
QSA Questions 4.11

Domain 01 - Gather the Data


54. What does ICMP Type 3/Code 13 mean?
A. Host Unreachable
B. Administratively Blocked
C. Port Unreachable
D. Protocol Unreachable

84. Which of the following is the most important aspect of a penetration test?
A. Perform attacks over intermediary networks to reach the client's intranet
B. Use dial-up connections to simulate Internet connectivity
C. Minimize the impact on production
D. Only perform attacks from within the client's intranet

80. All of the following are commonly used to define the rules of engagement EXCEPT?
A. Depth of the assessment drives the length of the project
B. Forbidding of social engineering against client staff
C. Assessments should take place during normal business hours on M-F
D. Attack can take place locally, wirelessly, over VPN, and over dial-up

72. What is the first step in a Qualified Security Analyst's testing methodology?
A. Reconnaissance
B. Data analysis
C. Intrusive target search
D. Organize the project

91. All of the following types of information can be directly discovered by examining the header of an e-mail received from the target client, EXCEPT?
A. SMTP server in use
B. MAC address
C. Client e-mail application
D. Usernames

92. Which of the following Internet resources is likely to have the LEAST amount of valuable information about your target client?
A. USENET
B. The Way Back Machine
C. Netcraft
D. Snopes

95. Which of the following nmap commands will discover a TFTP server running on its default port?
A. nmap -sU -v -sV 192.168.1.6 -p 69
B. nmap -sT -v -O 192.168.1.6 -p 69
C. nmap -UDP -v 192.168.1.6 -p 0-1024
D. nmap -U -v 192.168.1.6 -p 3889-65000

71. The following are valid reasons for using a testing methodology EXCEPT?
A. Use a single method of testing for each potential vulnerability.
B. Implement security controls in order to conform to a standard of due care accepted by similar well-run companies.
C. Through research, testing, and analysis, discover exposures and recommend corrections.
D. The opportunity to improve the security posture of their networked computers.

97. What command line tool can be used to obtain zone information from an authoritative source?
A. whois
B. nslookup
C. traceroute
D. ifconfig

101. Which of the following activities will most likely result in the identification of an e-mail server's product name and version?
A. nmap -sT -v -O 192.168.5.4 -p 25
B. nc -l -n -vv -p 25
C. telnet 192.168.5.4 25
D. nmap -sU -sV 192.168.5.4 -p 25

6. Using netcat and connecting to port 80 on a web server to issue the command GET / HTTP/1.0 is an example of what?
A. passive reconnaissance
B. passive enumeration
C. script analysis
D. banner grabbing

96. What is required by nmap to perform an active operating system identification?
A. a UDP scan
B. a target with a non-private IP address
C. the -P0 syntax parameter
D. one open port, one closed port

112. Which of the following commands will display current routing tables?
A. route CHANGE
B. netstat -r
C. nbtstat -n
D. systeminfo /r

113. What is the preferred output from any tool used during a security assessment?
A. binary
B. text
C. graphical
D. hexadecimal

1. Simplifying risk includes identifying risk itself, asset value, vulnerability and:
A. Cost of Impact
B. Backup Solutions
C. Perceived Threat
D. Managerial Functions

98. Which of the following is a tool or technique that can be used to locate firewalls?
A. IDLE scan
B. traceroute
C. Cain & Abel
D. ping sweeps

99. Which of the following tools is best suited for interacting with remote hosts over NetBIOS?
A. traceroute
B. nbtstat
C. nslookup
D. nmap

100. When examining a NetBIOS name table cache, which 16th character represents a username?
A. <03>
B. <20>
C. <1D>
D. <00>

102. Both non-intrusive and intrusive target search have been performed, as well as port scanning and banner grabbing. What is the next step in the security analysis methodology?
A. vulnerability identification
B. exploitation
C. data analysis
D. document findings of penetration

119. What is the primary distinction between scanning for discovery versus scanning for confirmation?
A. One can determine open ports
B. One can determine filtered ports
C. One can be detected
D. One verifies information learned during non-intrusive target search

64. You are conducting an assessment of a web server. You manually connect to port 80 to grab the banner and you notice that to retrieve the information you have to press enter 4 times. You know from previous recon work that the organization you are testing is a Windows shop. What is your guess at the Web Server version that the site is running?
A. IIS 5
B. IIS 4
C. IIS 6
D. IIS 6.5

65. What is the expected response to the following command if there are no services running on the target port?
nmap -sU 192.168.4.2 -p 80
A. SYN/ACK packet
B. ICMP type 3
C. No response
D. RST

66. Who is a potential threat to the security of an organization?
A. disgruntled employees
B. professional hackers
C. script kiddies
D. everyone

109. Which of the following statements should be adopted as a methodology guideline?
A. Employ a single tool per task
B. Use new tools as soon as they are available on the Internet
C. Thoroughly test all tools
D. Use well-known tools even if you have not fully mastered how to use them

67. What security posture can be described as having a default rule of deny all, then allow by exception?
A. Promiscuous
B. Permissive
C. Prudent
D. Paranoid

68. What method of security testing uses automated tools with databases of exploits and has a goal of finding possible weaknesses?
A. Security audit
B. Accreditation
C. Vulnerability assessment
D. Penetration testing

69. The level of confidence that one can have in a vulnerability assessment is directly related to the _______________ that has been spent conducting the vulnerability assessment.
A. budgetary funds
B. time and effort
C. internal political capital
D. senior management trust

70. The following statements are true EXCEPT?
A. No testing or assessment methodology can guarantee that a system is 100% free of vulnerabilities.
B. It is only possible to test what you and your tools know.
C. Penetration tests should be performed before vulnerability scanning.
D. A vulnerability assessment is a systematic and comprehensive method of identifying and reporting vulnerabilities in networked systems that could result in the compromise of those systems from remote hosts.

73. After the first step of a Qualified Security Analyst's testing methodology is performed, what is the next or second step?
A. Organize the project
B. Non-intrusive target search
C. Remote target assessment
D. Data analysis

74. All of the following are benefits of the testing methodology EXCEPT?
A. Computing operations are at minimal risk of disruption.
B. The methodology can be tailored to suit the specific needs of the client.
C. Data and programs are at a reduced risk for loss of integrity.
D. All steps or actions are predefined before testing starts.

78. All of the following are important guidelines for the security analyst EXCEPT?
A. Avoid the use of encryption to prevent data loss.
B. Avoid accidentally crossing the line between determining that a vulnerability exists and exploiting the vulnerability.
C. Know boundaries set by the client ahead of time.
D. Attention to detail and self-restraint are required.

79. A client expects all of the following from a security analyst EXCEPT?
A. Be evasive about the tools and techniques to be employed.
B. Clearly define what you are going to do.
C. Distinctly indicate what is not going to occur.
D. Keep lines of communication open.

81. A hacker needs to discover _______________ in order to compromise a system, while a security analyst needs to discover _______________ in order to protect a system.
A. one vulnerability, one weakness
B. one weakness, all vulnerabilities
C. all vulnerabilities, all weaknesses
D. all weaknesses, one vulnerability

82. Which of the following is most commonly permitted by a client within the rules of engagement?
A. release of malicious code
B. social engineering
C. denial of service
D. insider attack simulation

83. What is the most often overlooked aspect of security when a client hires a security analyst to perform a penetration test?
A. social engineering threats
B. external attacks over the Internet
C. physical weaknesses
D. lack of updates and patches

75. A security analyst should use a variety of tools even if they perform the same functions or scans, due to the following reasons, EXCEPT?
A. Tools are getting better and easier to use
B. No single tool checks for all possible vulnerabilities
C. Some tools work better on, from, or against one platform than another
D. Multiple confirmations increase the validity of information

90. Which of these statements is poor practice for a security analyst?
A. Assume the target database is exhaustive.
B. Check the target database against client-provided data.
C. Use multiple tools to confirm the target list.
D. Repeatedly re-confirm the contents of the target database throughout the analysis process.

2. The four typical network security policies can be classified as prudent, permissive, promiscuous and:
A. Prominent
B. Pervasive
C. Paranoid
D. Pre-emptive

3. What is the definition of a grey hat?
A. Reformed Black Hat
B. A former network administrator
C. A white hat who at certain times breaks ethics for his/her own agenda
D. A person who tries to exploit weaknesses in systems but is not technically sophisticated

47. You are trying to locate Microsoft Outlook Web Access Default Portals using Google search on the Internet. What search string will you use to locate them?
A. outlook:search
B. intitle:exchange server
C. allinurl:exchange/logon.asp
D. locate:logon page

85. What percentage of the total budget should be set aside as a contingency fund just in case the unexpected happens?
A. 2%
B. 10%
C. 25%
D. 50%

107. When a port scanner reveals that UDP ports 161 and 162 are open, what tool should be used to interact with the service(s) behind these ports?
A. nmap
B. hping2
C. SNMP management console
D. Remote Desktop Connection

86. All of the following are limiting factors to the number of targets that are assessed, EXCEPT?
A. Scope defined by client
B. Time allotted
C. Staff availability
D. Platform types

87. How much of the overall time and effort is to be put into organizing the project?
A. 10%
B. 20%
C. 35%
D. 50%

88. What form of target search or assessment will have the least impact on the client's infrastructure?
A. intrusive target search
B. remote target assessment
C. non-intrusive target search
D. local target assessment

89. Why is it important to collect the IP address and the MAC address of every discovered target?
A. To identify the operating system
B. To load balance the scanning effort
C. To bypass routing protocols
D. To determine if a single computer is using multiple logical addresses

31. Jessica works as a systems administrator for a large electronics firm. She wants to scan her network quickly to detect live hosts by using ICMP ECHO Requests. What type of scan is Jessica going to perform?
A. Tracert
B. Smurf scan
C. Ping trace
D. ICMP ping sweep

93. Which of the following tools or resources is not used to gain information about registration of Internet resolution information?
A. nslookup
B. whois
C. nmap
D. arin.net

94. In order to discover the types of operating systems and applications used by a client organization while maintaining a stealthy assessment approach, which of the following resources should be employed?
A. Web site ripper
B. nmap
C. Job postings
D. social engineering

45. Why are Linux/Unix-based computers better to use than Windows computers for idle scanning?
A. Linux/Unix computers are constantly talking
B. Windows computers will not respond to idle scans
C. Linux/Unix computers are easier to compromise
D. Windows computers are constantly talking

56. Kim is studying to be an IT security analyst at a vocational school in her town. The school offers many different programming as well as networking languages. What networking protocol language should she learn that routers utilize?
A. OSPF
B. BGP
C. UDP
D. ATM

10. The OSSTMM is best described as what?
A. passive information gathering source
B. a hacking guide
C. a methodology
D. a reporting structure after penetration testing

40. The objective of this act was to protect consumers' personal financial information held by financial institutions and their service providers:
A. Sarbanes-Oxley 2002
B. Gramm-Leach-Bliley Act
C. HIPAA
D. California SB 1386

Domain 02 - Penetrate the Network

20. To test your website for vulnerabilities, you type a quotation mark (') into the username field. After you click OK, you receive the following error message window:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [Microsoft] [ODBC Microsoft Access Driver] extra ( in query expression 'userid=3306 or ('a'='a' AND Password='')' /_users/loginmain.asp, line 41
What can you infer from the error window?
A. (') is a valid username
B. SQL injection is not possible
C. SQL injection is possible
D. The user for line 3306 in the SQL database has a weak password

27. Harold is a security analyst who has just run the rdisk /s command to grab the backup SAM file on a computer. Where should Harold navigate on the computer to find the file?
A. %systemroot%\repair
B. %systemroom%\system32\drivers\etc
C. %systemroot%\system32\LSA
D. %systemroot%\LSA

35. Tom works as a Unix systems administrator for Jacob and Co. He needs to run brute force attacks on the passwords of his users to ensure that they are abiding by the corporate password policy. Where can Tom find these passwords?
A. /drivers/etc/shadow
B. /etc/pwd
C. /etc/passwd
D. /root/hidden

106. What does the following command do?
net use \\192.168.69.42\IPC$ "" /u:""
A. Reverses a command shell
B. Opens a null session mapped to a local drive letter
C. Performs an IPC network mapping of the target
D. Conducts a password guessing attack against a network share

7. Which of the following protocols can traffic be tunneled through?
A. SSH
B. ICMP
C. SSL
D. All of the above

32. You have compromised a lower-level administrator account on an Active Directory network of a small company in Dallas, Texas. You discover Domain Controllers through enumeration. You connect to one of the Domain Controllers on port 389 using ldp.exe. What are you trying to accomplish here?
A. Enumerate MX and A records from DNS
B. Establish a remote connection to the Domain Controller
C. Poison the DNS records with false records
D. Enumerate domain user accounts and built-in groups

33. George is performing security analysis for Hammond and Sons LLC. He is testing security vulnerabilities of their wireless network. He plans on remaining as stealthy as possible during the scan. Why would a scanner like Nessus not be recommended in this situation?
A. Nessus is too loud
B. There are no ways of performing a stealthy wireless scan
C. Nessus is not a network scanner
D. Nessus cannot perform wireless testing

8. Which of the following is a technique with which an attacker modifies a user-defined URL string that he/she knows will be processed by a backend SQL server?
A. SQL command overflow
B. SQL record spoofing
C. SQL injection
D. SQL formatting string

48. Jennifer works at a small law firm in Chicago. Jennifer's work duties take up about three hours of her day, so the rest of the day she spends on the Internet. One of Jennifer's favorite sites is Myspace. One day, Jennifer comes into work and tries to access the Myspace page but is met with a "This site has been restricted" message. Jennifer is upset because she really wants to keep using Myspace to stay in touch with her friends. What service could Jennifer possibly use to get around the block on Myspace at her company?
A. Hping2
B. HTTrack
C. Anonymizer
D. FTP proxy

103. What is a popular open-source vulnerability assessment tool that can automatically probe numerous targets simultaneously with a wide range of exploitation simulations?
A. Metasploit Framework
B. Nessus
C. Nmap
D. Snort

104. Before using the results of an automated vulnerability assessment engine, all of the following tasks must be performed and verified EXCEPT?
A. Update the engine and exploit database
B. Perform manual exploitation of each discovered vulnerability
C. Verify the remediation recommendations using third-party vulnerability research sources
D. Confirm the ownership of the targets

105. (Domain 03 - Analyze the Results) Both nmap and nessus can export their findings, results, and reports to an external file. What is the preferred file type for the content of this file?
A. Binary output
B. XML
C. comma delimited text
D. Excel spreadsheet layout

16. You are a security analyst working for a private company out of France. Your current assignment is to obtain credit card information from a Swiss bank owned by that company. After initial reconnaissance, you discover that the bank's security defenses are too strong and would take too long to penetrate. You decide to get the information by monitoring the traffic between the bank and one of its subsidiaries in London. After monitoring some of the traffic, you notice a lot of FTP packets back and forth. You want to sniff the traffic and extract user names and passwords. What tool could you use to obtain this information?

A. Airsnort
B. Ettercap
C. Snort
D. Raid Sniff

108. A client has requested that you perform DoS testing against their systems. However, they have asked that you discover vulnerabilities that could be targeted by DoS attacks rather than actually demonstrating the compromise. All of the following actions should be performed EXCEPT?
A. Grab a new DoS tool off the Internet
B. Perform the testing against portions of the environment, rather than the whole environment
C. Obtain written consent to perform DoS testing or simulation
D. Use a trusted vulnerability assessment engine

9. Which of the following best describes a type of attack that involves the mass distribution of spoofed email messages with return addresses, links, and brandings that appear to come from legitimate companies or personnel?
A. Phreaking
B. Phishing
C. Social Engineering
D. Passive Enumeration

4. In Unix operating systems, a penetration tester should be able to identify three valid file permissions including: read, write, and:
A. locked
B. execute
C. empty
D. owner

36. What is the smallest possible Windows shellcode?
A. 800 bytes
B. 1000 bytes
C. 600 bytes
D. 100 bytes

50. What will the following command accomplish?
c:\> nmap -v -sS -P0 172.16.28.251 --data_length 66000 --packet_trace
A. Test the ability of a router to handle under-sized packets
B. Test the ability of a router to handle over-sized packets
C. Test the ability of a WLAN to handle fragmented packets
D. Test the ability of a router to handle fragmented packets

51. Bill is the accounting manager for Grummon and Sons LLC. On a regular basis, he needs to send PDF documents containing sensitive information outside his company through email. Bill protects the PDF documents with a password and sends them to their intended recipients. When the IT manager of Bill's company discovers that Bill is only using the password protect feature in Adobe Acrobat, he tells Bill that the PDF password does not offer enough protection. Why is this?
A. PDF passwords are not considered safe by Sarbanes-Oxley
B. When sent in email, PDF passwords are stripped from the document completely
C. PDF passwords are converted to clear text when sent in email
D. PDF passwords can easily be cracked by software brute force tools

46. You are an IT security consultant attempting to gain access to the state of New Hampshire's network. After trying numerous routes of attack, you are still unsuccessful. You decide to perform a Google search for ftp.nh.st.us to see if the New Hampshire network utilizes an FTP site. You find information about their FTP site and from there you are able to perform a thorough scan of the New Hampshire state network. What type of scan have you just performed?
A. FTP backdoor scan
B. RPC scan
C. FTP bounce scan
D. SYN scan

11. A shadow file is best described as what?
A. a hidden file in the Windows operating system that contains hashed passwords
B. an executable file in Linux that can be used to exploit a system
C. a type of password file
D. a hidden Novell Netware password file

14. Social Engineering is referred to as the art of:
A. Engaging in after hours parties with business partners
B. Applied interaction with skilled engineers
C. Tricking people into revealing sensitive information
D. Coordination of engineering personnel

15. Which of the following is the most common attack?
A. Heap Overflows
B. String Formatting Flaws
C. Buffer Overflows
D. Protocol Flaws

43. Terri works for a security consulting firm that is currently performing a penetration test on a financial institution. Terri's duties include bypassing the firewalls and switches to gain access to the network. From an outside address, Terri sends an IP packet to one of the company's switches with the ACK bit and the source address of her machine. What is Terri trying to accomplish by sending this IP packet?
A. Crash the switch with a DoS attack since ACK bits cannot be sent by computers, only switches
B. Poison the switch's MAC address table by flooding it with ACK bits
C. Trick the switch into thinking it already has a session with Terri's computer
D. Enable tunneling feature on the switch

44. After attending a CEH security seminar on the state of network security, you make a list of changes you would like to perform on your network to increase its security. One of the first things you change is to switch the RestrictAnonymous setting from 0 to 1 on your servers. This, as you were told, would prevent anonymous users from establishing a null session on the server. Using a utility mentioned at the seminar, Userinfo, you attempt to establish a null session with one of the servers, and are successful. Why is that?
A. There is no way to always prevent an anonymous null session from establishing
B. RestrictAnonymous must be set to 3 for complete security
C. RestrictAnonymous must be set to 10 for complete security
D. RestrictAnonymous must be set to 2 for complete security

39. Paul's company is in the process of undergoing a complete security audit including logical and physical security testing. After all logical tests were performed, it is now time for the physical round to begin. None of the employees are made aware of this round of testing. The security auditing firm sends in a technician dressed as an electrician. He waits out in the lobby for some employees to get to work and follows in behind them when they access the restricted areas. After entering the main office, he is able to get into the server room, telling the IT manager that there is a problem with the outlets in that room. What type of attack has the technician performed?
A. Tailgating
B. Man trap attack
C. Fuzzing
D. Backtrapping

Domain 03 - Analyze the Results

21. You are running through a series of tests on your network to test for vulnerabilities. After normal working hours, you initiate a DoS attack on your external firewall. The firewall quickly freezes up and becomes unusable. You then initiate an FTP connection from an external IP into your internal network. The connection is successful even though you have blocked FTP at the external firewall. What happened?
A. The firewall failed-open
B. The firewall's ACL has been purged
C. The firewall failed-closed
D. The firewall failed-bypass

24. You are carrying out the last round of testing for your new website before it goes live. The website has many dynamic pages and connects to a SQL backend that accesses your product inventory in a database. You come across a web security site that recommends inputting the following code into a search field on web pages to check for vulnerabilities:
<script>alert("This is a test.")</script>
What is the result of this test?
A. Your website is vulnerable to CSS
B. Your website is not vulnerable
C. Your website is vulnerable to SQL injection
D. Your website is vulnerable to web bugs

62. In exhibit B, what is the protocol type being represented?
A. TCP
B. ICMP
C. UDP
D. IGRP

121. Which of the following countermeasures allows for a detecting agent to modify firewall ACLs in real time?
A. Snort running in in-line mode
B. NMap with the R (react enabled) switch
C. Statistical Intrusion Prevention Systems
D. Active packet filter firewall

26. You are the network administrator for a small bank in Dallas, Texas. To ensure security, you enact a security policy that requires all users to have 14 character passwords. After giving your users 2 weeks notice, you change the Group Policy to force 14 character passwords. A week later you dump the SAM database from the stand-alone server and run a password-cracking tool against it. Over 99% of the passwords are broken within an hour. Why are these passwords cracked so easily?
A. The passwords that were cracked are local accounts on the Domain Controller
B. Networks using Active Directory never use SAM databases so the SAM database pulled was empty
C. A password Group Policy change takes at least 3 weeks to completely replicate throughout a network
D. Passwords of 14 characters or less are broken up into two, 7-character hashes

60. Observe exhibit A. What is the type of protocol that the trace is representing?
A. TCP
B. ICMP
C. UDP
D. IGRP

58. Your company uses Cisco routers exclusively throughout the network. After securing the routers to the best of your knowledge, an outside security firm is brought in to assess the network security. Although they found very few issues, they were able to enumerate the model, OS version, and capabilities for all your Cisco routers with very little effort. Turning off what feature would eliminate the ability to easily enumerate this information on your Cisco routers?
A. Simple Network Management Protocol
B. Border Gateway Protocol
C. Broadcast System Protocol
D. Cisco Discovery Protocol

57. You are working on a thesis for your doctorate degree in Computer Science. Your thesis is based on HTML, DHTML, and other web-based languages and how they have evolved over the years. You navigate to archive.org and view the HTML code of news.com from three years ago. You then navigate to the current news.com website and copy over the source code. While searching through the code, you come across something abnormal:
<img src="http://coolwebsearch.com/ads/pixel.news.com" width="1" height="1" border="0">
What have you found?
A. Blind bug
B. Web bug
C. CCI code
D. Trojan.downloader

120. When using a hierarchical PKI, which service can assist with the vetting of identities but cannot sign certificates?
A. CRL
B. RA
C. CA
D. Subordinate CA

59. In a virtual test environment, Michael is testing the strength and security of BGP using multiple routers to mimic the backbone of the Internet. This project will help him write his doctoral thesis on bringing down the Internet. Without sniffing the traffic between the routers, Michael sends millions of RESET packets to the routers in an attempt to shut one or all of them down. After a few hours, one of the routers finally shuts itself down. What will the other routers communicate between themselves?
A. RESTART packets to the affected router to get it to power back up
B. More RESET packets to the affected router to get it to power back up
C. The change in the routing fabric to bypass the affected router
D. STOP packets to all other routers warning of where the attack originated

61. In exhibit A, what is the size of the header represented?
A. 10 bytes
B. 20 bytes
C. 30 bytes
D. 40 bytes

63. In exhibit C, identify the highlighted section of the packet received:
A. FPA
B. SF
C. SA

D. RA

28. Frank is working on a vulnerability assessment for a company on the West coast. The company hired Frank to assess its network security through scanning, pen tests, and vulnerability assessments. After discovering numerous known vulnerabilities detected by a temporary IDS he set up, he notices a number of items that show up as unknown but questionable in his logs. He looks up the behavior on the Internet, but cannot find anything related. To what organization should Frank submit the log to find out if it is a new vulnerability or not?
A. RIPE
B. APIPA
C. CVE
D. IANA

29. For security reasons and to conserve the number of public IP addresses owned by his company, Jason uses NAT to translate the private IPs on his internal network to a public IP. Jason decides to use 192.169.0.0 through 192.169.255.255 for his internal IPs. Jason's company decides to pay for a security audit. Why would the security audit company recommend that Jason change his internal IP address scheme?
A. His IP scheme includes too many Class C networks
B. His IP scheme does not fall under RFC 1918
C. His IP scheme does not fall under RFC 19872
D. His IP scheme includes too many class B networks

30. After undergoing an external IT audit, George realizes his network is vulnerable to DDoS attacks. What countermeasures could he take to prevent DDoS attacks?
A. Disable direct broadcasts
B. Enable direct broadcasts
C. Disable BGP
D. Enable BGP

22. Software firewalls work at which level of the OSI model?
A. Network
B. Transport
C. Data Link
D. Application

34. After attending a security class, William decides to set up a dual-homed proxy for the network of his small business. He installs an extra network card on his computer, creates ACL rules, and enables packet forwarding. William also turns on a sniffer to monitor traffic on his new proxy. He quickly notices source IPs he added to his ACL are still able to send to his network and through his proxy. Why is William seeing this result?
A. Only one network card should be used for a dual-homed proxy
B. Packet forwarding should be disabled
C. Dual-homed proxies need at least three network cards, two for functionality and one for monitoring
D. ACL rules should not be used with a proxy

42. Paulette works for an IT security consulting company that is currently performing an audit for the company ACE Unlimited. Paulettes duties include logging in to all the companys network equipment to ensure the lOS versions are up to date and all the other security settings are as stringent as possible. Paulette presents the following screenshot to her boss so he can inform the client that changes need to be made. From the screenshot, what changes should the client company make? Domain 03 - Analyze the Results A. Remove any identifying numbers, names, or version information B. The banner should not state that only authorized IT personnel may proceed C. The banner should have more detail on the version numbers for the network equipment D. The banner should include the Cisco tech support contact information as well 37. Why would a Web administrator remove the .htr extension from the list of application extensions on IIS? Domain 03 - Analyze the Results A. Disallow users from changing their passwords through a web page B. Prevent users from accessing server side includes which are a security threat C. Prevent users from printing documents through Internet printers D. Prevent users from bypassing access control lists on the Web server 38. Software firewalls work at which layer of the OSI model? Domain 03 - Analyze the Results A. Application B. Network C. Transport D. Data Link 23. When setting up a wireless network with multiple access points, why is it important for each access point be on a different channel? Domain 03 - Analyze the Results A. So that the access points will work on different frequencies B. Multiple access points can be set up on the same channel without issues C. Avoid cross talk D. Avoid over saturation of wireless signals 25. When you are running a vulnerability scan on a network and the IDS cuts off your connection, what type of IDS is being used? Domain 03 - Analyze the Results A. NIPS B. Active IDS C. Progressive IDS D. Passive IDS 17. 
Why is a static packet filter firewall not as secure as other types of firewalls? Domain 03 - Analyze the Results A. They cannot look into the packet at all B. They cannot restrict IP packets based on their destination C. They do not look into the packet past header information D. They cannot restrict IP packets based on source

18. What will the following command produce on a websites login page: SELECT email, psswd, login_id, full_name FROM members WHERE email= someone@somewhere.com; DROP TABLE members; -- Domain 03 - Analyze the Results A. Deletes the entire members table B. This command will not produce anything since the syntax is incorrect C. Insert the someone@somewhere.com email address into the members table D. Retrieves the password for the first member in the members table 19. After passing her CEH exam, Carol wants to ensure that her entire network is completely secure. She implements a DMZ statefull firewall, NAT, IPSEC and packet filtering firewall. Since all of the security measures were taken, none of the hosts on her network can reach the internet. Why is that? Domain 03 - Analyze the Results A. Statefull firewalls do not work with packet filtering firewalls B. IPSEC does not work with packet filtering firewalls C. NAT does not work with statefull firewalls D. NAT does not work with IPSEC very well, and is complex to setup! 55. What is a good security method to prevent unauthorized users from tailgating? Domain 03 - Analyze the Results A. Man trap B. Electronic combination locks C. Electronic key systems D. Pick-resistant locks 110. Password cracking can be eliminated as a serious threat using which of the following techniques? Domain 03 - Analyze the Results A. Using 4 different types of characters in each password: uppercase, lowercase, numbers, symbols B. multifactor authentication C. Using a different password on every system D. Using longer passwords 111. The most common mistake made by users in regards to passwords is? Domain 03 - Analyze the Results A. using passwords longer than 15 characters B. using only 3 different types of characters C. changing passwords every 90 days D. reusing the same password on multiple systems 12. Preparation, Detection, Containment, Eradication, Recovery and Followup are steps referred to in which incident response methodology? 
Domain 03 - Analyze the Results A. FRECDP B. PDCERF C. PCDERF D. FEDRESP 52. Why is a static packet filter firewall not as secure as other types of firewalls? Domain 03 - Analyze the Results

A. They do not look into the packet past the header information B. They cannot look into the packet at all C. They cannot restrict IP packets based on their source D. They cannot restrict IP packets based on their destination 53. What are the security risks of running a repair installation for Windows XP? Domain 03 - Analyze the Results A. Pressing Shift+F1 gives the user administrative rights B. Pressing Shift+F10 gives the user administrative rights C. Pressing Ctrl+F10 gives the user administrative rights D. There are no security risks when running the repair installation for Windows XP

Domain 04 - Write the Report

116. All of the following are important aspects to consider when delivering a findings briefing EXCEPT? (Domain 04 - Write the Report)
A. Who is the target audience
B. What is an appropriate level of detail
C. What is the expected time frame
D. What type of slide transitions and animations should be used

114. All of the following should be included in a final report EXCEPT? (Domain 04 - Write the Report)
A. Discovered weaknesses
B. Assumed oversights
C. Confirmed secure implementations and configurations
D. Calculated likelihood of compromise

76. A security analyst will produce a custom findings report instead of relying upon the output of a scanning and reporting engine for all of the following reasons EXCEPT? (Domain 04 - Write the Report)
A. Recommended fixes are not always accurate or current.
B. There may be false positives and false negatives not properly addressed in the automated report.
C. The automated reporting engines often generate massive amounts of raw information that is hard to digest.
D. Updated scanning engines can save time and focus efforts on identifiable concerns.

77. The information collected about a client during security analysis should not be? (Domain 04 - Write the Report)
A. Transmitted securely using PGP.
B. Stored on a USB drive.
C. Isolated from all other data.
D. Secured on a hard drive using TrueCrypt.

115. The supporting evidence for each finding in a final report should be located where? (Domain 04 - Write the Report)
A. In a separate text document provided to the client through a Web site
B. In the main body of the report as the text for each finding
C. In Appendixes
D. In graphical form in a slide presentation

117. Which of the following is likely to cause a findings briefing to fail or be perceived as unprofessional? (Domain 04 - Write the Report)
A. Providing full color handouts
B. Allotting sufficient time to handle questions
C. Employing graphics to represent findings
D. Including exhaustive technical detail

Total: 121 (25)
