a hoax; it is an actual virus.
Option D is incorrect. The category of stealth virus is very broad and might include polymorphic as well as armored and sparse infectors, but the scenario is more specific, pointing to polymorphic.

70.
Gerald is a network administrator for a small financial services company. Users are reporting odd behavior that appears to be caused by a virus on their machines. After isolating

Option A is incorrect. Polymorphic viruses periodically change their signature or even their code.
Option C is incorrect. Stealth viruses use one or more techniques to make them harder to find.
Option D is incorrect. This is not an industry term for any sort of virus.

73. Your company has hired an outside security firm to perform various tests of your network. During the vulnerability scan you will provide that company with logins for various systems (i.e., database server, application server, web server, etc.) to aid in their scan. What best describes this?
A. A white-box test
B. A gray-box test
C. A privileged scan
D. An authenticated user scan
Correct answer: C. By giving the tester logins, you are allowing him to conduct a privileged scan (i.e., a scan with some privileges).
Options A and B are incorrect. These describe the level of knowledge the tester is given of the network. A privilege scan cannot be a black-box test, but it could be either white-box or gray-box.
Option D is incorrect. While this is grammatically correct, it is not the term used in the industry.

74. Which of the following is commonly used in a distributed denial of service (DDoS) attack?
A. Phishing
B. Adware
C. Botnet
D. Trojan
Correct answer: C. Botnets are often used to launch DDoS attacks, with the attack coming from all the computers in the botnet simultaneously.
Option A is incorrect. Phishing attacks attempt to get the user to give up information, click on a link, or open an attachment.
Option B is incorrect. Adware consists of unwanted pop-up ads.
Option D is incorrect. A Trojan horse attaches malware to a legitimate program.

75. You are investigating a recent breach at Acme Company.
You discover that the attacker used an old account of someone no longer at the company. The account was still active. Which of the following best describes what caused this vulnerability to exist?
A. Improperly configured accounts
B. Untrained users
C. Using default configuration
D. Failure to patch systems
Correct answer: A. Accounts should be configured to expire. If this had occurred, then the account would no longer be active.
Option B is incorrect. While properly trained users are important, that is not what caused this issue.
Options C and D are incorrect. These are unrelated to an old account still being active.

76. Juan is responsible for incident response at a large financial institution. He discovers that the company WiFi has been breached. The attacker used the same login credentials that ship with the wireless access point (WAP). The attacker was able to use those credentials to access the WAP administrative console and make changes. Which of the following best describes what caused this vulnerability to exist?
A. Improperly configured accounts
B. Untrained users
C. Using default configuration
D. Failure to patch systems
Correct answer: C. This is a classic example of the problem with default configurations.

79. Frank has just taken over as CIO of a mid-sized insurance company. One of the first things he does is order a thorough inventory of all network equipment. He discovers two routers that are not documented. He is concerned that if they are not documented, they might not be securely configured, tested, and safe. What best describes this situation?
A. Poor user training
B. System sprawl
C. Failure to patch systems
D. Default configuration
Correct answer: B. System sprawl occurs when a system grows and there are devices on the system that are not documented.
Options A, C, and D are all incorrect.
While these are all serious security issues, they are unrelated to the scenario presented.

80. What is the primary difference between an intrusive and a nonintrusive vulnerability scan?
A. An intrusive scan is a penetration test.
B. A nonintrusive scan is just a document check.
C. An intrusive scan could potentially disrupt operations.
D. A nonintrusive scan won't find most vulnerabilities.
Correct answer: C. An intrusive scan could possibly cause some disruption of operations. For this reason, it should be conducted outside normal business hours.
Option A is incorrect. A penetration test actually attempts to breach the network by exploiting vulnerabilities.
Option B is incorrect. An audit is primarily a document check.
Option D is incorrect. Both intrusive and nonintrusive vulnerability scans can be effective at finding vulnerabilities.

81. Daryl is investigating a recent breach of his company's web server. The attacker used sophisticated techniques and then defaced the website, leaving messages that were denouncing the company's public policies. He and his team are trying to determine the type of actor who most likely committed the breach. Based on the information provided, who was the most likely threat actor?
A. A script
B. A nation-state
C. Organized crime
D. Hacktivists
Correct answer: D. The fact that the website is defaced in a manner related to the company's public policies is the definition of hacktivism.
Options A, B, and C are incorrect. None of these account for the statements adverse to the company's policies, which is why hacktivism is the real cause.

82. When investigating breaches and attempting to attribute them to specific threat actors, which of the following is not one of the indicators of an APT?
A. Long-term access to the target
B. Sophisticated attacks
C. The attack comes from a foreign IP address.
D. The attack is sustained over time.
Correct answer: C. While you might suppose that a nation-state attacker (the usual attacker behind an advanced persistent threat) would attack from a foreign IP address, they often use a compromised address in the target country as a base for attacks.
Options A, B, and D are all incorrect. These are actually signs of an advanced persistent threat.

83. What type of attack uses a second wireless access point (WAP) that broadcasts the same SSID as a legitimate access point, in an attempt to get users to connect to the attacker's WAP?
A. Evil twin

A. A backdoor
B. An APT
C. DNS poisoning
D. A Trojan horse
Correct answer: C. This is the definition of DNS poisoning.
Option A is incorrect. A backdoor provides access to the system by circumventing normal authentication.
Option B is incorrect. An APT is an advanced persistent threat.
Option D is incorrect. A Trojan horse ties a malicious program to a legitimate program.

87. What best describes an attack that attaches some malware to a legitimate program so that when the user installs the legitimate program, they inadvertently install the malware?
A. Backdoor
B. Trojan horse
C. RAT
D. Polymorphic virus
Correct answer: B. This is, in fact, the definition of a Trojan horse.
Options A, C, and D are incorrect. These are all possible attacks, but do not match what is described in the question scenario.

88. Which of the following best describes software that will provide the attacker with remote access to the victim's machine, but that is wrapped with a legitimate program in an attempt to trick the victim into installing it?
A. RAT
B. Backdoor
C. Trojan horse
D. Macro virus
Correct answer: A. A remote access Trojan (RAT) is malware that gives the attacker remote access to the victim machine.
Option B is incorrect.
While a backdoor will give access, it is usually something in the system put there by programmers, not introduced by malware.
Option C is incorrect. A RAT is a type of Trojan horse, but Trojan horse is more general than what is described in the scenario.
Option D is incorrect. A macro virus is a virus embedded in a document.

89. Which of the following is an attack that seeks to attack a website, based on the website's trust of an authenticated user?
A. XSS
B. CSRF
C. Buffer overflow
D. RAT
Correct answer: B. Cross-site request forgery sends forged requests to a website, supposedly from a trusted user.
Option A is incorrect. Cross-site scripting is the injection of scripts into a website to exploit the users.
Option C is incorrect. A buffer overflow tries to put more data in a variable than the variable can hold.
Option D is incorrect. A remote-access Trojan (RAT) is malware that gives the attacker access to the system.

90. John is analyzing what he believes is a malware outbreak on his network. Many users report their machines are behaving strangely. The anomalous behavior seems to occur sporadically and John cannot find a pattern. What is the most likely cause?
A. APT
B. Boot sector virus
C. Sparse infector virus
D. Key logger
Correct answer: C. Sparse infector viruses perform their malicious activity sporadically.
Option A is incorrect. This does not describe an advanced persistent threat.

are designed to be inserted into database queries?
A. SQL injection
B. Clickjacking
C. Cross-site scripting
D. Bluejacking
Correct answer: A. SQL injection places malformed SQL into text boxes.
Option B is incorrect. Clickjacking attempts to trick the user into clicking on something other than what he or she intended.
Option C is incorrect. Cross-site scripting puts scripts into text fields that will be viewed by other users.
Option D is incorrect.
Bluejacking is a Bluetooth attack.

94. Tyrell is responsible for selecting cryptographic products for his company. The company wants to encrypt the drives of all laptops. The product they have selected uses 128-bit AES encryption for full disk encryption, and users select a password to decrypt the drive. What, if any, would be the major weakness in this system?
A. None; this is a good system.
B. The 128-bit AES key is too short.
C. The passwords users select are the weak link.
D. The AES algorithm is the problem; they should use DES.
Correct answer: C. The user-selected password is always a weak link in hard drive encryption.
Option A is incorrect. Yes, it is a good system, but there is a weakness.
Option B is incorrect. 128-bit AES is more than adequate for corporate purposes.
Option D is incorrect. DES is outdated, and AES should be used.

95. Valerie is responsible for security testing applications in her company. She has discovered that a web application, under certain conditions, can generate a memory leak. What type of attack would this leave the application vulnerable to?
A. DoS
B. Backdoor
C. SQL injection
D. Buffer overflow
Correct answer: A. If an attacker can induce the web application to generate the memory leak, then eventually the web application will consume all memory on the web server and the web server will freeze up.
Option B is incorrect. Backdoors are not caused by memory leaks.
Option C is incorrect. SQL injection places malformed SQL into text boxes.
Option D is incorrect. A buffer overflow attempts to put more data in a variable than it can hold.

96. When a multithreaded application does not properly handle various threads accessing a common value, what flaw is this?
A. Memory leak
B. Buffer overflow
C. Integer overflow
D. Race condition
Correct answer: D. This is the definition of a race condition.
Option A is incorrect.
Memory leaks occur when memory is allocated, but not deallocated.
Option B is incorrect. A buffer overflow is when more data is put into a variable than it can hold.
Option C is incorrect. An integer overflow occurs when an attempt is made to put an integer that is too large into a variable, such as trying to put a 64-bit integer into a 32-bit variable.

97. Acme Company is using smart cards that use near-field communication (NFC) rather than needing to be swiped. This is meant to make physical access to secure areas more secure.

sent it directly to the backend authentication service, bypassing the application. What type of attack is this?
A. Hash spoofing
B. Evil twin
C. Shimming
D. Pass the hash
Correct answer: D. This scenario is the definition of passing the hash.
Option A is incorrect. A real hash was provided; it was not spoofed.
Option B is incorrect. Evil twin is a wireless attack.
Option C is incorrect. Shimming is inserting malicious code between an application and a library.

101. A user in your company reports that she received a call from someone claiming to be from the company technical support team. The caller stated that there was a virus spreading through the company and he needed immediate access to the employee's computer to stop it from being infected. What social-engineering principles did the caller use to try to trick the employee?
A. Urgency and intimidation
B. Urgency and authority
C. Authority and trust
D. Intimidation and authority
Correct answer: B. Claiming to be from tech support is claiming authority, and the story the caller gave indicates urgency.
Option A is incorrect. Yes, this caller used urgency (the virus spread) but did not attempt intimidation.
Option C is incorrect. Authority and trust are closely related, and in this case urgency was the second major factor.
Option D is incorrect.
This caller used urgency but not intimidation.

102. Ahmed has discovered that someone has manipulated tables in one of the company's switches. The manipulation has changed the tables so that data destined for one specific MAC address will now be routed elsewhere. What type of attack is this?
A. ARP poisoning
B. DNS poisoning
C. Man-in-the-middle
D. Backdoor
Correct answer: A. This is the definition of ARP poisoning.
Option B is incorrect. In DNS poisoning, domain name to IP address entries in a DNS server are altered.
Option C is incorrect. This attack did not involve a man-in-the-middle.
Option D is incorrect. A backdoor provides access to the attacker, which circumvents normal authentication.

103. You are investigating incidents at Acme Corporation and have discovered malware on several machines. It appears that this malware infects system files in the Windows/System32/ directory and also affects the boot sector. What type of malware is this?
A. Multipartite
B. Boot sector
C. Macro virus
D. Polymorphic virus
Correct answer: A. This is a classic multipartite virus. It infects the boot sector, as well as an operating system file.
Option B is incorrect. This infects the boot sector, but also infects an operating system file as well.
Option C is incorrect. A macro virus is embedded, as a macro, into a document.
Option D is incorrect. A polymorphic virus changes periodically.

107. What type of attack is it when the attacker attempts to get the victim's communication to abandon a high-quality/secure mode in favor of a lower-quality/less secure mode?
A. Downgrade
B. Brute force
C. Rainbow table
D. Bluesnarfing
Correct answer: A. A downgrade attack is often used against secure communications such as TLS in an attempt to get the user to shift to less secure modes.
Option B is incorrect.
A brute-force attack tries either all possible passwords or all possible cryptography keys to gain access.
Option C is incorrect. A rainbow table is a table of precomputed hashes used to retrieve passwords.
Option D is incorrect. Bluesnarfing is a Bluetooth attack on cell phones.

108. What type of penetration test is being done when the tester is given extensive knowledge of the target network?
A. White-box
B. Full disclosure
C. Black-box
D. Red team
Correct answer: A. In a white-box test, the tester is given extensive knowledge of the target network.
Option B is incorrect. This is not a term used to describe testing.
Option C is incorrect. Black-box testing involves only very minimal information being given to the tester.
Option D is incorrect. A red team test simulates a particular type of attacker, such as a nation-state attacker, an insider, or other type of attacker.

109. Your company is instituting a new security awareness program. You are responsible for educating end users on a variety of threats, including social engineering. Which of the following best defines social engineering?
A. Illegal copying of software
B. Gathering information from discarded manuals and printouts
C. Using people skills to obtain proprietary information
D. Phishing emails
Correct answer: C. Social engineering is about using people skills to get information you would not otherwise have access to.
Option A is incorrect. Despite the word engineering, this has nothing to do with technical means.
Option B is incorrect. This would be dumpster diving.
Option D is incorrect. Yes, phishing emails use some social engineering, but that is one example of social engineering, not a definition.

110. Which of the following attacks can be caused by a user being unaware of their physical surroundings?
A. ARP poisoning
B. Phishing
C. Shoulder surfing
D. Smurf attack
Correct answer: C.
Shoulder surfing involves literally looking over someone's shoulder in a public place and gathering information, perhaps login passwords.
Option A is incorrect. ARP poisoning alters the address resolution protocol tables in the switch.
Option B is incorrect. Phishing is an attempt to gather information, often via email, or to convince a user to click a link to, and/or download, an attachment.
Option D is incorrect. Smurf is a type of denial-of-service attack.

111. Francine is a network administrator for Acme Corporation. She has noticed that one of the servers is now unreachable. After carefully reviewing various logs, she discovers that a

Option C is incorrect. DNS caching is a method of normal DNS operations.
Option D is incorrect. A Smurf attack is a type of denial of service.

114. Tom is the network administrator for a small accounting firm. As soon as he comes in to work, users report to him that they cannot connect to the network. After investigating, Tom discovers that none of the workstations can connect to the network and all have an IP address in the form of 169.254.x.x. What has occurred?
A. Smurf attack
B. Man-in-the-middle attack
C. DDoS
D. DHCP starvation
Correct answer: D. IP addresses in the range of 169.254 are automatic private IP addresses (APIPA) and indicate the system could not get a dynamic IP address from the DHCP server. This is a typical symptom of DHCP starvation.
Option A is incorrect. Smurf attacks involve sending spoofed broadcast messages to the target network's router.
Option B is incorrect. Nothing in this scenario describes a man-in-the-middle attack.
Option C is incorrect. Nothing in this scenario indicates a distributed denial-of-service attack.

115. Which of the following would most likely use a group of bots to stop a web server from accepting new requests?
A. DoS
B. DDoS
C. Buffer overflow
D. Trojan horse
Correct answer: B.
Distributed denial-of-service (DDoS) attacks often use bots in a botnet to perform the attack.
Option A is incorrect. Denial of service (DoS) is too broad a category and does not adequately match the scenario description.
Option C is incorrect. A buffer overflow attempts to put more data into a variable than it is designed to accept.
Option D is incorrect. A Trojan horse links a malware program to a legitimate program.

116. Which of the following would a former employee most likely plant on a server before leaving to cause disruption to the network?
A. Worm
B. Logic bomb
C. Trojan
D. Virus
Correct answer: B. A logic bomb will perform its malicious activity when some condition is met, often a date or time. This is commonly done by disgruntled exiting employees.
Options A, C, and D are all incorrect. It is certainly possible that any of these could be left by an exiting employee, but logic bombs are far more common. The reason is that the other three would execute their malicious activity immediately, making an obvious connection to the exiting employee.

117. A SYN flood is a DoS attack in which an attacker deliberately violates the three-way handshake and opens a large number of half-open TCP connections. The signature of a SYN flood attack is:
A. The source and destination address having the same value
B. The source and destination port numbers having the same value
C. A large number of SYN packets appearing on a network without the corresponding ACK packets
D. A large number of SYN packets appearing on a network with the corresponding reply RST
Correct answer: C. A correct three-way handshake involves the client sending a SYN packet, the server

a recent incident and discovers that a server was breached using an authorized user's account.
After investigating the incident further, Mary believes that the authorized user logged on, and then someone else took over their session. What best describes this attack?
A. Man-in-the-middle
B. Session hijacking
C. Backdoor
D. Smurf attack
Correct answer: B. This is the definition of session hijacking.
Option A is incorrect. Man-in-the-middle involves having some process between the two ends of communication in order to compromise passwords or cryptography keys.
Option C is incorrect. A backdoor is some means for accessing a system that circumvents normal authentication.
Option D is incorrect. A Smurf attack is a specific type of denial-of-service attack.

121. Which of the following types of testing utilizes an automated process of proactively identifying vulnerabilities of the computing systems present on a network?
A. Security audit
B. Vulnerability scanning
C. White-box test
D. Black-box test
Correct answer: B. Vulnerability scans use automated and semiautomated processes to identify known vulnerabilities.
Option A is incorrect. Audits usually involve document checks.
Options C and D are incorrect. These are both types of penetration tests.

122. What type of attack is an NFC most susceptible to?
A. Eavesdropping
B. Man-in-the-middle
C. Buffer overflow
D. Smurf attack
Correct answer: A. Near-field communication (NFC) can be susceptible to eavesdropping. Smartphones with NFC can be used as payment methods and should utilize biometric/pin to avoid information being stolen.
Option B is incorrect. Man-in-the-middle involves having some process between the two ends of communication in order to compromise passwords or cryptography keys.
Option C is incorrect. A buffer overflow attack attempts to put more data in a variable than the variable is designed to hold. Improper input handling is the root cause of many buffer overflows.
Option D is incorrect. A Smurf attack is a type of denial of service.
123. John has been asked to do a penetration test of a company. He has been given general information but no details about the network. What kind of test is this?
A. Gray-box
B. White-box
C. Partial
D. Masked
Correct answer: A. A gray-box test involves the tester being given partial information about the network.
Option B is incorrect. A white-box test involves the tester being given full or nearly full information about the target network.
Options C and D are incorrect. Neither of these is a testing term.

124. Under which type of attack does an attacker's system appear to be the server to the real client and appear to be the client to the real server?
A. Denial of service
B. Replay
C. Eavesdropping
D. Man-in-the-middle
Correct answer: D. In the man-in-the-middle attack, the attacker is between the client and the server, and to either end, the attacker appears like the legitimate other end.

C. It may no longer be supported by the vendor.
D. It may be easier to break into than newer software.
Correct answer: C. When a vendor no longer supports software, there won't be patches for vulnerabilities or other issues.
Option A is incorrect. Although this may be true, it is not a security issue.
Option B is incorrect. Again, this may be true, but this is not the primary risk.
Option D is incorrect. This may or may not be true.

128. You are responsible for software testing at Acme Corporation. You want to check all software for bugs that might be used by an attacker to gain entrance into the software or your network. You have discovered a web application that would allow a user to attempt to put a 64-bit value into a 4-byte integer variable. What is this type of flaw?
A. Memory overflow
B. Buffer overflow
C. Variable overflow
D. Integer overflow
Correct answer: D. Placing a larger integer value into a smaller integer variable is an integer overflow.
Option A is incorrect. Memory overflow is not a term used, and memory leak is about allocating memory and not deallocating it.
Option B is incorrect. Buffer overflows usually involve arrays.
Option C is incorrect. Variable overflow is not a term used in the industry.

129. Which type of virus is most difficult to analyze by reverse engineering?
A. Polymorphic
B. Macro
C. Armored
D. Boot sector
Correct answer: C. Armoring can be as simple as very trivial encryption, but any process that makes it difficult to reverse-engineer a virus is armoring.
Option A is incorrect. A polymorphic virus periodically changes itself.
Option B is incorrect. A macro virus is embedded, as a macro, into a document.
Option D is incorrect. A boot sector virus infects the boot sector of a hard drive.

130. What type of attack attempts to deauthorize users from a resource, such as a wireless access point (WAP)?
A. Disassociation
B. Session hijacking
C. Man-in-the-middle
D. Smurf attack
Correct answer: A. Deauthorizing users from a resource is called disassociation.
Option B is incorrect. Session hijacking involves taking over an authenticated session.
Option C is incorrect. In the man-in-the-middle attack, the attacker is between the client and the server, and to either end, the attacker appears like the legitimate other end.
Option D is incorrect. Smurf is a type of denial-of-service attack where the attacker attempts to exhaust the resources and prevent users from accessing necessary systems.

131. John is a network administrator for a large retail chain. He has discovered that his DNS server is being attacked. The attack involves false DNS requests from spoofed IP addresses. The requests are far larger than normal. What type of attack is this?
A. Amplification
B. DNS poisoning
C. DNS spoofing
D. Smurf attack
Correct answer: A.
Sending fake DNS requests that are overly large is called an amplification attack. It is a highly specialized type of denial of service.
Option B is incorrect. DNS poisoning seeks to put fake DNS records in a DNS server.