A virus that attempts to install itself inside of the file it is infecting is called?

Polymorphic virus

Tunneling virus

Stealth virus

Cavity virus

Answer: D

You are a security officer of a company. You had an alert from IDS that indicate one PC on your Intranet
connected to a blacklisted IP address(C2 Server) on the Internet. The IP address was blacklisted just
before of the alert. You are starting investigation to know the severity of situation roughly. Which of the
following is appropriate to analyze?

IDS log

Event logs on the PC

Event logs on domain controller

Internet Firewall/Proxy log (Answer: D)TBC

Firewalls are the software or hardware systems that are able to control and monitor
the traffic coming in and out the target network based on pre-defined set of rules.
Which of the following types of firewalls can protect against SQL injection
attacks?

Web application firewall

Packet firewall

Stateful firewall

Data-driven firewall

Answer: A
A hacker is an intelligent individual with excellent computer skills that grant them the ability to explore a
computer’s software and hardware without the owner’s permission. Their intention can either be to
simply gain knowledge or to illegally make changes.
Which of the following class of hacker refers to individual who work both offensively and defensively at
various times?

Gray Hat

Black Hat

Suicide Hacker

White Hat

Answer: A

Which of the following is considered as one of the most reliable forms of TCP scanning?

NULL Scan

Half-open Scan

TCP Connect / Full Open Scan

Xmas Scan

Answer: C

Which of the following Secure Hashing Algorithm (SHA) produces a 160-bit digest from a message with a
maximum length of (264 − 1) bits, and resembles the MD5 algorithm?

SHA-2

SHA-1

SHA-3

SHA-0

Answer: B
Which of the following scanning method splits the TCP header into several packets and makes it difficult
for packet filters to detect the purpose of the packet?

IPID scanning

ICMP Echo scanning

ACK flag probe scanning

SYN/FIN scanning using IP fragments

Answer: D

An unauthorized individual enters a building following an employee through the employee entrance after
the lunch rush. What type of breach has the individual just performed?

Announced

Piggybacking

Reverse Social Engineering

Tailgating (Answer: D)

Provided this log, What sentences are true?

Mar 1, 2016, 7:33:28 AM 10.240.250.23 - 54373 10.249.253.15 - 22 tcp_ip

Application is SSH and 10.240.250.23 is the server and 10.249.253.15 is the client.

SSH communications are encrypted it’s impossible to know who is the client or the
server.

Application is FTP and 10.240.250.23 is the client and 10.249.253.15 is the server.

Application is SSH and 10.240.250.23 is the client and 10.249.253.15 is the server.

Answer: B
Which Nmap option would you use if you were not concerned about being detected and wanted to
perform a very fast scan?

-T0

-O

-T5

-A (Answer: C)

Security Policy is a definition of what it means to be secure for a system, organization or other
entity. For Information Technologies, there are sub-policies like; Computer Security Policy,
Information Protection Policy, Information Security Policy, Network Security Policy, Physical
Security Policy, Remote Access Policy, User Account Policy.

What is main theme of the sub-policies for Information Technologies?

Authenticity, Confidentiality, Integrity

Confidentiality, Integrity, Availability

Availability, Non-repudiation, Confidentiality

Authenticity, Integrity, Non-repudiation

Answer: B

You perform a scan of your company's network and discover that TCP port 123 is open. What services
by default run on TCP port 123?

POP3

Telnet

DNS

Network Time Protocol

Answer: D
Steve, a scientist which works in a governmental security agency, developed a technological
solution to identify people based on walking patterns, and implemented this approach to a
physical control access.
A camera captures people walking and identifies the individuals using Steve's approach.
After that, people must approximate their RFID badges.Both identification are required to open
the door.
In this case, we can say:

Although the approach has two phases, it actually implements just one authentication factor

The solution implements the two authentication factors: physical object and physical characteristic

Biological motion cannot be used to identify people

The solution will have a high level of false positives

Answer: D (TBC)

Which one of the following options represents a conceptual characteristic of an anomaly-based IDS over
a signature-based IDS?

Produces less false positives

Requires vendor updates for new threats

Can identify unknown attacks

Cannot deal with encrypted network traffic

Answer(C ) TBC

In Wireshark, the packet bytes panes shows the data of the current packet in which format?

Binary

ASCII only

Hexadecimal

Decimal

Answer ( C )
An attacker, using a rogue wireless AP, performed a MITM attack and injected a HTML code to
embed a malicious applet in all HTTP connections. When users accessed any page, the applet ran
and exploited many machines.
Which one of the following tools the hacker probably used to inject HTML code?

Wireshark

Tcpdump

Aircrack-ng

Ettercap

Answer (D)

"You are working as a Security Analyst in a Company XYZ . XYZ owns the whole Subnet
range of 23.0.0.0/8 and 192.168.0.0/8.

While monitoring the Data you find a high number of outbound connections. You see that IP's
Owned by XYZ(Internal) and Private IP's are communicating to a Single Public IP. Therefore
the Internal IP's are Sending data to the Public IP.

After further analysis you find out that this Public IP is a blacklisted IP and the internal
communicating Devices are compromised.

What kind of attack does the above scenario depict ?"

Botnet Attack

Spear Phishing Attack

Rootkit Attack

Advanced Persistent Threats

Answer (A)

What is the least important information when you analyse a public IP address in a security alert?

Geolocation
 DNS

ARP

Whois

Answer( D)

Bob, a system administrator at TPNQM SA, concluded one day that a DMZ is not needed if he
configure properly the firewall to allow access just to servers/ports which can have direct internet
access, and block the access to workstations.
Bob also concluded that DMZ really makes sense just when a stateful firewall is available, which
is not the case of TPNQM SA.
In this context, what you can say?

Bob is partially right. He doesn't need to separate networks if he can create rules by destination
IPs, one by one.

Bob is partially right. Actually, DMZ doesn't make sense when a stateless firewall is available.

Bob is totally wrong. DMZ is always relevant when the company has internet servers and
workstations.

Bob can be right, DMZ doesn't make sense combined with stateless firewalls.

Answer: (C ) TBC

An attacker scans a host with the below command. Which three flags are set?
# nmap -sX host.domain.com

This is SYN scan. SYN flag is set.

This is Xmas scan. URG, PUSH and FIN are set.

This is ACK scan. ACK flag is set.

This is Xmas scan. SYN and ACK flags are set.

Answer: B
Which of the following act requires employers standard national numbers to identify them on standard
transactions?

HIPAA

SOX

DMCA

PCI-DSS

Answer: A

Which of the following bluetooth hacking techniques attacker uses to send messages to users without the
recipient's consent, similar to email spamming?

BlueSniffing

Bluesmacking

Bluejacking

Bluesnarfing

Answer: C

Which of the following cryptography attack is an understatement for the extraction of

cryptographic secrets (e.g. the password to an encrypted file) from a person by
coercion or torture?

Ciphertext-only Attack

Timing Attack

Rubber Hose Attack

 Chosen-Cipher text Attack
Answer: C

What type of a vulnerability/attack is it when the malicious person forces the user's
browser to send an authenticated request to a server?

Cross-site request forgery

Server side request forgery

Cross-site scripting

Session hijacking
Answer: A

Code injection is a form of attack in which a malicious user:

Gets the server to execute arbitrary code using a buffer overflow.

Inserts additional code into the JavaScript running in the browser.

Gains access to the codebase on the server and inserts new code.

Inserts text into a data field that gets interpreted as code.

Answer: D

When conducting a penetration test it is crucial to use all means to get all available
information about the target network. One of the ways to do that is by sniffing the
network.Which of the following cannot be performed by the passive network sniffing?

Identifying operating systems, services, protocols and devices

Collecting unencrypted information about usernames and passwords

Capturing a network traffic for further analysis

Modifying and replaying captured network traffic

Answer D (TBC)

You are attempting to run a Nmap portscan on a web server. Which of the following
commands would result in a scan of common ports with the least amount of noise in
order to evade an IDS?

nmap -sP -p-65535 -T5

nmap -A --host-timeout 99 -T1

nmap -sT -O -T0

nmap -A - Pn

Answer: C

The collection of potentially actionable, overt, and publicly available information is

known as

Social intelligence

Human intelligence

Real intelligence

Open-source intelligence

Answer: D

During the process of encryption and decryption, what keys are shared?

Private keys

User passwords

Public keys

Public and private keys

Answer: C (TBV)

Which one of the following approaches are commonly used to automatically detect host
intrusions?

The host's network interface use

System CPU utilization

Network traffic analysis

File checksums

Answer: D

Bob finished a C programming course and created a small C application to monitor the network
traffic and to produce alerts when any origin sends "many" IP packets, based on the average
number of packets sent by all origins and using some thresholds.
In concept, the solution developed by Bob is actually:

A behavioural IDS

Just a network monitoring tool

A signature IDS

A hybrid IDS

Answer: D (TBC)

An attacker, using a rogue wireless AP, performed a MITM attack and injected a HTML code to
embed a malicious applet in all HTTP connections. When users accessed any page, the applet ran
and exploited many machines.
Which one of the following tools the hacker probably used to inject HTML code?

Wireshark
 Tcpdump

Aircrack-ng

Ettercap

Answer: D

What is purpose of a demilitarized zone on a network?

To scan all traffic coming through the DMZ to the internal network

To contain the network devices you wish to protect

To provide a place to put the honeypot

To only provide direct access to the nodes within the DMZ and protect the
network behind it

Answer: D

You are a security officer of a company. You had an alert from IDS that indicate one PC
on your Intranet connected to a blacklisted IP address(C2 Server) on the Internet. The
IP address was blacklisted just before of the alert. You are starting investigation to
know the severity of situation roughly. Which of the following is appropriate to analyze?

IDS log

Internet Firewall/Proxy log

Event logs on domain controller

Event logs on the PC

Answer: B
DNS cache snooping is a process of determining if the specified resource address present in the
DNS cache records. It may be useful during examination of the network to determine what
software update resources are used, thus discovering what software is installed.
What command is used to determine if the entry is present in DNS cache?

nslookup -norecursive update.antivirus.com

dns --snoop update.antivirus.com

dnsnooping -rt update.antivirus.com

nslookup -fullrecursive update.antivirus.com

Answer: A

What type of analysis is performed when an attacker has partial knowledge of inner-
workings of the the application?

White-box

Black-box

Grey-box

Announced
Answer: C

When you are performing a risk assessment you need to determine the potential
impacts if some of the critical business processes of the company interrupt its service.
What is the name of the process you need to determine those critical business?

Risk Mitigation

Disaster Recovery Planning (DRP)

Business Impact Analysis (BIA)

Emergency Plan Response (EPR)

Answer: C
An attacker scans a host with the below command. Which three flags are set?
# nmap -sX host.domain.com

This is ACK scan. ACK flag is set.

This is SYN scan. SYN flag is set.

This is Xmas scan. URG, PUSH and FIN are set.

This is Xmas scan. SYN and ACK flags are set.

Answer: C

You are looking for SQL injection vulnerability by sending special character to web
applications. Which of the following is most useful to quick validation?

Single quotation

Backslash

Double quotation

Semicolon

Answer: A

Why should the security analyst disable/remove unnecessary ISAPI filters?

To defend against social engineering attacks

To defend against jailbreaking

To defend against wireless attacks

To defend against webserver attacks

Standard Range (ft)

802.11a 150-150
802.11b 150-150
802.11g 150-150
802.16 (WiMax) 30 miles

802.11g

802.16 (WiMax)

802.11a

802.11b
Answer: C

A hacker named Jack is trying to compromise a bank’s computer system. He needs to know the
operating system of that computer to launch further attacks.
What process would help him?

IDLE/IPID Scanning

Banner Grabbing

UDP Scanning

SSDP Scanning

Answer: B

Firewalls are the software or hardware systems that are able to control and monitor the traffic
coming in and out the target network based on pre-defined set of rules.
Which of the following types of firewalls can protect against SQL injection attacks?

Stateful firewall

Web application firewall

Data-driven firewall
 Packet firewall

Answer: B

What would you enter if you wanted to perform a stealth scan using Nmap?

nmap -sU

nmap -sM

nmap -sS

nmap -sT

Answer: C

You are Monitoring the Network of your Organization. You notice that

1. There is huge Outbound Connections from your Internal Network to External IP’s.
2. On further Investigation you see that the external IP’s are Blacklisted.
3. Some connections are Accepted and some Dropped .
4. You find that it’s a CnC communication.

Which of the Following solution will you Suggest ?

Clean the Malware which are trying to Communicate with the External Blacklist
IP’s.

Block the Blacklist IP’s @ Firewall.

Update the Latest Signatures on your IDS/IPS.

Both B and C

Answer: D (TBC)

If you are a Penetration Tester. You are assigned to scan a Server. You need to use a Scanning
Technique wherein TCP Header is Slipt into many packets so that it becomes difficult to detect
what the packets are meant for ?
Which Scanning technique of the below will you use ?

IP Fragment Scanning

ACK flag scanning

TCP Scanning

Inverse TCP flag scanning

Answer: A

Sam is working as a pen-tester in an organization in Houston. He performs penetration

testing on IDS in order to find the different ways an attacker uses to evade the IDS.
Sam sends large amount of packets to the target IDS that generate alerts which enable
Sam to hide the real traffic. What type of method is Sam using to evade IDS?

Insertion Attack

Obfuscating

False Positive Generation

Denial-of-Service

Answer: C

which of the following password protection technique, random string of characters are
added to the password before calculating their hashes?

Salting

Double Hashing

Key Stretching

Keyed Hashing
Answer: A
Which of the following types of jailbreaking allows user-level access but does not allow
iboot-level access?

iBoot Exploit

Bootrom Exploit

Sandbox Exploit

Userland Exploit
Answer: D

Which is the first step followed by Vulnerability Scanners for Scanning a Network ?

OS Detection

Firewall detection

TCP / UDP Port scanning

Checking if the remote host is alive

Answer: D

If you want to only scan fewer ports than the default scan using Nmap tool, which
option would you use?

-F

-sP

-r

-P
Answer: A

Which one of the following Google advance search operators allows an attacker to
restrict the results to those websites in the given domain?

[cache:]

[site:]

[inurl:]

[link:]

Answer: B

If you are the Network Admin and you get a Compliant that some of the Websites are no longer
accessible.
You try to ping the servers, it’s reachable. Then you type the IP address and then try on the
browser, even then its accessible. But they are not accessible when you try using the URL.
What may be the Problem ?

Traffic is Blocked on TCP port 80.

Traffic is Blocked on UDP port 80

Traffic is Blocked on UDP Port 53.

Traffic is blocked on TCP Port 54.

Answer: C

If an attacker uses the command SELECT * FROM user WHERE name = 'x' AND userid
IS NULL; --'; which type of SQL injection attack is the attacker performing?

UNION SQL Injection

Illegal/Logically Incorrect Query

End of Line Comment

Tautology
Answer: C

Cross-site request forgery involves:

A browser making a request to a server without the user’s knowledge

A server making a request to another server without the user’s knowledge

A request sent by a malicious user from a browser to a server

Modification of a request by a proxy between client and server.

Answer: A

In which of the following cryptography attack methods, attacker makes a series of interactive
queries, choosing subsequent plaintexts based on the information from the previous encryptions?

Chosen-plaintext attack

Adaptive chosen-plaintext attack

Ciphertext-only attack

Known-plaintext attack
Answer: C

Provided this log, What sentences are true?

Mar 1, 2016, 7:33:28 AM 10.240.250.23 - 54373 10.249.253.15 - 22 tcp_ip

Application is FTP and 10.240.250.23 is the client and 10.249.253.15 is the

server.

SSH communications are encrypted it’s impossible to know who is the client or the
server.

Application is SSH and 10.240.250.23 is the server and 10.249.253.15 is the

client.
 Application is SSH and 10.240.250.23 is the client and 10.249.253.15 is the
server.

Answer B (TBC)

When tuning security alerts, what is the best approach?

Decrease False negatives

Decrease the false positives

Rise False positives Rise False Negatives

Tune to avoid False positives and False Negatives

Answer: B (TBC)

When does the Payment Card Industry Data Security Standard (PCI-DSS) require
organizations to perform external and internal penetration testing?

At least once every three years and after any significant infrastructure or
application upgrade or modification

At least twice a year and after any significant infrastructure or application upgrade
or modification

At least once a year and after any significant infrastructure or application upgrade
or modification

At least once every two years and after any significant infrastructure or
application upgrade or modification

Answer: C

Which of the following is an adaptive SQL injection testing technique used to discover
coding errors by inputting massive amounts of random data and observing the changes
in the output?

Fuzzing Testing

Dynamic Testing
 Static Testing

Function Testing

Answer: A

Which of the following is the best countermeasure to encrypting ransomwares?

Analyze the ransomware to get decryption key of encrypted data

Pay a ransom

Keep some generation of off-line backup

Use multiple antivirus softwares

Answer: C (TBC)

Which of the following is considered as one of the most reliable forms of TCP scanning?

NULL Scan

Xmas Scan

Half-open Scan

TCP Connect / Full Open Scan

Answer: D

You need a tool that can do network intrusion prevention, but also intrusion detection
and can function as a network sniffer and records network activity, what tool would you
most likely select?

Nessus
 Snort

Nmap

Cain & Abel

Answer: B

Which one of the following options represents a conceptual characteristic of an

anomaly-based IDS over a signature-based IDS?

Produces less false positives

Cannot deal with encrypted network traffic

Can identify unknown attacks

Requires vendor updates for new threats

Answer: C (TBC)

Some clients of TPNQM SA were redirected to a malicious site when tried to access the TPNQM
main site.
Bob, a system administrator at TPNQM SA, found that they were victim of DNS Cache
Poisoning.
What Bob should recommend to deal with such a threat?

The use of double-factor authentication

Client awareness

The use of security agents in clients computers

The use of DNSSEC

Answer: C
Which of the following Secure Hashing Algorithm (SHA) produces a 160-bit digest from
a message with a maximum length of (264 − 1) bits, and resembles the MD5
algorithm?

SHA-0

SHA-2

SHA-1

SHA-3
Answer: C

Insecure direct object reference is a type of the vulnerability where application doesn't verify if
the user is authorized to access internal object via its name or key.
Suppose the malicious user Rob tries to get an access to the account of the benign user Ned.
Which of the following requests best illustrates an attempt to exploit an insecure direct object
reference vulnerability?

GET /restricted/accounts/?name=Ned HTTP/1.1

Host: westbank.com

GET /restricted/goldtransfer?to=Rob&from=1 or 1=1' HTTP/1.1

Host: westbank.com

GET /restricted/\r\n\%00account%00Ned%00access HTTP/1.1

Host: westbank.com

GET /restricted/ HTTP/1.1

Host: westbank.com

Answer: A

Which of the following antenna commonly used in communications for a frequency band of 10
MHz to VHF and UHF

Parabolic grid antenna

 Omnidirectional antenna

Yagi antenna

Dipole antenna

Answer: C

Identify the web application attack where attackers exploit vulnerabilities in dynamically
generated web pages to inject client-side script into web pages viewed by other users

SQL injection attack

LDAP Injection attack

Cross-Site Scripting (XSS)

Cross-Site Request Forgery (CSRF)

Answer: C

Which of the following provides a security professional with the most information about
the system's security posture?

Social engineering, company site browsing, tailgating

Wardriving, warchalking, social engineering

Port scanning, banner grabbing, service identification

Phishing, spamming, sending trojans

Answer: C (TBC)

Bob,Your Senior Colleague has send you a mail regarding a deal with one of the clients.You are
requested to accept the offer and you Oblige.
After 2 days Bob denies that he had never send a mail.
What do you want to "know" to prove yourself that it was Bob who had send a mail ?

Non-Repudiation

Integrity

Authentication

Confidentiality

Answer: A

Chandler works as a pen-tester in an IT-firm in New York. As a part of detecting viruses in the
systems, he uses a detection method where the anti-virus executes the malicious codes on a
virtual machine to simulate CPU and memory activities.
Which type of virus detection method did Chandler use in this context?

Code Emulation

Scanning

Heuristic Analysis

Integrity checking
Answer: A

Alice encrypts her data using her public key PK and stores the encrypted data in the
cloud. Which of the following attack scenarios will compromise the privacy of her data?

Hacker Harry breaks into the cloud server and steals the encrypted data.

None of these scenarios compromise the privacy of Alice's data

Alice also stores her private key in the cloud, and Harry breaks into the cloud
server as before

Agent Andrew subpoenas Alice, forcing her to reveal her private key. However,
the cloud server successfully resists Andrew's attempt to access the stored
Answer: C (TBC)
Which component of IPsec performs protocol-level functions that are required to
encrypt and decrypt the packets?

IPsec driver

Internet Key Exchange (IKE)

Oakley

IPsec Policy Agent

Answer: A

You need to deploy a new web-based software package for your organization. The
package requires three separate servers and needs to be available on the Internet.
What is the recommended architecture in terms of server placement?

All three servers need to face the Internet, so they can communicate between
themselves.

All three servers need to be placed internally.

A web server and the database server facing the Internet, an application server
on the internal network.

A web server facing the Internet, an application server on the internal network,
a database server on the internal network.

Answer: D

Bob, a network administrator at BigUniversity, realized that some students are connecting their
notebooks in the wired network to have Internet access.In the university campus there are many
Ethernet ports available for professors and authorized visitors, but not for students.
He identified this when the IDS alerted for malware activities in the network.
What Bob should do to avoid this problem?

Disable unused ports in the switches.

 Separate students in a different VLAN.

Use the 802.1x protocol.

Ask students to use the wireless network.

Answer: A