312-50 : CEH Certified Ethical Hacker (312-50v9) : Part 17

  1. A company’s security policy states that all Web browsers must automatically delete their HTTP browser cookies upon terminating. What sort of security breach is this policy attempting to mitigate?

    • Attempts by attackers to access Web sites that trust the Web browser user by stealing the user’s authentication credentials.
    • Attempts by attackers to access the user and password information stored in the company’s SQL database.
    • Attempts by attackers to access passwords stored on the user’s computer without the user’s knowledge.
    • Attempts by attackers to determine the user’s Web browser usage patterns, including when sites were visited and for how long.
    Cookies can store passwords and form content a user has previously entered, such as a credit card number or an address.
    Cookies can be stolen using a technique called cross-site scripting. This occurs when an attacker takes advantage of a website that allows its users to post unfiltered HTML and JavaScript content.
  2. A company’s Web development team has become aware of a certain type of security vulnerability in their Web software. To mitigate the possibility of this vulnerability being exploited, the team wants to modify the software requirements to disallow users from entering HTML as input into their Web application.

    What kind of Web application vulnerability likely exists in their software?

    • Cross-site scripting vulnerability
    • Cross-site Request Forgery vulnerability
    • SQL injection vulnerability
    • Web site defacement vulnerability
    Many operators of particular web applications (e.g. forums and webmail) allow users to utilize a limited subset of HTML markup. When accepting HTML input from users (say, <b>very</b> large), output encoding (such as &lt;b&gt;very&lt;/b&gt; large) will not suffice since the user input needs to be rendered as HTML by the browser (so it shows as “very large”, instead of “<b>very</b> large”). Stopping an XSS attack when accepting HTML input from users is much more complex in this situation. Untrusted HTML input must be run through an HTML sanitization engine to ensure that it does not contain cross-site scripting code.
  3. Which of the following is considered the best way to protect Personally Identifiable Information (PII) from Web application vulnerabilities?

    • Use cryptographic storage to store all PII
    • Use encrypted communications protocols to transmit PII
    • Use full disk encryption on all hard drives to protect PII
    • Use a security token to log into all Web applications that use PII
    As a matter of good practice any PII should be protected with strong encryption.

  4. Which of the following is one of the most effective ways to prevent Cross-site Scripting (XSS) flaws in software applications?

    • Validate and escape all information sent to a server
    • Use security policies and procedures to define and implement proper security settings
    • Verify access right before allowing access to protected information and UI controls
    • Use digital certificates to authenticate a server prior to sending data
    Contextual output encoding/escaping could be used as the primary defense mechanism to stop Cross-site Scripting (XSS) attacks.
  5. An Internet Service Provider (ISP) has a need to authenticate users connecting using analog modems, Digital Subscriber Lines (DSL), wireless data services, and Virtual Private Networks (VPN) over a Frame Relay network.

    Which AAA protocol is most likely able to handle this requirement?

    • RADIUS
    • Kerberos
    • TACACS+
    Because of the broad support and the ubiquitous nature of the RADIUS protocol, it is often used by ISPs and enterprises to manage access to the Internet or internal networks, wireless networks, and integrated e-mail services. These networks may incorporate modems, DSL, access points, VPNs, network ports, web servers, etc.
  6. A new wireless client is configured to join an 802.11 network. This client uses the same hardware and software as many of the other clients on the network. The client can see the network, but cannot connect. A wireless packet sniffer shows that the Wireless Access Point (WAP) is not responding to the association requests being sent by the wireless client.

    What is a possible source of this problem?

    • The WAP does not recognize the client’s MAC address
    • The client cannot see the SSID of the wireless network
    • Client is configured for the wrong channel
    • The wireless client is not configured to use DHCP
    MAC Filtering (or GUI filtering, or layer 2 address filtering) refers to a security access control method whereby the 48-bit address assigned to each network card is used to determine access to the network. MAC Filtering is often used on wireless networks.
  7. An Intrusion Detection System (IDS) has alerted the network administrator to a possibly malicious sequence of packets sent to a Web server in the network’s external DMZ. The packet traffic was captured by the IDS and saved to a PCAP file.

    What type of network tool can be used to determine if these packets are genuinely malicious or simply a false positive?

    • Protocol analyzer
    • Intrusion Prevention System (IPS)
    • Network sniffer
    • Vulnerability scanner
    A packet analyzer (also known as a network analyzer, protocol analyzer or packet sniffer—or, for particular types of networks, an Ethernet sniffer or wireless sniffer) is a computer program or piece of computer hardware that can intercept and log traffic that passes over a digital network or part of a network. A packet analyzer can analyze packet traffic saved in a PCAP file.
  8. An attacker gains access to a Web server’s database and displays the contents of the table that holds all of the names, passwords, and other user information. The attacker did this by entering information into the Web site’s user login page that the software’s designers did not expect to be entered. This is an example of what kind of software design problem?

    • Insufficient input validation
    • Insufficient exception handling
    • Insufficient database hardening
    • Insufficient security management
    The most common web application security weakness is the failure to properly validate input coming from the client or from the environment before using it. This weakness leads to almost all of the major vulnerabilities in web applications, such as cross site scripting, SQL injection, interpreter injection, locale/Unicode attacks, file system attacks, and buffer overflows.
  9. Which of the following is a protocol specifically designed for transporting event messages?

    • SYSLOG
    • SMS
    • SNMP
    • ICMP
    syslog is a standard for message logging. It permits separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them. Each message is labeled with a facility code, indicating the software type generating the message, and assigned a severity label.
  10. Which of the following security operations is used for determining the attack surface of an organization?

    • Running a network scan to detect network services in the corporate DMZ
    • Training employees on the security policy regarding social engineering
    • Reviewing the need for a security clearance for each employee
    • Using configuration management to determine when and where to apply security patches
    For a network scan the goal is to document the exposed attack surface along with any easily detected vulnerabilities.
  11. The security concept of “separation of duties” is most similar to the operation of which type of security device?

    • Firewall
    • Bastion host
    • Intrusion Detection System
    • Honeypot
    In most enterprises the engineer making a firewall change is also the one reviewing the firewall metrics for unauthorized changes. What if the firewall administrator wanted to hide something? How would anyone ever find out? This is where the separation of duties comes in to focus on the responsibilities of tasks within security.
  12. The “black box testing” methodology enforces which kind of restriction?

    • Only the external operation of a system is accessible to the tester.
    • Only the internal operation of a system is known to the tester.
    • The internal operation of a system is only partly accessible to the tester.
    • The internal operation of a system is completely known to the tester.
    Black-box testing is a method of software testing that examines the functionality of an application without peering into its internal structures or workings.
  13. The “gray box testing” methodology enforces what kind of restriction?

    • The internal operation of a system is only partly accessible to the tester.
    • The internal operation of a system is completely known to the tester.
    • Only the external operation of a system is accessible to the tester.
    • Only the internal operation of a system is known to the tester.
    A black-box tester is unaware of the internal structure of the application to be tested, while a white-box tester has access to the internal structure of the application. A gray-box tester partially knows the internal structure, which includes access to the documentation of internal data structures as well as the algorithms used.
  14. The “white box testing” methodology enforces what kind of restriction?

    • The internal operation of a system is completely known to the tester.
    • Only the external operation of a system is accessible to the tester.
    • Only the internal operation of a system is known to the tester.
    • The internal operation of a system is only partly accessible to the tester.
    White-box testing (also known as clear box testing, glass box testing, transparent box testing, and structural testing) is a method of testing software that tests internal structures or workings of an application, as opposed to its functionality (i.e. black-box testing). In white-box testing an internal perspective of the system, as well as programming skills, are used to design test cases.
  15. To determine if a software program properly handles a wide range of invalid input, a form of automated testing can be used to randomly generate invalid input in an attempt to crash the program.

    What term is commonly used when referring to this type of testing?

    • Fuzzing
    • Randomizing
    • Mutating
    • Bounding
    Fuzz testing or fuzzing is a software testing technique, often automated or semi-automated, that involves providing invalid, unexpected, or random data to the inputs of a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. Fuzzing is commonly used to test for security problems in software or computer systems. It is a form of random testing which has been used for testing hardware or software.
  16. To maintain compliance with regulatory requirements, a security audit of the systems on a network must be performed to determine their compliance with security policies. Which one of the following tools would most likely be used in such an audit?

    • Vulnerability scanner
    • Protocol analyzer
    • Port scanner
    • Intrusion Detection System
    A vulnerability scanner is a computer program designed to assess computers, computer systems, networks or applications for weaknesses.
    Such scanners can be run either as part of vulnerability management by those tasked with protecting systems, or by black hat attackers looking to gain unauthorized access.
  17. Which of these options is the most secure procedure for storing backup tapes?

    • In a climate controlled facility offsite
    • On a different floor in the same building
    • Inside the data center for faster retrieval in a fireproof safe
    • In a cool dry environment
    An effective disaster data recovery strategy should consist of producing backup tapes and housing them in an offsite storage facility. This way the data isn’t compromised if a natural disaster affects the business’ office. It is highly recommended that the backup tapes be handled properly and stored in a secure, climate controlled facility. This provides peace of mind, and gives the business almost immediate stability after a disaster.
  18. What term describes the amount of risk that remains after the vulnerabilities are classified and the countermeasures have been deployed?

    • Residual risk
    • Inherent risk
    • Deferred risk
    • Impact risk
    Residual risk is the risk or danger of an action, event, method or (technical) process that remains even when all theoretically possible (scientifically conceivable) safety measures have been applied; in other words, the amount of risk left over after natural or inherent risks have been reduced by risk controls.
  19. Risks = Threats x Vulnerabilities is referred to as the:

    • Risk equation
    • Threat assessment
    • BIA equation
    • Disaster recovery formula
    The most effective way to define risk is with this simple equation:
    Risk = Threat x Vulnerability x Cost
    This equation is fundamental to all information security.
  20. Which of the following is designed to identify malicious attempts to penetrate systems?

    • Intrusion Detection System
    • Firewall
    • Proxy
    • Router
    An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces electronic reports to a management station.