The term de-escalation refers to the process of communicating between the client and the tester to dial back the intensity of exploits used during the penetration test because of the adverse effects they may be having on the network.

One of the first steps when looking to gain access to a host, system, or application is to enumerate usernames. Once usernames are guessed, targeted password–based attacks can then be attempted. A RID cycling attack attempts to enumerate user accounts through null sessions. If a tester specifies a password file, it will automatically attempt to brute- force the user accounts when it’s finished enumerating. So, in this scenario, attempting RID cycling will be the next step the tester should try.

Low frequency RFID cards are often used for entry access cards, and are easily cloned using inexpensive commodity cloning devices. Medium frequency cards in the 400 to 451 KHz range do not exist, while high frequency cards are more likely to be cloned using a phone’s NFC capability. Ultra high frequency cards are less standardized, making cloning more complex.

In this scenario, a command was entered, and the attacker was attempting to gain access to the password file within the /etc directory. Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via vulnerable applications. Command injection attacks are possible when an application passes unsafe user- supplied data (forms, cookies, HTTP headers, etc.) to a system shell

In this scenario, you and your colleague are discussing something you have. Physical objects may be used as authentication mechanisms. Organizations seeking to protect sensitive information and critical resources should implement multifactor authentication. Multifactor authentication implementations combine two or more authentication mechanisms coming from different authentication categories. The authentication categories are something you know, something you have, and something you are.

Cross-site scripting (XSS) attacks occur when web applications allow an attacker to perform HTML injection, inserting their own HTML code into a web page. In this scenario, the attacker is attempting to manipulate an HTML iframe with JavaScript code using a web browser

TLS 1.1 is a secure transport protocol that supports web traffic. The other protocols listed all have flaws that render them insecure and unsuitable for use.

Maltego is a utility that penetration testers frequently use to organize the information they have gathered from OSINT sources. One of its key benefits is its ability to graphically display the information discovered and visually link it together.

In this scenario, the tester should recommend that the client enable HTTP Strict Transport Security (HSTS). An HSTS response header lets a website tell browsers that it should be accessed using only HTTPS, instead of using HTTP. It is an opt-in security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header, that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS.

An attestation of findings is a document provided by the penetration testers to document that they conducted a test and the results for compliance purposes. It serves as record of the tester performing the penetration test. It includes a summary of the findings. Its intent is for external use, outside of your client’s organization, to show proof that a penetration test was performed and to highlight the test results.

System hardening, also known as operating system hardening, helps minimize security vulnerabilities. The purpose of system hardening is to get rid of as many security risks as possible. This is usually done by removing all nonessential software programs and utilities from the computer. The goal of systems hardening by removing unused programs, accounts functions, applications, ports, permissions, access, etc., is that attackers have fewer opportunities to gain access to your network. There are several types of system hardening activities. They include the following: ? Application hardening ? Operating system hardening ? Server hardening ? Database hardening ? Network hardening

Metasploit’s SMB capture mode, Responder, and Wireshark can all capture SMB hashes from broadcasts. Impacket doesn’t build this capability in but provides a wide range of related tools, including the ability to authenticate with hashes once you have captured them. If you’re wondering about encountering this type of question on the exam, remember to eliminate the answers you are sure of to reduce the number of remaining options. Here, you can likely guess that Metasploit has a module for this, and Wireshark is a packet capture tool, so capturing broadcast traffic may require work, but would be possible. Now you’re down to a 50/50 chance!

A downgrade attack is a form of attack in which a tester forces a network channel to switch to a less secure or unprotected data transmission standard. Downgrading the protocol is one component of a man-in-the-middle type attack and is used to intercept encrypted traffic. Downgrade attacks work by causing the client and server to use a lesssecure protocol. In this scenario, since you are trying to capture all unencrypted web traffic, you would want to implement an HTTP downgrade attack.

The Common Vulnerability Scoring System (CVSS) provides a standardized approach for measuring and describing the severity of security vulnerabilities. Dima could use this scoring system to prioritize issues raised by different source systems.

The first step in the penetration testing process is to work with the client to clearly define the scope of the test. The scope determines what penetration testers will do and how their time will be spent. Researching the organization’s products is a task that will pro bably be done after the scope of work has been defined. Determining the budget and gaining authorization are subtasks that are usually completed as a part of the overall scoping process.

OBJ-3.1: Vishing (voice phishing) is a phishing attack in which an attacker entices their victim through a traditional telephone system or IP-based voice communications like Voice over IP (VoIP). If the attack is being carried out using the attacker’s voice over a telephone, it is usually considered vishing.

OBJ-1.1: The test boundaries are used to define the acceptable actions and scope used during an engagement. For example, it will define whether servers, endpoints, or both will be in the scope of the attack. It may also dictate whether only technical means may be used for exploitation or if social engineering can also be utilized.

OBJ-3.4: ID and certification must be crafted so that when substituted for the “.getparameter” fields, the SQL statement formed is still complete and will return a Boolean value of true for the ENTIRE statement every time it is evaluated. The AND in the middle of the WHERE clause indicates that both the courseID and certification portion must be true to be true in every case. When this occurs, the entire table of courses would be returned. The only string that would ensure both halves of the WHERE clause always return true would be

OBJ-3.3: An evil twin is meant to mimic a legitimate hotspot provided by a nearby business, such as a coffee shop that provides free Wi-Fi access to its patrons. The evil twin is the wireless LAN equivalent of the phishing scam. This type of attack may be used to steal the passwords of unsuspecting users by monitoring their connections or phishing, which involves setting up a fraudulent web site and luring people there.

OBJ-5.1: Risk appetite describes how much risk an organization is willing to accept. This is a crucial factor both in designing the assessment and determining the recommended mitigations. Risk mitigation is a strategy to prepare for and lessen the effects of threats faced by a data center. Risk mitigation refers to applying security controls to reduce the risk of a known vulnerability. Risk avoidance is the elimination of hazards, activities, and exposures that can negatively affect an organization’s assets. Risk acceptance is the act of accepting the identified risk and not taking additional actions to reduce the risk because the risk is low enough. Risk acceptance should only be done once an organization’s risk tolerance is defined and communicated amongst the decision-makers.

OBJ-4.3: Web-based attacks would likely appear on port 80 (HTTP) or port 443 (HTTPS). An attack against Active Directory is likely to be observed on port 389 LDAP. An attack on an FTP server is likely to be observed on port 21 (FTP). An attack using the remote desktop protocol would be observed on port 3389 (RDP).

OBJ-5.3: Layer 7 firewalls are application-filtering firewalls. FTP traffic does not usually travel over port 25 and should travel over port 21. Using a Layer 7 firewall, the device can perform a deep packet inspection (DPI) to identify which application or protocol is actually being used to send traffic over a given port.

OBJ-4.2: Powersploit is a series of Microsoft PowerShell scripts that pen testers can use in post-exploit scenarios. Empire (PowerShell Empire) is a post-exploitation framework for Windows devices that allows the attacker to run PowerShell agents without needing powershell.exe. It is commonly used to escalate privileges, launch other modules to capture data, extract passwords, and install persistent backdoors. Searchsploit is a tool included in the exploitdb package on Kali Linux that enables you to search the Exploit Database archive. Responder is a fake server and relay tool that is included with Kali Linux. It responds to LLMNR, NBT-NS, POP, IMAP, SMTP, and SQL queries to possibly recover sensitive information such as user names and passwords.

OBJ-1.2: Pentesters should never disclose any information from previous penetration tests to anyone outside of the assessed organization since this could expose the vulnerability found. This non-disclosure is usually outlined in the original contract and scope of work. If the contractor wishes to provide a sample report, then the report should be created specifically for the contract and only include information from a sample/test network, not a previous customer’s assessment. This could also be in breach of the NDA between the pentester and the organization, as well.

OBJ-3.4: Since there are no indications in the IDS logs, the database, or the server, it is most likely that the hacker changed hidden form values to change the items’ price in the shopping cart. A buffer overflow is an anomaly that occurs when a program overruns the buffer’s boundary and overwrites adjacent memory locations while writing data to a buffer. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in a browser side script, to a different end-user. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker.

OBJ-4.2: The world’s most popular open-source port scanning utility is nmap. The Services console (services.msc) allows an analyst to disable or enable Windows services. The dd tool is used to copy files, disk, and partitions, and it can also be used to create forensic disk images. Nessus is a proprietary vulnerability scanner developed by Tenable. While Nessus does contain the ability to conduct a port scan, its primary role is as a vulnerability scanner, and it is not an open-source tool.

OBJ-4.3: This is an example of a brute force attack. Unlike password spraying that focuses on attempting only one or two passwords per user, a brute force attack focuses on trying multiple passwords for a single user. The goal of this attack is to crack the user’s password and gain access to their account. Password spraying, instead, refers to the attack method that takes a large number of usernames and loops them with a single password. We can use multiple iterations using several different passwords, but the number of passwords attempted is usually low compared to the number of users attempted. This method avoids password lockouts, and it is often more effective at uncovering weak passwords than targeting specific users. In the scenario provided, only one or two attempts are being made to each username listed. This is indicative of a password spraying attack instead of a brute force attempt against a single user. Impersonation is the act of pretending to be another person for fraudulent purposes. Credential stuffing is the automated injection of breached username/password pairs to gain user accounts access fraudulently. This is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are potentially matched to an existing account. The attacker can then hijack for their own purposes.

OBJ-5.4: An indicator of compromise is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion. Typical IOCs are virus signatures and IP addresses, MD5 hashes of malware files or URLs, or botnet command and control servers’ domain names. SQL injection is a code injection technique used to attack data-driven applications. Malicious SQL statements are inserted into an entry field for execution, such as dumping the database contents to the attacker. Cross-site request forgery (CSRF or XSRF) is a malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. There are many ways in which a malicious website can transmit commands, such as specially-crafted image tags, hidden forms, and JavaScript XMLHttpRequests can all work without the user’s interaction or even knowledge. A botnet consists of many Internet-connected devices, each of which is running one or more bots. Botnets can be used to perform Distributed Denial-of-Service (DDoS) attacks, steal data, send spam, and allows the attacker to access the device and its connection.

OBJ-3.3: An SSL stripping attack, also known as an HTTP downgrade attack, forces the client to communicate with the webserver in plain text (unencrypted) over HTTP instead of HTTPS. Both SSL downgrade and SSL stripping attacks are used to force the victim into using a weaker encryption mechanism (SSL downgrade to SSL-based HTTPS) or no encryption (SSL stripping to HTTP) for its web traffic.

OBJ-1.3: While the physical security posture of the company has definitely been improved by adding the cameras, alarms, and locks, this appliance-based system may pose additional risks to the store’s network. Specialized technology and appliance-based systems rarely receive security updates at the same rate as regular servers or endpoints. These devices need to be on a network to ensure that their network functions can continue, but they don’t necessarily need to be on the enterprise production network. A good option would be to set up a parallel network that is physically or logically isolated from the enterprise network and install the video cameras, alarms, and lock on that one. These devices cannot be isolated from the internet without compromising their functions, such as allowing remote monitoring of the system and locks. The devices should be scanned for viruses before installation, but that is a short-term consideration and doesn’t protect them long-term.

OBJ-5.4: If an indicator of a previous compromise is found during a penetration test, the team should pause their work and immediately inform the client’s trusted point of contact. The penetration testing team should have a direct communication path with the system owners or their trusted agents during an engagement. If the team discovers any security breaches, current hacking activity, extremely critical findings on a production server, or a production server becomes unresponsive during exploitation, then the team should stop what they are doing and contract their trusted point of contact within the organization to get further guidance. The trusted agents and communication paths should be determined when planning the engagement.

OBJ-2.1: Vulnerability scans should never take place in a vacuum. Analysts should correlate scan results with other information sources, including logs, SIEM systems, and configuration management systems. DMARC (domain-based message authentication, reporting, and conformance) and DKIM (domain keys identified mail) are configurations performed on a DNS server to verify whether an email is sent by a third-party are verified to send it on behalf of the organization. For example, if you are using a third-party mailing list provider, they need your organization to authorize them to send an email on your behalf by setting up DMARC and DKIM in your DNS records. While this is an important security configuration, it would not be a good source of information to validate the results of an analyst’s vulnerability scans on a domain controller.

OBJ-3.1: Airgaps are designed to remove connections between two networks to create a physical segmentation between them. The only way to cross an airgap is to have a physical device between these systems, such as using a removable media device to transfer files between them. A directory traversal is an HTTP attack that allows attackers to access restricted directories and execute commands outside of the web server’s root directory. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. A session hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server. A directory traversal, cross-site scripting, or session hijacking attack cannot by itself cross an airgap.

OBJ-3.3: The most prominent attack against WPS enabled wireless networks involves brute-forcing the 8-digit PIN that client uses to enroll their devices without knowing the pre-shared key. WPS checks each half of the PIN individually, reducing the number of possible combinations from a maximum of 100,000,000 to only 11,000. This only takes a few minutes to crack on most modern computers, as long as the WAP doesn’t have a lockout after a certain number of failures. The lockout mechanism may also be triggered based on the client’s MAC, so you can often spoof MAC to bypass this defense.

OBJ-2.1: The above example searches for files with the name “password” in them (q=password) and (+) have a filetype equal to xls (filetype%3Axls, %3A is the hex-code for ‘:’) and (+) limits the results to files hosted on skillcertprotraining.com (site%3Askillcertprotraining.com) and (&) disables personalization (pws=0) and (&) deactivates the directory filtering function (filter=p). If you wanted to exclude Microsoft Excel spreadsheets, this would be done by typing -filetype%3Axls as part of the search query. To find related websites or pages, you would include the “related:” term to the query. To deactivate all filters from the search, the “filter=0” should be used. To deactivate the directory filtering function, the “filter=p” is used.

OBJ-4.2: The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Nessus is a very popular vulnerability scanner. It can be used to check how vulnerable your network is by using various plugins to test for vulnerabilities. Also, Nessus can perform compliance auditing, like internal and external PCI DSS audit scans. The nmap tool is a port scanner. BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.

OBJ-3.1: Likeness is the social engineering motivational technique that relies on people being more willing to help people who look and sounds like themselves. In this scenario, the social engineer started talking sports and acting like the victim he sought to exploit. He then started making jokes about different server types to see if he could gain some information from the victim.

OBJ-2.1: Google interprets this statement as @skillcertprotraining.com and understands that the user is searching for email addresses since %40 is the hex code for the @ symbol. The * is a wild card character meaning that any text could be substituted for the * in the query. This type of search would provide an attacker with a list of email addresses associated with skillcertprotraining.com, which could be used as part of a spear-phishing campaign. To return all web pages hosted at skillcertprotraining.com, you should use the “site:” modifier in the query. To return all web pages with the text skillcertprotraining.com, enter “skillcertprotraining.com” into the Google search bar with no modifiers to return those results.

OBJ-2.5: IoT device manufacturers are more focused on making the devices convenient to use instead of ensuring they have strong security. The other options are incorrect and not true. IoT devices can receive patches and updates through an over-the-air firmware update if a manufacturer creates the patches. IoT devices are powerful these days, and they can support encryption and other security features if manufacturers would add them to their code. IoT devices are not just used in low-security use cases, either. For example, IoT devices are often used as life-saving devices in hospitals or security systems in our homes. Unfortunately, IoT devices are notoriously lax when it comes to security. Some IoT systems may even allow a user full remote control of a device.

OBJ-2.4: A rainbow table is a tool for speeding up attacks against Windows passwords by precomputing possible hashes. A rainbow table is used to authenticate users by comparing the hash value of the entered password against the one stored in the rainbow table. Using a rainbow table makes password cracking a lot faster and easier for an attacker.

OBJ-5.3: The management interface should only be exposed to an isolated or dedicated network used for the management and configuration of the network device and platforms only. This would also help reduce the likelihood of an attack against the virtualization platform or the hypervisor itself. The external zone (internet), internal zone (LAN), or DMZ should not have the management interface exposed to them.

OBJ-3.2: If you see a question like this, don’t let it confuse you. Look for keywords and phrases that you recognize to answer the question. As you look at the command issued in the first line, you may not recognize it. That is because this is an older exploit script that is being run with the parameters of support (the user account we are trying to exploit), SkillcertproTraining (our penetration testing machine’s name), and RedHat (our target/victim server). Ignoring this line, look at the second line where you see a keyword that you should recognize: Sendmail. Sendmail is a service that runs on Linux machines to “send mail” using the SMTP protocol over port 25. This is the key to answering this question. As you continue through the script, you see it performed a DNS name resolution from RedHat to the server’s IP, connected to the server, and successfully sent the exploit. This exploit conducts a buffer overflow against a vulnerable Sendmail server resulting in the server providing a remote callback to a listening port on the attacker’s machine (port 2525). This is why the attacker then telnets into their localhost over port 2525 and runs the whoami command to determine what user they are connected to the victimized server as. In this case, they are reported as the root user, which means this SMTP exploit was successful.

OBJ-4.2: Empire (PowerShell Empire) is a post-exploitation framework for Windows devices that allows the attacker to run PowerShell agents without needing powershell.exe. It is commonly used to escalate privileges, launch other modules to capture data, extract passwords, and install persistent backdoors. Powersploit is a series of Microsoft PowerShell scripts that pen testers can use in post-exploit scenarios. Searchsploit is a tool included in the exploitdb package on Kali Linux that enables you to search the Exploit Database archive. Responder is a fake server and relay tool that is included with Kali Linux. It responds to LLMNR, NBT-NS, POP, IMAP, SMTP, and SQL queries to possibly recover sensitive information such as user names and passwords.

OBJ-2.1: Port Scanning is the name for the technique used to identify open ports and services available on a network host. Based on the logs, you can see a sequential scan of some commonly used ports (20, 21, 22, 23, 25, 80, 135, 443, 445) with a two-second pause between each attempt. The scan source is 10.10.3.2, and the destination of the scan is 10.10.3.6, making “Port scan targeting 10.10.3.6” the correct choice. IP fragmentation attacks are a common form of denial of service attack, in which the perpetrator overbears a network by exploiting datagram fragmentation mechanisms. A denial-of-service (DoS) attack occurs when legitimate users cannot access information systems, devices, or other network resources due to a malicious cyber threat actor’s actions.

OBJ-1.2: Written authorization documents help control the amount of liability incurred by the penetration tester. You must ensure you have the correct authorization in place before beginning your engagement. You ALWAYS need written authorization from your client. If the client uses a third-party service provider, then you may need to also get proper authorization from them in writing too. During your engagement planning, you should contact the third-party service provider to determine if written consent is required. In the case of Amazon, there are a handful of services that do not require prior authorization before conducting a penetration test on behalf of your client. DoS and DDoS attacks and simulations do require written authorization from both your client and Amazon. If you do not have this, you could be held liable for any negative consequences to Amazon and its client’s servers or even be charged with criminal computer hacking.

OBJ-4.2: Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. User Acceptance Testing is the process of verifying that a created solution/software works for the user. Security regression testing ensures that changes made to a system do not harm its security, are therefore of high significance, and the interest in such approaches has steadily increased. Stress testing verifies the system’s stability and reliability by measuring its robustness and error handling capabilities under heavy load conditions.

OBJ-3.4: NIST’s SP 800-63-3 recommends that SMS messages be deprecated as a means of delivering a second factor for multifactor authentication because they may be accessible to attackers. SMS is unable to be encrypted (at least without adding additional applications to phones). A third factor is typically not a user-friendly recommendation and would be better handled by replacing SMS with the proposed third factor. SMS is not a costly method since it can be deployed for less than $20/month at scale.

OBJ-4.2: BeEF (Browser Exploitation Framework) is a penetration testing tool included with Kali Linux that focuses on web browsers. BeEF can be used for XSS and injection attacks against a website. Netcat is an open-source networking utility for debugging and investigating the network, and that can be used to create TCP/UDP connections and investigate them. Nikto is an open-source web server scanner that searches for potentially harmful files, checks for outdated web server software, and looks for problems with some web server software versions. Androzer is a security testing framework for Android apps and devices.

OBJ-2.5: Port 3389 is an RDP port used for the Remote Desktop Protocol. If this port isn’t supposed to be opened, then an incident response plan should be the next step since this can be used for remote access by an attacker. MySQL runs on port 3306. LDAP runs on port 389. IMAP over SSL runs on port 993.

OBJ-5.2: This scenario uses the systemctl command to remove persistence from a Linux server within its shell. The systemd tool is an init system and system manager that has widely become the new standard for Linux distributions. The systemctl is part of systemd. The systemctl is used to manage services, check their status, change their status, and work with the configuration files. By entering “sudo systemctrl stop SkillcertproTrainingApp” in the shell, the system will stop the service known as SkillcertproTrainingApp. This will remove any persistence gained by running the SkillcertproTrainingApp service, which is just a fictional service name used in this example to hide the penetration tester’s persistence tools. This service could be named anything the penetration tester deems appropriate during the service’s installation.

OBJ-2.2: Since Apache is being run on the scanned server, this indicates a web server. Therefore, a web application vulnerability scan would be the most likely to provide valuable information. A network vulnerability scan or port scan can provide valuable information against any network-enabled server. Since an Apache server doesn’t contain a database by default, running a database vulnerability scan is not likely to provide any valuable information to the analyst.

OBJ-1.4: Since the analyst cannot remediate the vulnerabilities by installing a patch, the next best action would be to implement some compensating controls. If a vulnerability exists that cannot be patched, compensating controls can mitigate the risk. Additionally, the analyst should document the current situation to achieve compliance with PCI DSS. The analyst will likely not remove the terminals from the network without affecting business operations, so this is a bad option. The analyst should not build a custom OS image with the patch since this could void the support agreement with the manufacturer and introduce additional vulnerabilities. Also, it would be difficult (or impossible) to replace the POS terminals with standard Windows systems due to the custom firmware and software utilized on these systems.

OBJ-3.2: TCP ACK scans can be used to determine what services are allowed through a firewall. An ACK scan sends TCP packets with only the ACK bit set. Whether ports are open or closed, the target is required to respond with an RST packet. Firewalls that block the probe usually make no response or send back an ICMP destination unreachable error. This distinction allows Nmap to report whether the ACK packets are being filtered. A TCP SYN scan can sometimes be used to determine what ports are filtered. Still, if the firewall is configured to drop packets for disallowed ports instead of sending an RST packet, then a TCP SYN scan will not be able to determine if a firewall was there or if the port was simply unavailable. A target sends a TCP RST packet in response to a TCP ACK scan, but a TCP RST is not a valid type of scan itself. An XMAS Tree scan will set the FIN, PSH, and URG flags in the TCP packet. This is a noisy type of scan and not useful for probing firewall rules.

OBJ-5.4: If an indicator of a previous compromise is found during a penetration test, the team should immediately inform the client’s trusted point of contact unless the scope of work states otherwise. The penetration testing team should have a direct communication path with the system owners or their trusted agents during an engagement. If the team discovers any security breaches, current hacking activity, extremely critical findings on a production server, or a production server becomes unresponsive during exploitation, then the team should stop what they are doing and contract their trusted point of contact within the organization to get further guidance. The trusted agents and communication paths should be determined when planning the engagement.

OBJ-1.2: A Statement of Work (SOW) is a document that outlines all the work that is to be performed, as well as the agreed-upon deliverables and timelines.

OBJ-2.1: Banner grabbing requires a connection to the host to grab the banner successfully. This is an active reconnaissance activity. All other options are considered passive processes and typically use information retrieved from third-parties that do not directly connect to an organization’s remote host.

OBJ-2.4: A dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by trying hundreds or sometimes millions of likely possibilities, such as words in a dictionary. The key to answering this question is that they were using passwords from a list. In cryptography, a brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. A dictionary attack is a specific form of a brute-force attack that uses a list. A session hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the webserver. A man-in-the-middle attack (MITM), also known as a hijack attack, is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other.

OBJ-5.1: Risk mitigation is the overall process of reducing exposure to or the effects of risk factors, such as patching a vulnerable system. Transference (or sharing) means assigning risk to a third party (such as an insurance company or a contract with a supplier that defines liabilities). Avoidance means that the company stops doing the activity that is risk-bearing. Acceptance means that no countermeasures are put in place either because the level of risk does not justify the cost or because there will be an unavoidable delay before the countermeasures are deployed.

OBJ-3.7: A scheduled task or scheduled job is an instance of execution, like initiating a process or running of a script, that the system performs on a set schedule. Once the task executes, it can prompt the user for interaction or run silently in the background; it all depends on what the task is set up to do. Scheduled tasks in Windows use the schtasks command. The correct answer for this persistence is to enter the command “schtasks /create /tn beacon /tr C:\temp\beacon.bat /sc MINUTE /mo 20 /ru SYSTEM” that will create a task called “beacon” that runs the script at “C:\temp\beacon.bat every 20 minutes as the SYSTEM level user. The other variant of schtasks is incorrect because it used a Linux-based file directory structure to reference the script location and would fail to run in Windows. The crontab options are used in Linux, not in Windows.

OBJ-3.4: This scenario is a perfect example of the effects of a cross-site scripting (XSS) attack. If your website’s HTML code does not perform input validation to remove scripts that may be entered by a user, then an attacker can create a popup window that collects passwords and uses that information to compromise other accounts further. A cross-site request forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. An XSS will allow an attacker to execute arbitrary JavaScript within the victim’s browser (such as creating pop-ups). A CSRF would allow an attack to induce a victim to perform actions they do not intend to perform. A rootkit is a set of software tools that enable an unauthorized user to control a computer system without being detected. SQL injection is the placement of malicious code in SQL statements via web page input. None of the things described in this scenario would indicate a CSRF, rootkit, or SQL injection.

OBJ-2.1: Captured packets show you the information that was traveling through certain files, etc. Packet sniffers detail the information they’ve received, so working through those shows if the external network shows or details software versions.

OBJ-5.3: Application whitelisting will only allow a program to execute if it is specifically listed in the approved exception list. All other programs are blocked from running. This makes it the BEST mitigation against a zero-day virus. An intrusion detection system might detect the anomalous activity created by a piece of malware, but it will only log or alert based on the activity, not prevent it. A host-based firewall may prevent a piece of malware from establishing a network connection with a remote server. Still, again, it wouldn’t prevent infection or prevent it from executing. An anti-malware solution is a good investment towards improving your security. Since the threat is a zero-day virus, an anti-malware solution will not detect it using its signature database.

OBJ-3.4: A directory traversal attack aims to access files and directories stored outside the webroot folder. By manipulating variables or URLs that reference files with “dot-dot-slash (../)” sequences and its variations or using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files. The example output provided comes from a remote code execution vulnerability being exploited in which a directory traversal is used to access the files. XML Injection is an attack technique used to manipulate or compromise an XML application or service’s logic. SQL injection is the placement of malicious code in SQL statements via web page input. Password spraying attempts to crack various user’s passwords by attempting a compromised password against multiple user accounts.

OBJ-2.1: The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures. XCCDF (extensible configuration checklist description format) is a language that is used in creating checklists for reporting results. The Common Configuration Enumeration (CCE) provides unique identifiers to system configuration issues to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. Common Platform Enumeration (CPE) is a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise’s computing assets.

OBJ-5.3: The gpupdate command refreshes a computer’s local Group Policy, as well as any Active Directory-based group policies. This command works on Windows 10, 8, 7, Vista, and XP. The gpupdate command can be used to restrict access to USB removable storage devices (like USB thumb drives and hard drives). In some organizations, USB storage devices are blocked for security reasons to prevent security leakage of confidential data and the penetration of viruses into the internal corporate network.