You are looking for SQL injection vulnerability by sending a special character to web applications. Which of the following is the most useful for quick validation?
Double quotation
Backslash
Semicolon
Single quotation

Why should the security analyst disable/remove unnecessary ISAPI filters?
To defend against social engineering attacks
To defend against webserver attacks
To defend against jailbreaking
To defend against wireless attacks

When a security analyst prepares for a formal security assessment, which of the following should be done in order to determine inconsistencies in the secure assets database and verify that the system is compliant with the minimum security baseline?
Data items and vulnerability scanning
Interviewing employees and network engineers
Reviewing the firewalls configuration
Source code review

It is a regulation that has a set of guidelines, which should be adhered to by anyone who handles any electronic medical data. These guidelines stipulate that all medical practices must ensure that all necessary measures are in place while saving, accessing, and sharing any electronic medical data to keep patient data secure. Which of the following regulations best matches the description?
HIPAA
ISO/IEC 27002
COBIT
FISMA

Cross-site request forgery involves:
A request sent by a malicious user from a browser to a server
Modification of a request by a proxy between client and server
A browser making a request to a server without the user's knowledge
A server making a request to another server without the user's knowledge

Which regulation defines security and privacy controls for Federal information systems and organizations?
NIST-800-53
PCI-DSS
EU Safe Harbor
HIPAA

An ethical hacker for a large security research firm performs penetration tests, vulnerability tests, and risk assessments. A friend recently started a company and asks the hacker to perform a penetration test and vulnerability assessment of the new company as a favor. What should the hacker's next step be before starting work on this job?
Start by footprinting the network and mapping out a plan of attack
Ask the employer for authorization to perform the work outside the company
Begin the reconnaissance phase with passive information gathering and then move into active information gathering
Use social engineering techniques on the friend's employees to help identify areas that may be susceptible to attack

DNS cache snooping is a process of determining if the specified resource address is present in the DNS cache records. It may be useful during the examination of the network to determine what software update resources are used, thus discovering what software is installed. What command is used to determine if the entry is present in the DNS cache?
nslookup -fullrecursive update.antivirus.com
dnsnooping -rt update.antivirus.com
slookup -norecursive update.antivirus.com
dns --snoop update.antivirus.com

It has been reported to you that someone has caused an information spillage on their computer. You go to the computer, disconnect it from the network, remove the keyboard and mouse, and power it down. What step in incident handling did you just complete?
Containment
Eradication
Recovery
Discovery

Which of the following tools is used by pen testers and analysts specifically to analyze links between data using link analysis and graphs?
Metasploit
Wireshark
Maltego
Cain & Abel

You have gained physical access to a Windows 2008 R2 server which has an accessible disc drive. When you attempt to boot the server and log in, you are unable to guess the password. In your toolkit, you have an Ubuntu 9.10 Linux LiveCD. Which Linux-based tool can change any user's password or activate disabled Windows accounts?
John the Ripper
SET
CHNTPW
Cain & Abel

Bob, your senior colleague, has sent you a mail regarding a deal with one of the clients. You are requested to accept the offer, and you oblige. After 2 days, Bob denies that he ever sent the mail. What do you need to "know" to prove to yourself that it was Bob who sent the mail?
Confidentiality
Integrity
Non-Repudiation
Authentication

When does the Payment Card Industry Data Security Standard (PCI-DSS) require organizations to perform external and internal penetration testing?
At least twice a year or after any significant upgrade or modification
At least once a year and after any significant upgrade or modification
At least once every two years and after any significant upgrade or modification
At least once every three years or after any significant upgrade or modification

You have successfully compromised a server with the IP address 10.10.0.5. You would like to quickly enumerate all machines in the same network. What is the best nmap command to use?
nmap -T4 -q 10.10.0.0/24
nmap -T4 -F 10.10.0.0/24
nmap -T4 -r 10.10.1.0/24
nmap -T4 -O 10.10.0.0/24