Q191. You are the CIO for Avantes Finance International, a global finance company based in Geneva. You are responsible for network functions and logical security throughout the entire corporation. Your company has over 250 servers running Windows Server, 5000 workstations running Windows Vista, and 200 mobile users working from laptops on Windows 7. 

Last week, 10 of your company's laptops were stolen from salesmen while at a conference in Amsterdam. These laptops contained proprietary company information. While doing damage assessment on the possible public relations nightmare this may become, a news story leaks about the stolen laptops and also that sensitive information from those computers was posted to a blog online. 

What built-in Windows feature could you have implemented to protect the sensitive information on these laptops? 

A. You should have used 3DES which is built into Windows 

B. If you would have implemented Pretty Good Privacy (PGP) which is built into Windows, the sensitive information on the laptops would not have leaked out 

C. You should have utilized the built-in feature of Distributed File System (DFS) to protect the sensitive information on the laptops 

D. You could have implemented Encrypted File System (EFS) to encrypt the sensitive files on the laptops 

Answer: D


Q192. A Trojan horse is a destructive program that masquerades as a benign application. The software initially appears to perform a desirable function for the user prior to installation and/or execution, but in addition to the expected function steals information or harms the system. 

The challenge for an attacker is to send a convincing file attachment to the victim, which gets easily executed on the victim machine without raising any suspicion. Today's end users are quite knowledgeable about malwares and viruses. Instead of sending games and fun executables, Hackers today are quite successful in spreading the Trojans using Rogue security software. 

What is Rogue security software? 

A. A flash file extension to Firefox that gets automatically installed when a victim visits rogue software disabling websites 

B. A Fake AV program that claims to rid a computer of malware, but instead installs spyware or other malware onto the computer. This kind of software is known as rogue security software. 

C. A Fake AV program that claims to rid a computer of malware, but instead installs spyware or other malware onto the computer. This kind of software is known as rogue security software. 

D. A Fake AV program that claims to rid a computer of malware, but instead installs spyware or other malware onto the computer. This kind of software is known as rogue security software. 

E. Rogue security software is based on social engineering technique in which the attackers lures victim to visit spear phishing websites 

F. This software disables firewalls and establishes reverse connecting tunnel between the victim's machine and that of the attacker 

Answer: BCD


Q193. Which of the following is a patch management utility that scans one or more computers on your network and alerts you if you important Microsoft Security patches are missing. It then provides links that enable those missing patches to be downloaded and installed. 

A. MBSA 

B. BSSA 

C. ASNB 

D. PMUS 

Answer: A

Explanation: The Microsoft Baseline Security Analyzer (MBSA) is a tool put out by Microsoft to help analyze security problems in Microsoft Windows. It does this by scanning the system for security problems in Windows, Windows components such as the IIS web server application, Microsoft SQL Server, and Microsoft Office. One example of an issue might be that permissions for one of the directories in the wwwroot folder of IIS could be set at too low a level, allowing unwanted modification of files from outsiders. 


Q194. While scanning a network you observe that all of the web servers in the DMZ are responding to ACK packets on port 80. 

What can you infer from this observation? 

A. They are using Windows based web servers. 

B. They are using UNIX based web servers. 

C. They are not using an intrusion detection system. 

D. They are not using a stateful inspection firewall. 

Answer: D

Explanation: If they used a stateful inspection firewall this firewall would know if there has been a SYN-ACK before the ACK. 


Q195. How can you determine if an LM hash you extracted contains a password that is less than 8 characters long? 

A. There is no way to tell because a hash cannot be reversed 

B. The right most portion of the hash is always the same 

C. The hash always starts with AB923D 

D. The left most portion of the hash is always the same 

E. A portion of the hash will be all 0's 

Answer: B

Explanation: When looking at an extracted LM hash, you will sometimes observe that the right most portion is always the same. This is padding that has been added to a password that is less than 8 characters long. 


Q196. Every company needs a formal written document which spells out to employees precisely what they are allowed to use the company's systems for, what is prohibited, and what will happen to them if they break the rules. Two printed copies of the policy should be given to every employee as soon as possible after they join the organization. The employee should be asked to sign one copy, which should be safely filed by the company. No one should be allowed to use the company's computer systems until they have signed the policy in acceptance of its terms. What is this document called? 

A. Information Audit Policy (IAP) 

B. Information Security Policy (ISP) 

C. Penetration Testing Policy (PTP) 

D. Company Compliance Policy (CCP) 

Answer: B


Q197. A user on your Windows 2000 network has discovered that he can use L0phtcrack to sniff the SMB exchanges which carry user logons. The user is plugged into a hub with 23 other systems. However, he is unable to capture any logons though he knows that other users are logging in. 

What do you think is the most likely reason behind this? 

A. There is a NIDS present on that segment. 

B. Kerberos is preventing it. 

C. Windows logons cannot be sniffed. 

D. L0phtcrack only sniffs logons to web servers. 

Answer: B

Explanation: In a Windows 2000 network using Kerberos you normally use pre-authentication and the user password never leaves the local machine so it is never exposed to the network so it should not be able to be sniffed. 


Q198. What attack is being depicted here? 

A. Cookie Stealing 

B. Session Hijacking 

C. Cross Site scripting 

D. Parameter Manipulation 

Answer: D

Explanation: Manipulating the data sent between the browser and the web application to an attacker's advantage has long been a simple but effective way to make applications do things in a way the user often shouldn't be able to. In a badly designed and developed web application, malicious users can modify things like prices in web carts, session tokens or values stored in cookies and even HTTP headers. In this case the user has elevated his rights. 


Q199. What do you conclude from the nmap results below? 

Staring nmap V. 3.10ALPHA0 (www.insecure.org/map/) 

(The 1592 ports scanned but not shown below are in state: closed) 

PortStateService 21/tcpopenftp 25/tcpopensmtp 80/tcpopenhttp 443/tcpopenhttps 

Remote operating system guess: Too many signatures match the reliability guess the OS. Nmap run completed – 1 IP address (1 host up) scanned in 91.66 seconds 

A. The system is a Windows Domain Controller. 

B. The system is not firewalled. 

C. The system is not running Linux or Solaris. 

D. The system is not properly patched. 

Answer:

Explanation: There is no reports of any ports being filtered. 


Q200. John Beetlesman, the hacker has successfully compromised the Linux System of Agent Telecommunications, Inc’s WebServer running Apache. He has downloaded sensitive documents and database files off the machine. 

Upon performing various tasks, Beetlesman finally runs the following command on the Linux box before disconnecting. 

for ((i=0;i<1;i++));do 

?dd if=/dev/random of=/dev/hda && dd if=/dev/zero of=/dev/hda 

done 

What exactly is John trying to do? 

A. He is making a bit stream copy of the entire hard disk for later download 

B. He is deleting log files to remove his trace 

C. He is wiping the contents of the hard disk with zeros 

D. He is infecting the hard disk with random virus strings 

Answer:

Explanation: dd copies an input file to an output file with optional conversions. –if is input file, -of is output file. /dev/zero is a special file that provides as many null characters (ASCII NULL, 0x00; not ASCII character "digit zero", "0", 0x30) as are read from it. /dev/hda is the hard drive.