Correct Answer:

Use unpredictable sequence numbers is correct.

Session hijacking requires the attacker to guess the proper upcoming sequence number(s) to pull off the attack, pushing the original client out of the session. In the real world, where the predictability of sequence numbers is a function of the operating system, for 99.999 percent of systems out there configuring sequence numbers is just simply not something you can do. On your exam, though, this is definitely something to remember. For your exam, just remember that using unpredictable session IDs in the first place protects against this. Other countermeasures for session hijacking are fairly common sense: use encryption to protect the channel, limit incoming connections, minimize remote access, and regenerate the session key after authentication is complete.

Incorrect Answers:

Use only nonroutable protocols, use a file-verification application such as Tripwire, and use good password policy are incorrect.

These choices would do nothing to stop session hijacking.

Correct Answer:

Internal, black box is correct.

EC-Council defines two types of penetration tests: external and internal. An external assessment analyzes publicly available information and conducts network scanning, enumeration, and testing from the network perimeter. An internal assessment is performed from within the organization, from various network access points. Black-box testing assumes no prior knowledge.

Incorrect Answers:

Internal, white box, external, white box, and external, black box are incorrect.

White-box testers have knowledge of the internal workings and have a generally easier task, and this test is obviously occurring inside the network boundary.

Correct Answer:

A reliable and consistent point of contact for all incident response services for associates of the Department of Homeland Security is correct.

CSIRT provides incident response services for any user, company, agency, or organization in partnership with the Department of Homeland Security.

Incorrect Answers:

Vulnerability measurement and assessments for the U.S. Department of Defense, incident response services for all Internet providers, and pen test registration for public and private sector are incorrect.

These answers do not reflect CSIRT.

Correct Answer:

SOA is correct.

Service-Oriented Architecture is an architecture-driven software design where software components deliver information to other components, usually over a network. For example, a company might develop an API that provides software programming access to a specific database, which would then let other developers build applications that could leverage the API to query or upload data.

Incorrect Answers:

EC2, SOAP, and DAR are incorrect.

EC2 refers to Amazon Web Services cloud offerings.

SOAP (Simple Object Access Protocol) is a messaging protocol using XML (and HTTP) that allows programs running on different operating systems to communicate.

DAR (data at rest) has nothing to do with this question.

Correct Answer:

Whois is correct.

Whois provides information on registrants—technical POCs, who registered the domain, contact numbers, and so on.

Incorrect Answers:

CAPTCHA, IANA, and IETF are incorrect.

CAPTCHA is a means to distinguish human from machine input, where a text entry or a picture identification requires a real human to enter it or click it, respectively.

IANA regulates IP allocation.

IETF is a standards organization.

Correct answer:

CCMP is correct.

As good as WPA was, there were tiny flaws to be exploited in TKIP. Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) was created to fix those and is the integrity method used by Wi-Fi Protected Access 2 (WPA2).

Incorrect Answers:

RC4, AES, and 802.1x are incorrect.

RC4 and AES are encryption algorithms (AES is used in WPA, by the way).

802.1x is the standards family wireless comes from.

Correct Answer:

Secpol.msc is correct.

Stand-alone computers are not part of Active Directory, and Group Policies do not apply to them, so editing the Local Security Policy is the only option. Microsoft Management Console can be opened via the mmc command, and the Local Security Policy snap-in can be added, or you can just use secpol.msc.

Incorrect Answers:

gpedit.msc, compmgmt.msc, and locsec.msc are incorrect.

gpedit.msc is used to open the Group Policy Editor.

compmgmt.msc is used to open Computer Management.

locsec.msc is not a valid command.

Correct Answer:

Zero-day attack is correct.

A zero-day attack is one carried out on a vulnerability the good guys didn’t even know existed. The true horror of such attacks is that you do not know about the vulnerability until it’s far too late.

Incorrect Answers:

Zero-hour attack, no-day attack, and nada-sum attack are incorrect.

The remaining answers are not legitimate terms.

Correct Answers:

IaaS is correct.

Amazon’s EC2 provides resizable compute capacity in the cloud via VMs that can be controlled via an API, thus fitting the definition of IaaS.

Incorrect Answers:

PaaS, SaaS, and Public are incorrect.

These do not match the Amazon EC2 service description.

Correct Answer:

Meterpreter is correct.

Meterpreter, short for meta-interpreter, is an advanced payload that is included in the Metasploit Framework. Its purpose is to provide complex and advanced features that allow developers to write their own extensions in the form of shared object (DLL) files that can be uploaded and injected into a running process on a target computer after exploitation has occurred. Meterpreter and all of the extensions that it loads are executed entirely from memory and never touch the disk, thus allowing them to execute under the radar of standard antivirus detection.

Incorrect Answers:

Inline, staged, and remote are incorrect.

Inline payloads are single payloads that contain the full exploit and shell code for the designed task. They are easier to detect and, because of their size, may not be viable for many attacks.

Staged payloads establish a connection between the attacking machine and the victim.

They then read in a payload to execute on the remote machine. Finally, “remote” isn’t a recognized payload type.