B. The destination address is used as the address to send messages to. The don’t fragment bit is used to tell network devices not to fragment the packet. The Type of Service (ToS) field can be used to perform quality of service. The IP identification field is used to identify fragments of the same packet, as they would all have the same IP identification number.

C. A SQL injection attack makes use of SQL queries, which can include logic that may alter the flow of the application. In the example provided, the intent is to force the result of the SQL query to always return a true. It is quoted the way it is to escape the existing query already in place in the application. None of the other attacks use a syntax that looks like the example.

C. The Apple App Store and the Google Play Store are controlled by Apple and Google. It’s not impossible to get malware onto mobile devices that way, but it’s very difficult because apps get run through a vetting process. While some Android devices will support external storage, it’s not an effective way to get malware onto a smartphone or other mobile device. Jailbreaking can lead to malware being installed but it’s not the means to get malware onto a mobile device. Third-party app stores can be a good means to get malware onto mobile devices because some third-party app stores don’t vet apps that are submitted.

B. DHCP is used to get IP configuration to endpoints. DNS is used to resolve a hostname to an IP address and vice versa. RARP is the reverse address protocol used to take a MAC address and resolve it to an IP address. ARP is used to resolve an IP address to a MAC address. Communication on a local network requires the use of a MAC address. The IP address is used to get to systems off the local network.

C. Heap spraying uses dynamically allocated space to store attack code. A slowloris attack is used to hold open web server connection buffers. A SQL injection will be used to inject SQL queries to the database server. A buffer overflow sends more data into the application than space has been allocated for.

B. A /23 network would be 255.255.254.0. A /22 would be 255.255.252. A /20 would be 255.255.240.0. Only a /21 would give you a 255.255.248.0 subnet mask.

C. Both worms and viruses could be written to use polymorphic code, which means they could modify what they look like as they propagate. A worm, though, could self-propagate. It’s the one distinction between worms and viruses. Viruses require some intervention on the part of the user to propagate and execute.

A. Risk is the probability of the occurrence of an event multiplied by the dollar value of loss. There is no mitigation factor that is quantified so it could be put into a risk calculation.

B. An evil twin attack uses an access point masquerading to be the point of connection for stations trying to connect to a legitimate wireless network. Stations reach out to make connections to this access point masquerading as another access point. While you may phish for credentials as part of an evil twin attack, credential phishing is not how evil twin attacks work. SSIDs don’t get changed as part of an evil twin attack, meaning no SSID that exists will become another SSID. Injecting four-way handshakes won’t do much, since four-way assumes both ends are communicating, so the injection of a full communication stream will get ignored.

C. Antivirus solutions are used on endpoints or maybe on email servers. Stateful firewalls add in the ability to factor in the state of the connection—new, related, established. An Application layer gateway knows about Application layer protocols. A unified threat management appliance adds additional capabilities on top of firewall functions, including antivirus.

A. Standards and practices should be derived from a security policy, which is the high-level guidance on the role of security within an organization. Security does not generally increase the bottom line of a company. Policies are not for providing specific directions, which would be the role of procedures.

B. Base64 encoding takes non-printable characters and encodes them in a way that they can be rendered in text. Encryption would generally render text unreadable to people. A cryptographic hash is a way of generating a fixed-length value to identify a value. URL encoding takes text and uses hexadecimal values to represent the characters. This is text that has been converted into hexadecimal so they can be used in a URL.

B. Mail exchanger records would be identified as MX records. A name server record is identified with the tag NS. While an enterprise may have one or even several caching name servers, the caching name server wouldn’t be said to belong to the domain since it doesn’t have any domain identification associated with it.

C. A DNS query can be used to identify an IP address from a hostname or vice versa. You could potentially use a brute-force technique to identify hostnames, though you may not get everything using that method. A recursive request is common from a caching server to get an authoritative response. The term for getting all the contents of the zone is a zone transfer.

A. Tunneling attacks can be used to hide one protocol inside another. This may be used to send operating system commands using a tunnel system. A DNS amplification attack is where a small DNS request results in much larger responses sent to the target. DNS recursion is used to look up information from DNS servers. An XML entity injection attack is a web-based attack and wouldn’t be found inside a DNS request.

D. There may be several reasons for performing a ping sweep. You likely want to identify responsive hosts on the network segment you are targeting. You may not, though, want to use a full port scan. ICMP is a lightweight protocol and there is a chance it will be allowed through the firewall, since it’s used for troubleshooting and diagnostics.

C. The NIST cybersecurity framework specifies five functions—identify, protect, detect, response, recover.

B. Python interpreters may be considered to be slower to execute than a compiled program, however the difference is negligible and generally speed of execution isn’t much of a concern when it comes to malware. Python is not a hard language to learn and there are a lot of community-developed libraries. One challenge, though, is that you may need a Python interpreter, unless you go through the step of getting a Python compiler and compiling your script. Windows systems wouldn’t commonly have a Python interpreter installed.

B. The expression host 192.168.10.5 is BPF indicating that tcpdump should only capture packets to and from 192.168.10.5. If you wanted to only get it to or from, you would need to modify host with src or dest.

C. Certificates can be revoked but that’s not what Diffie-Hellman is used for. Key management is a much broader topic than what Diffie-Hellman is used for. Diffie-Hellman is used for key exchange. It is a process that allows parties to an encrypted conversation to mutually derive the same key starting with the same base value.

D. While you might be imitating someone, imitation is not a social engineering principle. Neither social proof nor scarcity are at play in this situation. However, if you are calling from the help desk, you may be considered to be in a position of authority.

D. SNMPv3 implemented username and password authentication. With version 1, you used a cleartext community string. SNMP doesn’t use hashes and while the word “public” is often used as a community string, a public string is not a way to authenticate with SNMPv1.

A. Interprocess communications across systems using a network is called remote method invocation. The process that programs have to communicate with to get a dynamic port allocation is the RMI registry. This is the program you query to identify services that are available on a system that has implemented RMI.

C. When an ARP response is sent without a corresponding ARP request, it’s an unexpected or unnecessary message, so it is a gratuitous ARP.

D. There are three date and time stamps commonly used in file metadata. When the file is created, that moment is stored. When a file is accessed by a user, that moment is stored. When a file is modified, that moment is stored. Accessed is not the same as modified since accessing a file could be read-only. You could open a file, expecting to modify it but not ending up doing the modification. The access time still changes. While moves, adds, and changes may sometimes be referred to as MAC like modified, accessed, and created, those are not tasks associated with file times.

C. Local vulnerabilities are used against applications that are not listening on the network. This means they require you to be “local” to the machine and not remote. In other words, you have to be logged in somehow. A local vulnerability would not be used to collect passwords since you don’t need a vulnerability to do that. Similarly, you don’t need to make use of a vulnerability to manipulate logs or to pivot. Most of those would require you to have elevated permissions, though. A local vulnerability may be exploited to get you those elevated permissions.

A. Integrity is part of the CIA triad but isn’t the principle that ties a signed message back to the subject of the signing certificate. Non-verifiability is nonsense and authority isn’t relevant here. Instead, non-repudiation means someone can’t say they didn’t send a message if it was signed with their key and that key was in their possession and password-protected.

D. Biometrics and badge access are forms of physical access control. Phone verification could possibly be used as a way of verifying identity but it won’t protect against tailgating. A man trap, however, will protect against tailgating because a man trap only allows one person in at a time.

B. Bluesnarfing is an attack that connects to a Bluetooth device in order to grab data from that device. Bluejacking can be used to send information to a Bluetooth device that is receiving from the attacker, such as a text message. Neither of these attacks install keyloggers. The victim device sends information to the attacker in a bluesnarfing attack.

B. The Biba security model covers data integrity. While other models cover confidentiality, none of them cover availability.