Certified Ethical Hacker Exam Practice Questions
1. Question
The International Organization for Standardization (ISO) published a guide for information security management systems called ISO 27001. It provides another way to think about implementing information security systems. What are the phases included in the ISO 27001 cycle?
Correct
ISO 27001 was developed to help organizations of any size or any industry to protect their information systematically and cost-effectively through the adoption of an Information Security Management System (ISMS). The phases of ISO 27001 include the following: Plan, Do, Check, and Act.
2. Question
Symmetric key cryptography is any cryptographic algorithm that is based on a shared key that is used to encrypt or decrypt text. Any symmetric key algorithm can be either a stream or a block cipher. Which of the following statements best defines a stream cipher?
Correct
A stream cipher encrypts the data byte by byte. An example of a stream cipher is the Vigenère cipher, wherein the data is encrypted one letter at a time without any reliance on any other portion of the message.
3. Question
An encryption cipher is only a portion of what is necessary to allow messages to be encrypted between endpoints. There are multiple components, and together they are called a cipher suite. Which of the following statements best defines a cipher suite?
Correct
A cipher suite is a complete set of methods needed to secure a network connection through SSL/TLS. One cipher suite typically consists of one key exchange, one authentication, one bulk encryption, and one MAC algorithm.
4. Question
The replacement algorithm for the Data Encryption Standard (DES) was the Advanced Encryption Standard (AES). It is a block cipher that uses multiple key lengths and a block length of 128 bits. The Rijndael cipher was used as the basis for AES. To date, the only possible way to attack AES is to use a side-channel attack. Which of the following sentences describes the side-channel attack?
Correct
A side-channel attack relies on using something other than a weakness in the algorithm. Instead, the implementation becomes the target. Information can be leaked as a result of power consumption, processor utilization, or electromagnetic leaks. This is not the sort of attack that someone would be able to accomplish without an extensive understanding of cryptography and how systems work.
5. Question
Keys can be stored inside a data structure called a certificate. The certificate structure is defined by X.509, which is a part of a larger X.500 standard used to define digital directory services. As part of a digital directory, encryption certificates can be stored. Which of the following sentences best describes the public key infrastructure (PKI)?
Correct
The public key infrastructure (PKI) is a set of roles, policies, hardware, software, and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. The purpose of the PKI is to facilitate the secure electronic transfer of information for a range of network activities such as e-commerce, internet banking, and confidential email.
6. Question
Certificate revocation is the act of invalidating a TLS/SSL certificate before its scheduled expiration date. A certificate should be revoked immediately when its private key shows signs of being compromised. It should also be revoked when the domain for which it was issued is no longer operational. Revoked certificates are managed through the use of the Certificate Revocation List (CRL). Which of the following sentences defines the CRL?
Correct
The Certificate Revocation List (CRL) is a list of digital certificates that have been revoked by the issuing certificate authority (CA) before their scheduled expiration date and should no longer be trusted. It is described in RFC 5280 and is generated and published periodically, often at a defined interval.
7. Question
Certificates may be managed using a certificate authority (CA), which is a trusted third party that verifies the identity of the certificate holder. A CA is not the only way to verify identity; you can also use Pretty Good Privacy (PGP). Which of the following sentences best describes PGP?
Correct
Pretty Good Privacy (PGP) uses a web of trust to perform verification. The idea is that keys are all uploaded to a web server. Someone who knows the person who has uploaded the key will sign that key as a demonstration that they know the person and are willing to say that the key really belongs to the user it purports to belong to.
8. Question
When it comes to remediation against distributed denial of service attacks, there aren’t a lot of options. One effective approach is to use a load balancing service. Which of the following sentences best defines a load balancing service?
Correct
The load balancing service is a method for improving the availability and performance of software applications that are run across multiple servers. This tool boosts application availability by routing client request traffic away from servers that are congested or malfunctioning and elevates performance by balancing request traffic across healthy servers so that no server is over-burdened.
9. Question
The slowhttptest program is a highly configurable tool that simulates some application-layer Denial of Service attacks. It works on the majority of Linux platforms, OS X, Cygwin and other Unix-like environments, and the command-line interface for Microsoft Windows. This program can be used to conduct slow HTTP attacks and the Apache killer attack. Which of the following statements is true about the Apache killer attack?
Correct
During the Apache killer attack, the program slowhttptest sends requests asking for overlapping ranges of bytes. This causes memory consumption on the server because of a bug in the Apache server program. This is where the program makes a request for a large file from the web server and then reads the file in from the server in small segments. The attacking program can then wait long periods of time between reads. This keeps the connection open for a long time, holding up a connection that might otherwise be used by a legitimate user.
10. Question
A buffer overflow attack takes advantage of a memory structure called the stack. The goal of this attack is to inject a section of code, called shellcode, that the attacker wants to be executed. The place in the stack where the return address is kept needs to point to the space in memory where the shellcode now resides. A way to protect your system against this attack is by using Address Space Layout Randomization (ASLR). Which of the following sentences best defines ASLR?
Correct
Address space layout randomization (ASLR) is a computer security technique that involves randomly positioning the base address of an executable and the positions of libraries, the heap, and the stack in a process's address space. The random mixing of memory addresses performed by ASLR means that an attacker no longer knows at what address the required code is actually located.