asd

CEH V6 Study Guide -‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐ 1. Jason is the network security administrator for Gunderson International, a global shipping company based out of New York City. Jason’s company utilizes many layers of security throughout its network such as network firewalls, application firewalls, vlans, operating system hardening, and so on. One thing in particular the company is concerned with is the trustworthiness of data and resources in terms of preventing improper and unauthorized changes. Since the company is global, information is sent constantly back and forth to all its employees all over the world. What in particular is Jason’s company concerned about? A. Jason’s company is particularly concerned about data integrity. * B. Authenticity is what the company is most concerned about. C. The confidentiality of the company’s data is the most important concern for Gunderson International. D. The availability of the data is paramount to any other concern of the company. 2. Yancey is a network security administrator for a large electric company. This company provides power for over 100,000 people in Las Vegas. Yancey has worked for his company for over 15 years and has become very successful. One day, Yancey comes in to work and finds out that the company will be downsizing and he will be out of a job in two weeks. Yancey is very angry and decides to place logic bombs, viruses, Trojans, and backdoors all over the network to take down the company once he has left. Yancey does not care if his actions land him in jail for 30 or more years, he just wants the company to pay for what they are doing to him. What would Yancey be considered? A. Yancey would be considered a Suicide Hacker. * B. Since he does not care about going to jail, he would be considered a Black Hat. C. Because Yancey works for the company currently; he would be a White Hat. D. Yancey is a Hacktivist Hacker since he is standing up to a company that is downsizing. 3. Heather is a hacktivist working for Green Peace International. She has broken into numerous oil and energy companies and exposed their confidential data to the public. Normally, Heather uses a combination of social engineering and DoS techniques to gain access to the companies’ networks. Heather has made over 50 fake ID cards and access badges to gain unauthorized access to companies to gain information as well. If Heather is caught by the federal government, what US law could she be prosecuted under? A. She could be prosecuted under US law 18 U.S.C § 1029 if caught. * B. Heather would be charged under 18 U.S.C § 2510, which entails the use of more than 15 counterfeit items. C. 18 U.S.C § 9914 is the US law that Heather would be prosecuted under since she used false pretenses to gain unauthorized access. D. Heather would serve prison time for her actions if prosecuted under US law 18 U.S.C § 2929. 4. Stephanie is the senior security analyst for her company, a manufacturing company in Detroit. Stephanie is in charge of maintaining network security throughout the entire company. A colleague of hers recently told her in confidence that he was able to see confidential corporate information on Stephanie’s external website. He was typing in URLs randomly on the company website and he found information that should not be public. Her friend said this happened about a month ago. Stephanie goes to the addresses he said the pages were at, but she finds nothing. She is very concerned about this, since someone should be held

accountable if there really was sensitive information posted on the website. Where can Stephanie go to see past versions and pages of a website? A. Stephanie can go to Archive.org to see past versions of the company website. * B. She should go to the web page Samspade.org to see web pages that might no longer be on the website. C. If Stephanie navigates to Search.com; she will see old versions of the company website. D. AddressPast.com would have any web pages that are no longer hosted on the company’s website. 5. You are the chief information officer for your company, a shipping company based out of Oklahoma City. You are responsible for network security throughout the home office and all branch offices. You have implemented numerous layers of security from logical to physical. As part of your procedures, you perform a yearly network assessment which includes vulnerability analysis, internal network scanning, and external penetration tests. Your main concern currently is the server in the DMZ which hosts a number of company websites. To see how the server appears to external users, you log onto a laptop at a Wi-‐Fi hotspot. Since you already know the IP address of the web server, you create a telnet session to that server and type in the command: HEAD /HTTP/1.0 After typing in this command, you are presented with the following screen: What are you trying to do here? A. You are trying to grab the banner of the web server. * B. You are attempting to send an html file over port 25 to the web server. C. You are trying to open a remote shell to the web server. D. By typing in the HEAD command, you are attempting to create a buffer overflow on the web server. 6. Kyle is a security consultant currently working under contract for a large financial firm based in San Francisco. Kyle has been asked by the company to perform any and all tests necessary to ensure that every point of the network is secure. Kyle first performs some passive footprinting. He finds the company’s website which he checks out thoroughly for information. Kyle sets up an account with the company and logs on to their website with his information. Kyle changes the URL to: This address produces a Page Cannot be Displayed error. Kyle then types in another URL: What is Kyle attempting here? A. Kyle is trying incremental substitution to navigate to other pages not normally available. * B. Kyle is using extension walking to gain access to other web pages.

C. He is using error walking to see what software is being used to host the financial institution’s website. D. By changing the address manually, Kyle is attempting ASP poisoning. 7. George is the senior security analyst for Tyler Manufacturing, a motorcycle manufacturing company in Seattle. George has been tasked by the president of the company to perform a complete network security audit. The president is most concerned about crackers breaking in through the company’s web server. This web server is vital to the company’s business since over one million dollars of product is sold online every year. The company’s web address is at: www.customchoppers.com. George decides to hire an external security auditor to try and break into the network through the web server. This external auditor types in the following Google search attempting to glean information from the web server: What is the auditor trying to accomplish here? A. He is trying to search for all web pages on the customchoppers site without extensions of html and htm. * B. The auditor is having Google retrieve all web pages on the Tyler Manufacturing website that either have the extension of html or htm. C. He is attempting to retrieve all web pages the might have a login page to the company’s backend database. D. The auditor that George has hired is trying to find pages with the extension of html or htm that link directly to customchoppers.com. 8. Jonathan is an IT security consultant working for Innovative Security, an IT auditing company in Houston. Jonathan has just been hired on to audit the network of a large law firm in downtown Houston. Jonathan starts his work by performing some initial passive scans and social engineering. He then uses Angry IP to scan for live hosts on the firm’s network. After finding some live IP addresses, he attempts some firewalking techniques to bypass the firewall using ICMP but the firewall blocks this traffic. Jonathan decides to use HPING2 to hopefully bypass the firewall this time. He types in the following command: What is Jonathan trying to accomplish by using HPING2? A. Jonathan is attempting to send spoofed SYN packets to the target via a trusted third party to port 81. * B. He is using HPING2 to send FIN packets to 10.0.1.24 over port 81. C. By using this command for HPING2, Jonathan is attempting to connect to the host at 10.0.1.24 through an SSH shell. D. This HPING2 command that Jonathan is using will attempt to connect to the 10.0.1.24 host over HTTP by tunneling through port 81. 9. Hayden is the network security administrator for her company, a large marking firm based in Miami. Hayden just got back from a security conference in Las Vegas where they talked about all kinds of old and new security threats; many of which she did not know of. Hayden is worried about the current security state of her company’s network so she decides to start scanning the network from an external IP address. To see how some of the hosts on her network react, she sends out SYN packets to an IP range. A number of IPs responds with a SYN/ACK response. Before the connection is established she sends RST packets to those hosts to stop the session. She has done this to see how her intrusion detection system will log the traffic. What type of scan is Hayden attempting here?

A. Hayden is using a half-‐open scan to find live hosts on her network. * B. Hayden is attempting to find live hosts on her company’s network by using an XMAS scan. C. She is utilizing a SYN scan to find live hosts that are listening on her network. D. This type of scan she is using is called a NULL scan. 10. Paul is the systems administrator for One-‐Time International, a computer manufacturing company. Paul is in charge of the company’s older PBX system as well as its workstations and servers. The company’s internal network is connected to the PBX phone system so that customized software applications used by employees can use the PBX to dial out to customers. Paul is concerned about crackers breaking into his network by way of the PBX. He is particularly worried about war dialing software that might try all of the company’s numbers to find a way in. What software utility can Paul use to notify him if any war dialing attempts are made on his PBX? A. Paul can use SandTrap which would notify him if anyone tries to break into the PBX.* B. If Paul uses ToneLoc, he will be notified by the software when and if anyone tries to crack into the PBX system. C. THC Scan would be the best software program for Paul to use if he wants to be notified of war dialer attacks. D. Paul needs to use Roadkil’s Detector software to tell if a hacker is trying to break into his phone system 11. You are the chief security information analyst for your company Utilize Incorporated. You are currently preparing for a future security audit that will be performed by a consulting company. This security audit is required by company policy. To prepare, you are performing vulnerability analysis, scanning, brute force, and many other techniques. Your network is comprised of Windows as well as Linux servers. From one of the client computers running Linux, you open a command shell and type in the following command: What are you trying to accomplish? A. You are attempting to establish a null session on the 192.168.2.121 host. * B. You are trying to connect to this host at the IPC share using the currently logged on user’s credentials. C. By typing in this command, you are attempting to connect to the SMB share on the host using an Anonymous connection. D. You are trying to connect to the localhost share of the client computer. 12. Lauren is a network security officer for her agency, a large state-‐run agency in California. Lauren has been asked by the IT manager of another state agency to perform a security audit on their network. This audit she has been asked to perform will be an external audit. The IT manager thought that Lauren would be a great candidate for this task since she does not work for the other agency but is an accomplished IT auditor. The first task that she has been asked to perform is to attempt to crack user passwords. Since Lauren knows that all state agency passwords must abide by the same password policy, she believes she can finish this particular task quickly. What would be the best password attack method for Lauren to use in this situation? A. Lauren should use a rule-‐based attack on the agency’s user passwords. * B. Lauren can produce the best and fastest results if she uses a dictionary attack. C. A hyberfil-‐based password attack would be the best method of password cracking in this scenario. D. She should utilize the reverse-‐encryption password cracking technique since she knows the password policy.

13. Simon is the network administrator for his company. Simon is also an IT security expert with over 10 security-‐related certifications. Simon has been asked by the company CIO to perform a comprehensive security audit of the entire network. After auditing the network at the home office without finding any issues, he travels to one of the company’s branch offices in New Orleans. The first task that Simon carries out is to set up traffic mirroring on the internal-‐facing port of that office’s firewall. On this port, he uses Wireshark to capture traffic. Alarmingly, he finds a huge number of UDP packets going both directions on ports 2140 and 3150. What is most likely occurring here? A. A client inside the network has been infected with the Deep Throat Trojan. * B. This type of traffic is indicative of the Netbus Trojan. C. Most likely, a computer inside the network is infected with the SQL Slammer worm. D. Seeing traffic on UDP ports 2140 and 3150 means that a computer is infected with the Bobax Trojan 14. Tyler is the senior security officer for WayUP Enterprises, an online retail company based out of Los Angeles. Tyler is currently performing a network security audit for the entire company. After seeing some odd traffic on the firewall going outbound to an IP address found to be in North Korea, Tyler decides to look further. Tyler traces the traffic back to the originating IP inside the network; which he finds to be a client running Windows XP. Tyler logs onto this client computer and types in the following command: What is Tyler trying to accomplish by using this command? A. Tyler is trying to find out all the ports that are listening on this computer. * B. Tyler is using this command to find all the host records that are stored on the local client computer. C. By using this command, Tyler is closing all open TCP and UDP sessions on the computer. D. This command will show Tyler if there are any Trojan programs installed on this computer. 15. Lyle is a systems security analyst for Gusteffson & Sons, a large law firm in Beverly Hills. Lyle’s responsibilities include network vulnerability scans, Antivirus monitoring, and IDS monitoring. Lyle receives a help desk call from a user in the Accounting department. This user reports that his computer is running very slow all day long and it sometimes gives him an error message that the hard drive is almost full. Lyle runs a scan on the computer with the company antivirus software and finds nothing. Lyle downloads another free antivirus application and scans the computer again. This time a virus is found on the computer. The infected files appear to be Microsoft Office files since they are in the same directory as that software. Lyle does some research and finds that this virus disguises itself as a genuine application on a computer to hide from antivirus software. What type of virus has Lyle found on this computer? A. Lyle has discovered a camouflage virus on the computer. * B. By using the free antivirus software, Lyle has found a tunneling virus on the computer. C. This type of virus that Lyle has found is called a cavity virus. D. Lyle has found a polymorphic virus on this computer. 16. Miles is a network administrator working for the University of Central Oklahoma. Miles’ responsibilities include monitoring all network traffic inside the network and traffic coming into the network. On the university’s IDS, Miles notices some odd traffic originating from some client computers inside the network. Miles decides to use Tcpdump to take a further look.

What is Miles going to accomplish by running this command? A. Miles is trying to capture all UDP traffic from client1 and the LAN except for traffic to client29. * B. He is trying to see all UDP traffic between client1 and client29 only. C. This command will capture all traffic on the internal network except for traffic originating from client1 and client29. D. Miles will be able to capture all traffic on the network originating from client1 and client29 except UDP traffic. 17. Neil is an IT security consultant working on contract for Davidson Avionics. Neil has been hired to audit the network of Davidson Avionics. He has been given permission to perform any tests necessary. Neil has created a fake company ID badge and uniform. Neil waits by one of the company’s entrance doors and follows an employee into the office after they use their valid access card to gain entrance. What type of social engineering attack has Neil employed here? A. Neil has used a tailgating social engineering attack to gain access to the offices. * B. He has used a piggybacking technique to gain unauthorized access. C. This type of social engineering attack is called man trapping. D. Neil is using the technique of reverse social engineering to gain access to the offices of Davidson Avionics. 18. Xavier is a network security specialist working for a federal agency in Washington DC. Xavier is responsible for maintaining agency security policies, teaching security awareness classes, and monitoring the overall health of the network. One of Xavier’s coworkers receives a help desk call from a user who is having issues navigating to certain sites on the Internet. Xavier’s coworker cannot figure out the issue so he hands it off to Xavier. He logs on to the user’s computer and goes to a couple of websites the user said were having issues. When Xavier types in www.Google.com, it takes him to Boogle.com instead. When Xavier types in Yahoo.com, it takes him to Yahooo.com instead. Xavier checks all the IP settings on the computer which are static and they appear to be correct. Xavier checks the local DNS settings as well as the DNS settings on the server and they are correct. Xavier opens a command window and types in: ipconfig /flushdns. When he navigates to the previous sites, he is still directed to the wrong ones. What issue is Xavier seeing here on the client computer? A. This client computer has had the hosts file poisoned. * B. From this behavior, it is evident that the client computer’s DNS cache has been poisoned. C. Xavier is seeing a computer that has been infected with an IRC bot Trojan. D. This computer has obviously been hit by a Smurf attack. 19. Javier is a network security consultant working on contract for a state agency in Texas. Javier has been asked to test the agency’s network security from every possible aspect. Javier decides to use the Reaper Exploit virus to see if he can exploit any weaknesses in the company’s email. He infects a couple of computers with the virus and waits for the users of those machines to use their email client. After a short amount of time, he receives numerous emails that were copied from those clients; this proving that the client computers are susceptible to the Reaper Exploit virus exploiting their email clients. What aspect of email clients does this exploit take advantage of? A. The Reaper Exploit uses the functionality of DHTML in Internet Explorer, used by Microsoft Outlook. * B. This exploit takes advantage of hidden form fields which are used by email clients such as Microsoft Outlook.

C. This Reaper Exploit virus takes advantage of the inherent insecurity in S/MIME used by email clients like Outlook. D. Email clients like Outlook are susceptible to this exploit because they utilize XML and XMLS. 20. You are an IT security consultant working on a six month contract with a large energy company based in Kansas City. The energy company has asked you to perform DoS attacks against its branch offices to see if their configurations and network hardening can handle the load. To perform this attack, you craft UDP packets that you know are too large for the routers and switches to handle. You also put confusing offset values in the second and later fragments to confuse the network if it tries to break up the large packets. What type of attack are you going to attempt on the company’s network? A. You are going to attempt a teardrop attack to see if their network can handle the packets. * B. This type of attack is referred to as a Ping of Death attack since the packets use confusing offset values. C. By changing the characteristics of the UDP packets in this manner, you are trying to use a Smurf attack against the company’s network. D. This attack is called a SYN attack since the UDP packets are manipulated. 21. Bill is an IT security consultant who has been hired on by an ISP that has recently been plagued by numerous DoS attacks. The ISP did not have the internal resources to prevent future attacks, so they hired Bill for his expertise. Bill looks through the company’s firewall logs and can see from the patterns that the attackers were using reflected DoS attacks. What measures can Bill take to help prevent future reflective DoS attacks against the ISP’s network? (Select 2) A. Bill should have the ISP block port 179 on their firewall to stop these DoS attacks. * B. He should have them configure their network equipment to recognize SYN source IP addresses that never complete their connections. * C. Bill needs to tell the ISP to block all UDP traffic coming in on port 1001 to prevent future reflective DoS attacks against their network. D. Bills should configure the ISP’s firewall so that it blocks FIN packets that are sent to the broadcast address of the company’s internal IP range. 22. Gerald is a certified ethical hacker working for a large financial institution in Oklahoma City. Gerald is currently performing an annual security audit of the company’s network. One of the company’s primary concerns is how the corporate data is transferred back and forth from the banks all over the city to the data warehouse at the company’s home office. To see what type of traffic is being passed back and forth and to see how secure that data really is, Gerald uses a session hijacking tool to intercept traffic between a server and a client. Gerald hijacks an HTML session between a client running a web application which connects to a SQL database at the home office. Gerald does not kill the client’s session; he simply monitors the traffic that passes between it and the server. What type of session attack is Gerald employing here? A. Gerald is using a passive application level hijack to monitor the client and server traffic. * B. He is utilizing a passive network level hijack to see the session traffic used to communicate between the two devices. C. This type of attack would be considered an active application attack since he is actively monitoring the traffic. D. This type of hijacking attack is called an active network attack. 23. Theresa is the chief information security officer for her company, a large shipping company based out of New York City. In the past, Theresa and her IT employees manually checked the status of client computers on the network to see if they had the most recent Microsoft updates. Now that the company has added

over 100 more clients to accommodate new departments, Theresa must find some kind of tool to see whether the clients are up-‐to-‐date or not. Theresa decides to use Qfecheck to monitor all client computers. When Theresa runs the tool, she is repeatedly told that the software does not have the proper permissions to scan. Theresa is worried that the operating system hardening that she performs on all clients is keeping the software from scanning the necessary registry keys on the client computers. What registry key permission should Theresa check to ensure that Qfecheck runs properly? A. She needs to check the permissions of the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates registry key. * B. Theresa needs to look over the permissions of the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Updates\Microsoft\Patches. C. In order for Qfecheck to run properly, it must have enough permission to read HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Microsoft\Updates. D. The registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft must be checked. 24. Leonard is the senior security analyst for his company, Meyerson Incorporated. Leonard has recently finished writing security policies for the company that have just been signed off by management. Every employee has had to sign off on the policies, agreeing to abide by them or face disciplinary action. One policy in particular is being enforced; employees are not allowed to use web-‐based email clients such as Hotmail, Yahoo, and Gmail. This has been put in place because of virus infections that started with web-‐based email. While walking through the office one day, Leonard notices an employee using Hotmail. To prove a point, Leonard sends an email to this users Hotmail account with the following code. What will this code do on the employee’s computer once the email is opened? A. This code will create pop-‐up windows on the employee’s computer until its memory is exhausted. * B. This HTML code will force the computer to reboot immediately. C. Once the employee opens the email with this code, his computer will send out messages to the network with the title of “You are in trouble!”. D. This code will install a counter on the employee’s computer that will count every time that user opens web-‐based email. 25. Cheryl is a security analyst working for Shintel Enterprises, a publishing company in Boston. As well as monitoring the security state of the company’s network, she must ensure that the company’s external websites are up and running all the time. Cheryl performs some quick searches online and finds a utility that will display a window on her desktop showing the current uptime statistics of the websites she needs to watch. This tool works by periodically pinging the websites; showing the ping time as well as a small graph that allows Cheryl to view the recent monitoring history. What tool is Cheryl using to monitor the company’s external websites? A. She is using Emsa Web monitor to check on the status of the company’s websites. * B. Cheryl is utilizing AccessDiver to check on the websites’ status. C. To monitor her company’s websites, Cheryl is using Acunitex. D. Cheryl has chosen to use Burp to check on the status of the company’s websites. 26. James is an IT security consultant as well as a certified ethical hacker. James has been asked to audit the network security of Yerta Manufacturing, a tool manufacturing company in Phoenix. James performs some

initial external tests and then begins testing the security from inside the company’s network. James finds some big problems right away; a number of users that are working on Windows XP computers have saved their usernames and passwords used to connect to servers on the network. This way, those users do not have to type in their credentials every time they want access to a server. James tells the IT manager of Yerta Manufacturing about this, and the manager does not believe this is possible on Windows XP. To prove his point, James has a user logon to a computer and then James types in a command that brings up a window that says “Stored User Names and Passwords”. What command did James type in to get this window to come up? A. James had to type in “rundll32.exe keymgr.dll, KRShowKeyMgr” to get the window to pop up. * B. To bring up this stored user names and passwords window, James typed in “rundll32.exe storedpwd.dll, ShowWindow”. C. The command to bring up this window is “KRShowKeyMgr”. D. James typed in the command “rundll32.exe storedpwd.dll” to get the Stored User Names and Passwords window to come up. 27. Kevin is an IT security analyst working for Emerson Time Makers, a watch manufacturing company in Miami. Kevin and his girlfriend Katy recently broke up after a big fight. Kevin believes that she was seeing another person. Kevin, who has an online email account that he uses for most of his mail, knows that Katy has an account with that same company. Kevin logs into his email account online and gets the following URL after successfully logged in: http://www.youremailhere.com/mail.asp?mailbox=Kevin&Smith=121%22 Kevin changes the URL to: http://www.youremailhere.com/mail.asp?mailbox=Katy&Sanchez=121%22 Kevin is trying to access her email account to see if he can find out any information. What is Kevin attempting here to gain access to Katy’s mailbox? A. Kevin is trying to utilize query string manipulation to gain access to her email account. * B. This type of attempt is called URL obfuscation when someone manually changes a URL to try and gain unauthorized access. C. By changing the mailbox’s name in the URL, Kevin is attempting directory transversal. D. He is attempting a path-‐string attack to gain access to her mailbox. 28. Daryl is the network administrator for the North Carolina Lottery. Daryl is responsible for all network security as well as physical security. The lottery recently hired on a web developer to create their website and bring all services in house since the lottery’s website was previously hosted and supported by a third party company. After the developer creates the website, Daryl wants to check it to ensure it is as secure as possible. The developer created a logon page for lottery retailers to gain access to their financial information. Without knowing what any of the usernames and passwords are, Daryl tries to bypass the logon page and gain access to the backend. Daryl makes a number of attempts and he gets the following error message every time. What can Daryl deduce from this error message? A. He can tell that the site is susceptible to SQL injection. *

B. From this error, Daryl can see that the site is vulnerable to query string manipulation attacks. C. This particular error indicates that the page is vulnerable to buffer overflows. D. Daryl can deduce that the developer did not turn off friendly messages on the server. 29. Jeremy is web security consultant for Information Securitas. Jeremy has just been hired to perform contract work for a large state agency in Michigan. Jeremy’s first task is to scan all the company’s external websites. Jeremy comes upon a login page which appears to allow employees access to sensitive areas on the website. James types in the following statement in the username field: SELECT * from Users where username=’admin’ -‐-‐ AND password=’’ AND email like ‘%@testers.com%’ What will the following SQL statement accomplish? A. If the page is susceptible to SQL injection, it will look in the Users table for usernames of admin * B. This statement will look for users with the name of admin, blank passwords, and email addresses that end in @testers.com. C. This Select SQL statement will log James in if there are any users with NULL passwords. D. James will be able to see if there are any default sa user accounts in the SQL database. 30. David is the wireless security administrator for Simpson Audio Visual. David was hired on after the company was awarded a contract with 100 airports to install wireless networks. Since these networks will be used by both internal airport employees and visitors to the airports, David decided to go with the de facto standard of 802.11b. Every airport wants to use 802.11b with TCP error checking, even though David has said this will slow down the wireless network connection speeds. With this error checking, what will be the resulting speed of the wireless networks? A. Since TCP error checking will be utilized; the effective speed of the wireless networks can be up to 5.9 mbps. * B. The resulting speed of the wireless networks will be up to 7.1 mbps since error checking slows down the actual speed. C. Because TCP error checking has no effect on the actual speed, the airports’ wireless networks will function at up to 11 mbps. D. The resulting speed of the wireless networks for the airports will be up to 248 mbps. 31. Oliver is the network security administrator for Foodies Café, a chain of coffee shops in the Seattle metropolitan area. Oliver is performing his quarterly security audit of the entire company, including each coffee shop the company owns. Each café has a wireless hotspot that customers can utilize. The home office also has a wireless network which is used by employees. While walking around the outside of the corporate office, Oliver sees a drawing on the sidewalk right next to his building. What does this symbol signify? A. This symbol means that someone has found out that the company is using wireless networking with open access and restrictions. * B. This means that someone knows the corporate wireless network is utilizing a access points with MAC filtering and WPA encryption. C. This signifies a hacker has discovered that the company is using WEP encryption for its wireless network. D. This particular symbol is used to tell others that a nearby wireless access point is using weak encryption.

32. Jacob is the IT manager for Thompson & Sons, a bail bondsman company in Minneapolis. Jacob has been told by the company’s president to perform a logical and physical security audit for all the offices around the city. Jacob finds that a number of offices need more physical security. Jacob recommends that these offices add a cage that customers must pass through before entering the main office. This cage will allow employees in the office to verify the customer’s information before allowing them access into the building. What is Jacob recommending the offices install for added security? A. Jacob is recommending that the offices install mantraps at their locations. * B. He is recommending the offices install physical DMZ’s at their locations. C. This type of physical security measure is called a piggyback box. D. He has recommended that these locations install stop-‐gap cages as an added security measure. 33. Sydney is a certified ethical hacker working as the systems administrator for Galt Riderson International. Sydney is an expert in Linux systems and is utilizing IPTables to protect Linux clients as well as servers. After monitoring the firewall log files, Sydney has been fine tuning the firewall on many clients to adjust for the best security. Sydney types in the following command: iptables -‐A INPUT -‐s 0/0 -‐I eth1 -‐d 192.168.254.121 -‐p TCP -‐j ACCEPT What will this command accomplish for Sydney? A. This command will allow TCP packets coming in on interface eth1 from any IP address destined for 192.168.254.121. * B. By using this command, Sydney will block all TCP traffic coming in on interface eth1 to the IP address of 192.168.254.121. C. This command will block all TCP packets with NULL headers from reaching the IP address of 192.168.254.121. D. Sydney is using this command to allow all TCP traffic that is outbound from IP address 192.168.254.121. 34. Lonnie is the chief information officer for Ganderson Trailways, a railroad shipping company with offices all over the United States. Lonnie had all his systems administrators implement hardware and software firewalls last year to help ensure network security. On top of these, they implemented IDS/IPS systems throughout the network to check for and stop any bad traffic that may attempt to enter the network. Although Lonnie and his administrators believed they were secure, a hacker group was able to get into the network and modify files hosted on the company’s websites. After searching through firewall and server logs, no one could find how the hackers were able to get in. Lonnie decides that the entire network needs to be monitored for critical and essential file changes. This monitoring tool needs to alert administrators whenever a critical file is changed in any way. What utility could Lonnie and his systems administrators implement on the company’s network to accomplish this? A. Lonnie could use Tripwire to notify administrators whenever a critical file is changed.* B. They can implement Strataguard on the network which monitors critical system and registry files. C. SnortSam would be the best utility to implement since it keeps track of critical files as well as files it is told to monitor. D. Lonnie and his systems administrators need to use Loki to monitor specified files on the company’s network. 35. Neville is a network security analyst working for Fenderson Biomedics, a medical research company based out of London. Neville has been tasked by his supervisor to ensure that the company is as secure as possible. Neville first examines and hardens the OS for all company clients and servers. Neville wants to

check the performance and configuration of every firewall and network device to ensure they comply with company security policies. Neville has chosen to use Firewall Informer because it actively and safely tests devices with real-‐world exploits to determine their security state. What built-‐in technology used by Firewall Informer actively performs these exploit tests on network equipment? A. Firewall Informer uses Blade Software’s Simulated Attack For Evaluation (S.A.F.E.) technology to actively test network devices. * B. The built-‐in technology used by Firewall Informer is a graphical user interface version of Snort. C. The technology used to actively perform exploit checking in Firewall Informer is Blade Software’s Exploit Awareness Safety Yield (E.A.S.Y.). D. Firewall Informer utilizes a stripped down version of Loki to actively and safely check for possible exploits on network devices. 36. Ursula is a network security analyst as well as a web developer working on contract for a marketing firm in St. Louis. Ursula has been hired on to help streamline the company’s website and ensure it meets accessibility laws for that state. After completing all the work that was asked, the marketing firm terminates Ursula’s service and does not pay the rest of the money that is owed to her. Right before she is asked to leave, Ursula writes a small application with the following code inserted into it. What will this code accomplish? A. This code will create a buffer overflow if the application it resides in is run. * B. This code that Ursula has written will cause the computer it is run on to throw up a URI exception error; essentially crashing the machine. C. Because the code is written in this manner, it will create a buffer underflow if it is executed. D. This code Ursula has inserted into a program will create a format string bug if executed. 37. Nathan is the senior network administrator for Undulating Innovations, a software development company in Los Angeles. Nathan’s company typically develops secure email programs for state and local agencies. These programs allow these agencies to send and receive encrypted email using proprietary encryption and signing methods. An employee at one of the state agencies has been arrested on suspicion of leaking sensitive government information to third world countries for profit. When the US federal government steps in, they seize the employee’s computer and attempt to read email he sent but are not able to because of the encryption software he used. Nathan receives a call from an investigator working for the CIA on this particular case. The investigator tells Nathan that his company has to give up the encryption algorithms and keys to the government so they can read the email sent by the accused state employee. Under what right does this investigator have to ask for the encryption algorithms and keys? A. The federal government can obtain encryption keys from companies under the Government Access to Keys (GAK) rule. * B. The CIA investigator can obtain the proprietary keys and algorithms from Nathan’s company due to Eminent Domain laws. C. Since this has turned into a federal case, the government has the right to obtain proprietary information from Nathan’s company under Juris Prudence laws. D. The investigator can ask for and obtain the proprietary information due to Habeas Corpus laws. 38. Justine is the systems administrator for her company, an international shipping company with offices all over the world. Recent US regulations have forced the company to implement stronger and more secure

means of communication. Justine and other administrators have been put in charge of securing the company’s digital communication lines. After implementing email encryption, Justine now needs to implement robust digital signatures to ensure data authenticity and reliability. Justine has decided to implement digital signatures which are a variant of DSA and that operate on elliptical curve groups. These signatures are more efficient than DSA and are not vulnerable to a number field sieve attacks. What type of signature has Justine decided to implement? A. Justine has decided to use ECDSA signatures since they are more efficient than DSA signatures. * B. She has decided to implement ElGamal signatures since they offer more reliability than the typical DSA signatures. C. Justine is now utilizing SHA-‐1 with RSA signatures to help ensure data reliability. D. These types of signatures that Justine has decided to use are called RSA-‐PSS signatures. 39. Charlie is an IT security consultant that owns his own business in Denver. Charlie has recently been hired by Fleishman Robotics, a mechanical engineering company also in Denver. After signing service level agreements and other contract papers, Charlie asks to look over the current company security policies. Based on these policies, Charlie compares the policies against what is actually in place to secure the company’s network. From this information, Charlie is able to produce a report to give to company executives showing which areas the company is lacking in. This report then becomes the basis for all of Charlie’s remaining tests. What type of initial analysis has Charlie performed to show the company which areas it needs improvements in? A. This type of analysis is called GAP analysis. * B. This initial analysis performed by Charlie is called an Executive Summary. C. Charlie has performed a BREACH analysis; showing the company where its weak points are. D. This analysis would be considered a vulnerability analysis. 40. Zane is a network security specialist working for Fameton Automotive, a custom car manufacturing company in San Francisco. Zane is responsible for ensuring that the entire network is as secure as possible. Much of the company’s business is performed online by customers buying parts and entire cars through the company website. To streamline online purchases, the programming department has developed a new web application that will keep track of inventory and check items out online for customers. Since this application will be critical to the company, Zane wants to test it thoroughly for any security vulnerabilities. Zane primarily focuses on checking the time validity of session tokens, length of those tokens, and expiration of session tokens while translating from SSL to non-‐SSL resources. What type of web application testing is Zane primarily focusing on? A. He is most focused on testing the session management of the new web application. * B. Zane is putting most of his effort into component checking. C. By focusing on those specific areas, Zane’s testing is concentrated on input validation. D. He is testing the web application’s configuration verification. 41. Giles is the network administrator for his company, a graphics design company based in Dallas. Most of the network is comprised of Windows servers and workstations, except for some designers that prefer to use MACs. These MAC users are running on the MAC OS X operating system. These MAC users also utilize iChat to talk between each other. Tommy, one of these MAC users, calls Giles and says that his computer is running very slow. Giles then gets more calls from the other MAC users saying they are receiving instant messages from Tommy even when he says he is not on his computer. Giles immediately unplugs Tommy’s computer from the network to take a closer look. He opens iChat on Tommy’s computer and it says that it sent a file called latestpics.tgz to all the other MAC users. Tommy says he never sent those files. Giles also

sees that many of the computer’s applications appear to be altered. The path where the files should be has an altered file and the original application is stored in the file’s resource fork. What has Giles discovered on Tommy’s computer? A. Giles has found the OSX/Leap-‐A virus on Tommy’s computer. * B. This behavior is indicative of the OSX/Inqtana.A virus. C. He has discovered OSX/Chat-‐burner virus on Tommy’s computer. D. On Tommy’s computer, Giles has discovered an apparent infection of the OSX/Transmitter.B virus. 42. Paulette is the systems administrator for Newton Technologies. Paulette holds certifications in both Microsoft areas as well as security such as the CEH. Paulette is currently performing the yearly security audit for the company’s entire network which includes two branch offices. Paulette travels to one of the branch offices to perform an internal audit at that location. She uses Send ICMP Nasty Garbage (SING) to find all the routers in the network. All network equipment at the home office and branch offices are Cisco equipment. Paulette wants to check for a particular arbitrary administrative access vulnerability known in Cisco equipment when certain HTTP requests are made to those routers. If one of the router’s IP addresses is 172.16.28.110, what HTTP request could Paulette use to see if that router is vulnerable? A. Paulette could type in: http://172.16.28.110/level/22/exec/show/config/cr to check if the router is vulnerable. * B. If she typed in: http://172.16.28.110/level/121/exec/show/admin/config, she would be able to see if the router is vulnerable to arbitrary administrative access attacks. C. By typing in: http://172.16.28.255/level/99/exec/show/config/cr, Paulette will be able to see if the Cisco router is vulnerable. D. She needs to navigate to: http://172.16.28.110:2209 to check for its vulnerability. 43. Michael is an IT security consultant currently working under contract for a large state agency in New York. Michael has been given permission to perform any tests necessary against the agency’s network. The agency’s network has come under many DoS attacks in recent months, so the agency’s IT team has tried to take precautions to prevent any future DoS attacks. To test this, Michael attempts to gain unauthorized access or even overload one of the agency’s Cisco routers that is at IP address 192.168.254.97. Michael first creates a telnet session over port 23 to the router. He uses a random username and tries to input a very large password to see if that freezes up the router. This seems to have no affect on the router yet. What other command could Michael use to attempt to freeze up the router? A. Michael could use the command: ping -‐l 56550 192.168.254.97 -‐t. * B. If Michael used the command: ping -‐r 999 192.168.254.97 -‐t, he could freeze up the router and then attempt to gain access. C. The command: finger -‐l 9999 192.168.254.97 -‐m would force the router to freeze. D. Ping -‐l 254 192.168.254.97 would make the router freeze. 44. Cindy is a certified ethical hacker working on contract as an IT consultant for Dewdrop Enterprises, a computer manufacturing company based in Dallas. Dewdrop has many sales people that travel all over the state using Blackberry devices and laptops. These mobile devices are the company’s main concern as far as network security. About a year ago, one of the company laptops was stolen from a sales person and sensitive company information was stolen from it. Because of this, the company has hired on Cindy to ensure that all mobile devices used by employees are secure. Since many of the employees are now using new laptops with Windows Vista, Cindy has configured Bitlocker on those devices for hard disk encryption. Cindy then uses the BlackBerry Attack Toolkit along with BBProxy to check for vulnerabilities on the blackberry devices. As it turns out, these devices are vulnerable and she is able to gain access to the

corporate network through the Blackberry devices. What type of attack has Cindy used to gain access to the network through the mobile devices? A. Cindy has used Blackjacking to gain access to the corporate network. * B. This type of attack would be called Skipjacking since it is utilizing mobile devices to gain access to a corporate network. C. This would be considered a Berryjack attack since it attacks Blackberry devices. D. Cindy is using a MITM attack by using Blackberry devices. 45. Henry is the network administrator for a large advertising firm in Chicago. As well as ensuring overall network health, Henry is responsible for performing security audits, vulnerability assessments and penetration tests to check for network security. Henry has been asked to travel to one of the company’s branch offices in Taylor Texas to perform a security audit. Right away, Henry notices how many mobile devices that branch office utilizes including PDA’s, Blackberries, and laptops. To prove a point, Henry wants to show the IT manager at that branch office how insecure some of those mobile devices are. In particular, he wants to point out the sensitive information that Palm devices can pass when using HotSync to synch itself with a computer. What UDP port should Henry listen on that is used by the Palm OS to find sensitive information? A. Henry should listen on UDP port 14237 to see the traffic passed back and forth when using HotSync. * B. He should have his device listen on UDP port 16999 to see the traffic passed from the Palm device. C. If he listens on UDP port 1219, he will be able to see the traffic. D. Henry needs to have his device listen on UDP port 14001. 46. Richard is an IT security expert currently making presentations in Las Vegas at a logical security conference. Richard’s specialty is in Bluetooth technology and different ways to take advantage of its vulnerabilities. Richard is using one of his Bluetooth enabled cell phones and a Bluetooth enabled laptop to make a demonstration on how to steal information from a wireless device through a Bluetooth connection. Richard shows how to connect to the OBEX Push target and how to perform an OBEX GET request to pull the address book and calendar off the cell phone. What type of attack is Richard demonstrating here at the conference? A. Richard is demonstrating Bluesnarfing by stealing information from a wireless device through a Bluetooth connection. * B. He is showing how to perform a Bluejacking attack by exploiting the inherent weaknesses in Bluetooth connections. C. This attack that Richard is demonstrating is called a BlueSpam attack. D. At the conference, Richard is demonstrating how to perform a BlueBack attack. 47. William is the senior security analyst for Cuthbert & Associates, a large law firm in Miami. William is responsible for ensuring complete network security. William’s boss, the IT director, is trying to convince the owners of the firm to purchase new Blackberry devices and new Bluetooth enabled laptops. William has been telling his boss that using Bluetooth devices like that is not secure. William’s boss doesn’t believe that Bluetooth devices are a security risk, so he asks for a demonstration. William obliges his boss by setting up an attack with his personal laptop and his boss’ Bluetooth enabled phone. William uses Logical Link Control and Adaptation Layer Protocol ( L2CAP) to send oversized packets to his boss’ phone. This attack overloads the phone and William is able to do whatever he wants to with the device now. What type of attack has William just demonstrated to his boss? A. He has shown his boss how to perform a Bluesmacking attack. *

B. William has performed a Bluesnarf attack on his boss’ phone. C. This type of attack is called a BlueDump attack. D. William was able to demonstrate to his boss how to perform a Bluejacking attack. 48. Blake is an IT security consultant, specializing in PBX and VoIP implementation testing. Blake has been recently hired on my Thwarting Enterprises, a brokerage firm in New York City. The company heard through contacts that Blake was the best in the business as far as examining and securing VoIP network implementations. About a year ago, Thwarting Enterprises installed a Cisco VoIP system throughout their office to replace the older PBX system. They have now brought Blake in to test its security, or lack thereof. Blake first begins his testing by finding network devices on the network that might be used for VoIP. Blake prefers to use UDP scanning because of its quickness. Blake finds a target on the network that looks promising and begins to perform a scan against it by sending packets with empty UDP headers to each port. Almost all of the ports respond with the error of “ICMP port unreachable”. From these errors, what can Blake deduce about these ports? A. From this error, Blake can tell that these ports are not being used. * B. This specific error means that the ports are currently in stealth mode. C. Blake can deduce that the ports that respond with this error are open and listening. D. He can tell that these specific ports are in hybrid mode. 49. Vicki is the IT manager for her company, an online retail business in Seattle. Vicki was recently given budget approval by the CIO to purchase 100 VoIP phones and all the VoIP networking equipment needed to make a complete VoIP implementation. Vicki and her employees install all the phones and set up the servers needed to run the new system. After about three months of setup, everything has been completed and the system is finally stable. Because she is not very familiar with VoIP security, she attends a VoIP security seminar which she finds very informative. One interesting piece of information she learns of is that most VoIP phones are installed with an imbedded OS called VxWorks. This, she finds out, is also what the VoIP phone manufacturer installed on all her company’s new VoIP phones. Vicki also learns that there is a default remote debugger on all these phones that listens on a specific port in case a remote administrator needs to do some troubleshooting. Vicki sees this as a large security problem. Instead of going to each and every new phone to turn off this feature, she decides to block the necessary port on the firewall to save time. What port should Vicki block at the firewall so no external connections can be made directly to the VoIP phones? A. Vicki needs to block TCP port 17185 at the firewall to prevent the default debugger program from communicating outside the network. * B. She should block UDP port 21972 at the firewall to keep the remote debugging feature on the VoIP phones from being used. C. TCP port 9121 should be blocked at the firewall to keep anyone from using the remote admin debugging software. D. She needs to block any traffic on the firewall coming in on or going out on TCP port 4290. 50. Steven is the senior network administrator for Onkton Incorporated, an oil well drilling company in Oklahoma City. Steven and his team of IT technicians are in charge of keeping inventory for the entire company; including computers, software, and oil well equipment. To keep track of everything, Steven has decided to use RFID tags on their entire inventory so they can be scanned with either a wireless scanner or a handheld scanner. These RFID tags hold as much information as possible about the equipment they are attached to. When Steven purchased these tags, he made sure they were as state of the art as possible. One feature he really liked was the ability to disable RFID tags if necessary. This comes in very handy when the company actually sells oil drilling equipment to other companies. All Steven has to do is disable the

RFID tag on the sold equipment and it cannot give up any information that was previously stored on it. What technology allows Steven to disable the RFID tags once they are no longer needed? A. RFID Kill Switches built into the chips enable Steven to disable them. * B. The technology used to disable an RFIP chip after it is no longer needed, or possibly stolen, is called RSA Blocking. C. Newer RFID tags can be disabled by using Terminator Switches built into the chips. D. The company’s RFID tags can be disabled by Steven using Replaceable ROM technology. 51. Leonard is a systems administrator who has been tasked by his supervisor to slow down or lessen the amount of SPAM their company receives on a regular basis. SPAM being sent to company email addresses has become a large problem within the last year for them. Leonard starts by adding SPAM prevention software at the perimeter of the network. He then builds a black list, white list, turns on MX callbacks, and uses heuristics to stop the incoming SPAM. While these techniques help some, they do not prevent much of the SPAM from coming in. Leonard decides to use a technique where his mail server responds very slowly to outside connected mail servers by using multi-‐line SMTP responses. By responding slowly to SMTP connections, he hopes that SPAMMERS will see this and move on to easier and faster targets. What technique is Leonard trying to employ here to stop SPAM? A. He is using the technique called teergrubing to delay SMTP responses and hopefully stop SPAM. * B. This technique that Leonard is trying is referred to as using a Sender Policy Framework to aid in SPAM prevention. C. Leonard is trying to use the Transparent SMTP Proxy technique to stop incoming SPAM. D. To stop SPAM, Leonard is using the technique called Bayesian Content Filtering. 52. Jacob is the systems administrator for Haverson Incorporated, a food processing company in Boston. Jacob is responsible for all equipment on the network as well as network security. After attending the CEH class and passing the CEH test, Jacob wants to make some changes on the network to ensure network security. Since there are three company computers in a publicly accessible area, he wants to lock those machines down as much as possible. Jacob wants to make sure that no one can use USB flash drives on those computers; while still allowing USB mice and keyboards to work. What can Jacob do to prevent USB flash drives from working on these publicly available computers? (Select 2) A. Jacob needs to change the registry value to “4” at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor\Start * B. He needs to rename the files UsbStor.inf and UsbStor.pnf. * C. Jacob should delete the registry key at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Usbhub D. To disable USB drives, he should rename the USBFile.sys and StoreDrive.inf files. 53. Lyle is the network security analyst for his company, a large state agency in Florida. Lyle is responsible for ensuring the agency’s network security; including everything from mobile users to internal databases. Lyle has been charged with performing a security audit to comply with state regulations that were just passed. Lyle begins to test different aspects of the network, including the many Oracle databases that are utilized. Lyle finds out that the Oracle DBA created all of the databases with the simple create database command. After finding this out, Lyle is able to exploit the default user accounts that were created for these databases. What is the default user account created for Oracle databases when the create database command is used? A. The default user account created for Oracle databases is called OUTLN. *

B. Oracle creates the default user account DEFAULT when the create database command is used. C. SYSTEM is the default user account created in Oracle. D. The default account created when using the create database command on Oracle databases is called SYSOP. 54. John is the senior research security analyst for Terror Trends International, a research foundation that provides terrorism information to companies as well as governments. John and his team have been monitoring terrorist cyber traffic for over eight years now and have noticed an interesting trend. Through translated bulletin posts and intercepted email communications, they have seen terrorist and extremist groups use less conventional means of communication on the Internet. They appear to be using technologies like social-‐networking sites, eBay, and even environments like Second Life. By using these new communication methods, it has made the job of John and his research team much harder. What are these Internet communication environments referred to? A. These are called Web 2.0 environments. * B. These environments are often referred to as Internet2. C. These collaborative areas on the Internet are called Centrix environments. D. Environments such as these used by terrorists and common people alike are called Symbiotic Networks. 55. Stephan is the senior security analyst for NATO, currently working out of Amsterdam. Stephan has been assigned to research terrorist activities, specifically cyber Jihad. Stephan was recently given a computer that was seized from a terrorist cell in London. After breaking through the disk encryption, Stephan and his team were able to read files and their contents on the computer. Stephan found a copy of Mujahedeen Secrets 2 in a hidden folder that the terrorists were apparently using to hide their communications on the Internet. Unfortunately, the other files used by the application were not in that same directory. What file should Stephan look for on the computer if he wants to find the file that stores all the keys used by Mujahedeen Secrets 2? A. Stephan needs to look for AsrarKeys.db on the computer. * B. To find the file used by Mujahedeen Secrets 2 to store keys, Stephan should look for KeyFob.db. C. He should search on the computer for Secrets2.db. D. Stephan and his team need look for the file LockedAsrar.db on the computer. 56. Frederick is a security research analyst for the Department of Defense. Frederick was recently assigned to the cyber defense unit based in Washington D.C. He has been researching terrorist activity online through bulletin boards, social networking sites, and other extremist websites. One of Frederick’s colleagues was able to obtain a copy of Mujahedeen Secrets 2 for him to check out. When Frederick’s boss hears of this, he tells Frederick he wants to be briefed on every aspect of the software within 2 days. Since the help file was in Arabic, Frederick had to translate the 60 some odd pages which took him over 6 hours. By the time that his boss’ briefing came around, Frederick was only able to research and look through half of the application. Frederick’s boss asks him specifically about the File Shredder module of the software; which Frederick was not able to research. Frederick’s boss wants to know what the maximum number of passes the program uses when deleting files from a computer. What should Frederick’s answer be? A. Mujahedeen Secrets 2 can be set to make a maximum number of 10 passes over a file to delete it from a computer. * B. Frederick should tell his boss that the application can make a maximum number of 99 passes to delete a file. C. This application is able to make a maximum number of 5 passes over a file to completely delete it from a computer.

D. Frederick should reply by saying that the application can make a maximum number of 299 passes. 57. Jacob is the network administrator for Richardson Electric, a heating and air conditioning company based out of Wichita. Jacob is responsible for the entire corporate network, including its security. Jacob has recently been receiving numerous calls from users stating that they receive pop-‐ups all the time. These users’ computers are all running Windows XP SP2. Jacob checks their Internet Explorer settings and the pop-‐up blocker is on for every machine. Jacob decides to install a couple of other free browsers that have pop-‐up blockers, and the computers still receive numerous pop-‐ups. Jacob downloads free spyware and adware removal software to scan these computers. The scans return no results, and the computers are still getting numerous pop-‐ups. Jacob does not have any money in his budget to buy any commercial products to stop this issue. What no-‐cost setting could Jacob make to stop pop-‐ups on these computers? A. Jacob can edit the hosts file on these computers by adding the addresses of these pop-‐up sites and pointing them to 127.0.0.1. * B. He can manually add the registry key of “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BlockPopups” with a value of “1”. C. To block pop-‐ups, he can edit the hosts file on these computers and add entries for the pop-‐up sites and point them to the broadcast address for their particular subnet. D. Jacob can modify the Windows Firewall settings on these computers to block pop-‐ups. 58. Natalie is the IT security administrator for Sheridan Group, an investment company based in Detroit. Natalie has been getting reports from the help desk that users are having issues when they go to a particular vendor’s website; a company that sells paper. They report strange browser behavior such as pop-‐ups, browser redirection, and so on. These users also state they have been getting SPAM related to paper products, similar to those being provided by the vendor. Natalie scans these computers for viruses, adware, and spyware and turns up nothing. Natalie has one of these users navigate to the vendor’s website and sees the odd browser behavior. Natalie decides to take a look at the source code of that website to see if she can pull out anything of use. Natalie finds many places in the source code referring to a jpg file that is only one pixel in height and one pixel in width. What has Natalie discovered here in the source code? A. Natalie has discovered Web Bugs in the source code. * B. She has found hidden Form Fields in the source code of the vendor’s website. C. She has discovered an apparent use of stegonagraphy in the source code. D. This type of code is indicative of a Web Virus. 59. Michelle is a CPA working in the Accounting department for Beyerton & Associates. Michelle works on a Windows XP SP2 computer. Michelle’s daily duties take up about 6 hours out of her 8 hour workday. This leaves her about 2 hours a day where she can surf the Internet. Michelle goes to Myspace.com quite a bit during this free time to stay in touch with friends. After a new IT policy is implemented, sites like Myspace are blocked so users cannot get to them. The IT department is using an Internet filter to block specific websites such as Myspace. Michelle really wants to go to Myspace to stay in touch with the people she knows, even though it is now prohibited by an IT policy. What could Michelle do to still gain access to Myspace.com? A. Michelle can use Proxify.net to navigate to Myspace. * B. Michelle can edit her local hosts file to get around the Internet filter. C. She can navigate to Redirect.com to serve as a proxy; letting her navigate to Myspace. D. She can turn off Windows Firewall on her computer.

60. Bonnie is an IT security consultant currently working out of her home. She is able to perform much of her job through her home network when performing external footprinting, scanning, and pen testing. Bonnie has a number of computers running on different operating systems from Windows XP SP2 to Fedora. She uses two desktops that run as servers for her home network; handing out DHCP numbers, performing DNS lookups, and so on. Bonnie also utilizes an IDS to watch any traffic that might try to get into her network. One day, Bonnie sees some odd traffic trying to connect to her internal computers. Bonnie decides to download and install NetDefender on her Windows computers to block malicious traffic. All of her Windows computers are running Windows XP SP2 with the default install. Bonnie tries to start NetDefender, but receives an error that it cannot start. Why can’t Bonnie get NetDefender to start on her Windows computers? A. She needs to stop the Windows firewall before starting NetDefender. * B. She cannot start NetDefender because the computers are getting dynamic IPs. C. To get NetDefender to work properly, Bonnie needs to allow TCP port 559 in the Windows firewall settings. D. She cannot get NetDefender to work because it is only meant to run on Linux-‐based computers. 61. You are the CIO for Avantes Finance International, a global finance company based in Geneva. You are responsible for network functions and logical security throughout the entire corporation. Your company has over 250 servers running Windows Server, 5000 workstations running Windows Vista, and 200 mobile users working from laptops on Windows XP. Last week, 10 of your company’s laptops were stolen from salesmen while at a conference in Amsterdam. These laptops contained proprietary company information. While doing damage assessment on the possible public relations nightmare this may become, a news story leaks about the stolen laptops and also that sensitive information from those computers was posted to a blog online. What built-‐in Windows feature could you have implemented to protect the sensitive information on these laptops? A. You could have implemented Encrypted File System (EFS) to encrypt the sensitive files on the laptops. * B. You should have used 3DES which is built into Windows. C. If you would have implemented Pretty Good Privacy (PGP) which is built into Windows, the sensitive information on the laptops would not have leaked out. D. You should have utilized the built-‐in feature of Distributed File System (DFS) to protect the sensitive information on the laptops. 62. Tommy is the systems administrator for his company, a large law firm based in New York City. Since Tommy’s company employs many telecommuters and mobile users, he has to administer over 100 laptops. Due to laptop theft within the last couple of years, Tommy has convinced management to purchase PAL PC Tracker to install on all company laptops. Tommy chose this software because of its ability to track equipment and its ability to notify administrators if the laptop has been stolen. What method is used by PAL PC Tracker to notify administrators of a laptop’s location? A. PAL PC Tracker can send stealth email to a predetermined address whenever a tracked computer is connected to the Internet. * B. This software sets off a loud alarm when sent a signal from an administrator, alerting anyone in the vicinity of the laptop. C. PAL PC Tracker sends a page to a predetermined phone number through any wireless signal it can find. D. When a laptop is classified as missing or stolen, PAL PC Tracker will send HTTP messages to a predetermined website when the equipment is connected to the Internet.

63. Shayla is an It security consultant, specializing in social engineering and external penetration tests. Shayla has been hired on by Treks Avionics, a subcontractor for the Department of Defense. Shayla has been given authority to perform any and all tests necessary to audit the company’s network security. No employees for the company, other than the IT director, know about Shayla’s work she will be doing. Shayla’s first step is to obtain a list of employees through company website contact pages. Then she befriends a female employee of the company through an online chat website. After meeting with the female employee numerous times, Shayla is able to gain her trust and they become friends. One day, Shayla steals the employee’s access badge and uses it to gain unauthorized access to the Treks Avionics offices. What type of insider threat would Shayla be considered? A. She would be considered an Insider Affiliate. * B. Because she does not have any legal access herself, Shayla would be considered an Outside Affiliate. C. Shayla is an Insider Associate since she has befriended an actual employee. D. Since Shayla obtained access with a legitimate company badge; she would be considered a Pure Insider. 64. Lori is a certified ethical hacker as well as a certified hacking forensics investigator working as an IT security consultant. Lori has been hired on by Kiley Innovators, a large marketing firm that recently underwent a string of thefts and corporate espionage incidents. Lori is told that a rival marketing company came out with an exact duplicate product right before Kiley Innovators was about to release it. The executive team believes that an employee is leaking information to the rival company. Lori questions all employees, reviews server logs, and firewall logs; after which she finds nothing. Lori is then given permission to search through the corporate email system. She searches by email being sent to and sent from the rival marketing company. She finds one employee that appears to be sending very large email to this other marketing company, even though they should have no reason to be communicating with them. Lori tracks down the actual emails sent and upon opening them, only finds picture files attached to them. These files seem perfectly harmless, usually containing some kind of joke. Lori decides to use some special software to further examine the pictures and finds that each one had hidden text that was stored in each picture. What technique was used by the Kiley Innovators employee to send information to the rival marketing company? A. The employee used steganography to hide information in the picture attachments. * B. The Kiley Innovators employee used cryptography to hide the information in the emails sent. C. The method used by the employee to hide the information was logical watermarking. D. By using the pictures to hide information, the employee utilized picture fuzzing. 65. Tarik is the systems administrator for Qwerty International, a computer parts manufacturing company in San Francisco. Tarik just passed his certified ethical hacker test and now wants to implement many of the things he learned in class. The first project that Tarik completes is to create IT security policies that cover everything security related from logical to physical. Through management approval, all employees must sign and agree to the policies or face disciplinary action. One policy in particular, network file access, is of importance to Tarik and his superiors because of past incidents where employees accessed unauthorized documents. Tarik has fine-‐tuned the ACL’s to where no one can access information outside of their department’s network folder. To catch anyone that might attempt to access unauthorized files or folders, Tarik creates a folder in the root of the network file share. Tarik names this folder “HR-‐Do Not Open”. In this folder, Tarik creates many fake HR documents referring to personal information of employees that do not exist. In each document, he places headers and footers that read “Do Not Print or Save”. Then Tarik sets up logging and monitoring to see if anyone accesses the folder and its contents. After only one week, Tarik records two separate employees opening the fake HR files, printing them, and saving them to their personal directories. What has Tarik set up here to catch employees accessing unauthorized documents?

A. Tarik has set up a Honeytoken to catch employees accessing unauthorized files. * B. He has configured a Honeypot to log when employees access unauthorized files. C. Since this was set up on an internal network, this would be considered a Tar Pit. D. Tarik has configured a network Black Hole. 66. Marshall is the information security manager for his company. Marshall was just hired on two months ago after the last information security manager retired. Since the last manager did not implement or even write IT policies, Marshall has begun writing IT security policies to cover every conceivable aspect. Marshall’s supervisor has informed him that while most employees will be under one set of policies, ten other employees will be under another since they work on computers in publicly-‐accessible areas. Per his supervisor, Marshall has written two sets of policies. For the users working on publicly-‐accessible computers, their policies state that everything is forbidden. They are not allowed to browse the Internet or even use email. The only thing they can use is their work related applications like Word and Excel. What types of policies has Marshall written for the users working on computers in the publicly-‐accessible areas? A. He has written Paranoid policies for these users in public areas. * B. Marshall has created Prudent policies for the computer users in publicly-‐accessible areas. C. These types of policies would be considered Promiscuous policies. D. He has implemented Permissive policies for the users working on public computers. 67. Theresa is an IT security analyst working for the United Kingdom Internet Crimes Bureau in London. Theresa has been assigned to the software piracy division which focuses on taking down individual and organized groups that distribute copyrighted software illegally. Theresa and her division have been responsible for taking down over 2,000 FTP sites hosting copyrighted software. Theresa’s supervisor now wants her to focus on finding and taking down websites that host illegal pirated software. What are these sights called that Theresa has been tasked with taking down? A. These sites that host illegal copyrighted software are called Warez sites. * B. These sites that Theresa has been tasked to take down are called uTorrent sites. C. These websites are referred to as Dark Web sites. D. Websites that host illegal pirated versions of software are called Back Door sites. 68. You are the systems administrator for your company, a medium-‐sized state agency in Oregon. You are responsible for all workstations, servers, network equipment, and software. You have two junior IT staff that field help desk calls as their primary duty. Since you are on a limited budget, you have had to get by with outdated hardware and software for many years. After a small increase in your budget this year, you decide to purchase Microsoft Office 2007 for your agency. This software is licensed for only one copy; but you give it to your junior IT staff and tell them to install it on every computer in the agency. What have you asked your IT staff to install on all the computers in the agency? A. You have asked them to install abusive copies of the Office 2007 software. * B. You have instructed your IT staff to install pirated copies of Office 2007 on every computer. C. By installing one licensed copy, you are asking your staff to use cracked copies of Office 2007. D. Installing one licensed copy on many different computers is called using an OEM copy. 69. Calvin is the IT manager for Riverson & Associates, an advertising firm based out of Toronto. Calvin is responsible for all IT related situations. The firm’s marketing director has asked Calvin to purchase a graphics editing application to install on two computers in the marketing department. Calvin makes the purchase and receives the software in the mail one week later. Calvin installs the software on the two requested computers. When the marketing users try to use the software, it says they need to “Insert device

for validation”. Calvin calls the software company to find out what the issue is. Calvin thought there was a CD key that needed to be used on installation but the company’s support representative said there should have been a USB device included in the software box. Calvin looks through the software boxes and finds two USB devices. After plugging the devices into the computers in marketing, the graphics software works properly. What kind of license validation was used to make the graphics software work correctly? A. The software company used dongles to ensure license validation. * B. These USB devices are called hardware validators. C. The company used logic gates to ensure license validation. D. The USB devices the software required for license validation are called logic keys. 70. Harold is a software application developer for 24/7 Gaming Incorporated, an online gaming company that hosts over 25 online game environments. Harold has worked at the company for over 8 years and has risen up through the ranks. One day, Harold comes in to work and is informed that his position is being terminated in two weeks for budget reasons. Harold is furious because of all the time and effort he has invested in the company. Harold decides to get revenge so he implants some hacks into the code of one online game the company hosts. He tells his friends how to access the code; which lets them see through walls and other objects within the game while other players cannot. What type of exploit has Harold inserted into the online game? A. Harold has created a Wall Hack to allow his friends to see through walls and objects in the game. * B. He has inserted an Aimbot hack into the game giving his friends an unfair advantage over other players. C. Harold has hacked the online game by inserting a Cham hack into the environment. D. This type of code exploit is called Strafe-‐jumping. 71. Wesley is an IT technician working for Bonner-‐Riddel, a research foundation located in Lansing. Wesley works on both Windows and Linux-‐based machines, but enjoys tweaking and customizing open source applications more. Wesley has been using a Concurrent Versions System (CVS) to monitor the latest additions and revisions to source code he likes to work on. Wesley likes CVS but has issues when some items are partially checked-‐in. A colleague of his told him about another way to monitor source code; this method even tracks directory versioning. What monitoring method is Wesley’s colleague recommending? A. He is recommending that Wesley use Subversion Repositories for monitoring. * B. Wesley’s colleague is recommending that he use Granular Repositories for monitoring. C. His colleague has suggested Wesley use Reverse Zone Repositories. D. He is suggesting the use of Recursive Repositories. 72. Ralph is the network administrator for his company. As well as being responsible for the logical and physical network, he is in charge of logical and physical security. Ralph is currently performing a security audit of the company’s network, including its two internally-‐hosted websites. These websites utilize RSS feeds to update subscribers on current information. While performing his audit, Ralph is flagged to some irregular code in one of the website pages. What is the purpose of this code? A. This code is will log all keystrokes. * B. This JavaScript code will use a Web Bug to send information back to another server.

C. This code snippet will send a message to a server at 192.154.124.55 whenever the “escape” key is pressed. D. This bit of JavaScript code will place a specific image on every page of the RSS feed. 73. Steven is the help desk manager for Fortified Investors, an investment firm based in Boston. Steven is responsible for fielding all help desk calls from company employees. Steven is getting numerous calls from users stating that when they navigate to one of the company vendor’s websites, their Internet Explorer browser starts to behave abnormally by pulling up pop-‐ups and being redirected to other pages. All the users that have called Steven are using Internet Explorer for their browsers. Steven checks the source code of the vendor’s page and sees some odd scripts in the source code. The employees still need to access the vendor’s page to perform their work duties so Steven decides to download and install Firefox on these users’ computers. When browsing with Firefox, the users do not see any odd behavior on the website as before. Why are they not seeing the same odd behavior when browsing the vendor website with Firefox? A. They are not having issues because Firefox does not support VBScript and ActiveX. * B. The users are not experiencing the same issues with Firefox as with Internet Explorer because Firefox does not support JavaScript. C. Their new Firefox browsers are not showing the same odd behavior because Firefox does not support DHTML and XML. D. The vendor’s website is not displaying the same behavior because Firefox only supports HTML and DHTML. 74. Ryan is the network administrator for Hammerstein Incorporated, a sign manufacturing company in Chicago. Ryan holds certificates for certified ethical hacker and certified hacking forensics investigator. Ryan prefers to use Linux-‐based operating systems, but has to work on Windows computers for much of his work-‐related duties. Ryan also prefers to use Netscape Navigator on his Windows computers because he believes it is more secure than Internet Explorer. While reading a security-‐related article online one day, he reads that Netscape Navigator has an issue with improperly validating SSL sessions which worries him greatly. What add-‐on provided for Netscape Navigator could Ryan install that would alleviate this issue of not properly validating SSL sessions? A. Ryan can install the Personal Security Manager add-‐on for Netscape Navigator. * B. He needs to download and install the SSL Fixer add-‐on for Netscape Navigator. C. If Ryan installs the Safety Zone Navigator add-‐on, his Netscape Navigator browser will no longer improperly handle SSL sessions. D. Ryan should download and install the Session Manager add-‐on for Netscape Navigator. 75. Ursula is the systems administrator for GateTime Enterprises, a clock manufacturing company in Atlanta. Ursula is in charge of all network equipment as well as network security. Ursula has recently created a set of IT security policies which include an acceptable use policy that all employees must sign. Ursula wants to install software on a proxy server that will monitor all user Internet traffic, enable her to administer Internet policy settings in one place, and prevent avoidance of the new acceptable use policy. What kind of proxy server does Ursula want to implement? A. Ursula wants to implement an Intercepting Proxy server. * B. She wants to implement a Forced Proxy server. C. This would be considered a Split Proxy server since all Internet activity must pass through it. D. By funneling all Internet traffic through one server, she is implementing a Reverse Proxy server.

76. Travis is an administrative assistant to the executive director of Thuel Energy, an oil and gas company based in Oklahoma City. Travis has an IT degree, but was not able to get a technical job because of the competitive job market. Travis likes to surf the Internet at work when he has time. He likes to go to social networking sites to chat with friends and meet new people. Unfortunately, his company has recently enacted a computer use and acceptable use policy that prohibits employees from going to social networking sites. To further keep users from sites they should not go to, the IT department installs a proxy server that specifically blocks certain websites. Trying to outsmart the company policies, Travis installs a virtual machine on his computer and a proxy server on that virtual machine. Through the proxy on his own computer, he is able to get around the company’s Internet proxy and get to the websites he wants to. What type of proxy has Travis installed on his own computer? A. Travis has installed a Circumventor Proxy on his work computer. * B. He has installed a Transparent Proxy to bypass the company’s Internet policies. C. By installing a proxy on his own computer to bypass another proxy, Travis has implemented a Split Proxy. D. This would be considered a Reverse Proxy. 77. Stewart is an IT security analyst for his company. Stewart is responsible for network security of his entire company. Stewart also does a vast amount of security research when time permits. This research usually takes him to websites that might not have the safest content. Stewart decides to install Proxomitron on his computer for web filtering. This should help his browser remove banner ads, Java scripts, offsite images, flash animation, and other potentially harmful objects. What port must Stewart configure his browser to utilize in order to use Proxomitron? A. His browser must use the local port 8080 on his computer. * B. The local host browser must be configured to use 548 on his computer in order to function. C. The browser needs to use port 9000. D. It must be set to utilize port 10421. 78. Harold is the network administrator for Wintrex Systems, a software development company in Salt Lake City. Harold is responsible for all physical and logical network equipment. Wintrex Systems sells most of their products online, so they have a large retail-‐oriented website where customers can purchase anything the company offers. All company workstations are running Windows XP and all servers are running Windows Server 2003. For inventory and product management, Wintrex uses many SQL Server 2005 databases. Harold has been informed by the company’s CIO that he needs to implement some kind of protection for the corporate databases to prevent intrusions, SQL injection, data leakage, regulatory compliance, and so on. Harold is not too familiar with database software or protection, but is inclined to use a company like Symantec since they provide the company’s virus, backup, and IPS software. If Harold wants to use Symantec, what software product could he acquire from them that would serve his needs to protect the company’s SQL databases? A. He could use the Symantec Database Security solution that they provide. * B. Symantec provides a software package call SQL Protector that would perform all the tasks that Harold needs. C. He could install and use Symantec SQL Suite which would help Harold perform all the tasks the CIO has requested. D. He should use Symantec’s Data Guard Pro to protect the company’s data housed in the SQL databases. 79. Justin is an electrical engineer working for ZenWorks Navigation, a Global Positioning device manufacturing company based in Las Vegas. Justin and a team of other engineers are working on the latest GPS handheld system for the company. ZenWorks previously only produced GPS systems for airplanes, but

now wants to branch out to the individual consumer market. Currently, Justin is trying to work out errors the devices are experiencing in regards to four variables (latitude, longitude, altitude, and time) on the accuracy of a three-‐dimensional fix. Until this issue is resolved, the new devices cannot be finished. What GPS-‐related issue is Justin currently working on? A. Justin is working on the Geometric Dilution of Precision problem. * B. This issue would be considered a problem with the Local Area Augmentation System. C. When a GPS device is having issues with these four variables, it is considered a problem with the Wide Area Augmentation System. D. Justin is experiencing issues with the Signal to Noise Ratio. 80. Theo is an IT security consultant that was just hired on by the city of Seattle. Theo has been asked to map out free available wireless hotspots on a chart that will be published by the city. Theo has never mapped wireless hotspots over such a large range, so he buys software and GPS devices that he thinks will do the job. Theo buys two software programs, one for finding the hotspots and one to precisely locate his whereabouts on a city map. These two pieces of software will utilize two GPS devices. To run both these devices at the same time, Theo downloads and installs a GPS service daemon on his laptop running Windows XP SP2 so the GPS applications will not conflict with each other. When Theo opens both GPS programs, they say they cannot communicate with the GPS devices. What does Theo need to do to ensure the GPS applications can communicate with the GPS devices? A. Theo needs to open TCP port 2947 on the Windows firewall so they can communicate. * B. He should open TCP port 1699 on his local Windows firewall so the applications can talk to the devices. C. He needs to install the GPS daemon service on a Linux-‐based computer since it will not work on a Windows computer. D. UDP port 1121 needs to be open on his laptop’s Windows firewall. 81. Mary is a field service technician for Garmin which makes all kinds of GPS devices. Mary has been called out to a car rental company that purchased over 1000 GPS devices to be installed in their rental cars. Almost all the devices appear to be getting an error message when they are started up. Mary’s company has decided to send her out to the car rental company instead of them sending back every GPS device. When Mary gets to the company, she troubleshoots a number of the devices but cannot figure out what the issue is. She calls her company’s customer support line for some help. The service rep on the phone tells her to force the devices to perform a cold start. How can Mary force the devices to perform a cold start? A. She must hold the Page key down while the units are powering up. * B. Mary should hold the Mark key down until the units are forced to perform a cold start. C. Mary needs to hold the Enter key down until they reboot. D. She needs to hold down the Reset key for at least 20 seconds. 82. Darren is the network administrator for Greyson & Associates, a large law firm in Houston. Darren is responsible for all network functions as well as any digital forensics work that is needed. Darren is examining the firewall logs one morning and notices some unusual activity. He traces the activity target to one of the firm’s internal file servers and finds that many documents on that server were destroyed. After performing some calculations, Darren finds the damage to be around $75,000 worth of lost data. Darren decides that this incident should be handled and resolved within the same day of its discovery. What incident level would this situation be classified as? A. This situation would be classified as a mid-‐level incident. * B. Since there was over $50,000 worth of loss, this would be considered a high-‐level incident.

C. Because Darren has determined that this issue needs to be addressed in the same day it was discovered, this would be considered a low-‐level incident. D. This specific incident would be labeled as an immediate-‐level incident. 83. Lyle is the IT director for his company, a large food processing plant in North Carolina. After undergoing a disastrous incident last year where data was deleted by a hacker, Lyle has begun creating an incident response team made up of employees from varying departments. Lyle is now assigning different roles and responsibilities to the different team members. When handling computer-‐related incidents, which IT role should be responsible for recovery, containment, and prevention to constituents? A. The Network Administrator should be responsible for recovery, containment, and prevention. * B. Lyle should be responsible for these issues in computer-‐related incident handling. C. The CEO of the company should ultimately be responsible for these types of issues. D. The Security Administrator should be held responsible for recovery, containment, and prevention. 84. Pauline is the IT manager for Techworks, an online retailer based out of St. Louis. Pauline is in charge of 8 IT employees which include 3 developers. These developers have recently created a new checkout website that is supposed to be more secure than the one currently being used by the company. After numerous fraud attempts on the website, the company’s CIO decided that there needed to be a change; creating a more secure checkout portal that will check for potential fraud. This new portal checks for fraud by looking for multiple orders that are to be delivered to the same address but using different cards, different orders originating from the same IP address, credit card numbers vary by only a few digits, and users repeatedly submiting the same credit card numbers with different expiration dates. What fraud detection technique will the new retail portal be using? A. The portal will be using pattern detection to check for potential fraud. * B. The new site created by the developers will be using reverse lookup detection to see if fraud is involved. C. The developers have written the new portal to utilize round robin checking to see if visitors are attempting fraud. D. The new website portal will be using anomaly variance detection to look for fraud in transactions on the site. 85. Hanna is the network administrator for her company. Hanna is responsible for all network functions, including corporate email. Hanna receives a call from the Director of Administration one morning saying he cannot access one of his archive files. Hanna goes to the director’s office and tries to open the archive file from inside his Outlook 2003 client. The program says that she needs a password to open the file. Apparently, the director password protected the archive file without realizing it. What program could Hanna use to recover the archive password for the director? A. She could download and install PstPassword to recover the password of the archive file. * B. Outlook Revealer would be the best application to recover the password. C. Hanna could run ArchiveRestore to find the password for the archive file. D. She should use PwdRecover Toolset to retrieve the password for the archive file. 86. Heather is the network administrator for her company, a small medical billing company in Billings. Since the company handles personal information for thousands of clients, they must comply with HIPAA rules and regulations. Heather downloads all the HIPAA requirements for information security and begins an audit of the company. Heather finds out that many of the billing technicians have been sending sensitive information in PDF documents to outside companies. To protect this information, they have been password protecting the PDF documents. Heather has informed all the technicians that this method of protecting the

data is not safe enough. Why is using passwords to protect PDF documents not enough to safeguard against information leakage? A. This is not enough protection because PDF passwords can easily be cracked by many different software applications. * B. The technicians should not only rely on PDF passwords because the passwords are sent as an attached text file went sent through email. C. Since PDF password protection alone does not comply with SOX; they should not solely rely on them for protection. D. PDF passwords are not reliable because they are completely stripped off from the documents once they are passed through email. 87. You are the IT manager for a small investment firm in Los Angeles. Including you, the firm only employs a total of 20 people. You were hired on last month to take over the position of the last IT manager that was fired. The last manager did not have any security measures in place for the firm’s network; which led to a data breach. You have decided to purchase the Check Point firewall model Firewall-‐1 to help secure the network. You have chosen this particular firewall because of its adaptive and intelligent inspection technology that protects both the network and application layers. What built-‐in technology used by Check Point firewalls protects traffic on both the network and application layers? A. Check Point firewalls use the INSPECT technology. * B. They utilize built-‐in technology called SORT. C. You have chosen a Check Point firewall because of its adaptive STINGER technology. D. The built-‐in technology used by Check Point firewalls for traffic inspection is called SEARCH & DESTROY. 88. Dylan is the systems administrator for Intern Support Staffing, an IT staffing company in Oregon. All workstations on the company’s network are running Windows XP SP2 except for three laptops that run MAC OS X. Even though Dylan has setup and configured a hardware firewall for the company, a recent audit suggested he utilize application-‐level firewalls for all workstations and mobile computers. Dylan configures the Windows Firewall settings for the Windows computers. Dylan then downloads and installs Doorstop X Firewall onto the MAC laptops. After installation, none of the MAC laptops can connect to any other computers on the network. Why are these laptops not able to connect to other computers after Dylan installed Doorstop X Firewall? A. The laptops cannot connect because all TCP ports are protected by default when Doorstop X Firewall is installed. * B. They cannot make a connection because he needs to modify the firewall.conf file before they can use the software properly. C. Dylan needs to modify the local firewall.data files on all the MAC laptops before they can function properly. D. They cannot connect to other computers on the network because Dylan needs to install the “Network Services for MAC” piece on all the Windows workstations. 89. Geoffrey is the systems administrator for Veering Incorporated, a custom car manufacturer in California. Geoffrey administers the corporate Windows Server 2003 Active Directory network. He is also responsible for logical security. All computers are under one domain named veering.com. Geoffrey has organized all user accounts by placing them in an Organizational Unit (OU) named Company Users. He has also created another OU named Company Computers that contains all computer accounts. After implementing a strong password policy through Active Directory, the executive team tells Geoffrey the policy is too stringent for

them and they would like their own policy. How can Geoffrey apply a different policy to the members of the executive team? A. Geoffrey must create a new domain and move their user accounts to that domain. * B. He needs to move their user accounts to a different OU, create a new password policy for that OU, and deny the other policy from applying to that OU. C. Geoffrey needs to move their computer accounts to a different OU, create a new password policy for that OU, and deny the other policy from applying to that OU. D. He can create a WMI filter that keeps the current policy from applying to their machines. 90. Kevin is the systems administrator for Inktime International, an ink cartridge replacement company based out of New Orleans. Kevin has been told by his boss that he needs to change the password policy on the network. Users are apparently reusing passwords over and over and changing them immediately whenever IT resets their passwords for them. Kevin's boss doesn't want users to be able to change their passwords so often or be able to change their password right after IT resets their passwords. The company's network consists of one 2003 Active Directory domain. What password policy settings does Kevin need to adjust to accomplish what his boss has asked him to do? (Select 2) A. Kevin needs to adjust the "Minimum Password Age" setting. * B. He should change the "Enforce Password History" setting in the Group Policy settings module. * C. Kevin should adjust the "Maximum Password Age" Group Policy setting. D. To accomplish what his boss has asked, Kevin needs to adjust the "Enforce User Change at Next Logon" policy. 91. Charlie is the systems administrator for his company, an aeronautics engineering company based in Dallas. Charlie is responsible for the entire network which consists of one Server 2008 Active Directory domain. All user accounts are in respective department Organizational Units (OU) such as Accounting Users, HR Users, and so on. All computer accounts are in respective department OUs such as Accounting Computers, HR Computers, and so on. The user accounts for the company’s management team are all under the Management Users OU. The computer accounts for the company’s management team are all under the Management Computers OU. Charlie has assigned a fine-‐grained password policy to only the management team because they wanted a different password policy than the rest of the company. According to company policy, all user accounts must have a password expiration policy applied to them. The management team does not want to have to deal with changing their passwords often like the other users. What is the maximum password age that Charlie can set for the management team in a Server 2008 Active Directory domain? A. The maximum age of a password in 2008 is 999 days. * B. This is not possible since only one password policy can be set per domain in 2008. C. The maximum age for passwords that Charlie can set for the management team is 9999 days. D. He can adjust the password policy to allow for up to 99 days on password age. 92. Sherral is the systems administrator for Trigon Technologies, a software development company in Wichita. She oversees the entire network which consists of one Windows Server 2003 Active Directory domain. To accommodate 20 new mobile users, Sherral has enabled Challenge Handshake Authentication Protocol (CHAP) and remote access to let the remote users get into the network from the outside. After

applying these settings, Sherral receives calls from the remote users stating that they cannot authenticate with the network. What password policy change must she configure to allow the remote users access to the network? A. She must enable the “Store password using reversible encryption for all users in the domain” setting in the Default Domain Group Policy. * B. Sherral needs to disable the “Require Kerberos Authentication” setting in the Default Domain Group Policy. C. So that remote workers using CHAP can connect to an Active Directory domain, Sherral must enable the “Allow logon using CHAP” setting in the Default Domain Group Policy. D. To allow these new remote users access, she needs to enable the “Password must meet complexity requirements” setting. 93. Willem is the network administrator for his company, a toy manufacturing company in London. Willem manages the entire company’s network which consists of one Server 2003 Active Directory domain. Willem was hired on last month to replace the last administrator that retired. To Willem’s amazement, the company previously had no password policies in place. The CIO has just recently created new network policies which include a comprehensive password policy. This new password policy states that every password setting in group policy must be set. After implementing this new policy, many users are calling Willem and stating that they locked themselves out of their accounts. The CIO’s policy states that once a user locks him or herself out, they must wait a period of time until that account is unlocked. Willem has convinced the CIO to let him change that specific password policy so that Willem must manually unlock user accounts when they call. What setting must Willem adjust to ensure that user accounts must be manually reset by him when they are locked out? A. Willem should change the “Account Lockout Duration” setting to zero minutes. * B. He needs to adjust the “Account Lockout Duration” setting to 99,999 minutes. C. By setting the “Account Lockout Duration” policy to disabled, he will have to manually unlock every locked user account. D. William needs to change the “Account Lockout Threshold” to zero minutes. 94. Richard is the systems administrator for BillRight Incorporated, a medical billing company in Minneapolis. Richard is currently writing the company’s IT security policies. Based on instructions from the IT director, Richard has written the password policy to require complex passwords, passwords must be at least 8 characters, and user accounts will be locked out after 5 unsuccessful attempts to help prevent against brute force attacks. One of the IT policies also states that user computers must utilize a password protected screensaver that is activated after 20 minutes of inactivity. Richard wants the logon attempts to unlock a screensaver to apply towards the number of attempts that will lockout a user account if tried too many times. How can Richard apply this setting across the network if it is running under one Windows Server 2003 Active Directory domain? A. Richard needs to enable the “Interactive logon: Require Domain Controller authentication to unlock workstation” setting in Group Policy. * B. He should enable the “Domain Controller: Require screensaver authentication to unlock” setting. C. This can be set in Group Policy by enabling the “Interactive logon: Require local SAM authentication to unlock workstation” setting. D. Richard can apply this setting network-‐wide if he enables “Domain Controller: Authenticate workstation unlocking”.

95. Jerald is the systems administrator for his company. Jerald is responsible for all servers, workstations, and network security. Based on company policy, every available auditing feature is turned on for the network through Group Policy. Jerald comes in to work one morning and two of his Domain Controllers are completely shut down. Jerald boots the two machines up and checks their event logs. Then Jerald checks the firewall logs to see if anything stands out. From the event and firewall logs, it appears that a hacker was able to gain access to the two servers using an old unused service account that had a weak password. The hacker then was apparently able to generate millions of erroneous events in the server event logs which caused them to shut down. What setting does Jerald need to adjust to prevent this same issue from happening again? A. Jerald needs to disable the “Audit: Shut down system immediately if unable to log security audits” setting. * B. He should enable the “Domain member: Do not shut down system if unable to log events” setting. C. To prevent the servers from shutting down in the future, Jerald needs to disable logging on those two Domain Controllers. D. Jerald should enable the “Audit: Do not shut down system if events can no longer be logged” setting. 96. Raul is the network administrator for Davidson Pipe, an oil pipeline manufacturing company in San Antonio. Raul manages a team of 10 IT personnel which includes two software developers. The company network consists of one Windows Server 2003 Active Directory domain. These developers have recently created a custom inventory application that will run on one of the company’s servers and all the workstations. Raul has created a domain account on the network which will serve as the service account used by the new custom application. The developers have informed Raul that this service account will need to run as a process on client computers and will need to be able to use the identity of any user and access the resources authorized to that user. Raul wants to make one centralized setting change on the network to make sure the service account will work properly when running the application. What Group Policy setting can Raul edit to affect this change on the network? A. Raul needs to add the new service account to the list of users in the “Act as part of the operating system” Default Domain Group Policy. * B. He should add the new service account to the users list in the “Act as SYSTEM account on domain computers” Default Domain Group Policy. C. If he adds the new service account to the list of users in the “Impersonate a client after authentication” setting in the Default Domain Group Policy, the application will work properly. D. He needs to add this service account to the users list in the “Replace a process level token” Default Domain Group Policy. 97. Louis is the senior systems administrator for the University of Eastern Wyoming. Louis manages 25 IT technicians and junior systems administrators. The University’s network consists of one Windows Server 2003 Active Directory domain. All domain user accounts are contained in one Organizational Unit (OU) called Staff. All domain computer accounts are contained in one OU called Computer Accounts. Louis wants one of his junior systems administrators, Steven, to be able to add workstations to the domain. All computer accounts are added to the Computer Accounts OU by default when they are joined to the domain. Louis has given the “Add workstations to domain” permission to Steven’s user account, but he is still not able to add computer accounts to the domain. What else does Louis need to do to ensure that Steven can add computers to the domain? A. Louis needs to give Steven “Create computer objects” permission for the Computer Accounts OU. * B. To allow Steven the permission to add computers to the domain, Louis needs to make Steven a Domain Admin.

C. Steven needs the “Create nisMap Objects” permission for the Computer Accounts OU. D. Louis should give Steven the “Take ownership of” permission for the Computer Accounts OU. 98. Jayson is the network administrator for Consultants Galore, an IT consulting firm based in Kansas City. Jayson is responsible for the company’s entire network which consists of one Windows Server 2003 Active Directory domain. Almost all employees have Remote Desktop access to the servers so they can perform their work duties. Jayson has created a security group in Active Directory called “RDP Deny” which contains all the user accounts that should not have Remote Desktop permission to any of the servers. What Group Policy change can Jayson make to ensure that all users in the “RDP Deny” group cannot access the company servers through Remote Desktop? A. Jayson needs to add the “RDP Deny” group to the “Deny logon through Terminal Services” policy. * B. He should add the “RDP Deny” group to the “Deny RDP connections to member servers” policy. C. By adding the “RDP Deny” group to the “Deny logon as a service” policy, the users in that security group will not be able to establish remote connections to any of the servers. D. Jayson should add the “RDP Deny” group into the list of Restricted Groups to prevent the users from accessing servers remotely. 99. Phillip is the systems administrator for Photopia Incorporated, a camera manufacturing company in Des Moines. Phillip is responsible for the company’s entire network which consists of one 2003 Active Directory domain. Some computer accounts have been placed in a special Organizational Unit (OU) called Restricted Computer Accounts because those computers have been placed outside the firewall to allow for video conferencing. These computers are all running Windows XP SP2. These computers have very stringent group policies applied to them so they can be as secure as possible. In particular, the “Accounts: Administrator account status” setting in group policy is set to disabled. While performing a security audit, Phillip finds some hacking software on one of the computers in the Restricted Computer Accounts OU. He immediately takes that computer offline to keep it from infecting or contaminating any more computers. Phillip cannot logon to the computer as an administrator since the group policy was set to disable that account. How can Phillip logon to this computer as administrator if he must keep if offline? A. Phillip can logon as the administrator if he boots the computer in Safe Mode. * B. If Phillip runs the gpupdate command on the computer, he will be able to logon as the administrator. C. He needs to run the gpresult /force command on the computer. D. Phillip should boot the computer in VGA mode. 100. Lionel is an IT security consultant currently working on contract for a car manufacturing company in Philadelphia. Lionel has been brought in to asses the company’s network security state. This manufacturing company’s network is comprised of one 2003 Active Directory domain. He has been given permission to perform any and all necessary tests against the network. Lionel interviews the IT staff for the company to get a feel for the logical security measures they have already put in place. The IT manager for the company says that the biggest security precaution they have taken is to rename the administrator account on the network. The manager believes that this will keep any hackers from ever using the administrator account to perform attacks. Lionel informs the IT manager that while changing the administrator name is a good idea, the account can still possibly be cracked. How can an administrator account still be cracked even though the name has been changed? A. The SID for the administrator account does not change. * B. The administrator name will still be used if connecting through a NULL session. C. An administrator account can still be cracked because the GUI for that account does not change when the name itself is changed.

D. It can still be cracked since the name is still stored in clear text as “administrator” in the local SAM database.

asd

Documents

Transcript of asd