Endpoint Security (ESec) Module 1 – 6 Group Exam Answers

Endpoint Security (ESec) Module 1 – 6 Group Exam Answers (Module Group Exam 1)

1. The employees in a company receive an email stating that the account password will expire immediately and requires a password reset within 5 minutes. Which statement would classify this email?

  • It is a DDoS attack.
  • It is an impersonation attack.
  • It is a hoax.
  • It is a piggy-back attack.

Explanation: Social engineering uses several different tactics to gain information from victims.

2. What type of attack targets an SQL database using the input field of a user?

  • XML injection
  • buffer overflow
  • Cross-site scripting
  • SQL injection

Explanation: A criminal can insert a malicious SQL statement in an entry field on a website where the system does not filter the user input correctly.

3. A cyber criminal sends a series of maliciously formatted packets to the database server. The server cannot parse the packets and the event causes the server to crash. What is the type of attack the cyber criminal launches?

  • SQL injection
  • packet injection
  • man-in-the-middle
  • DoS

Explanation: A cybersecurity specialist needs to be familiar with the characteristics of the different types of malware and attacks that threaten an organization.

4. What three best practices can help defend against social engineering attacks? (Choose three.)

  • Resist the urge to click on enticing web links.
  • Add more security guards.
  • Deploy well-designed firewall appliances.
  • Educate employees regarding policies.
  • Enable a policy that states that the IT department should supply information over the phone only to managers.
  • Do not provide password resets in a chat window.

Explanation: A cybersecurity specialist must be aware of the technologies and measures that are used as countermeasures to protect the organization from threats and vulnerabilities.

5. Match the type of cyberattackers to the description.

Explanation: Place the options in the following order:

  • Hacktivists: Make political statements in order to create an awareness of issues that are important to them
  • Vulnerability brokers: Discover exploits and report them to vendors
  • State-sponsored attackers: Gather intelligence or commit sabotage on specific goals on behalf of their government

6. What is the first line of defense to protect a device from improper access control?

  • end user license agreement (EULA)
  • encryption
  • passwords
  • shredding

Explanation: Improper access control is a common data loss vector. Passwords are the first line of defense because stolen or weak passwords provide a threat actor access to machines and data on the network.

7. A security service company is conducting an audit in several risk areas within a major corporate client. What attack or data loss vector term would be used to describe providing access to corporate data by gaining access to stolen or weak passwords?

  • an internal threat
  • hard copy
  • improper access control
  • unencrypted devices

Explanation: Improper access control allows the exploitation of stolen or weak passwords to gain access to corporate data.

8. A social media site is describing a security breach in a sensitive branch of a national bank. In the post, it refers to a vulnerability. What statement describes that term?

  • The likelihood that a particular threat will exploit a vulnerability of an asset and result in an undesirable consequence.
  • A weakness in a system or its design that could be exploited by a threat.
  • The actions that are taken to protect assets by mitigating a threat or reducing risk.
  • The potential damage to the organization that is caused by the threat.

Explanation: Review terms and descriptions from module 2.

9. Which three IPv4 header fields have no equivalent in an IPv6 header? (Choose three.)

  • TTL
  • fragment offset
  • version
  • identification
  • protocol
  • flag

Explanation: Unlike IPv4, IPv6 routers do not perform fragmentation. Therefore, all three fields supporting fragmentation in the IPv4 header are removed and have no equivalent in the IPv6 header. These three fields are fragment offset, flag, and identification. IPv6 does support host packet fragmentation through the use of extension headers, which are not part of the IPv6 header.

10. What kind of ICMP message can be used by threat actors to create a man-in-the-middle attack?

  • ICMP redirects
  • ICMP unreachable
  • ICMP echo request
  • ICMP mask reply

Explanation: Common ICMP messages of interest to threat actors include the following:

  • ICMP echo request and echo reply: used to perform host verification and DoS attacks
  • ICMP unreachable: used to perform network reconnaissance and scanning attacks
  • ICMP mask reply: used to map an internal IP network
  • ICMP redirects: used to lure a target host into sending all traffic through a compromised device and create a man-in-the-middle attack
  • ICMP router discovery: used to inject bogus route entries into the routing table of a target host

11. Which term describes a field in the IPv4 packet header used to detect corruption in the IPv4 header?

  • version
  • header checksum
  • protocol
  • destination IPv4 address

Explanation: The header checksum is used to determine if any errors have been introduced during transmission.

12. Which type of network attack involves randomly opening many Telnet requests to a router and results in a valid network administrator not being able to access the device?

  • man-in-the-middle
  • spoofing
  • SYN flooding
  • DNS poisoning

Explanation: The TCP SYN Flood attack exploits the TCP three-way handshake. The threat actor continually sends TCP SYN session request packets with a randomly spoofed source IP address to an intended target. The target device replies with a TCP SYN-ACK packet to the spoofed IP address and waits for a TCP ACK packet. Those responses never arrive. Eventually the target host is overwhelmed with half-open TCP connections and denies TCP services.

13. Match the attack to the definition.

Explanation: Place the options in the following order:

  • Resource utilization attack: Attacker sends multiple packets that consume server resources
  • Cache poisoning: Attacker sends falsified information to redirect users to malicious sites
  • Amplification and reflection: Attacker uses open resolvers to increase the volume of attacks and mask the true source of the attack

14. How do cybercriminals make use of a malicious iFrame?

  • The attacker embeds malicious content in business appropriate files.
  • The iFrame allows the browser to load a web page from another source.
  • The attacker redirects traffic to an incorrect DNS server.
  • The iFrame allows multiple DNS subdomains to be used.

Explanation: An inline frame or iFrame is an HTML element that allows the browser to load a different web page from another source.

15. Which risk management plan involves discontinuing an activity that creates a risk?

  • risk retention
  • risk avoidance
  • risk sharing
  • risk reduction

Explanation: During a risk assessment it may be determined that an activity involves more risk than benefit. In such a situation an organization may decide to avoid the risk altogether by discontinuing the activity. This is known as risk avoidance.

16. Which security measure is best used to limit the success of a reconnaissance attack from within a campus area network?

  • Implement encryption for sensitive traffic.
  • Implement restrictions on the use of ICMP echo-reply messages.
  • Implement access lists on the border router.
  • Implement a firewall at the edge of the network.

Explanation: The implementation of an access list may provide extra security by permitting or denying a flow of traffic, but it will not provide a direct response to limit the success of the attack. The implementation of a firewall on the network edge may prevent reconnaissance attacks from the Internet, but attacks from within the local network are not prevented. By implementing restrictions on the sending of ICMP echo-reply messages within a local network, devices may not respond to ping messages, but port scans are not prevented and clear-text data sent on the network is still vulnerable. The best security measure is to encrypt as much network traffic as possible, both user data and network management traffic.

17. What are the two methods that a wireless NIC can use to discover an AP? (Choose two.)

  • sending a multicast frame
  • initiating a three-way handshake
  • receiving a broadcast beacon frame
  • sending an ARP request broadcast
  • transmitting a probe request

Explanation: Two methods can be used by a wireless device to discover and register with an access point: passive mode and active mode. In passive mode, the AP sends a broadcast beacon frame that contains the SSID and other wireless settings. In active mode, the wireless device must be manually configured for the SSID, and then the device broadcasts a probe request.

18. A network administrator of a small advertising company is configuring WLAN security by using the WPA2 PSK method. Which credential do office users need in order to connect their laptops to the WLAN?

  • the company username and password through Active Directory service
  • a user passphrase
  • a username and password configured on the AP
  • a key that matches the key on the AP

Explanation: When a WLAN is configured with WPA2 PSK, wireless users must know the pre-shared key to associate and authenticate with the AP.

19. Which combination of WLAN authentication and encryption is recommended as a best practice for home users?

  • WEP and RC4
  • WPA and PSK
  • WPA2 and AES
  • EAP and AES
  • WEP and TKIP

Explanation: WPA2 is the Wi-Fi Alliance version of 802.11i, the industry standard for authentication. Neither WEP nor WPA possesses the level of authentication provided by WPA2. AES aligns with WPA2 as an encryption standard and is stronger than TKIP or RC4. PSK refers to pre-shared passwords, an authentication method that can be used by either WPA or WPA2. EAP is intended for use with enterprise networks that use a RADIUS server.

20. A user calls the help desk complaining that the password to access the wireless network has changed without warning. The user is allowed to change the password, but an hour later, the same thing occurs. What might be happening in this situation?

  • rogue access point
  • user laptop
  • user error
  • password policy
  • weak password

Explanation: Man-in-the-middle attacks are a threat that results in lost credentials and data. These types of attacks can occur for different reasons, including traffic sniffing.

21. Which statement describes one of the rules that govern interface behavior in the context of implementing a zone-based policy firewall configuration?

  • An administrator can assign interfaces to zones, regardless of whether the zone has been configured.
  • An administrator can assign an interface to multiple security zones.
  • By default, traffic is allowed to flow between a zone member interface and any interface that is not a zone member.
  • By default, traffic is allowed to flow among interfaces that are members of the same zone.

Explanation: An interface can belong to only one zone. Creating a zone is the first step in configuring a zone-based policy firewall. A zone cannot be assigned to an interface if the zone has not been created. Traffic can never flow between an interface that is assigned to a zone and an interface that has not been assigned to a zone.

22. What is an IPS signature?

  • It is a security script that is used to detect unknown threats.
  • It is the timestamp that is applied to logged security events and alarms.
  • It is a set of rules used to detect typical intrusive activity.
  • It is the authorization that is required to implement a security policy.

Explanation: An IPS signature uniquely identifies specific malware, protocol anomalies, or malicious traffic. IPS sensors are tuned to look for matching signatures or abnormal traffic patterns. IPS signatures are conceptually similar to the virus.dat file used by virus scanners.

23. Which statement describes a VPN?

  • VPNs use open source virtualization software to create the tunnel through the Internet.
  • VPNs use dedicated physical connections to transfer data between remote users.
  • VPNs use logical connections to create public networks through the Internet.
  • VPNs use virtual connections to create a private network through a public network.

Explanation: A VPN is a private network that is created over a public network. Instead of using dedicated physical connections, a VPN uses virtual connections routed through a public network between two network devices.

24. What is a function of SNMP?

  • provides statistical analysis on packets flowing through a Cisco router or multilayer switch
  • synchronizes the time across all devices on the network
  • captures packets entering and exiting the network interface card
  • provides a message format for communication between network device managers and agents

Explanation: SNMP is an application layer protocol that allows administrators to manage devices on the network by providing a messaging format for communication between network device managers and agents.
