
412-79V10 Online Practice Questions and Answers

Question 4

A DMZ is a network designed to give the public access to specific internal resources, and you might want to do the same for guests visiting the organization without compromising the integrity of the internal resources. In general, attacks on wireless networks fall into four basic categories. Identify the attacks that fall under the Passive attacks category. (Select all that apply)

A. Wardriving

B. Spoofing

C. Sniffing

D. Network Hijacking

Question 5

One of the steps in information gathering is to run searches on a company using complex keywords in Google.

Which search keywords would you use in the Google search engine to find all the PowerPoint presentations containing information about a target company, ROCHESTON?

A. ROCHESTON fileformat:+ppt

B. ROCHESTON ppt:filestring

C. ROCHESTON filetype:ppt

D. ROCHESTON +ppt:filesearch

Question 6

Which of the following documents helps in creating a confidential relationship between the pen tester and client to protect critical and confidential information or trade secrets?

A. Penetration Testing Agreement

B. Rules of Behavior Agreement

C. Liability Insurance

D. Non-Disclosure Agreement

Question 7

Which of the following defines the details of services to be provided for the client's organization and the list of services required for performing the test in the organization?

A. Draft

B. Report

C. Requirement list

D. Quotation

Question 8

Fuzz testing or fuzzing is a software/application testing technique used to discover coding errors and security loopholes in software, operating systems, or networks by inputting massive amounts of random data, called fuzz, to the system in an attempt to make it crash. Fuzzers work best for problems that can cause a program to crash, such as buffer overflow, cross-site scripting, denial of service attacks, format bugs, and SQL injection.

A fuzzer helps generate and submit a large number of inputs to the application under test. This helps identify the SQL inputs that generate malicious output.

Suppose a pen tester knows the underlying structure of the database used by the application (i.e., name, number of columns, etc.) that she is testing.

Which of the following fuzz testing techniques will she perform, in which she can supply specific data to the application to discover vulnerabilities?

A. Clever Fuzz Testing

B. Dumb Fuzz Testing

C. Complete Fuzz Testing

D. Smart Fuzz Testing

Question 9

A framework is a fundamental structure used to support and resolve complex issues. The framework that delivers an efficient set of technologies for developing applications that are more secure when using the Internet and intranets is:

A. Microsoft Internet Security Framework

B. Information System Security Assessment Framework (ISSAF)

C. Bell Labs Network Security Framework

D. The IBM Security Framework

Question 10

Identify the data security measure which defines a principle or state that ensures that an action or transaction cannot be denied.

A. Availability

B. Integrity

C. Authorization

D. Non-Repudiation

Question 11

A penetration tester performs OS fingerprinting on the target server, with the help of ICMP packets, to identify the operating system it runs.

While performing ICMP scanning with the Nmap tool, the message received/type displays "3 - Destination Unreachable [5]" with code 3.

Which of the following is an appropriate description of this response?

A. Destination port unreachable

B. Destination host unavailable

C. Destination host unreachable

D. Destination protocol unreachable

Question 12

Vulnerability assessment is an examination of the ability of a system or application, including the current security procedures and controls, to withstand assault.

What does a vulnerability assessment identify?

A. Disgruntled employees

B. Weaknesses that could be exploited

C. Physical security breaches

D. Organizational structure

Question 13

In the process of hacking a web application, attackers manipulate the HTTP requests to subvert the application authorization schemes by modifying input fields that relate to the user ID, username, access group, cost, file names, file identifiers, etc. They first access the web application using a low privileged account and then escalate privileges to access protected resources. What attack has been carried out?

A. XPath Injection Attack

B. Authorization Attack

C. Authentication Attack

D. Frame Injection Attack

Question 14

Which one of the following acts makes reputational risk of poor security a reality because it requires public disclosure of any security breach that involves personal information if it is unencrypted or if it is reasonably believed that the information has been acquired by an unauthorized person?

A. California SB 1386

B. Sarbanes-Oxley 2002

C. Gramm-Leach-Bliley Act (GLBA)

D. USA Patriot Act 2001

Question 15

If a web application sends HTTP cookies as its method for transmitting session tokens, it may be vulnerable to which of the following attacks?

A. Parameter tampering Attack

B. SQL injection attack

C. Session Hijacking

D. Cross-site request attack

Question 16

Internet Control Message Protocol (ICMP) messages occur in many situations, such as whenever a datagram cannot reach its destination or a gateway does not have the buffering capacity to forward a datagram. Each ICMP message contains three fields: type, code, and checksum. The different kinds of ICMP messages are identified by the type and code fields.

Which of the following ICMP messages will be generated if the destination port is not reachable?

A. ICMP Type 11 code 1

B. ICMP Type 5 code 3

C. ICMP Type 3 code 2

D. ICMP Type 3 code 3

Question 17

Which one of the following acts related to information security in the US fixes the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting?

A. California SB 1386

B. Sarbanes-Oxley 2002

C. Gramm-Leach-Bliley Act (GLBA)

D. USA Patriot Act 2001

Question 18

John, a penetration tester, was asked for a document that defines the project, specifies goals, objectives, deadlines, the resources required, and the approach of the project. Which of the following includes all of these requirements?

A. Penetration testing project plan

B. Penetration testing software project management plan

C. Penetration testing project scope report

D. Penetration testing schedule plan

Exam Code: 412-79V10
Exam Name: EC-Council Certified Security Analyst (ECSA) V10
Last Update: May 04, 2024
Questions: 201 Q&As