Domain 1 Answers and Explanations

1. D. Most automated attacks assume that a Windows system still contains a default account named Administrator and try to exploit that account. Changing the name makes it less likely that these attacks will stumble upon the account.
2. D. In a domain hijacking attack, the attacker changes the registration of a domain with the registrar. DNS and ARP poisoning attacks may redirect web traffic, but they would do so by providing bogus address information, not by hijacking the domain. Network eavesdropping could theoretically be used to steal credentials that are used to alter information with a registrar, but this is unlikely. The most likely source of a domain hijacking attack is using social engineering with the registrar to gain access to the account being used to manage registration information.
3. A. Cross-site scripting relies upon embedding HTML tags in stored or reflected input. The < and > characters are used to denote HTML tags and should be carefully managed when seen in user input.
4. B. The fact that the legitimate server responds to requests made by an IP address indicates that the attacker is not performing IP spoofing or ARP spoofing. There is no indication that the URL is incorrect, so Darren can rule out typosquatting. The most likely attack in this scenario is DNS poisoning. Darren can verify this by manually changing the system to a different DNS server, clearing the system's DNS cache, and attempting to resolve the name again.
5. B. Pixie Dust attacks are a specialized attack that's used to retrieve the Wi-Fi Protected Setup (WPS) PIN code for a network. Pixie Dust attacks will not work if WPS is not enabled on the network.
6. A. The two major categories of attack against device drivers are shimming and refactoring. In a shimming attack, the attacker wraps his or her own malicious code around the legitimate driver. Shimming attacks do not require access to the driver's source code. In a refactoring attack, such as this one, the attacker actually modifies the original driver's source code.
7. D. Discovery scans are designed to identify systems on the network and can be used to detect undocumented assets that are the result of system sprawl.
8. D. The Data Encryption Standard (DES) is an outdated, insecure algorithm that should not be used in modern applications. Triple DES (3DES) is a secure alternative that uses three rounds of DES encryption. The Advanced Encryption Standard (AES) and Elliptic Curve Cryptosystem (ECC) are also modern, secure cipher suites.
9. A. Social engineering is an active technique because it involves interaction with the target organization. Attackers may conduct open source intelligence gathering, including domain name searches, using only external resources that will not alert the target organization. Wireless network eavesdropping may also be conducted from a location outside of the organization's facilities without alerting the organization to their presence or interacting with target systems.
10. B. This is an example of a watering hole attack. These attacks place malicious code on a website frequented by members of the target audience. There is not sufficient information to determine whether the malicious code was spyware or a Trojan horse, or whether it delivered a denial of service payload.
11. C. The social engineer is using the Microsoft header in an attempt to exploit the trust that the recipient has for Microsoft. This attack also exploits the principles of authority, familiarity, and urgency. There is no note of scarcity or consensus in the message. The attacker is indeed trying to intimidate the recipient, but the intimidation is contained within the virus hoax message, not the Microsoft header.
12. C. The root cause of this issue is that FTP is an insecure protocol and Kristen can resolve this problem by replacing it with a secure alternative, such as SFTP. Requiring strong passwords or multifactor authentication would not resolve this problem as an attacker could still eavesdrop on those connections and obtain user passwords. Discontinuing the file transfer service would resolve the vulnerability, but it is not a good solution because it would unnecessarily disrupt whatever business processes take place on this server.
13. B. Social engineering attacks depend on user error, and training can dramatically reduce the success rate of these attacks. Buffer overflow attacks, denial of service attacks, and ARP poisoning attacks are not generally preventable by end users and, therefore, training the sales team would not be an effective defense against them.
14. A. A memory leak is a software flaw and, since this is an internally developed application, the developer is the person who's the most likely to be able to correct it. If the issue were in a commercially purchased application, a system administrator may be able to correct the issue by applying a patch, but that is not the case in this scenario.
15. B. This is a clear example of a distributed denial of service (DDoS) attack. The system is flooding the target with connection requests, hoping to overwhelm it. The port and IP address are not changing, so this is not indicative of a scanning attack. There is no indication that the connection is completed, so it cannot be a SQL injection attack.
16. C. All of the controls mentioned in this question would improve the security of this scenario. However, the best way to handle sensitive information is to not retain it in the first place. It is unlikely that there is a valid business reason for storing copies of records containing customer credit card information. Therefore, the most appropriate solution would be to modify the business process to avoid this inappropriate data retention.
17. A. DNS poisoning works by injecting false information into a user's local DNS servers. Adding redundant or off-site DNS servers would not reduce the likelihood of a successful attack. Blocking DNS traffic with firewall rules would disrupt the service for legitimate users. The DNSSEC protocol adds a verification layer to ensure that DNS updates come from trusted sources, reducing the likelihood of a successful DNS poisoning attack.
18. B. This is an example of a SQL injection attack because the attacker is inserting his or her own commands into a SQL database query. This particular example is slowing down responses when the answer is correct to ferret out the characters of a password, one by one. That is an example of a timing-based SQL injection attack.
19. A. All of the possible answers have the effect of blocking some DNS requests. The most effective technique to prevent DNS amplification is to disable open resolution so that external users may not make arbitrary recursive requests against the server. Blocking internal requests would have no effect on the attack. Blocking all external requests or blocking port 53 at the firewall would prevent all external requests, preventing the server from fulfilling its purpose as a public DNS server.
20. A. DNS amplification is a denial of service technique that sends small queries with spoofed source addresses to DNS servers, generating much larger, amplified responses back to the spoofed address. The purpose is to consume all of the bandwidth available to the target system, resulting in a resource exhaustion denial of service attack.
21. A. This attack is a DLL injection attack. In a DLL injection, the attacker forces an existing process to load a dynamically linked library that contains unauthorized code.
22. C. Advanced persistent threats (APTs) are characterized by a high level of sophistication and significant financial and technical resources. Other attackers, including script kiddies, criminals, and hacktivists, are not likely to have anywhere near the same sophistication as an APT attacker (such as a national government).
23. D. In a black box attack, the attacker does not have access to any information about the target environment before beginning the attack. In a grey box attack, the attacker has limited information. In a white box attack, the attacker has full knowledge of the target environment before beginning the attack.
24. A. In a man-in-the-browser attack, the attacker manages to gain a foothold inside the user's browser, normally by exploiting a browser extension. This gives him or her access to all of the information that's accessed with the browser, regardless of whether the site uses strong authentication or transport encryption (such as TLS). Certificate pinning is a technique that's used to protect against inauthentic digital certificates and would not protect against a man-in-the-browser attack.
25. D. A web application firewall (WAF), if present, would likely block SQL injection attack attempts, making SQL injection vulnerabilities invisible to a vulnerability scanner. A data loss prevention system (DLP) does not protect against web application vulnerabilities such as SQL injection. An intrusion detection system (IDS) might identify a SQL injection exploit attempt, but it is not able to block the attack. Transport layer security (TLS) encrypts web content but encryption would not prevent an attacker from engaging in SQL injection attacks.
26. B. The key to this question is focusing on the encryption algorithms used by each option. Three of the four options use AES 256-bit encryption, which provides strong cryptography. One uses RC4 encryption, which is a weak implementation of cryptography and should be avoided.
27. B. The use of self-signed certificates is not, by itself, cause for alarm. It is acceptable to use self-signed certificates for internal use. Val should conduct a risk assessment to identify whether this use is appropriate and replace any certificates used by external users.
28. A. The MX record identifies the mail server for a domain. A records are used to identify domain names associated with IP addresses, while CNAMES are used to create aliases. Start of Authority (SOA) records contain information about the authoritative servers for a DNS zone.
29. A. These vulnerabilities both relate to the encryption of the service running on port 3389, which is used by the Remote Desktop Protocol (RDP). Upgrading this encryption should resolve these vulnerabilities. There is no indication that an HTTPS service is running on this device. Disabling the network port would disrupt the service. Gina should take action because this is an easily corrected vulnerability.
30. D. This is most likely a straightforward phishing attack. The message is generic and not targeted at a specific user, as you would find in a spear phishing attack. Although the user is an executive, there is no indication that the message was specifically sent to this user because of his status as an executive, so it is not likely to be a whaling attack. The attack was sent over email, not the telephone, so it is not an example of vishing.
31. C. If Dan's organization used a security information and event management (SIEM) solution, Dan would not need to gather information from this wide variety of sources. Instead, the SIEM would collect and correlate this information, providing Dan with a single place to review correlated data.
32. D. Address space layout randomization (ASLR) is a security technique that randomizes the location of objects in memory, making a buffer overflow attack less likely to succeed. Virtual private networks (VPN) provide transport encryption and data loss prevention (DLP) systems provide protection against data exfiltration. Neither would be effective against buffer overflow attacks. Intrusion detection systems (IDS) may identify a buffer overflow attack but would not prevent it from succeeding.
33. A. The message shown in the capture is a deauthentication message. These messages are often used in disassociation attacks, where the attacker attempts to force the disconnection of a client from a legitimate access point. IV attacks use cryptanalysis on the initialization vectors (IVs) that are used in establishing a Wi-Fi session. Replay attacks attempt to reuse credentials captured during a legitimate session to establish unauthorized wireless connections. Bluesnarfing attacks leverage Bluetooth technology, which is not in use in this scenario.
34. B. Phishing is a form of social engineering, and its effectiveness depends upon the susceptibility of users to this type of attack. While some technical controls, such as email content filtering, may be useful against phishing attacks, the most effective defense is user awareness training.
35. B. In a MAC spoofing attack, the local switch is normally fooled into believing the spoofed address and will route reply traffic back to the device spoofing an address. IP spoofing and email spoofing work at the application layer and, in most cases, the attacker will not receive any responses to spoofed messages. RFID spoofing is not a common type of attack.
36. D. Disassociation attacks intentionally disconnect a wireless user from their access point to force a reauthentication that the attacker may collect with a wireless eavesdropping tool. Brute force attacks, rainbow table attacks, and replay attacks do not gather network traffic and, therefore, would not be useful in this scenario.
37. C. Joe is a script kiddie because he does not leverage his own knowledge but merely applies tools written by others. Advanced persistent threats or elite hackers (31337 h4x0r) use sophisticated, customized tools. Joe is not a penetration tester because he does not have authorization to perform the scans.
38. D. Nmap, Nessus, and Metasploit are all active reconnaissance tools that interact with their target environments. Aircrack-ng may be used to passively gather information about a wireless network and crack a pre-shared key.
39. B. Jake may safely share the CRT file, which contains a copy of the organization's public X.509 certificate. The KEY and PEM files contain copies of the organization's private keys, which must be kept secret and secure. The CSR file is a certificate signing request, which is sent to the CA when requesting a signed digital certificate. There is no need to share this file publicly.
40. B. Rootkits are specialized attack tools that allow an attacker to escalate privileges. They exploit system vulnerabilities to leverage a normal user account to gain administrative privileges on the system.
41. B. This is a very low priority vulnerability. The report shows that it has a severity of one on a five-point scale, placing it into the category of informational messages. There are likely hundreds or thousands of similar issues elsewhere on the network. Therefore, there is no need for Paul to take any action.
42. A. In this case, Gary should use an offline bruteforce attack against the password file. An online attack would not leverage the password file that he obtained and would likely be slower and attract attention. A dictionary attack is not effective against a site with a strong password complexity policy. A rainbow table attack suffers the same deficiency as a dictionary attack with the added problem that the site uses salted hashes, rendering the rainbow table ineffective.
43. B. This is a clear example of a distributed denial of service (DDoS) attack. The half-open connections indicate the use of a denial of service attack. The fact that the requests came from all over the world makes it clear that it is more than a standard denial of service attack. There is no indication that there was a web application flaw, such as cross-site request forgery or cross-site scripting.
44. C. In a bluesnarfing attack, the attacker establishes a Bluetooth connection to a target device and then retrieves information from that device. Bluejacking attacks only allow the attacker to display a message on the device. Blueballing attacks allow an attacker to break an existing Bluetooth connection between two devices. Bluefeeding attacks do not exist.
45. D. While any of these actions may result from a buffer overflow attack, they are all the result of the more general arbitrary command's execution capability. After a successful buffer overflow, the attacker can typically execute any commands they would like on the system. This effectively gives the attacker full control of the device.
46. D. Open source intelligence (OSINT) includes the use of any publicly available information. This includes domain registration records found in WHOIS entries, the contents of public websites, and the use of Google searches. Vulnerability scans are an active reconnaissance technique and are not considered OSINT.
47. A. System sprawl may lead to undocumented systems that are running without the knowledge of the IT organization. These systems may serve no useful purpose, contributing to excess costs. They may also have no assigned IT support personnel, leading to unpatched systems and security vulnerabilities. Input validation is an application security technique and system sprawl would not necessarily lead to increased failures to perform proper input validation.
48. B. Session tokens, or session IDs, are used to prevent an eavesdropper from stealing authentication credentials and reusing them in a different session in what is known as a replay attack. The use of session IDs would not prevent an attacker from carrying out an application layer attack, such as a buffer overflow or injection. It also would not be effective against a man-in-the-middle attack, as the attacker could simply establish a secure session with the server and would, therefore, have access to the session ID.
49. A. This website defacement attack has a clear political message, making the attacker a hacktivist. It is unlikely that an advanced persistent threat or organized crime ring conducted this attack because there is no obvious non-activist motive. There is not enough information to conclude that the attack was waged by a script kiddie because we do not know how the site was compromised.
50. C. Insider attacks are particularly dangerous because they involve internal employees, contractors, or other individuals with access to systems and knowledge of business processes. Other attackers are less likely to have access to this information.
51. A. Enabling safe checks tells the scanner to only use scan plugins that are non-intrusive. The other settings would not change the plugins that are used by the scanner. Configuring the scanner to stop scanning hosts that become unresponsive implies that the scan has already disrupted the host. Changing the order or speed of the scan would not change the tests that are performed.
52. C. This is not likely to be a spoofing attack because there is no evidence that an attacker is falsifying address information in network traffic. However, it is quite possible that an attacker is attempting to steal a domain registration using a domain hijacking attack. Frank should contact the registrar and cancel the request. He should also consider locking the domain to prevent any future unauthorized transfer.
53. C. In a rainbow table attack, the attacker computes the hash values of common passwords and then searches the password file for those values. Adding a random salt to the password eliminates the performance benefit of this attack. Brute force attacks (online or offline) would not be more or less effective either way. The use of salting does not decrease the likelihood of a collision.
54. C. In this attack, the perpetrator created a false wireless network, otherwise known as an evil twin. Although the attacker boosted the power of the signal to make the evil twin signal stronger than other signals, there is no indication of attempts to jam signals from legitimate access points. There is no indication in the scenario that Bluetooth or WPS technology was involved.
55. D. Advanced persistent threat (APT) attackers are sophisticated attackers who generally have the support of a nation-state or other large organization that provides them with significant financial resources and sophisticated tools. They often pursue their targets very patiently until they are able to exploit a vulnerability. APT attackers operate stealthily and would avoid using brute force techniques.
56. C. Zero-day attacks are attacks that are not previously known to the security community. Therefore, signature-based controls, such as vulnerability scans, antivirus software, and intrusion prevention systems, are not effective against these attacks. Application control software may use whitelisting to limit software running on a system to a list of known good applications. This technique may prevent zero-day malware from running on the protected system.
57. A. The attacker entered the building wearing a uniform, which is a sign of authority. He threatened the receptionist (intimidation) with an impending network outage (urgency). There is no indication that he tried to build consensus.
58. C. While all of these concerns are legitimate, the lack of access to vendor patches should be Ann's primary security concern. Most vendors require a valid support agreement to obtain firmware updates and devices without those updates may have serious security vulnerabilities. Ann should consider pursuing a less costly support agreement that does not include the expensive hardware replacement feature but does provide access to security updates.
59. D. Patching operating systems will address security vulnerabilities that may allow privilege escalation attacks. Host intrusion prevention systems (HIPS) may detect and block privilege escalation attempts. Data Execution Prevention (DEP) prevents the system from executing unauthorized code that could result in privilege escalation. Firewalls do not offer an effective defense because an attacker attempting privilege escalation already has a foothold on the system.
60. C. Warren is using a rootkit to attempt to gain administrative privileges on the server. This is an example of an escalation of privilege attack.
61. A. SQL injection, cross-site scripting, and buffer overflow attacks all occur when applications do not properly screen user-provided input for potentially malicious content. DDoS attacks use botnets of compromised systems to conduct a brute force resource exhaustion attack against a common target.
62. A. ARP poisoning attacks work by broadcasting false MAC address information on the local area network (LAN). ARP traffic does not travel over the internet or across broadcast domains, so the attacker must have access to the local network segment to carry out an ARP poisoning attack. The attacker does not need access to the target system or any network devices, including firewalls.
63. A. A birthday attack is used to find collisions in a hash function. If successful, a birthday attack may be used to find substitute content that matches a digital signature. It takes its name from the mathematical birthday problem, which states that it only takes 70 people in a room to have a 99.9% probability that two will share the same birthday.
64. A. The image shows an example of a replay attack, where Mal obtains a copy of Alice's hashed password by sniffing a network connection and then reuses that hash to log in to the server. Changing Alice's password or the hash algorithm would prevent Mal from using the hash he already captured, but he could just repeat the attack to obtain the new hash. Using a shadow password file is good practice but it would not be effective against this attack because Mal is not accessing a password store on the server. Using TLS encryption to protect the session would prevent Mal from sniffing the hashed password.
65. A. While any of these issues may exist, the pressing issue that Charlie must resolve is the fact that the computers are running Windows XP, an end-of-life operating system. Microsoft no longer releases security patches for the OS, and this may cause a critical security issue. If Charlie cannot upgrade the operating system, he should implement other compensating controls, such as placing these systems on an isolated network.
66. C. This is a serious error, indicating that the name on the certificate does not match the name on the server and that the certificate was not issued by a trusted CA. It is very possible that a man-in-the-middle attack is taking place and that the certificate is being presented by an attacker. Patty should warn the user not to visit the site and investigate further.
67. C. The RC4 cipher has inherent security vulnerabilities and is not considered secure, regardless of the key length. Therefore, Terry should include a recommendation in his report that the cipher is replaced with a secure alternative.
68. B. This is a tricky question because any of the answers other than chosen ciphertext could be correct. We can rule out that answer because Joan cannot choose her own ciphertext. She can, however, choose the plaintext that's used to create the ciphertext. When she does choose her own plaintext, she must, therefore, have knowledge of the plaintext. Once she encrypts the message, she also has access to the ciphertext. However, the best term to describe this attack is a chosen plaintext attack because it is the most specific of the three names. Every chosen plaintext attack is also a known plaintext and a known ciphertext attack.
69. B. While all of these are reliable troubleshooting tools, changing the Wi-Fi channel is the best way to detect intentional interference. If Kristen changes the channel and the interference initially goes away but later reappears, it is possible that an attacker is intentionally jamming her network.
70. A. The code shown here is a clear example of an LDAP injection attack. The attacker is attempting to bypass the password security controls of the application by modifying the LDAP query to accept any password provided by the attacker as authentic.
71. D. The Secure attribute instructs the browser to only transmit the cookie via an encrypted HTTPS connection. The HttpOnly attribute does not affect encryption but rather restricts scripts from accessing the cookie via DOM objects. The SameSite attribute prevents the cookie from being shared with other domains, while the Expire attribute sets an expiration date for the cookie.
72. B. Ken is at the pivot stage of the attack. He has gained a foothold in one system and is now attempting to use that access to pivot, or gain access to, other systems.
73. D. The symptoms described here are the classic symptoms of a memory leak. The system is slowly depleting memory as it runs until it finally runs out of available memory, resulting in errors. When Rob reboots the system, it clears out available memory and begins the cycle anew.
74. C. Files 1 and 3 have identical hash values but different content. This is a security issue known as a collision and indicates that the hash function is not secure. There is no syntax error as the hashes were computed properly. Hash functions produce message digests. They do not perform encryption or decryption.
75. D. Port 23 is used by telnet, an insecure protocol for administrative connections to a server. This service should be disabled and replaced with SSH, which uses port 22. Ports 80 and 443 are commonly open on a web server.
76. B. POODLE is a downgrading attack that forces sites using SSL to revert to insecure cipher suites, rendering their communications susceptible to eavesdropping attacks.
77. C. While any type of malware could be responsible for the symptoms described by the user, the compelling piece of evidence in this scenario is that Vince discovered an unusual hardware device attached to the keyboard. This is most likely a keylogger.
78. B. This is a common and reasonable architecture for a dynamic web application where the web server initiates a connection to the database server. However, the connection should not take place with an administrative account. Instead, the database administrator should create a limited privilege service account that restricts the activity performed by the web application. This limits the impact of an attack that compromises the web server and takes over the database connection.
79. C. Bluesnarfing attacks use Bluetooth connections to steal information stored on the target device. Bluejacking attacks also exploit Bluetooth connections but they only allow people to send messages to the device and do not allow the theft of information. Evil twin attacks set up false SSIDs but do not necessarily directly connect the attacker to the target device. Session hijacking attacks do not necessarily take place over a wireless connection and involve a third-party website rather than a direct connection.
80. D. This is a clear example of familiarity and liking. The attacker built up a relationship over time with the employee until they had a strong bond. He then leveraged that relationship to slowly extract information from the target.
81. A. This is an example of a spear phishing attack that was designed specifically for someone in the Accounts Payable department of this firm. It is not a whaling attack because it is targeting a clerk, not a senior executive. It was not conducted by telephone or SMS, so it is not a vishing or smishing attack.
82. C. Pass-the-hash attacks exploit a vulnerability in the NTLM authentication protocol that's used by Windows systems. The attack is not possible against non-Windows systems.
83. C. Web application firewalls are capable of detecting and filtering SQL injection attack attempts and would be an effective control. Stored procedures and parameterized queries both limit the information sent from the web application to the database and also serve as an effective control against SQL injection attacks. Indexes are used to enhance database performance and would not prevent an injection attack.
84. B. Data loss prevention (DLP) systems are designed to detect and block the exfiltration of sensitive information. While an intrusion prevention system (IPS) or firewall may be able to reduce the likelihood of a successful attack, they are not designed for this purpose. The use of TLS encryption would not prevent an attack as it protects data while in transit but not at rest.
85. A. Implementing credentialed scanning would improve the quality of the information provided to the scanner and, therefore, would lower the false positive rate. Decreasing the scan's sensitivity would lower the threshold for an alert and increase the false positive rate. Disabling safe checks and increasing the size of the target network would both increase the number of scan tests performed and, absent of any other change, would have the effect of increasing the number of false positive reports.
86. D. This is an example of a radio frequency identification (RFID) transmitter. RFID is a form of near-field communication (NFC) that is used to communicate over short distances. This device could be used to track the physical presence of the executive when within range of a receiver.
87. D. These tweets are an example of botnet command and control traffic. The Twitter account is directing the infected system to engage in distributed denial of service attacks.
88. B. During a black box test, the attacker should not have access to any non-public information. It is reasonable to assume that any member of the public could conduct an external vulnerability scan, and so there is no harm in expediting the penetration test by providing Rick with the results of an external scan. However, he should not have access to scans that would require additional access. These include credentialed scans, agent-based scans, and internal scans.
89. C. A false positive error occurs when a security system reports a condition that does not actually exist. In this case, the vulnerability scanner reported a missing patch, but that report was in error and, therefore, a false positive report.
90. B. This issue means that the web server will provide detailed error messages when an error condition occurs. These error messages may disclose information about the structure of the web application and supporting databases to an attacker that the attacker could then use to wage an attack.
91. B. The fact that the traffic is exceeding normal baselines and that the responses are much larger than the queries indicates that a DNS amplification attack may be underway. In this type of attack, the attacker sends spoofed DNS queries, asking for large amounts of information. The source address on those queries is the IP address of the target system, which then becomes overwhelmed by the response packets.
92. A. This is an example of a logic bomb, that is, code that remains dormant until certain logical conditions are met and then releases its payload. In this case, the logic bomb was configured to release if the developer was no longer employed by the organization.
93. A. Whois queries provide information about the registered owners of domain names and are a useful open source intelligence tool. The nslookup and dig commands perform standard DNS queries and can determine the IP addresses associated with domain names but do not normally reveal registration information. The ping command is used to test network connectivity.
94. D. Including security team members in the project management process allows them to review and comment on proposed system designs and architectures before a project is implemented. This increases the likelihood that the design will be secure. Technical controls, such as firewalls and intrusion prevention systems, may not protect against architectural weaknesses. Design flaws are generally not caused by employee malfeasance, so background checks would not be an effective control.
95. D. This type of attack, which causes a user's browser to execute a script, is known as a cross-site scripting (XSS) attack. This particular variant stores the script on the server (in the form of a message board posting) and, therefore, is a stored XSS attack.
96. B. Zero-day attacks occur when an attacker exploits a vulnerability for which there is no security patch, leaving users defenseless. As Mal's organization is the only entity aware of the attack, there is no security update from the vendor to resolve the problem. Therefore, she is in a position to conduct a zero-day attack. The question does not provide enough information about the vulnerability to determine whether it would allow SQL injection, man-in-the-browser, or spoofing attacks.
97. C. Man-in-the-middle (MITM) attacks occur when an interloper is able to trick both client and server systems into establishing a connection with the interloper but believing that they are actually communicating with each other. SSL and TLS may be used to protect the contents of communications with encryption but they do not, by themselves, offer protection against MITM attacks. If the parties use digital certificates signed by a trusted certificate authority, this provides an added degree of trust and protects against MITM attacks. Input validation is a useful control to protect against application layer attacks but is not helpful against MITM attacks.
98. C. The third log entry shows clear signs of a SQL injection attack. Notice that the parameters passed to the web page include an appended SQL command: UNION SELECT 1,2,3,4,5. This is designed to retrieve the first five columns from the database table and will likely succeed if the web application is not performing proper input validation.
99. D. Race conditions occur when a security issue exists that allows an attacker to exploit the timing of commands to obtain unauthorized access. A time-of-check/time-of-use (TOC/TOU) attack exploits a time lag between when an application verifies authorization and then allows the use of privileges. Therefore, this timing-based attack exploits a race condition.
100. D. A Wi-Fi pineapple is a device specifically designed to carry out rogue AP attacks against wireless networks. The pineapple functions by forcing clients to disassociate from their current access points and connect to a network run by the pineapple.
101. D. Generally speaking, IoT deployments do not typically require multifactor authentication. They do, however, call for maintenance of the embedded operating systems, network segmentation, and the encryption of sensitive information.
102. C. The core issue underlying these vulnerabilities is that SSL is no longer considered secure and that TLS version 1.0 is also insecure. Therefore, the most expedient way to address this problem is to upgrade to TLS 1.2 and make that the only transport encryption protocol supported by the server.
103. A. The main limitation of IP spoofing over the internet is that the attacker will not be able to receive responses to their requests because they will be routed to a different network location. If Mal controls her own network, she will be able to bypass any local firewall egress filters that would prevent her from sending the spoofed packets, which she can create with any packet generation tool. IP spoofing is commonly used in denial of service attacks.
104. C. Answering this question doesn't require any knowledge of the specific vulnerability described in MS08-067. Instead, the key is that the worm was spreading overnight while nobody was in the office. The key characteristic of a worm is that it spreads on its own power, without user intervention.
105. A. From the description provided, we have sufficient information to identify this as a Trojan horse. Trojans are a type of malware that disguise themselves as a benign application, such as a game, but then carry a malicious payload.