Chapter 7 Practice Questions


An IDS alerts on increased traffic. Upon investigation, you realize it is due to a spike in network
traffic from several sources. Assuming this is malicious, what is the MOST likely explanation?
A. A smurf attack
B. A flood guard attack
C. A DoS attack
D. A DDoS attack
D. A distributed denial-of-service (DDoS) attack causes spikes in network traffic as multiple
systems attempt to connect to a server and deplete the target's resources. A smurf attack is an attack
using directed broadcasts, and this might be a smurf attack if routers aren't blocking directed
broadcasts, but it could also be another type of DDoS attack. Flood guards protect against SYN flood
attacks, and flood guards are not an attack method. A DoS attack comes from a single system.
A network administrator needs to ensure the company's network is protected against smurf attacks.
What should the network administrator do?
A. Install flood guards.
B. Use salting techniques.
C. Verify border routers block directed broadcasts.
D. Ensure protocols use timestamps and sequence numbers.
C. Smurf attacks are blocked by preventing routers from passing directed broadcasts, especially
border routers with direct access to the Internet. Flood guards protect against SYN (synchronize)
flood attacks. Salting techniques add additional characters to passwords to thwart brute force attacks.
Timestamps and sequence numbers are useful to protect against replay attacks, but not smurf attacks.
Some protocols include timestamps and sequence numbers. These components help protect against
what type of attacks?
A. Smurf
B. Replay
C. Flood guards
D. Salting
B. Timestamps and sequence numbers act as countermeasures against replay attacks: the receiver rejects
a captured message that is too old or whose sequence number it has already seen. Blocking directed
broadcasts prevents smurf attacks. Flood guards protect against SYN (synchronize) flood attacks.
Salting protects against brute force attacks on password hashes.
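The following is an added example, not part of the original question set, showing how a receiver uses a timestamp and a sequence number to reject replays. The shared key, the 30-second freshness window and the message format are assumptions made for the example; the MAC covers all three fields so an attacker cannot simply edit the timestamp or sequence number on a captured message.

```python
import hashlib
import hmac
import time

# Assumed shared secret between sender and receiver (constructed for this example).
SHARED_KEY = b"example-shared-key-do-not-reuse"
MAX_AGE_SECONDS = 30  # assumed freshness window for the timestamp check


def build_message(seq, payload, now=None):
    """Sender: attach a sequence number and a timestamp, then MAC all three fields together."""
    ts = int(time.time() if now is None else now)
    body = f"{seq}|{ts}|{payload}".encode()
    mac = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()
    return {"seq": seq, "ts": ts, "payload": payload, "mac": mac}


class ReplayGuard:
    """Receiver: checks the MAC first, then the timestamp, then the sequence number."""

    def __init__(self):
        self.last_seq = 0  # highest sequence number accepted so far

    def accept(self, msg, now=None):
        now = time.time() if now is None else now
        body = f"{msg['seq']}|{msg['ts']}|{msg['payload']}".encode()
        expected = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()
        # The MAC covers seq and ts, so an attacker who captured the message
        # cannot edit those fields to make the replay look fresh.
        if not hmac.compare_digest(expected, msg["mac"]):
            return "bad-mac"
        # Timestamp: a captured message is useless once the window has passed.
        if abs(now - msg["ts"]) > MAX_AGE_SECONDS:
            return "stale"
        # Sequence number: a captured message is also useless inside the window,
        # because the receiver has already consumed that number.
        if msg["seq"] <= self.last_seq:
            return "replayed"
        self.last_seq = msg["seq"]
        return "accepted"
```

The timestamp alone would still allow a replay within the window, and the sequence number alone would allow a replay after a receiver restart that resets its counter; protocols that use both close both gaps.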
Which of the following is the BEST method to protect against someone trying to guess the correct
PIN to withdraw money from an ATM?
A. Account lockout
B. Rainbow table
C. Salting
D. Input validation
A. Account lockout policies help prevent brute force attacks by locking the account after an
incorrect password or personal identification number (PIN) is entered too many times. This prevents
someone from hacking into an account by guessing. A rainbow table is a type of attack. Salting
passwords prevents some offline brute force attacks by adding characters to passwords before
hashing them. Input validation prevents attacks such as buffer overflow and cross-site scripting, but
wouldn't help here because an attacker guessing PINs is entering valid data.
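As an added illustration (not from the original question set) of why lockout defeats PIN guessing, here is a small verifier with a lockout policy. The threshold of three attempts, the 15-minute lock and the credential store are assumptions; a real system would store a salted hash of the PIN rather than the PIN itself.

```python
import hmac
from collections import defaultdict

LOCKOUT_THRESHOLD = 3      # assumed policy: failed attempts allowed before lockout
LOCKOUT_SECONDS = 15 * 60  # assumed policy: how long the account stays locked

# Constructed credential store. A real system would store a salted hash, not the PIN.
PINS = {"acct-1001": "4821"}


class PinVerifier:
    def __init__(self):
        self.failures = defaultdict(int)  # account -> consecutive failed attempts
        self.locked_until = {}            # account -> time the lock expires

    def check(self, account, pin, now):
        # A locked account rejects every attempt, even one with the correct PIN,
        # until the lock expires. That is what makes guessing impractical.
        if self.locked_until.get(account, 0) > now:
            return "locked"
        expected = PINS.get(account, "")
        if expected and hmac.compare_digest(expected.encode(), pin.encode()):
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= LOCKOUT_THRESHOLD:
            self.failures[account] = 0
            self.locked_until[account] = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"


def max_guesses_per_day():
    """Upper bound on guesses at one account in 24 hours under this policy."""
    return LOCKOUT_THRESHOLD * (24 * 60 * 60 // LOCKOUT_SECONDS)
```

Under these assumed numbers an attacker gets at most 288 guesses per day against a 10,000-value PIN space. The trade-off is that lockout can be abused to deny service to the legitimate account holder, which is why the lock is time-limited rather than permanent.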
An application stores user passwords in a hashed format. Which of the following can decrease the
likelihood that attackers can discover these passwords?
A. Rainbow tables
B. MD5
C. Salt
D. Smurf
C. A password salt is additional random characters added to a password before hashing the
password, and it decreases the success of password attacks. Rainbow tables are used by attackers
and contain precomputed hashes. Message digest 5 (MD5) is a hashing algorithm that creates hashes,
but the scenario already states that passwords are hashed. Smurf is a type of attack using a directed
broadcast and is not related to passwords.
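An added example (not part of the original question set) contrasting an unsalted hash with a salted, iterated one. The work factor and the tiny "rainbow table" of common passwords are constructed for the example; the point is that two users with the same password get the same unsalted hash, which a precomputed table finds immediately, while the salted hashes differ and cannot be precomputed.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # assumed work factor


def unsalted_md5(password):
    """How the question's application might store passwords: same input, same hash, every time."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Salted, iterated hash. The random salt makes precomputed tables useless."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed stand-in for a rainbow table: precomputed unsalted hashes of common passwords.
RAINBOW_TABLE = {unsalted_md5(p): p for p in ("password", "123456", "letmein", "qwerty")}


def rainbow_lookup(stored_hash):
    return RAINBOW_TABLE.get(stored_hash)
```

The salt is stored alongside the hash; it is not a secret. Its job is to make every hash unique so that an attacker has to attack each one separately, and the iteration count makes each attempt expensive.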
A user complains that his system is no longer able to access the blogs.getcertifiedgetahead.com
site. Instead, his browser goes to a different site. After investigation, you notice the following entries
in the user's hosts file: localhost blogs.getcertifiedgetahead.com
What is the BEST explanation for this entry?
A. A pharming attack
B. A whaling attack
C. Session hijacking
D. A phishing attack
A. A pharming attack attempts to redirect users from one web site to another web site. Although
this is often done using DNS poisoning, it can also be done by rewriting the hosts file in a user's
system. The localhost entry is the default entry in the hosts file, and the second entry
redirects the user to a different site. Whaling is a phishing attack that targets high-level executives. In
session hijacking, an attacker captures a user's session identifier (such as a session cookie) and uses it to
impersonate the user.
Phishing is the practice of sending email to users with the purpose of tricking them into revealing
personal information (such as bank account information).
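An added example (not from the original question set) of the check an administrator would run on the user's machine: parse the hosts file and flag any name that is not a default loopback entry. The allowlist of default names and the sample file are constructed; the sample uses an address from the 192.0.2.0/24 documentation range as a stand-in for the attacker's server.

```python
import ipaddress

# Names that legitimately appear in a default hosts file. Anything else mapped to an
# address is a candidate for pharming (assumed allowlist; extend for your platform).
DEFAULT_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters",
    "ip6-localnet", "ip6-mcastprefix",
}


def parse_hosts(text):
    """Yield (address, [names]) for each non-comment line of a hosts file."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; the resolver ignores it too
        yield addr, parts[1:]


def suspicious_entries(text):
    """Return (name, address, reason) for entries that override public DNS resolution."""
    findings = []
    for addr, names in parse_hosts(text):
        for name in names:
            if name.lower() in DEFAULT_NAMES:
                continue
            if addr.is_loopback or addr.is_unspecified:
                # Pinning a real name to loopback blocks the site (e.g. an update server).
                reason = "site blocked (pinned to loopback)"
            else:
                reason = "site redirected to a fixed address"
            findings.append((name, str(addr), reason))
    return findings


# Constructed sample: default loopback lines plus two attacker-added entries.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost
192.0.2.10      blogs.getcertifiedgetahead.com
127.0.0.1       updates.example.com
"""
```

On Linux a `127.0.1.1 <hostname>` line is normal and would be flagged by this rule, so add the machine's own hostname to the allowlist before running it there. Any hit for a public domain should be compared against the answer the organisation's DNS resolver gives for that name.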
Security analysts recently discovered that users in your organization are inadvertently installing
malware on their systems after visiting the comptai.org web site. Users have a legitimate requirement
to visit the comptia.org web site. What is the MOST likely explanation for this activity?
A. Smurf
B. Typo squatting
C. Fuzzing
D. Replay
B. Typo squatting (or URL hijacking) uses a similar domain name to redirect traffic. In this
scenario, the last two letters in CompTIA are swapped in the malicious domain name, and that site is
attempting to download malware onto the user systems. A smurf attack is unrelated to web sites.
Fuzzing tests an application's ability to handle random data. A replay attack attempts to replay data
with the intent of impersonating one of the parties.
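An added example (not from the original question set) of how a proxy or log-review script can spot typo-squatted domains: compare the registrable label of each visited host against a list of protected brands using an edit distance that counts a swapped letter pair as one change. The protected-domain list and the distance threshold are assumptions; the label extraction assumes two-part suffixes and does not consult the public suffix list.

```python
def osa_distance(a, b):
    """Optimal string alignment distance: insertion, deletion, substitution and
    transposition of two adjacent characters each count as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # "ia" <-> "ai"
    return d[len(a)][len(b)]


# Assumed: the brands the organisation cares about, as registrable domains.
PROTECTED_DOMAINS = ("comptia.org", "getcertifiedgetahead.com")
MAX_DISTANCE = 1  # assumed threshold; 2 catches more squats but also more false positives


def registrable_label(host):
    """Second-level label of a hostname (assumes two-part suffixes; no public-suffix handling)."""
    labels = host.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify_host(host):
    host = host.lower().rstrip(".")
    for legit in PROTECTED_DOMAINS:
        if host == legit or host.endswith("." + legit):
            return "legitimate"
    for legit in PROTECTED_DOMAINS:
        # Distance 0 here means the same label under a different suffix (comptia.com), also a squat.
        if osa_distance(registrable_label(host), registrable_label(legit)) <= MAX_DISTANCE:
            return f"lookalike:{legit}"
    return "unknown"
```

Edit distance catches transpositions, dropped and doubled letters and single substitutions such as digit-for-letter swaps. It does not catch prefix or hyphen squats (comptia-login.org), which need a separate substring rule.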
An attacker recently attacked a web server hosted by your company. After investigation, security
professionals determined that the attacker used a previously unknown application exploit. Which of
the following BEST identifies this attack?
A. Buffer overflow
B. Zero-day attack
C. Fuzzing
D. Session hijacking
B. A zero-day attack exploits a vulnerability that is unknown to the vendor and the public, so no patch
exists for it yet. A buffer overflow attack sends more data than a buffer can hold in order to overwrite
memory, run attacker code, or crash the system. Some buffer overflow vulnerabilities are unknown, but
many are known; if the server isn't kept up to date with patches, it can be attacked with a known buffer
overflow. Fuzzing sends random or malformed data to a system and can uncover buffer overflows and
other previously unknown vulnerabilities, but the scenario doesn't indicate the attacker is sending
random data. Session hijacking takes over a user's session and isn't an exploit of an application flaw
on the server.
Which of the following developer techniques results in significant security vulnerabilities for
online web site applications?
A. Buffer overflow
B. Cross-site request forgery
C. Poor input validation
D. Hardening
C. Poor input validation often causes security vulnerabilities and can lead to major losses when
exploited. Buffer overflow and cross-site request forgery (XSRF) are attacks, not techniques used by
developers; input validation mitigates buffer overflows, and anti-forgery tokens mitigate XSRF.
Hardening both operating systems and applications helps make them more secure from security vulnerabilities.
An attacker is bypassing client-side input validation by intercepting and modifying data within the
HTTP POST command. Which of the following does the attacker use in this attack?
A. Command injection
B. Flash cookie
C. Proxy
D. Exception handling
C. An attacker can use a web proxy (an intercepting proxy on the attacker's own machine) to capture the
HTTP POST command after the browser's client-side checks have already run. The attacker then
modifies the data in the command and sends it to the web site, which is why validation must be repeated
on the server. Command injection is an injection attack in which attacker-supplied input is passed to an
operating system command; server-side input validation thwarts it. Flash cookies are used by Adobe
Flash applets, but are not used to bypass input validation. Exception handling catches errors, allowing
applications to handle them gracefully.
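An added example (not from the original question set) of the server-side half of this scenario: an order handler that trusts the POST body as the browser's script left it, beside one that re-validates every field and takes the price from the server's own catalogue. The catalogue, the quantity limit and the request bodies are constructed; the tampered bodies are what an attacker would submit through the proxy.

```python
import re
from urllib.parse import parse_qs

# Constructed catalogue: the server's own price list, in cents.
CATALOG = {"sku-100": 2500}
MAX_QTY = 10  # assumed business rule that the client-side script also enforces
QTY_PATTERN = re.compile(r"[0-9]{1,3}")  # ASCII digits only; rejects "", "-3", "2.5", "1e9"


def order_total_trusting_client(body):
    """Vulnerable: uses price and quantity exactly as the browser sent them.
    The client-side script limits qty to 1..10 and fills in price, but a proxy
    lets the attacker edit both after that script has run."""
    form = parse_qs(body)
    qty = int(form["qty"][0])
    price = int(form["price"][0])
    return qty * price


def order_total_validated(body):
    """Hardened: re-validates every field on the server and ignores client-supplied prices."""
    form = parse_qs(body, keep_blank_values=True)
    sku = form.get("sku", [""])[0]
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    qty_raw = form.get("qty", [""])[0]
    if not QTY_PATTERN.fullmatch(qty_raw):
        raise ValueError("qty must be a whole number")
    qty = int(qty_raw)
    if not 1 <= qty <= MAX_QTY:
        raise ValueError("qty out of range")
    return qty * CATALOG[sku]  # price comes from the server, never from the request


def validate_order(body):
    """Wrapper returning ('ok', total) or ('rejected', reason) instead of raising."""
    try:
        return "ok", order_total_validated(body)
    except ValueError as exc:
        return "rejected", str(exc)
```

The "price" field should not exist in the form at all; the vulnerable handler reads it only to show what happens when it does. Client-side validation is still worth having for usability, but it is never a security control.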
Web developers are implementing error and exception handling in a web site application. Which
of the following represents a best practice for this?
A. Displaying a detailed error message but logging generic information on the error
B. Displaying a generic error message but logging detailed information on the error
C. Displaying a generic error message and logging generic information on the error
D. Displaying a detailed error message and logging detailed information on the error
B. You should display a generic error message but log detailed information on the error. Detailed
error messages to the user are often confusing to them and give attackers information they can use
against the system. Logging generic information makes it more difficult to troubleshoot the problem.
While reviewing logs for a web application, a developer notices that it has crashed several times
reporting a memory error. Shortly after it crashes, the logs show malicious code that isn't part of a
known application. What is MOST likely occurring?
A. Buffer overflow
C. Cross-site scripting
D. XML injection
A. A buffer overflow writes more data into a buffer than it can hold, overwriting adjacent memory; this
often crashes the application. Attackers place malicious code in memory they control and use
different techniques to redirect execution to it. None of the other attacks inserts malicious code into memory. Attackers
attempt to embed HTML or JavaScript code in cross-site scripting (XSS) attacks, often to read
cookies on a user's system. Extensible Markup Language (XML) injection attacks attempt to access or
modify XML formatted data.
An application on one of your database servers has crashed several times recently. Examining
detailed debugging logs, you discover that just prior to crashing, the database application is receiving
a long series of x90 characters. What is MOST likely occurring?
A. SQL injection
B. Buffer overflow
C. XML injection
D. Zero-day
B. Buffer overflow exploits commonly include a NOP sled, a long run of no-operation (NOP)
instructions; 0x90 is the x86 NOP opcode. When successful, they can crash applications and expose memory, allowing
attackers to run malicious code on the system. SQL injection attacks and Extensible Markup Language
(XML) injection attacks do not use NOP commands. Zero-day attacks are unknown or undocumented,
but attacks using NOP commands are known.
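An added example (not from the original question set) of the detection the log review in this question implies: scan captured request bytes for runs of 0x90 and report where each sled starts and what follows it. The 32-byte threshold and the sample request are constructed; the four bytes after the sled are placeholders standing in for shellcode.

```python
NOP = 0x90      # x86 single-byte NOP opcode
MIN_SLED = 32   # assumed threshold; short 0x90 runs occur in legitimate binaries as padding


def find_nop_sleds(data, min_len=MIN_SLED):
    """Return (offset, length) for every run of NOP bytes at least min_len long."""
    sleds = []
    i = 0
    n = len(data)
    while i < n:
        if data[i] != NOP:
            i += 1
            continue
        start = i
        while i < n and data[i] == NOP:
            i += 1
        if i - start >= min_len:
            sleds.append((start, i - start))
    return sleds


def classify_payload(data):
    """Summarise the last sled and the bytes after it, which is where the shellcode would sit."""
    sleds = find_nop_sleds(data)
    if not sleds:
        return None
    start, length = sleds[-1]
    end = start + length
    return {"sled_offset": start, "sled_length": length, "tail": data[end:end + 8]}


# Constructed sample: a request whose header field carries a 200-byte NOP sled
# followed by a few placeholder bytes standing in for shellcode.
SAMPLE = (
    b"GET /login HTTP/1.1\r\nUser-Agent: "
    + b"\x90" * 200
    + b"\x31\xc0\x50\x68"
    + b"\r\n\r\n"
)
```

A sled detector is a cheap first filter, not proof of an exploit: attackers can substitute other single-byte instructions for 0x90, so treat a hit as a reason to pull the full capture and look at what follows it.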
Attackers have attacked an online web server using a SQL injection attack. Which of the
following BEST describes this?
A. The attacker is attempting to overload the system with unexpected data and access memory.
B. The attacker is attempting to impersonate a user using HTML code.
C. The attacker is sending random data into a program to see if the application will crash.
D. The attacker is attempting to pass commands to a back-end database server to access data.
D. In a SQL injection attack, an attacker attempts to inject SQL commands into a query to access
or manipulate data on a back-end database. A buffer overflow attack attempts to overload a system
with too much data or unexpected data in an attempt to access system memory. A cross-site request
forgery (XSRF) attack attempts to impersonate a user with HTML code. Fuzzing is a testing technique
that sends random data into an application to see if the application can handle it.
While creating a web application, a developer adds code to limit data provided by users. The
code prevents users from entering special characters. Which of the following attacks will this code
MOST likely prevent?
A. Sniffing
B. Spoofing
C. Cross-site scripting
D. Pharming
C. A cross-site scripting (XSS) attack can be blocked by using input validation techniques to
filter special characters such as the < and > characters used in HTML code. None of the other
attacks requires the use of special characters. Sniffing captures data with a protocol analyzer.
Spoofing hides the identity of the original entity. Pharming redirects a user from one web site to
another web site.
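An added example (not from the original question set) of the two complementary controls: an allowlist that rejects input containing characters the field has no business holding, and output encoding that neutralises whatever does reach the page. The allowlist pattern is an assumed policy for a display-name field; the point is that encoding on output is what actually stops the script from running, and filtering only < and > misses attribute and other contexts.

```python
import html
import re

# Allowlist for a display name: letters, digits, space and a few punctuation marks (assumed policy).
NAME_PATTERN = re.compile(r"[A-Za-z0-9 .'\-]{1,40}")


def validate_display_name(name):
    """Input validation: accept only the allowlist rather than hunting for '<' and '>'."""
    return NAME_PATTERN.fullmatch(name) is not None


def render_unsafe(name):
    """Reflects user input straight into the page; a stored name becomes stored XSS."""
    return f"<p>Hello, {name}!</p>"


def render_escaped(name):
    """Output encoding for an HTML text context; quote=True also covers attribute contexts."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"
```

Validate on the way in, encode on the way out: a name such as O'Brien passes the allowlist and is rendered safely because the apostrophe is encoded rather than stripped.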
Homer recently received an email thanking him for a purchase that he did not make. He asked an
administrator about it and the administrator noticed a pop-up window, which included the following
code: <body onload="document.getElementById('myForm').submit()">
<form id="myForm" action="gcgapremium.com/purchase.php" method="post">
<input name="Buy Now" value="Buy Now" />
</form>
What is the MOST likely explanation?
A. Cross-site request forgery
B. Buffer overflow
C. SQL injection
D. Fuzzing
A. A cross-site request forgery attack (XSRF) causes users to perform actions without their
knowledge. This scenario indicates the user visited a web site, most likely through a malicious link,
and the link initiated a purchase. None of the other attacks cause unsuspecting users to make
purchases. A buffer overflow attacks a web site and attempts to access system memory. A SQL
injection attack attempts to access data on a database server. Fuzzing sends random data to an
application to test its ability to handle the random data.
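An added example (not from the original question set) of the server-side defence against the forged purchase above: an anti-forgery token issued with the site's own form and verified on the POST. The server key and the dictionary standing in for a framework request object are constructed. The forged page can make Homer's browser send the session cookie, but it cannot read a token from the real site's form, so its POST arrives without one.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = b"example-server-secret-rotate-me"  # assumed; kept only on the server


def issue_csrf_token(session_id):
    """Embed the result in the site's own purchase form as a hidden field."""
    nonce = secrets.token_hex(16)
    tag = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{tag}"


def verify_csrf_token(session_id, token):
    nonce, sep, tag = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def handle_purchase(request):
    """request is a dict with 'cookies' and 'form' (constructed stand-in for a framework request)."""
    session_id = request.get("cookies", {}).get("session")
    if session_id is None:
        return 401, "not logged in"
    # The browser attaches the session cookie to the forged POST automatically, so the
    # cookie proves who the user is but not that the user meant to buy anything.
    # The token proves the POST came from a form this site rendered: the attacker's
    # page cannot read it (same-origin policy), so it cannot include it.
    if not verify_csrf_token(session_id, request.get("form", {}).get("csrf_token", "")):
        return 403, "missing or invalid CSRF token"
    return 200, f"purchased {request['form'].get('item', '?')}"
```

Binding the token to the session ID means a token the attacker obtained for their own account is useless against Homer's. Setting the session cookie with SameSite=Lax or Strict adds a second, browser-enforced layer.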
Which of the following is an attack against servers hosting a directory service?
B. LDAP injection
D. Fuzzing
B. A Lightweight Directory Access Protocol (LDAP) injection attack attempts to access data
on servers hosting a directory service, such as a Microsoft domain controller hosting Active
Directory. Cross-site scripting (XSS) and cross-site request forgery (XSRF) attacks attack web
servers, not directory service servers. Fuzzing sends random data to see if the application can handle
it, but it doesn't necessarily target servers hosting a directory service.
Your organization hosts a web site within a DMZ and the web site accesses a database server in
the internal network. ACLs on firewalls prevent any connections to the database server except from
the web server. Database fields holding customer data are encrypted and all data in transit between
the web site server and the database server are encrypted. Which of the following represents the
GREATEST risk to the data on the server?
A. Theft of the database server
B. XML injection
C. SQL injection
D. Sniffing
C. A SQL injection attack allows an attacker to send commands to the database server through the
web application, a path the firewall ACLs permit. Encryption protects the data on the server and in
transit, but the web server must be able to decrypt it, so injected queries return usable data. Because the
data in the database server is encrypted, theft of the server isn't a significant risk. There aren't any
indications that the database server is replying with Extensible Markup Language (XML) data, so an
XML injection attack isn't a risk. Because data is encrypted while in transit, sniffing isn't a
significant risk.
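An added example (not from the original question set) serving both this question and the earlier one on SQL injection: the same lookup written with string concatenation and with a bound parameter, run against an in-memory SQLite table. The table, the placeholder "ciphertext" values and the decrypt stand-in are constructed; the decrypt step is there to show why field-level encryption does not help once the web tier, which holds the key, has been tricked into selecting the rows.

```python
import sqlite3


def create_db():
    """Constructed customer table; card numbers stored as 'ciphertext' placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, card_enc TEXT)")
    conn.executemany(
        "INSERT INTO customers (username, card_enc) VALUES (?, ?)",
        [("alice", "ENC[...4111]"), ("bob", "ENC[...5500]")],
    )
    return conn


def decrypt_for_app(card_enc):
    """Stand-in for the web tier's decryption (not real crypto): the web server holds the
    key, so anything it is tricked into selecting comes back in usable form."""
    return card_enc.replace("ENC[", "").rstrip("]")


def lookup_vulnerable(conn, username):
    """String-built query: user input becomes part of the SQL itself."""
    sql = f"SELECT username, card_enc FROM customers WHERE username = '{username}'"
    return [(u, decrypt_for_app(c)) for u, c in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """Parameterized query: user input is bound as a value and can never change the query."""
    rows = conn.execute("SELECT username, card_enc FROM customers WHERE username = ?", (username,))
    return [(u, decrypt_for_app(c)) for u, c in rows]
```

The firewall rule and the transport encryption in the scenario are working exactly as designed; the injected query simply rides the one connection they allow. Parameterized queries (or an ORM that uses them) close the hole at the application layer where it exists.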
A security tester is sending random data to a program. What does this describe?
A. Fuzzing
B. Buffer overflow
C. Integer overflow
D. Command injection
A. Fuzz testing, or fuzzing, sends random data to an application with the purpose of
testing the application's ability to handle the random data. In some cases, fuzzing can discover buffer
overflow and integer overflow vulnerabilities, but just sending random data doesn't necessarily cause
buffer overflows or integer overflows. Command injection attacks send specific commands, not
random data.
Your organization is preparing to deploy a web-based application, which will accept user input.
Which of the following will test the reliability of this application to maintain availability and data integrity?
A. Secure coding
B. Input validation
C. Error handling
D. Fuzzing
D. Fuzzing can test the application's ability to maintain availability and data integrity for some
scenarios. Fuzzing sends random data to an application to verify the random data doesn't crash the
application or expose the system to a data breach. Secure coding practices such as input validation
and error-and exception-handling techniques protect applications, but do not test them.
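An added example (not from the original question set) serving both fuzzing questions: a small mutation fuzzer run against a toy length-prefixed parser that trusts its length byte, then against the same parser with the missing bounds check. The record format, the seed input and the mutation strategy are constructed. The parser's contract is that it raises ValueError for input it rejects; any other exception is the kind of crash fuzzing is meant to surface.

```python
import random


def parse_record(data):
    """Toy length-prefixed parser with a planted bug: it trusts the length byte.
    Declared behaviour: raise ValueError for rejected input; anything else is a crash."""
    if len(data) < 2:
        raise ValueError("too short")
    name_len = data[0]
    name = data[1:1 + name_len]
    value = data[1 + name_len]        # IndexError when name_len overstates the data
    return {"name": name.decode("ascii"), "value": value}


def parse_record_hardened(data):
    """Same format, with the bounds check the fuzzer shows is missing."""
    if len(data) < 2:
        raise ValueError("too short")
    name_len = data[0]
    if len(data) < name_len + 2:
        raise ValueError("truncated record")
    name = data[1:1 + name_len]
    return {"name": name.decode("ascii"), "value": data[1 + name_len]}


def mutate(seed, rng):
    """Random byte-level mutations: bit flips, inserts, deletes and boundary-value replacements."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        op = rng.choice(("flip", "insert", "delete", "replace"))
        if op == "insert":
            data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
        elif not data:
            continue
        elif op == "flip":
            data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
        elif op == "delete":
            del data[rng.randrange(len(data))]
        else:
            data[rng.randrange(len(data))] = rng.choice((0x00, 0x01, 0x7F, 0x80, 0xFF))
    return bytes(data)


def fuzz(target, seed, iterations=2000, rng_seed=1):
    """Return {exception name: first input that triggered it} for unexpected exceptions."""
    rng = random.Random(rng_seed)  # fixed seed so findings are reproducible
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            continue                  # clean rejection (UnicodeDecodeError is a ValueError too)
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, case)
    return crashes


SEED = bytes([5]) + b"alice" + b"x"   # constructed valid record: len=5, name "alice", value "x"
```

In a memory-safe language the planted bug surfaces as an IndexError; the same missing check in C is the out-of-bounds read that precedes a buffer overflow. Keeping the crashing input (the dictionary value) is what lets a developer reproduce and fix the finding, which is the part of fuzzing that ties it to availability and data integrity.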