Getting Started: Essential Knowledge - CEH Certified Ethical Hacker Practice Exams Second Edition (2014)


Getting Started: Essential Knowledge

This chapter includes questions from the following topics:

• Identify components of TCP/IP computer networking

• Understand basic elements of information security

• Understand incident management steps

• Identify fundamentals of security policies

• Identify essential terminology associated with ethical hacking

• Define ethical hacker and classifications of hackers

• Describe the five stages of ethical hacking

• Define the types of system attacks


Even if you’ve never read the book, I’m certain you know all about Alice in Wonderland. Maybe you saw the original Disney cartoon version of the tale, or perhaps you watched a retelling of it in a local play. No matter what your exposure to the story (and I hope your only experience with the story is not that dreadful version starring Johnny Depp in 2010), or even if you missed all of it, you’ve probably heard the endless references in conversation from the tale. Things like “chasing it down the rabbit hole,” “mad as a hatter,” and “off with their heads!” are all tied to the story and find their way into our day-to-day lives.

One quote from the book is especially apropos to where we find ourselves right now, Dear Reader: at the beginning. Oftentimes when we have a huge task ahead of us, we falter and are gripped with indecision about where to begin. After all, with so much to do, we can become paralyzed and overwhelmed, not knowing which step to take first. And here, to help with that small problem comes the King of Wonderland himself with some great advice: “Begin at the beginning, and go on till you come to the end. Then stop.”

Look, I know you’re wanting to dive right in and get to the juicy stuff, but if you don’t start at the beginning and cover all the mundane, boring things, you’ll wind up doing yourself a disservice and may never find yourself at the end. No, this stuff isn’t the sexy hacking questions you’re just dying to get to, but this is stuff you really need to know, and you’ll definitely be tested on it. The good news with this part of your exam is that this is the easy stuff. It’s almost pure memorization and definitions—with no wacky formulas or script nuances to figure out. And don’t worry, it’s not nearly as bad as you think it’s going to be.


STUDY TIPS  When it comes to studying this chapter, where mostly definitions and rote memorization are all that is required for the exam, repetition is the key. Tables with words on one side and corresponding definitions on the other can be pretty effective—and don’t discount the old-school flash cards either. When studying, try to find some key words in each definition you can associate with the term. That way, when you’re looking at a weird test question on the exam, a key word will pop out and help provide the answer for you. And for goodness sake, please try not to confuse real world with the exam—trust what you get out of this book and your other study material, and don’t read too much into the questions.

Some of the most confusing questions for you in this section will probably come from the CIA triad, the methodology steps, security policies, and security control mechanisms. Be careful with confidentiality versus integrity (watch out for that pesky authentication word as well), know the methodology like the back of your hand, and use logic in figuring out preventive versus corrective controls. And when it comes to policy questions, just remember that the process of elimination can sometimes be helpful in narrowing the options down to the correct answer. Concentrate on key words for definition, and you should be fine.

Additionally, and at the risk of generating derision from the “Thank you, Captain Obvious” crowd, here’s another piece of advice I have for you: Spend your time on the things you don’t already know (trust me, I’m on to something here). Many exam prospects and students spend way too much valuable time repeating portions they already know instead of concentrating on the things they don’t. If you understand the definitions regarding white hat and black hat, don’t bother reviewing them. Instead, spend your time concentrating on areas that aren’t so “commonsense” to you.

And, finally, keep in mind that this certification is provided by an international organization. Therefore, you will sometimes see some fairly atrocious grammar on test questions here and there, especially in this section of the exam. Don’t worry about it—just keep focused on the main point of the question and look for your key words.


1. A security team is implementing various security controls across the organization. After several configurations and applications, a final agreed-on set of security controls is put into place; however, not all risks are mitigated by the controls. Of the following, which is the next best step?

A. Continue applying controls until all risk is eliminated.

B. Ignore any remaining risk as “best effort controlled.”

C. Ensure that any remaining risk is residual or low and accept the risk.

D. Remove all controls.

2. A Certified Ethical Hacker (CEH) follows a specific methodology for testing a system. Which step comes after footprinting in the CEH methodology?

A. Scanning

B. Enumeration

C. Reconnaissance

D. Application attack

3. Which of the following best describes a newly discovered flaw in a software application?

A. Input validation flaw

B. Shrink-wrap vulnerability

C. Insider vulnerability

D. Zero-day

4. Which type of security control is met by encryption?

A. Preventive

B. Detective

C. Offensive

D. Defensive

E. Corrective

5. You’ve been hired as part of a pen test team. During the brief, you learn the client wants the pen test attack to simulate a normal user who finds ways to elevate privileges and create attacks. Which test type does the client want?

A. White box

B. Gray box

C. Black box

D. Hybrid

6. Which of the following is defined as ensuring the enforcement of organizational security policy does not rely on voluntary user compliance by assigning sensitivity labels on information and comparing this to the level of security a user is operating at?

A. Mandatory access control

B. Authorized access control

C. Role-based access control

D. Discretionary access control

7. You begin your first pen test assignment by checking out IP address ranges owned by the target as well as details of their domain name registration. Additionally, you visit job boards and financial websites to gather any technical information online. What activity are you performing?

A. Security assessment

B. Vulnerability assessment

C. Active footprinting

D. Passive footprinting

8. Of the following choices, which best defines a formal written document defining what employees are allowed to use organization systems for, what is not allowed, and what the repercussions are for breaking the rules?

A. Information audit policy (IAP)

B. Information security policy (ISP)

C. Penetration testing policy (PTP)

D. Company compliance policy (CCP)

9. An ethical hacker is given no prior knowledge of the network and has a specific framework in which to work. The agreement specifies boundaries, nondisclosure agreements, and a completion date definition. Which of the following is true?

A. A white hat is attempting a black-box test.

B. A white hat is attempting a white-box test.

C. A black hat is attempting a black-box test.

D. A black hat is attempting a gray-box test.

10. Which of the following is a detective control?

A. Audit trail

B. CONOPS

C. Procedure

D. Smartcard authentication

E. Process

11. As part of a pen test on a U.S. government system, you discover files containing Social Security numbers and other sensitive personally identifiable information (PII). You are asked about controls placed on the dissemination of this information. Which of the following acts should you check?

A. FISMA

B. Privacy Act

C. PATRIOT Act

D. Freedom of Information Act

12. Joe is performing an audit to validate the effectiveness of the organization’s security policies. During his tests, he discovers that a user has a dial-out modem installed on a PC. Which security policy should be checked to see whether modems are allowed?

A. Firewall policy

B. Acceptable use policy

C. Remote access policy

D. Telework policy

13. A hacker is attempting to gain access to a target inside a business. After trying several methods, he gets frustrated and starts a denial-of-service attack against a server attached to the target. Which security control is the hacker affecting?

A. Confidentiality

B. Integrity

C. Availability

D. Authentication

14. In which phase of the ethical hacking methodology would a hacker discover available targets on a network?

A. Reconnaissance

B. Scanning and enumeration

C. Gaining access

D. Maintaining access

E. Covering tracks

15. Which of the following are potential drawbacks to a black-box test? (Choose all that apply.)

A. The client does not get a full picture of an external attacker focused on their systems.

B. The client does not get a full picture of an internal attacker focused on their systems.

C. This test takes the longest amount of time to complete.

D. This test takes the shortest amount of time to complete.

16. Which of the following best defines a logical or technical control?

A. Air conditioning

B. Security tokens

C. Fire alarms

D. Security policy

17. Which of the following would not be considered passive reconnaissance?

A. Dumpster diving for valuable, discarded information

B. Thoroughly examining financial sites for clues on target inventory and other useful information

C. Ping sweeping a range of IP addresses found through a DNS lookup

D. Using a search engine to discover competitive intelligence on the organization

18. As part of the preparation phase for a pen test that you are participating in, the client relays their intent to discover security flaws and possible remediation. They seem particularly concerned about external threats and do not mention internal threats at all. When defining scope, the threat of internal users is not added as part of the test. Which test is this client ignoring?

A. Gray box

B. Black box

C. White hat

D. Black hat

19. In which phase of the attack would a hacker set up and configure “zombie” machines?

A. Reconnaissance

B. Covering tracks

C. Gaining access

D. Maintaining access

20. Which of the following best describes an ethical hacker?

A. An ethical hacker never knowingly or unknowingly exceeds the boundaries of the scope agreement.

B. An ethical hacker never performs a denial-of-service attack on a target machine.

C. An ethical hacker never proceeds with an audit or test without written permission.

D. An ethical hacker never performs social engineering on unsuspecting members of the target organization.

21. Which of the following describes activities taken in the conclusion phase of a penetration test?

A. Reports are prepared detailing security deficiencies.

B. Vulnerability assessment is conducted.

C. Security control audits are performed.

D. Contract and scope agreement is created.

22. Which of the following should a security professional use as a possible means to verify the integrity of a data message from sender to receiver?

A. Strong password requirements for encryption of the file

B. Access controls on all network devices

C. Hash algorithm

D. Strong password requirements on operating system login

23. You are examining security logs snapshotted during a prior attack against the target. The target’s IP address is 135.17.22.15, and the attack originated from 216.88.76.5. Which of the following correctly characterizes this attack?

A. Inside attack

B. Outside attack

C. Black-box attack

D. Spoofing

24. A machine in your environment uses an open X-server to allow remote access. The X-server access control is disabled, allowing connections from almost anywhere and with little to no authentication measures. Which of the following are true statements regarding this situation? (Choose all that apply.)

A. An external vulnerability can take advantage of the misconfigured X-server threat.

B. An external threat can take advantage of the misconfigured X-server vulnerability.

C. An internal vulnerability can take advantage of the misconfigured X-server threat.

D. An internal threat can take advantage of the misconfigured X-server vulnerability.

25. While performing a pen test, you find success in exploiting a machine. Your attack vector took advantage of a common mistake—the Windows 7 installer script used to load the machine left the administrative account with a default password. Which attack did you successfully execute?

A. Application level

B. Operating system

C. Shrink wrap

D. Social engineering

E. Misconfiguration


1. C

2. A

3. D

4. A

5. B

6. A

7. D

8. B

9. A

10. A

11. B

12. C

13. C

14. B

15. B, C

16. B

17. C

18. A

19. D

20. C

21. A

22. C

23. B

24. B, D

25. B


1. A security team is implementing various security controls across the organization. After several configurations and applications, a final agreed-on set of security controls is put into place; however, not all risks are mitigated by the controls. Of the following, which is the next best step?

A. Continue applying controls until all risk is eliminated.

B. Ignore any remaining risk as “best effort controlled.”

C. Ensure that any remaining risk is residual or low and accept the risk.

D. Remove all controls.

C. Remember at the beginning of this chapter when I said the process of elimination may be your best bet in some cases? Well, even if you aren’t well-versed in risk management and security control efforts, you could narrow this down to the correct answer. It is impossible to remove all risk from any system and still have it usable. I’m certain there are exceptions to this rule (maybe super-secret machines in underground vaults buried deep within the earth, running on geothermal-powered batteries, without any network access at all and operated by a single operator who hasn’t seen daylight in many years), but in general the goal of security teams has always been to reduce risk to an acceptable level.

A is incorrect because, as I just mentioned, it’s impossible to reduce risk to absolute zero and still have a functional system. Remember the Security, Functionality, and Usability triangle? As you move toward more Security, you move further away from Functionality and Usability.

B is incorrect because it’s just silly. If you’re a security professional and your response to a risk—any risk—is to ignore it, I can promise you won’t be employed for long. Sure, you can point out that it’s low or residual and that the chance for actual exploitation is next to nonexistent, but you can’t ignore it. Best effort is for kindergarten trophies and IP packet delivery.

D is incorrect because removing all controls is worse than ignoring the risk. If you remove everything, then all risks remain. Remember, the objective is to balance your security controls to cover as much risk as possible, while leaving the system as usable and functional as possible.

2. A Certified Ethical Hacker (CEH) follows a specific methodology for testing a system. Which step comes after footprinting in the CEH methodology?

A. Scanning

B. Enumeration

C. Reconnaissance

D. Application attack

A. CEH methodology is laid out this way: reconnaissance (footprinting), scanning and enumeration, gaining access, escalating privileges, maintaining access, and covering tracks. While you may be groaning about scanning and enumeration both appearing as answers, they’re placed here in this way on purpose. This exam is not only testing your rote memorization of the methodology but how the methodology actually works. Remember, after scoping out the recon on your target, your next step is to scan it. After all, you have to know what targets are there first before enumerating information about them.

B is incorrect because, although it is mentioned as part of step 2, it’s actually secondary to scanning. Enumerating is used to gather more in-depth information about a target you already discovered by scanning. Things you might discover in scanning are IPs that respond to a ping. In enumerating each “live” IP, you might find open shares, user account information, and other goodies.

C is incorrect because reconnaissance and footprinting are interchangeable in CEH parlance. An argument can be made that footprinting is a specific portion of an overall recon effort; however, in all CEH documentation, these terms are used interchangeably.

D is incorrect because it references an attack. As usual, there’s almost always one answer you can throw out right away, and this is a prime example. We’re talking about step 2 in the methodology, where we’re still figuring out what targets are there and what vulnerabilities they may have. Attacking, at this point, is folly.

3. Which of the following best describes a newly discovered flaw in a software application?

A. Input validation flaw

B. Shrink-wrap vulnerability

C. Insider vulnerability

D. Zero-day

D. A zero-day threat is an attack or exploit on a vulnerability that the vendor, developer, system owner, and security community didn’t even know existed. When these arise, developers of the operating system, application, or system have had no time (zero days) to work on a fix, so even though we all know there is a security flaw, there’s not a whole lot we can do about it yet. Oftentimes the bad guys have been aware of it for quite a while, proving the old adage that the biggest security flaw in your system is the one you don’t even know about: We may have just now discovered the flaw, but it’s been in the application since the beginning.

A is incorrect because input validation flaws aren’t applicable here. While it is true that the newly discovered issue may indeed be an input that is not validated, allowing an attacker to put whatever they want in the field designed to have a serial number entered (for example), there’s nothing in this question to indicate that. It’s a newly discovered flaw, indicating that we didn’t know about it until just now.

B is incorrect because while a shrink-wrap vulnerability may actually exist in the real world (after all, an attack against a vulnerability in the shrink-wrapped application is taking advantage of a shrink-wrapped vulnerability), the term just isn’t real as far as your exam is concerned. There is a shrink-wrap attack, but it’s not a term for a vulnerability.

C is incorrect for the same reason as B: The term just doesn’t exist. It sounds good and makes for a decent distractor, but it’s irrelevant for this question.

4. Which security control role does encryption meet?

A. Preventive

B. Detective

C. Offensive

D. Defensive

E. Corrective

A. This one should be easy. Controls fall into three categories: preventive, detective, and corrective. In this instance, encryption of data is designed to prevent unauthorized eyes from seeing it. Depending on the encryption used, this can provide for confidentiality and nonrepudiation and is most definitely preventive in nature.

B is incorrect because a detective control is designed to watch for security breaches and detect when they occur. Tripwire running in real time and validating file integrity, alerting when one changes? IDS running on a machine or network to alert when naughty traffic comes by? Both are examples of detective controls.

C and D are incorrect for the same reason: These aren’t real terms. They may be actions you want to take as a security professional, but they’re not control categories.

E is incorrect because corrective controls are designed to fix things after an attack has been discovered and stopped. An example would be a protected backup, ready to bring the system back to life after an attack.

5. You’ve been hired as part of a pen test team. During the brief, you learn the client wants the pen test attack to simulate a normal user who finds ways to elevate privileges and create attacks. Which test type does the client want?

A. White box

B. Gray box

C. Black box

D. Hybrid

B. A gray box test is designed to replicate an inside attacker. Otherwise known as the partial knowledge attack (don’t forget this term), the idea is to simulate a user on the inside who might know a little about the network, directory structure, and other goodies in your enterprise. You’ll probably find this one to be the most enlightening attack in out-briefing your clients in the real world—it’s amazing what you can get to when you’re a trusted, inside user. As an aside, you’ll often find in the real world that gray-box testing can also refer to a test where any inside information is given to a pen tester—you don’t necessarily need to be a fully knowledgeable inside user. In other words, if you have usable information handed to you about your client, you’re performing gray-box testing.

A is incorrect because a white-box test provides all knowledge to the pen tester up front and is designed to simulate an admin on your network who, for whatever reason, decides to go on the attack. For most pen testers, this test is really just unfair. It’s tantamount to sending him into the Roman Colosseum armed with a .50 caliber automatic weapon to battle a gladiator who is holding a knife.

C is incorrect because black-box testing indicates no knowledge at all. And if you think about it, the name is easy to correlate and remember: black = no light. Therefore, you can’t “see” anything. This is the test most people think about when it comes to hacking. You know nothing and are (usually) attacking from the outside.

D is incorrect because, as far as I can tell from the EC-Council’s documentation, there is no terminology for a “hybrid-box” test. This is a little tricky because the term hybrid is used elsewhere—for attacks and other things. If you apply a little common sense here, this answer is easy to throw out. If you know everything about the target, it’s white. If you know nothing, it’s black. If you’re in the middle, it’s gray. See?

6. Which of the following is defined as ensuring the enforcement of organizational security policy does not rely on voluntary user compliance by assigning sensitivity labels on information and comparing this to the level of security a user is operating at?

A. Mandatory access control

B. Authorized access control

C. Role-based access control

D. Discretionary access control

A. Access control is defined as the selective restraint of access to a resource, and there are several overall mechanisms to accomplish this goal. Mandatory access control (MAC) is one type that constrains the ability of a subject to access or perform an operation on an object by assigning and comparing “sensitivity labels.” Suppose a person (or a process) attempts to access or edit a file. In MAC, a label is placed on the file indicating its security level. If the entity attempting to access it does not have that level, or higher, access is denied. With mandatory access control, security is centrally controlled by a security policy administrator, and users do not have the ability to override security settings.

This should not be confused with role-based access control (RBAC) systems, which may actually use MAC to get the job done. The difference is in whether the information itself has a labeled description or whether the person accessing it has their own label. For example, in a classified area, the information classified as Top Secret will have a label on it identifying it as such, while you, as an auditor, will have your own clearance and need-to-know label allowing you to access certain information. MAC is a property of an object; RBAC is a property of someone accessing an object.

B is incorrect because while authorized access control may sound great, it’s not a valid term.

C is incorrect because role-based access control can use MAC or discretionary access control to get the job done. In RBAC, the goal is to assign a role, and any entity holding that role can perform the duties associated with it. Users are not assigned permissions directly; they acquire them through their role (or roles). The roles are assigned to the user’s account, and each additional role provides its own unique set of permissions and rights.

D is incorrect because discretionary access control (DAC) allows the data owner, the user, to set security permissions for the object. If you’re on a Windows machine right now, you can create files and folders and then set sharing and permissions on them as you see fit. MAC administrators in the Department of Defense may shudder at that thought now.
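To make the three models concrete, here is an added example (not from the book or the EC-Council material) that decides the same request under MAC, RBAC, and DAC, and under MAC layered beneath RBAC as the answer describes. The sensitivity levels, roles, users, and the file are constructed sample data.

```python
# Toy policy engine contrasting MAC, RBAC, and DAC decisions.
# All levels, roles, subjects, and resources below are constructed sample data.
from dataclasses import dataclass, field

# Ordered sensitivity lattice used for the MAC label comparison (constructed).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

# RBAC: permissions hang off roles, never off individual users (constructed roles).
ROLE_PERMISSIONS = {
    "auditor": {"read"},
    "analyst": {"read", "write"},
}


@dataclass
class Subject:
    name: str
    clearance: str                              # MAC: level the user operates at
    roles: set = field(default_factory=set)     # RBAC: roles on the account


@dataclass
class Resource:
    name: str
    owner: str
    label: str                                  # MAC: sensitivity label on the object
    acl: dict = field(default_factory=dict)     # DAC: owner-set {user: {actions}}


def mac_allows(subject: Subject, resource: Resource) -> bool:
    """MAC: allowed only if the subject's level is the object's label or higher.
    Labels are set centrally; nothing here lets a user or owner override them."""
    return LEVELS[subject.clearance] >= LEVELS[resource.label]


def rbac_allows(subject: Subject, action: str) -> bool:
    """RBAC: the user holds the union of the permissions of every assigned role."""
    granted = set()
    for role in subject.roles:
        granted |= ROLE_PERMISSIONS.get(role, set())
    return action in granted


def dac_allows(subject: Subject, resource: Resource, action: str) -> bool:
    """DAC: the owner has full access and hands out permissions at their discretion."""
    if subject.name == resource.owner:
        return True
    return action in resource.acl.get(subject.name, set())


def decide(subject: Subject, resource: Resource, action: str, model: str) -> bool:
    """Evaluate one request under a single model, or under RBAC with MAC underneath."""
    if model == "MAC":
        return mac_allows(subject, resource)
    if model == "RBAC":
        return rbac_allows(subject, action)
    if model == "DAC":
        return dac_allows(subject, resource, action)
    if model == "MAC+RBAC":
        # Both must agree: the role grants the action, and the label check passes.
        return mac_allows(subject, resource) and rbac_allows(subject, action)
    raise ValueError(f"unknown model {model!r}")


# Constructed sample subjects and one labelled file owned by carol.
ALICE = Subject("alice", "SECRET", {"auditor"})
BOB = Subject("bob", "UNCLASSIFIED", {"analyst"})
CAROL = Subject("carol", "TOP SECRET", {"analyst"})
REPORT = Resource("q3-report.docx", owner="carol", label="SECRET",
                  acl={"bob": {"read"}})       # carol chose to share with bob


def demo() -> dict:
    """The same request (bob reads the SECRET report) under each model.
    DAC and RBAC allow it; MAC denies it because bob's level is below the label,
    and that central decision cannot be overridden by carol's ACL grant."""
    return {model: decide(BOB, REPORT, "read", model)
            for model in ("DAC", "RBAC", "MAC", "MAC+RBAC")}


if __name__ == "__main__":
    for model, allowed in demo().items():
        print(f"{model:9} bob reads {REPORT.name}: {'ALLOW' if allowed else 'DENY'}")
```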

7. You begin your first pen test assignment by checking out IP address ranges owned by the target as well as details of their domain name registration. Additionally, you visit job boards and financial websites to gather any technical information online. What activity are you performing?

A. Security assessments

B. Vulnerability assessment

C. Active footprinting

D. Passive footprinting

D. This question is another potential stumbling block on the test. The desire is to look at the question and think, “Wow, I’m typing things and using the Internet to gather information, so I’m actively working on the target.” The key when it comes to active versus passive recon is to think of your probability of being caught doing it. For example, the activities of checking Internet pages, performing Google searches, and looking up DNS entries aren’t necessarily going to alert anyone. These are things everyone does every day anyway. Walking into the offices and checking locked doors or trying to elicit information from people out in the parking lot probably will get you caught.

Two other things on this topic you’ll need to keep in mind are social engineering and what you’re actually touching during your information gathering. Social engineering can be tricky because it can be both passive and active recon. Dumpster diving is considered passive (despite that in the real world it’s really easy to get caught doing it), whereas walking in and talking to users can be considered active. Pay attention to the circumstances on these types of questions.

What’s more, when it comes to active and passive recon, sometimes a question can be answered based on the target network itself: If you touch it, you’re active; if you don’t, you’re passive. Think of it this way: Imagine the network you’re paid to examine is actually a big wire that’s electrified with 10,000 volts. If you walk around it, look over the fence, and take pictures, you’re passively gathering information. Touch that wire, though, and you become active. Real active. Active footprinting involves touching the target network, and it can bleed over into the scanning and enumeration phase.

A is incorrect because security assessments is a broad term that can indicate actual pen tests or basic security audits. Pen tests are designed to discover, exploit, and report on security vulnerabilities within a target. A security audit doesn’t necessarily intentionally exploit any vulnerability; it just finds them and points them out.

B is incorrect because it has nothing to do with what is being described in the question. A vulnerability assessment lists potential vulnerabilities and considers the potential impact of loss from a successful attack against any of them. In CEH parlance—and on your test—this term is more often than not used as a distractor. If you do see it on an exam, remember it is designed as more of a measurement technique and not an attack vector.

C is incorrect because active footprinting indicates you’re touching the target network itself. In the question, you (as the attacker) never actually touch the target. You are availing yourself of all that competitive intelligence lying around. Remember, competitive intelligence is freely available for anyone to get and is often used by competitors seeking an advantage in the marketplace. It’s not only legal to pull and analyze this information, it’s expected, and it does not require any active reconnaissance at all to acquire.

8. Of the following choices, which best defines a formal written document defining what employees are allowed to use organization systems for, what is not allowed, and what the repercussions are for breaking the rules?

A. Information audit policy (IAP)

B. Information security policy (ISP)

C. Penetration testing policy (PTP)

D. Company compliance policy (CCP)

B. The Information Security Policy (ISP) holds all sorts of information, but a big part of it is defining what is allowed, what’s not allowed, and what will happen if you disobey the rules. A subset of this (and generally what gets people all tricked up in this kind of question) is the Acceptable Use Policy. Generally speaking, users have to sign an Acceptable Use Policy before they’re given access. It has to be very clear and concise, and usually references the ISP for all the details a user may need to know.

A is incorrect because the Information Audit Policy defines what is audited, how long it’s retained, and who has access to the audit logs.

C is incorrect because, if it’s even valid for your organization, a Pen Test Policy defines the frequency, scope, and guidelines of testing requirements for the organization.

D is incorrect because there is no such thing as a Company Compliance Policy.

9. An ethical hacker is given no prior knowledge of the network and has a specific framework in which to work. The agreement specifies boundaries, nondisclosure agreements, and a completion date definition. Which of the following is true?

A. A white hat is attempting a black-box test.

B. A white hat is attempting a white-box test.

C. A black hat is attempting a black-box test.

D. A black hat is attempting a gray-box test.

A. I love these types of questions. Not only is this a two-for-one question, but it involves identical but confusing descriptors, causing all sorts of havoc. The answer to attacking such questions—and you will see them, by the way—is to take each section one at a time. Start with what kind of hacker he is. He’s hired under a specific agreement, with full knowledge and consent of the target, thus making him a white hat. That eliminates C and D right off the bat. Second, to address what kind of test he’s performing, simply look at what he knows about the system. In this instance, he has no prior knowledge at all, thus making it a black-box test.

B is incorrect because although the attacker is one of the good guys (a white hat, proceeding with permission and an agreement in place), he is not provided with full knowledge of the system. In fact, it’s quite the opposite—according to the question he knows absolutely nothing about it, making this particular “box” as black as it can be. A white-box target indicates one that the attacker already knows everything about. It’s lit up and wide open.

C is incorrect right off the bat because it references a black hat. Black-hat attackers are the bad guys—the ones proceeding without the target’s knowledge or permission. They usually don’t have inside knowledge of their target, so their attacks often start “black box.”

D is incorrect for the same reason just listed: This attacker has permission to proceed and is operating under an agreement; therefore, he can’t be a black-hat attacker. Additionally, this answer went the extra mile to convince you it was wrong—and missed on both swings. Not only is this a white-hat attacker, but the attack itself is black box. A gray-box attack indicates at least some inside knowledge of the target.

10. Which of the following is a detective control?

A. Audit trail

B. CONOPS

C. Procedure

D. Smartcard authentication

E. Process

A. A detective control is an effort used to identify problems, errors, or (in the case of post-attack discovery) the cause or evidence of an exploited vulnerability. Ideally, detective controls should be in place and working such that errors can be corrected as quickly as possible. Many compliance laws and standards (the Sarbanes–Oxley Act of 2002 is one example) mandate the use of detective controls.

B is incorrect because a concept of operations (CONOPS) isn’t detective in nature. A CONOPS defines what a system is and how it is supposed to be used.

C is incorrect because a procedure is a document that spells out specific step-by-step instructions for a given situation or process.

D is incorrect because smartcard authentication is a preventive control, not a detective one. It’s designed to provide strong authentication, ideally preventing a problem in the first place.

E is incorrect because a process can refer to a lot of different things, depending on your definition and viewpoint, but is not detective in nature as a control. A process, in general, refers to a set of steps or actions directed at accomplishing a goal.

11. As part of a pen test on a U.S. government system, you discover files containing Social Security numbers and other sensitive personally identifiable information (PII). You are asked about controls placed on the dissemination of this information. Which of the following acts should you check?

A. FISMA

B. Privacy Act

C. PATRIOT Act

D. Freedom of Information Act

B. The Privacy Act of 1974 protects information of a personal nature, including Social Security numbers. The Privacy Act defines exactly what “personal information” is, and it states that government agencies cannot disclose any personal information about an individual without that person’s consent. It also lists 12 exemptions for the release of this information (for example, information that is part of a law enforcement issue may be released). In other questions you see, keep in mind that the Privacy Act generally will define the information that is not available to you in and after a test. Dissemination and storage of privacy information needs to be closely controlled to keep you out of hot water.

A is incorrect because the Federal Information Security Management Act (FISMA) isn’t designed to control the dissemination of PII or sensitive data. Its primary goal is to ensure the security of government systems by promoting a standardized approach to security controls, implementation, and testing. The act requires government agencies to create a security plan for their systems and to have it “accredited” at least once every three years.

C is incorrect because the PATRIOT Act is not an effort to control personal information. Its purpose is to aid the U.S. government in preventing terrorism by increasing the government’s ability to monitor, intercept, and maintain records on almost every imaginable form of communication. As a side effect, it has also served to increase observation and prevention of hacking attempts on many systems.

D is incorrect because the Freedom of Information Act wasn’t designed to tell you what to do with information. Its goal is to define how you can get information—specifically information regarding how your governments work. It doesn’t necessarily help you in hacking, but it does provide a cover for a lot of information. Anything you uncover that could have been gathered through the Freedom of Information Act is considered legal and should be part of your overall test.

12. Joe is performing an audit to validate the effectiveness of the organization’s security policies. During his tests, he discovers that a user has a dial-out modem installed on a PC. Which security policy should be checked to see whether modems are allowed?

A. Firewall policy

B. Conduct policy

C. Remote access policy

D. Telework policy

C. Yes, Dear Reader, I do realize how ridiculous a question like this seems, and I am absolutely sure there is no way you missed it. Sometimes things are really that obvious. Organizations usually have tons of different policies that cover all sorts of different things. The remote access policy, covering things like what is an allowable method to access the network remotely, is the best option provided here.

A is incorrect because a firewall policy deals with corporate firewalls—how they’re used, where they’re placed, and how their rules get approved and implemented. Despite the fact that every movie Hollywood puts out begins and ends network security with a firewall, it has absolutely nothing to do with this user bypassing everything with a modem.

B is incorrect because, as far as I know, there is no such thing as a conduct policy. I suppose an acceptable use policy would be the closest thing to it, but conduct policy simply doesn’t exist and wouldn’t be correct here if it did.

D is incorrect because, again, I’m not altogether sure this is a real term. A telework policy, if it existed at all, would be to define the roles and responsibilities of employees working from home or remote locations. A good distractor? Absolutely. The best answer here? Not even close.

13. A hacker is attempting to gain access to a target inside a business. After trying several methods, he gets frustrated and starts a denial-of-service attack against a server attached to the target. Which security control is the hacker affecting?

A. Confidentiality

B. Integrity

C. Availability

D. Authentication

C. Denial-of-service attacks are always attacks against the availability of the system. Regardless of whatever else the hacker has tried to accomplish against the machine, a successful denial-of-service (DoS) attack removes the availability of the machine. Remember, availability refers to the communications systems and data being ready for use when legitimate users need them. Many methods are used for availability, depending on whether the discussion is about a system, network resource, or the data itself. However, they all attempt to ensure one thing: When the system or data is needed, it can be accessed by the appropriate personnel. Attacks against availability always fall into the denial-of-service realm.

A is incorrect because the attacker is not affecting the machine’s ability to discern his true identity. As a matter of fact, it seems the confidentiality controls in place on the machine are working well. Remember, confidentiality addresses the secrecy and privacy of information and refers to the measures taken to prevent the disclosure of information or data to unauthorized individuals or systems.

B is incorrect because the attacker didn’t get frustrated and attempt to change or alter any data; he simply decided to cut off access to it. Remember, integrity refers to the methods and actions taken to protect the information from unauthorized alteration or revision—whether the data is at rest or in transit.

D is incorrect because the hacker appears to be having problems authenticating at the machine, which bodes well for the security personnel devoted to protecting it. Authentication is a subset of the larger confidentiality factor.

14. In which phase of the ethical hacking methodology would a hacker discover available targets on a network?

A. Reconnaissance

B. Scanning and enumeration

C. Gaining access

D. Maintaining access

E. Covering tracks

B. The scanning and enumeration phase is where you’ll use things such as ping sweeps to discover available targets on the network. This step occurs after reconnaissance. In this step, tools and techniques are actively applied to information gathered during recon to obtain more in-depth information on the targets. For example, reconnaissance may show a network subnet to have 500 or so machines connected inside a single building, whereas scanning and enumeration would discover which ones are Windows machines and which ones are running FTP.

A is incorrect because the reconnaissance phase is nothing more than the steps taken to gather evidence and information on the targets you want to attack. Activities that occur in this phase include dumpster diving and social engineering. Another valuable tool in recon is the Internet. Look for any of these items as key words in answers on your exam. Of course, in the real world you may actually gather so much information in your recon you’ll already be way ahead of the game in identifying targets and whatnot, but when it comes to the exam, stick with the hard-and-fast boundaries they want you to remember and move on.

C is incorrect because the gaining access phase is all about attacking the machines themselves. You’ve already figured out background information on the client and have enumerated the potential vulnerabilities and security flaws on each target. In this phase, you break out the big guns and start firing away. Key words you’re looking for here are the attacks themselves: Accessing an open and nonsecured wireless access point, manipulating network devices, writing and delivering a buffer overflow, and performing SQL injection against a web application are all examples.

D is incorrect because this phase is all about back doors and the steps taken to ensure you have a way back in. For the savvy readers out there who noticed I skipped a step here (escalating privileges), well done. Key words you’ll look for on this phase (maintaining access) are back doors, zombies, and rootkits.

E is incorrect because this phase is all about cleaning up when you’re done and making sure no one can see where you’ve been. Clearing tracks involves steps to conceal success and avoid detection by security professionals. Steps taken here consist of removing or altering log files, hiding files with hidden attributes or directories, and even using tunneling protocols to communicate with the system.

15. Which of the following are potential drawbacks to a black-box test? (Choose all that apply.)

A. The client does not get a focused picture of an external attacker dedicated on their systems.

B. The client does not get a focused picture of an internal attacker dedicated on their systems.

C. This test takes the longest amount of time to complete.

D. This test takes the shortest amount of time to complete.

B and C. Black-box tests are conducted to simulate an outside attacker. The problem with this test, if done solely on its own, is twofold. First, it concentrates solely on what most people think of as the biggest threat: an outside attacker. You know—some guy in a dark room surrounded by green-tinted monitors who has decided to break into the enterprise network. This totally ignores one of the biggest threats to the network in the first place—the disgruntled insider. Additionally, because of its very nature, a black-box test takes longer than any other type to complete. If you think about it, this makes sense.

A is incorrect because the point of the black-box test is to simulate the external attacker. It’s designed to simulate an outside, unknown attacker; takes the most amount of time to complete; and is usually (by far) the most expensive option.

D is incorrect because black-box testing takes the longest amount of time to complete. The reason for this is obvious: With white- or gray-box testing, you’ve already got a leg up on your black-box brethren, in that you already have some insider information. With black-box testing, you need to go through all the phases of the CEH methodology.

16. Which of the following best defines a logical or technical control?

A. Air conditioning

B. Security tokens

C. Fire alarms

D. Security policy

B. A logical (or technical) control is one used for identification, authentication, and authorization. They can be embedded inside operating systems, applications, or database management systems. A security token (such as RSA’s SecurID) can provide a number that changes on a recurring basis that a user must provide during authentication or may provide a built-in number on a USB device that must be attached during authentication. A physical control is something, well, physical in nature, such as a lock or key or maybe a guard.

A and C are incorrect because air conditioning and fire alarms both fall into the category of physical control.

D is incorrect because a security policy isn’t a logical or technical control.

17. Which of the following would not be considered passive reconnaissance?

A. Dumpster diving for valuable, discarded information

B. Thoroughly examining financial sites for clues on target inventory and other useful information

C. Ping sweeping a range of IP addresses found through a DNS lookup

D. Using a search engine to discover competitive intelligence on the organization

C. When it comes to active versus passive recon, remember the two golden rules. First rule: If it’s something that exposes you to more risk in being caught, the recon is active. Second rule: If you touch the target, the recon is active. For example, walking up to locked doors and checking them or going into the building to attempt social engineering on the user are both active measures. Dumpster diving, “quiet” social engineering, and using Google to find information on the target are all examples of passive reconnaissance (a.k.a. passive footprinting). And lastly, ping sweeping is done in the scanning and enumeration phase, not during reconnaissance, so this answer should have been an easy one for you to eliminate.

A is incorrect because dumpster diving is one of the prime examples of passive recon. It’s simple and doesn’t expose you to too much risk of being caught. It also doesn’t require you to interact with your target at all.

B is incorrect because examining competitive intelligence is free and readily available and should be gathered as part of your passive reconnaissance. Other avenues for this type of recon include job boards, social networking sites, and the company’s own website. Pull a copy down and explore it. You’ll be amazed what you can find passively.

D is incorrect because this is also a prime example of passive reconnaissance. During passive recon, you are expected to use all avenues of the Internet to find information on your target. In addition to the other avenues mentioned here, don’t neglect the blogosphere—that wonderful world of blogging that has sprung up over the past few years. Sometimes people post the strangest stuff on their blogs, and sometimes that posted material is just the ticket you need to successfully complete your task.

18. As part of the preparation phase for a pen test you are participating in, the client relays their intent to discover security flaws and possible remediation. They seem particularly concerned about external threats and do not mention internal threats at all. When defining scope, the threat of internal users is not added as part of the test. Which test is this client ignoring?

A. Gray box

B. Black box

C. White hat

D. Black hat

A. Once again, this is a play on words the exam will throw at you. Note the question is asking about a test type, not the attacker. Reviewing CEH documentation, you’ll see there are three types of tests—white, black, and gray—with each designed to test a specific threat. White tests the internal threat of a knowledgeable systems administrator or an otherwise elevated privilege level user. Black tests external threats with no knowledge of the target. Gray tests the average internal user threat to expose potential security problems inside the network.

B is incorrect because black-box testing is designed to simulate the external threat, which is exactly what this client is asking for. Black-box testing takes the most amount of time to complete because it means a thorough romp through the five stages of an attack (and removes any preconceived notions of what to look for) and is usually the most expensive option. Another drawback to this type of test is that it focuses solely on the threat outside the organization and does not take into account any trusted users on the inside.

C is incorrect because a hat color refers to the attacker himself. True, the client is hiring a white hat in this instance to perform the test; however, the hat does not equate to the test. White hats are the “good guys”—ethical hackers hired by a customer for the specific goal of testing and improving security. White hats don’t use their knowledge and skills without prior consent.

D is incorrect because this question refers to the test itself, not the type of attacker. Black hats are the “bad guys” and are otherwise known as crackers. They illegally use their skills either for personal gain or for malicious intent, seeking to steal or destroy data or to deny access to resources and systems. Black hats do not ask for permission or consent.

19. In which phase of the attack would a hacker set up and configure “zombie” machines?

A. Reconnaissance

B. Covering tracks

C. Gaining access

D. Maintaining access

D. Zombies are basically machines the hacker has confiscated to do his work for him. If the attacker is really good, the owners of the zombie machines don’t even know their machines have been drafted into the war.

A is incorrect because the reconnaissance phase is all about gaining knowledge and information on a target. In reconnaissance you’re learning about the target itself—what system types they may have in use, what operating hours they run, whether they use a shredder, and what personal information about their employees is available are all examples. Think of reconnaissance as the background information on a good character in a novel; it may not be completely necessary to know before you read the action scenes, but it sure makes it easier to understand why the character behaves in a certain manner during the conflict phase of the book. Setting up zombie systems goes far beyond the boundaries of gathering information.

B is incorrect because this phase is where attackers attempt to conceal their success and avoid detection by security professionals. This can involve removing or altering log files, hiding files with hidden attributes or directories, and using tunneling protocols to communicate with the system.

C is incorrect because in this phase attacks are leveled against the targets enumerated during the scanning and enumeration phase. Key words to look for in identifying this phase are the attacks themselves (such as buffer overflow and SQL injection). Finally, be careful about questions relating to elevating privileges. Sometimes this is counted as its own phase, so pay close attention to the question’s wording in choosing your answer.

20. Which of the following best describes an ethical hacker?

A. An ethical hacker never knowingly or unknowingly exceeds the boundaries of the scope agreement.

B. An ethical hacker never performs a denial-of-service attack on a target machine.

C. An ethical hacker never proceeds with an audit or test without written permission.

D. An ethical hacker never performs social engineering on unsuspecting members of the target organization.

C. I know you’re tired of seeing this question. I’m tired of asking it. But you get the point now, right? This is important, and you will see it on the exam. The only real difference between those bad-guy crackers out there and us, the ethical hackers, is written permission. Bad guys want to steal and destroy stuff. They don’t care about rules and don’t bother to ask for permission. They will ruthlessly attack every avenue they can possibly think of in order to break into the target, and they don’t care how far down the rabbit hole it takes them. The only difference between them and us is that we agree to do it only under certain controlled circumstances and guidelines. If, for one second, you think an ethical hacker won’t take advantage of every single tool, loophole, loose lip, or technique available without regard to how bad it makes someone in the target organization feel, you are in the wrong field. We’re just as dirty as the other guys; we just do it with permission.

A is incorrect because, although the ethical hacker shouldn’t ever knowingly exceed the scope or boundaries of his test, it’s sometimes done unknowingly. Heck, sometimes there’s almost no way around it, and it often occurs without the tester knowing about it until later. In several famous cases a pen test has gone awry and hit things outside the target organization. This doesn’t mean the tester was unethical, however. It just happens.

B is incorrect because your client may specifically ask you to perform a DoS attack. Oftentimes, they’ll explicitly ask you not to perform a DoS attack, but the point is the same regardless: We will test everything we’re told to, just as a bad guy would do in trying to affect or gain access to a resource.

D is incorrect because social engineering is a big part of a true pen test. After all, the users are the weakest link in the chain, right? If you don’t test them, you’re not performing a full test. Because social engineering is on the table for the bad guys, it’s on the table for us, too.

21. Which of the following describes activities taken in the conclusion phase of a penetration test?

A. Reports are prepared detailing security deficiencies.

B. Vulnerability assessment is conducted.

C. Security control audits are performed.

D. Contract and scope agreement is created.

A. Pen tests consist of three major phases: preparation, assessment, and conclusion. The conclusion phase is where you wrap everything up and present your findings to the customer. The only tricky thing about this question is overthinking it. While you’re testing and discovering things, you’re documenting everything that’s happening. Therefore, you could easily make an argument that, in a way, you’re preparing reports during the assessment phase. Don’t overthink this one—reports are done in the conclusion phase.

B is incorrect because vulnerability assessment and all attacks and audits occur during the assessment phase of a pen test.

C is incorrect because security control audits occur during the assessment phase of a pen test. Remember, all the action occurs in the middle, surrounded by planning for the action (preparation phase) and presenting it to the customer (conclusion phase).

D is incorrect because contract and scope agreement are hammered out in the preparation phase. This is where you determine how far you can go, what the client actually wants to find out, and where they don’t want you to be.

22. Which of the following should a security professional use as a possible means to verify the integrity of a data message from sender to receiver?

A. Strong password requirements for encryption of the file

B. Access controls on all network devices

C. Hash algorithm

D. Strong password requirements on operating system login

C. A hash is the preferred method most often used for verifying the integrity of a file. Basically, before you send the file, you run it through a hash algorithm (such as MD5 or SHA-1) that generates a number. When it’s received, you do the same. If the numbers match, voilà!

A is incorrect because it’s referencing confidentiality controls. Almost every time you see password referenced, you should think confidentiality, not integrity.

B is incorrect because it’s also referencing confidentiality controls. Access controls are exactly what they sound like: controls put in place to control access to something. In the context of network devices, they control things such as administrative access to the IOS.

D is incorrect because it’s also referencing confidentiality controls. Once again, passwords equate to confidentiality controls.
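The sender-side hash and receiver-side recomputation described above, as an added example that is not from the book. It goes one step beyond the text: a plain hash catches a modified message only while the digest itself stays intact, so a keyed HMAC is shown for the case where the hash travels over the same untrusted channel. SHA-256 stands in for the MD5 and SHA-1 the text names (both are no longer collision resistant); the messages and key are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample messages for the demonstration (not from the book).
ORIGINAL = b"Ship 100 units to warehouse 7"
TAMPERED = b"Ship 900 units to warehouse 7"


def digest(message: bytes) -> str:
    """Sender side: run the message through a hash algorithm and keep the result.

    SHA-256 is used instead of the MD5/SHA-1 named in the text because both of
    those have practical collision attacks against them.
    """
    return hashlib.sha256(message).hexdigest()


def integrity_matches(message: bytes, expected_digest: str) -> bool:
    """Receiver side: recompute the digest and compare it with the one sent.

    compare_digest runs in constant time, so timing does not reveal how many
    leading characters of the expected value were correct.
    """
    return hmac.compare_digest(digest(message), expected_digest)


def keyed_tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256 over the message with a key shared by sender and receiver.

    An unkeyed hash only detects accidental corruption or a tamperer who cannot
    also replace the digest; a keyed tag cannot be regenerated without the key.
    """
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def keyed_tag_matches(key: bytes, message: bytes, expected_tag: str) -> bool:
    """Receiver-side check for the keyed tag, again in constant time."""
    return hmac.compare_digest(keyed_tag(key, message), expected_tag)


def demo() -> dict:
    """Walk through both schemes and report what each one catches."""
    key = b"shared-secret-from-out-of-band-setup"  # constructed placeholder key
    sent_digest = digest(ORIGINAL)
    sent_tag = keyed_tag(key, ORIGINAL)
    return {
        # Plain hash: catches a modified message when the digest is intact.
        "hash_accepts_original": integrity_matches(ORIGINAL, sent_digest),
        "hash_rejects_tampered": not integrity_matches(TAMPERED, sent_digest),
        # Plain hash: a tamperer who can also rewrite the digest is not caught.
        "hash_fooled_if_digest_replaced": integrity_matches(TAMPERED, digest(TAMPERED)),
        # Keyed tag: the tamperer cannot forge a tag without the key.
        "hmac_accepts_original": keyed_tag_matches(key, ORIGINAL, sent_tag),
        "hmac_rejects_tampered": not keyed_tag_matches(key, TAMPERED, sent_tag),
        "hmac_rejects_forged_tag": not keyed_tag_matches(
            key, TAMPERED, keyed_tag(b"attacker-guess", TAMPERED)
        ),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {'ok' if result else 'FAILED'}")
```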

23. You are examining security logs snapshotted during a prior attack against the target. The target’s IP address is 135.17.22.15, and the attack originated from 216.88.76.5. Which of the following correctly characterizes this attack?

A. Inside attack

B. Outside attack

C. Black-box attack

D. Spoofing

B. This is an example of one of those little definition questions you’ll see on the exam and will be thankful for. An inside attack generates from inside the network boundary, whereas an outside attack comes from outside the border. Granted, anyone with any networking knowledge at all knows it’s impossible to tell, solely from an IP address, whether one is inside or outside a company’s network boundary. All sorts of things, such as VPNs, multiple nets, and subsidiaries, could make life miserable in figuring out where the inside versus outside line is. If you’re faced with this on the exam, though, just take it at face value. Trust me on this.

A is incorrect because the attack came from a different network—fully outside the enterprise’s virtual walls. The only time this can become a tricky question is when subnetting is involved, in which case the question will have to point out where the enterprise network footprint stops.

C is incorrect because we simply have no idea what type of attack—black, gray, or white—this is. True, it’s starting from outside the network, leading us to believe it a black-box attack, but that’s not necessarily true, and there certainly isn’t enough information here to make that call.

D is incorrect because spoofing has to do with an attempt to fake a machine’s identity (usually through MAC or IP). The question doesn’t specify whether this is in play, so it can’t be the answer you’re looking for.

24. A machine in your environment uses an open X-server to allow remote access. The X-server access control is disabled, allowing connections from almost anywhere and with little to no authentication measures. Which of the following are true statements regarding this situation? (Choose all that apply.)

A. An external vulnerability can take advantage of the misconfigured X-server threat.

B. An external threat can take advantage of the misconfigured X-server vulnerability.

C. An internal vulnerability can take advantage of the misconfigured X-server threat.

D. An internal threat can take advantage of the misconfigured X-server vulnerability.

B and D. This is an easy one because all you have to understand are the definitions of threat and vulnerability. A threat is any agent, circumstance, or situation that could potentially cause harm or loss to an IT asset. In this case, the implication is the threat is an individual (hacker) either inside or outside the network. A vulnerability is any weakness, such as a software flaw or logic design, that could be exploited by a threat to cause damage to an asset. In both these answers, the vulnerability—the access controls on X-server are not in place—can be exploited by the threat, whether internal or external.

A and C are both incorrect because they list the terms backward. Threats take advantage of vulnerabilities and exploit them, not the other way around.

25. While performing a pen test, you find success in exploiting a machine. Your attack vector took advantage of a common mistake—the Windows 7 installer script used to load the machine left the administrative account with a default password. Which attack did you successfully execute?

A. Application level

B. Operating system

C. Shrink wrap

D. Social engineering

E. Misconfiguration

B. Operating system (OS) attacks target common mistakes many people make when installing operating systems—accepting and leaving all the defaults. Examples usually include things such as administrator accounts with no passwords, ports left open, and guest accounts left behind. Another OS attack you may be asked about deals with versioning. Operating systems are never released fully secure and are consistently upgraded with hotfixes, security patches, and full releases. The potential for an old vulnerability within the enterprise is always high.

A is incorrect because application-level attacks are centered on the actual programming code of an application. These attacks are usually successful in an overall pen test because many people simply discount the applications running on their OS and network, preferring to spend their time hardening the OSs and network devices. Many applications on a network aren’t tested for vulnerabilities as part of their creation and, as such, have many vulnerabilities built in.

C is incorrect because shrink-wrap attacks take advantage of the built-in code and scripts most off-the-shelf applications come with. These attacks allow hackers to take advantage of the very things designed to make installation and administration easier. These shrink-wrapped snippets make life easier for installation and administration, but they also make it easier for attackers to get in.

D is incorrect because social engineering isn’t relevant at all in this question. There is no human element here, so this one can be thrown out.

E is incorrect because misconfiguration attacks take advantage of systems that are, on purpose or by accident, not configured appropriately for security. For example, suppose an administrator wants to make things as easy as possible for the users and, in keeping with security and usability being on opposite ends of the spectrum, leaves security settings at the lowest possible level, enabling services, opening firewall ports, and providing administrative privileges to all users. It’s easier for the users but creates a target-rich environment for the hacker.