Start a free 30-question CEH daily set with source-backed explanations, local progress, and a fresh rotation every morning.
Certified Ethical Hacker
Use this CEH practice test to review Certified Ethical Hacker. Questions rotate daily and each explanation links to the source used to validate the answer.
Guest progress saves automatically on this device. Add an email later when you want a magic link that keeps your daily CEH practice in sync across browsers.
150 verified questions are currently in the live bank. Questions updated at Apr 14, 2026, 12:58 PM CDT. The daily set rotates at 10:00 AM local time, and each explanation links back to the source used to write it. Use the web set for quick practice, then switch to the app when available for larger banks and deeper review.
Use these official EC-Council resources alongside the daily practice set. They cover the provider's own exam page, study guide, or prep material.
A. Correct: Malicious code is correct because it directly corresponds to the definition provided by NIST.
B. Incorrect: Data encryption key is incorrect because encryption keys are used for securing data and not for harmful purposes.
C. Incorrect: Network intrusion detection is incorrect because this term refers to a security measure that identifies unauthorized access attempts, not malicious software.
D. Incorrect: User access control is incorrect as it pertains to managing user permissions in systems but does not describe malware.
A. Incorrect: Impact metrics quantify the effect on confidentiality, integrity, or availability if a vulnerability were exploited is incorrect because impact metrics describe the consequence of a successful exploit, not how easily one can be achieved.
B. Correct: Exploitability metrics measure how easily a vulnerability can be exploited; in CVSS they capture attack vector, attack complexity, privileges required, and user interaction.
C. Incorrect: Temporal metrics reflect changes over time as vulnerabilities are discovered and mitigated is incorrect because temporal metrics (exploit maturity, remediation level, report confidence) adjust a base score over time rather than measure ease of exploitation.
D. Incorrect: Environmental metrics allow organizations to customize scores based on their specific environment is incorrect because environmental metrics tailor a score to one organization's deployment rather than measuring exploitability.
A. Correct: Insufficient Binary Protections is correct because M7 in the OWASP Mobile Top 10 (2024) covers the lack of protections against tampering with and reverse engineering the application binary.
B. Incorrect: Security Misconfiguration is incorrect because it is listed as M8, not M7.
C. Incorrect: Insecure Communication is incorrect because it is listed as M5, not M7.
D. Incorrect: Inadequate Privacy Controls is incorrect because it is listed as M6, not M7.
A. Incorrect: To ensure compliance with industry standards is incorrect because while compliance with industry standards may be a secondary benefit, the primary purpose of security controls as defined by NIST is to protect information assets from threats.
B. Correct: To protect information assets from threats is correct because it aligns directly with the definition provided in NIST's glossary on security controls, which emphasizes protection against confidentiality, integrity, and availability risks.
C. Incorrect: To monitor and log user activities is incorrect because monitoring user activities can be part of broader cybersecurity measures but does not encapsulate the primary purpose of a security control as defined by NIST.
D. Incorrect: To encrypt data transmissions is incorrect because while data encryption may be employed within security controls, it represents only one aspect of protection rather than the comprehensive goal described in the definition.
A. Correct: Abuse Elevation Control Mechanism is correct because MITRE ATT&CK groups misuse of built-in privilege-elevation controls, including setuid and setgid binaries, sudo and sudo caching, and UAC bypass, under Abuse Elevation Control Mechanism (T1548).
B. Incorrect: Network Service Discovery is incorrect because it is reconnaissance of network services, not privilege elevation.
C. Incorrect: Phishing for Information is incorrect because it is a social-engineering collection technique, not abuse of local elevation controls.
D. Incorrect: Data Encrypted for Impact is incorrect because it describes ransomware-style impact behavior, not privilege escalation.
A. Correct: Authentication involves verifying a user's identity before granting access to resources, as per NIST SP 800-63-4.
B. Incorrect: Authorization is incorrect because it refers to the process of determining what actions a user can perform after their identity has been verified.
C. Incorrect: User verification is incorrect because it is not the defined term; NIST calls the process of confirming a claimant's identity authentication, and uses identity proofing and verification for enrollment.
D. Incorrect: Access control is incorrect because access control is the broader process of deciding who may access which resources; authentication is only the step that establishes who the requester is.
A. Incorrect: Remove unused dependencies is incorrect because removing unused dependencies alone does not address all risks associated with outdated components.
B. Correct: Continuously inventory and update components is correct because continuously inventorying and updating client-side and server-side components is a core control for vulnerable and outdated components.
C. Incorrect: Securing configurations is incorrect because configuration hardening is important but addresses security misconfiguration, not the management of vulnerable component versions.
D. Incorrect: Regularly scan for vulnerabilities is incorrect because scanning identifies known vulnerable versions but, without an inventory and an update process, does not by itself remove outdated components.
A. Incorrect: Using strong encryption for data transmission is incorrect because it does not prevent broken authentication issues; it only secures data during transit.
B. Correct: Allowing brute force attacks on login endpoints is correct because an endpoint with no rate limiting, lockout, or credential-stuffing defenses lets an attacker guess passwords at will, which is exactly the kind of weakness OWASP lists under broken authentication.
C. Incorrect: Implementing rate limiting on API requests is incorrect because it is a mitigation that slows credential guessing, not a practice that makes the API vulnerable.
D. Incorrect: Enforcing multi-factor authentication is incorrect because it adds a second verification factor and therefore reduces, rather than creates, broken authentication risk.
A. Correct: Adequacy of system controls is correct because a security audit, as NIST defines it, is an independent review of records and activities to assess whether system controls are adequate and whether established policies and procedures are being followed.
B. Incorrect: Ownership of each application source repository is incorrect because source repository ownership can matter to governance, but it is not the NIST definition's core audit target.
C. Incorrect: Vendor approval of security products is incorrect because vendor approval of tools is a procurement concern, not the purpose of a security audit.
D. Incorrect: Color-coding of network diagrams is incorrect because network diagram formatting may help documentation but does not verify security controls.
A. Correct: To gain higher-level permissions is correct because circumventing elevation control mechanisms directly aims to gain higher-level permissions, which is essential for executing critical tasks with elevated privileges.
B. Incorrect: To establish persistence on a system is incorrect because establishing persistence involves maintaining access over time rather than immediately gaining elevated permissions.
C. Incorrect: To perform reconnaissance activities is incorrect because reconnaissance activities focus on gathering information about the target environment and do not necessarily involve privilege escalation.
D. Incorrect: To exfiltrate data is incorrect because exfiltrating data pertains to transferring sensitive information out of a system, which is unrelated to gaining higher-level permissions.
A. Incorrect: The process of verifying a user's identity is incorrect because identity verification is a prerequisite for authorization but does not encompass the concept of granting access rights itself.
B. Correct: The right or permission granted to a system entity to access a resource is correct because this definition directly aligns with NIST's glossary on authorization, defining it as 'the right or permission granted to a system entity to access a resource'.
C. Incorrect: The act of installing security patches on systems is incorrect because installing security patches is unrelated to the process of authorizing access to resources.
D. Incorrect: The procedure for creating new user accounts is incorrect because creating new user accounts involves identity management but does not address the concept of granting specific permissions and rights.
A. Correct: A lack of threat modeling is correct because it directly impacts the ability to anticipate and prevent security issues during the design phase.
B. Incorrect: Improper error handling is incorrect because information leakage through error messages is an implementation defect, a symptom rather than a root cause of insecure design.
C. Incorrect: Weak password policies are incorrect; while important for secure implementation, they do not address broader design flaws.
D. Incorrect: Inadequate logging is incorrect; though crucial for detection and response, it does not prevent insecure design.
A. Correct: Fuzzing API requests and analyzing responses is correct because OWASP notes that fuzzing is usually used to identify additional hidden object properties, after which crafted API requests and response analysis determine whether those properties can be read or changed.
B. Incorrect: Reviewing only static source comments is incorrect because static comments may help code review, but OWASP is describing active API request and response testing.
C. Incorrect: Capturing unrelated network broadcasts is incorrect because unrelated network broadcasts do not reveal hidden object properties in an API response.
D. Incorrect: Disabling authorization checks during testing is incorrect because disabling authorization checks would create an unsafe test condition rather than evaluate the API as implemented.
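The test flow the correct answer describes (read the object, probe each property it returns, read it back) can be scripted. The following is an added example, not code from the original page or from OWASP. It stands in an in-memory "profile API" for a real service; the names SEED_USER, update_profile_vulnerable, update_profile_hardened and fuzz_properties are assumed for illustration. The vulnerable handler mass-assigns every field in the request body; the hardened one applies an allowlist of client-writable properties.

```python
import copy

# Constructed stand-in for a profile API (not from the original page or from OWASP).
SEED_USER = {
    "id": 7,
    "name": "alice",
    "email": "alice@example.test",
    "role": "user",            # never shown in the UI, but returned by GET /users/7
    "credit_balance": 0,       # same: a hidden, sensitive property
}

# Properties a client is supposed to be able to change.
WRITABLE = {"name", "email"}


def update_profile_vulnerable(store, user_id, body):
    """Mass assignment: every key in the request body is merged into the object."""
    store[user_id].update(body)
    return store[user_id]


def update_profile_hardened(store, user_id, body):
    """Allowlist: only explicitly writable properties are applied; the rest are dropped."""
    store[user_id].update({k: v for k, v in body.items() if k in WRITABLE})
    return store[user_id]


def mutate(value):
    """Return a value of the same type that differs from the current one."""
    if isinstance(value, bool):
        return not value
    if isinstance(value, int):
        return value + 1000
    if isinstance(value, str):
        return value + "_fuzz"
    return value


def fuzz_properties(get_object, update_object):
    """OWASP's test flow for broken object property level authorization:
    1. read the object to learn every property the API returns, hidden ones included;
    2. send one crafted update per property;
    3. read the object back and report which properties the server actually changed."""
    baseline = copy.deepcopy(get_object())
    changed = []
    for prop, current in baseline.items():
        probe = mutate(current)
        update_object({prop: probe})
        if get_object().get(prop) == probe:
            changed.append(prop)
    return sorted(changed)


def writable_properties(handler):
    """Run the fuzzer against a fresh copy of the data behind the given update handler."""
    store = {7: copy.deepcopy(SEED_USER)}
    return fuzz_properties(
        get_object=lambda: store[7],
        update_object=lambda body: handler(store, 7, body),
    )


if __name__ == "__main__":
    for handler in (update_profile_vulnerable, update_profile_hardened):
        writable = writable_properties(handler)
        leaked = sorted(set(writable) - WRITABLE)
        print(f"{handler.__name__}: client can change {writable}; "
              f"should not be writable: {leaked or 'none'}")
```

Against a real API the two lambdas become an authenticated GET and PUT/PATCH; the comparison logic stays the same. Properties that change when they should not (here role and credit_balance, and the identifier) are the finding.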
A. Correct: A potential for unauthorized access or denial of service is correct because it accurately reflects the NIST definition of a threat, emphasizing its potential adverse impact on organizational operations and assets.
B. Incorrect: An actual attack on an information system is incorrect because an actual attack is an event or incident, whereas NIST defines a threat as the potential for such an event.
C. Incorrect: A weakness that can be exploited by attackers is incorrect because while vulnerabilities can be exploited by attackers, this choice describes a weakness which is related to but distinct from the concept of a threat.
D. Incorrect: The process of identifying vulnerabilities is incorrect because identifying vulnerabilities is part of risk assessment and not the definition of a threat itself.
A. Incorrect: Content Injection (T1659) is incorrect because it involves injecting malicious content into systems through online network traffic, not necessarily by compromising a website for users to visit.
B. Correct: Drive-by Compromise (T1189) involves adversaries gaining access to a system when a user visits a compromised website during normal browsing activity, as described in the MITRE ATT&CK Initial Access tactic.
C. Incorrect: Exploit Public-Facing Application (T1190) is incorrect because it involves exploiting weaknesses in Internet-facing hosts or systems for initial access, not through normal browsing of compromised websites.
D. Incorrect: External Remote Services (T1133) is incorrect because they involve using external remote services like VPNs to gain network access, not by visiting a compromised website.
A. Incorrect: To update system configurations is incorrect because updating system configurations is a maintenance task, not an incident response activity.
B. Correct: To remediate violations of security policies is correct because NIST SP 800-61r3 defines incident response as the remediation or mitigation of violations of security policies and recommended practices.
C. Incorrect: To train staff on new software is incorrect because training staff on new software is unrelated to addressing security incidents.
D. Incorrect: To conduct regular audits is incorrect because conducting regular audits is a preventive measure, not an immediate response action.
A. Correct: Allowing unauthorized users to modify or view sensitive data is correct because it is the direct consequence of broken access control, where the application fails to enforce its own authorization rules.
B. Incorrect: Ensuring all user accounts have strong passwords is incorrect because strong passwords harden authentication, whereas broken access control concerns authorization and permission enforcement after a user is authenticated.
C. Incorrect: Implementing encryption for data at rest and in transit is incorrect because encryption protects data from eavesdropping and theft but does not stop an authenticated user from reaching records they are not authorized to see.
D. Incorrect: Disabling unused network services is incorrect because reducing the attack surface is good practice but does not correct authorization checks that are missing or bypassable.
A. Incorrect: Protocol is incorrect because protocol attacks exhaust connection state and processing capacity by abusing weaknesses in network protocols (SYN floods, for example), not specific applications.
B. Incorrect: Volumetric is incorrect because volumetric attacks aim to saturate bandwidth with large volumes of traffic rather than targeting a specific application.
C. Correct: Application attacks target weaknesses within specific applications or running services, such as HTTP requests or database queries.
D. Incorrect: Network is incorrect because this choice does not match any of the described DDoS attack types.
A. Correct: Formal description and evaluation of system vulnerabilities is correct because NIST frames vulnerability assessment as the formal description and evaluation of the vulnerabilities in an information system.
B. Incorrect: Rules of engagement for ethical hacking activity is incorrect because rules of engagement define authorization and boundaries for testing, not the assessment definition itself.
C. Incorrect: A complete network topology diagram is incorrect because a topology diagram may support planning but does not evaluate vulnerabilities.
D. Incorrect: Automatic deployment of security patches is incorrect because patch deployment is remediation that can follow an assessment rather than the assessment activity.
A. Correct: Adding roles or permissions to a cloud account maintains persistent access is correct because MITRE ATT&CK lists Additional Cloud Roles as a sub-technique of Account Manipulation (T1098): by attaching extra roles or permissions to an account they control, adversaries keep privileged access to the tenant even after the original foothold is cleaned up.
B. Incorrect: Modifying SSH authorized_keys files on individual hosts is incorrect because it is the SSH Authorized Keys sub-technique, which persists on individual hosts rather than through cloud role assignments.
C. Incorrect: Manipulating email delegate permissions gains unauthorized email access is incorrect because it is the Additional Email Delegate Permissions sub-technique, which targets mailbox access rather than cloud roles.
D. Incorrect: Changing account credentials is for maintaining access is incorrect because it describes password or key manipulation rather than the addition of roles or permissions.
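Account Manipulation in a cloud tenant leaves an audit trail: the role attachment, the new access key, the changed trust policy. The following detection over CloudTrail-style records is an added example, not code from the original page or from MITRE. The events, account IDs (111111111111 as the home account, 222222222222 as a foreign one) and user names are constructed; the function names are assumed. It treats the policyDocument parameter as a plain JSON string, whereas real CloudTrail records URL-encode it, so a production version would decode it first.

```python
import json

# Constructed CloudTrail-style records (not real logs). Account IDs and names are made up.
OWN_ACCOUNT = "111111111111"
SAMPLE_EVENTS = [
    {"eventName": "AttachUserPolicy", "userIdentity": {"userName": "alice"},
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventName": "CreateAccessKey", "userIdentity": {"userName": "alice"},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventName": "AttachUserPolicy", "userIdentity": {"userName": "bob"},
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
    {"eventName": "DescribeInstances", "userIdentity": {"userName": "bob"},
     "requestParameters": {}},
    {"eventName": "UpdateAssumeRolePolicy", "userIdentity": {"userName": "alice"},
     "requestParameters": {"roleName": "prod-admin",
                           "policyDocument": json.dumps({
                               "Version": "2012-10-17",
                               "Statement": [{"Effect": "Allow",
                                              "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
                                              "Action": "sts:AssumeRole"}]})}},
]

# IAM write events that correspond to the Account Manipulation sub-techniques.
ROLE_GRANTS = {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
               "PutUserPolicy", "PutRolePolicy", "AddUserToGroup"}
CREDENTIAL_GRANTS = {"CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile"}
TRUST_CHANGES = {"UpdateAssumeRolePolicy", "CreateRole"}


def principals_in(doc):
    """Yield every AWS principal ARN named in a trust policy document."""
    for statement in doc.get("Statement", []):
        principal = statement.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        if isinstance(aws, str):
            aws = [aws]
        yield from aws


def external_accounts(policy_json, own=OWN_ACCOUNT):
    """Account IDs other than our own that a trust policy would allow to assume the role."""
    found = set()
    for arn in principals_in(json.loads(policy_json)):
        parts = arn.split(":")
        account = parts[4] if len(parts) > 4 else arn   # arn:partition:service:region:account:...
        if account != own:
            found.add(account)
    return found


def detect_account_manipulation(events, own=OWN_ACCOUNT):
    """Flag three persistence patterns: an AdministratorAccess grant, a principal
    changing permissions or minting credentials for a *different* principal, and a
    role trust policy that admits an outside account."""
    alerts = []
    for event in events:
        name = event.get("eventName", "")
        actor = event.get("userIdentity", {}).get("userName", "?")
        req = event.get("requestParameters") or {}
        target = req.get("userName") or req.get("roleName") or req.get("groupName") or "?"
        if name in ROLE_GRANTS:
            if req.get("policyArn", "").endswith("/AdministratorAccess"):
                alerts.append((name, f"{actor} granted AdministratorAccess to {target}"))
            elif target != actor:
                alerts.append((name, f"{actor} changed permissions of {target}"))
        elif name in CREDENTIAL_GRANTS and target != actor:
            alerts.append((name, f"{actor} created credentials for {target}"))
        elif name in TRUST_CHANGES:
            foreign = external_accounts(req.get("policyDocument", "{}"), own)
            if foreign:
                alerts.append((name, f"{actor} trusted external account(s) {sorted(foreign)} on {target}"))
    return alerts


if __name__ == "__main__":
    for event_name, reason in detect_account_manipulation(SAMPLE_EVENTS):
        print(f"[{event_name}] {reason}")
```

The self-service ReadOnlyAccess attachment and the DescribeInstances read are intentionally left quiet; the value of the rule is in the cross-principal and cross-account cases, which are what an adversary needs for durable access.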
A. Incorrect: Data encryption is incorrect because encryption provides confidentiality, not integrity or authenticity.
B. Correct: Data integrity is correct because a digital signature lets the verifier detect any alteration of the signed data since it was signed, and also binds the data to the signer's key.
C. Incorrect: Network security is incorrect because it involves other measures beyond ensuring data integrity.
D. Incorrect: User authentication is incorrect because it can be part of the verification process but does not ensure data integrity.
A. Correct: Implementing secure installation processes is correct because a repeatable, hardened installation process prevents web applications from being deployed with unsafe defaults or missing controls.
B. Incorrect: Using default settings for all configurations is incorrect because relying on default settings is one of the behaviors that creates security misconfiguration.
C. Incorrect: Disabling error handling completely is incorrect because it removes operational visibility and does not produce a secure configuration.
D. Incorrect: Removing all user accounts is incorrect because it would break legitimate use and is not a practical hardening step.
A. Incorrect: Inadequate physical security measures is incorrect because while physical security measures can be important, they do not capture a primary risk associated with IoT devices as defined by NIST.
B. Incorrect: Lack of encryption for data transmission is incorrect because although encryption for data transmission is crucial, it does not encompass the broader security concern of remote access and control.
C. Correct: Potential for unauthorized remote access and control is correct because unauthorized remote access and control represent significant risks due to the connectivity and management capabilities inherent in IoT devices.
D. Incorrect: Insufficient user authentication mechanisms is incorrect because while user authentication is important, it does not fully capture the risk associated with remote management and monitoring.
A. Correct: To identify hosts and their associated vulnerabilities - Correct as per NIST SP 800-115
B. Incorrect: To patch known security issues - Incorrect; vulnerability scanning identifies but does not fix issues directly
C. Incorrect: To establish rules of engagement - Incorrect; ROE is a legal framework for ethical hacking, unrelated to technical scans
D. Incorrect: To conduct penetration testing - Incorrect; penetration testing goes further than scanning by attempting to exploit the weaknesses that scanning or other discovery has identified
A. Correct: ARP Cache Poisoning positions itself between networked devices is correct because ARP Cache Poisoning involves poisoning Address Resolution Protocol (ARP) caches so that the adversary sits between the communication of two or more networked devices, enabling follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation.
B. Incorrect: DHCP Spoofing redirects traffic by spoofing DHCP is incorrect because DHCP Spoofing redirects network traffic by spoofing Dynamic Host Configuration Protocol (DHCP) traffic and acting as a malicious DHCP server on the victim network.
C. Incorrect: Evil Twin deceives users with fake Wi-Fi access points is incorrect because Evil Twin involves hosting seemingly genuine Wi-Fi access points to deceive users into connecting to malicious networks, supporting follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation.
D. Incorrect: LLMNR/NBT-NS Poisoning spoofs name resolution is incorrect because LLMNR/NBT-NS Poisoning and SMB Relay involves responding to LLMNR/NBT-NS network traffic to spoof an authoritative source for name resolution, not poisoning ARP caches.
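ARP cache poisoning is visible on the wire: the gateway's IP is suddenly announced with a different MAC, and one MAC starts answering for several IPs. The following detector is an added example, not code from the original page or from MITRE. The sample lines are constructed in a tcpdump-like format (addresses and times made up); parse_arp_replies and detect_arp_poisoning are assumed names. On a real network the same logic runs over a capture, and switches with dynamic ARP inspection or static ARP entries for the gateway remove the problem at the source.

```python
import re
from collections import defaultdict

# Constructed ARP traffic in a tcpdump-like format; not a real capture.
SAMPLE_ARP = """\
10:00:01 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01
10:00:02 ARP, Reply 192.168.1.20 is-at 00:11:22:33:44:20
10:00:03 ARP, Request who-has 192.168.1.1 tell 192.168.1.20
10:00:05 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:20
10:00:06 ARP, Reply 192.168.1.30 is-at 00:11:22:33:44:30
10:00:09 ARP, Reply 192.168.1.30 is-at 00:11:22:33:44:20
"""

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$",
    re.IGNORECASE,
)


def parse_arp_replies(text):
    """Yield (timestamp, ip, mac) for each ARP reply; requests and other lines are skipped."""
    for line in text.splitlines():
        match = ARP_REPLY.match(line.strip())
        if match:
            yield match["ts"], match["ip"], match["mac"].lower()


def detect_arp_poisoning(text, protected_ips=("192.168.1.1",)):
    """Two signals of ARP cache poisoning:
    - an IP that was announced with one MAC is re-announced with a different MAC
      (high severity when the IP is the gateway or another protected address);
    - one MAC ends up claiming several IPs, the footprint of an attacker sitting
      between both sides of a conversation."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in parse_arp_replies(text):
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            severity = "high" if ip in protected_ips else "medium"
            alerts.append((severity, ts, f"{ip} moved from {previous} to {mac}"))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    for mac, ips in sorted(mac_to_ips.items()):
        if len(ips) > 1:
            alerts.append(("medium", "-",
                           f"{mac} claims {len(ips)} addresses: {', '.join(sorted(ips))}"))
    return alerts


if __name__ == "__main__":
    for severity, ts, message in detect_arp_poisoning(SAMPLE_ARP):
        print(f"{severity:6} {ts:8} {message}")
```

A legitimate MAC change (a replaced NIC, a failover of a virtual IP) produces the same first signal, so the rule is a lead for investigation rather than a verdict; the second signal, one MAC claiming the gateway plus client addresses, is much harder to explain innocently.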
A. Correct: Phishing is correct because NIST defines phishing as a technique for attempting to acquire sensitive data, such as credentials or account numbers, through deceptive means such as fraudulent emails or websites.
B. Incorrect: SQL Injection is incorrect because it exploits input-handling flaws in web applications rather than deceiving a person.
C. Incorrect: Cross-site Scripting (XSS) is incorrect because XSS injects malicious scripts into trusted sites; it is a code-injection attack, not social deception.
D. Incorrect: Buffer Overflow is incorrect because overflow attacks corrupt memory to execute arbitrary code; they do not deceive individuals.
A. Correct: Lack of input validation allows attackers to inject malicious data into queries or commands, leading to injection vulnerabilities such as SQL injection.
B. Incorrect: Inadequate access controls is incorrect because they can lead to unauthorized access but do not directly cause injection vulnerabilities if proper validation and sanitization are in place.
C. Incorrect: Weak encryption algorithms is incorrect because they compromise the security of stored or transmitted data but do not contribute to injection vulnerabilities.
D. Incorrect: Insufficient logging and monitoring is incorrect because it hinders detection and response but is not what allows injection to occur.
A. Incorrect: Encryption prevents unauthorized access to data is incorrect because encryption does not prevent resource consumption issues; it secures data.
B. Correct: Denial of service occurs when resources are exhausted or overwhelmed is correct because unrestricted resource consumption can lead to denial of service as resources become exhausted or overwhelmed.
C. Incorrect: Authentication verifies user identity and does not control resource limits is incorrect because authentication verifies user identity but does not control how many resources a user consumes.
D. Incorrect: Digital signatures ensure the integrity of transmitted data is incorrect because digital signatures ensure the integrity and authenticity of data but do not prevent excessive API usage.
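Both the broken-authentication question above (brute force against a login endpoint) and this one (resource exhaustion) come down to the server bounding what one caller may consume. The following is an added example, not code from the original page or from OWASP: a login guard that combines a sliding-window request limit per client address with a failed-attempt lockout per account, and two simulations showing why each is needed. LoginGuard, CREDENTIALS and the simulation functions are assumed names; the credential store is a constructed stand-in for a real password-hash lookup, and time is passed in explicitly so the behaviour can be exercised without sleeping.

```python
from collections import defaultdict, deque

# Constructed credential store (not real data); a real system compares password hashes.
CREDENTIALS = {"alice": "correct horse battery staple"}


class LoginGuard:
    """Two independent limits on a login endpoint:
    - a sliding-window request limit per client address, which caps how fast any one
      source can hit the endpoint regardless of which accounts it targets;
    - a failed-attempt lockout per account, which stops a distributed guess against
      one account even when every source stays under the per-address limit."""

    def __init__(self, max_requests=5, window_s=60, max_failures=5, lockout_s=900):
        self.max_requests = max_requests
        self.window_s = window_s
        self.max_failures = max_failures
        self.lockout_s = lockout_s
        self.requests = defaultdict(deque)   # client address -> request timestamps
        self.failures = defaultdict(deque)   # account -> failed-attempt timestamps
        self.locked_until = {}               # account -> time the lockout expires

    @staticmethod
    def _prune(timestamps, now, horizon):
        while timestamps and timestamps[0] <= now - horizon:
            timestamps.popleft()

    def check(self, client, account, now):
        """Decide before touching the credential store; 'allow' or the reason for refusal."""
        if now < self.locked_until.get(account, 0.0):
            return "locked"
        window = self.requests[client]
        self._prune(window, now, self.window_s)
        if len(window) >= self.max_requests:
            return "rate_limited"
        window.append(now)
        return "allow"

    def record(self, account, success, now):
        """Count failures per account; lock the account once the threshold is reached."""
        if success:
            self.failures.pop(account, None)
            return
        fails = self.failures[account]
        self._prune(fails, now, self.lockout_s)
        fails.append(now)
        if len(fails) >= self.max_failures:
            self.locked_until[account] = now + self.lockout_s


def attempt_login(guard, client, account, password, now):
    verdict = guard.check(client, account, now)
    if verdict != "allow":
        return verdict
    ok = CREDENTIALS.get(account) == password   # stand-in for a constant-time hash check
    guard.record(account, ok, now)
    return "success" if ok else "failure"


def simulate_distributed_brute_force(attempts=20):
    """One account, a fresh source address per guess: the per-address limit never
    fires, the account lockout does."""
    guard = LoginGuard()
    return [attempt_login(guard, f"10.0.0.{i}", "alice", f"guess{i}", now=float(i))
            for i in range(attempts)]


def simulate_credential_stuffing(attempts=20):
    """One source address, a different account per guess: no account accumulates
    failures, the per-address limit fires."""
    guard = LoginGuard()
    return [attempt_login(guard, "10.0.0.99", f"user{i}", "Password1", now=float(i))
            for i in range(attempts)]


def legitimate_login_after_lockout():
    """The real user, with the right password, is refused during the lockout and
    admitted once it has expired."""
    guard = LoginGuard()
    for i in range(5):
        attempt_login(guard, "10.0.0.1", "alice", "wrong", now=float(i))
    during = attempt_login(guard, "10.0.0.2", "alice", CREDENTIALS["alice"], now=10.0)
    after = attempt_login(guard, "10.0.0.2", "alice", CREDENTIALS["alice"], now=4.0 + 900.0 + 1.0)
    return during, after


if __name__ == "__main__":
    print("distributed brute force:", simulate_distributed_brute_force())
    print("credential stuffing:   ", simulate_credential_stuffing())
    print("legitimate user:       ", legitimate_login_after_lockout())
```

The same sliding-window bookkeeping, keyed on an API key or token instead of a source address, is the basic control for unrestricted resource consumption on any endpoint, not just login; the account lockout is specific to authentication and is what a per-client limit alone cannot provide.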
A. Incorrect: The efficiency of data processing is incorrect because it relates more to performance testing than security assessment through penetration testing.
B. Correct: Whether intra or intercomponent vulnerabilities can be exploited is correct because penetration testing focuses on identifying and assessing exploitable vulnerabilities in intra or intercomponent interactions.
C. Incorrect: Compatibility with different operating systems is incorrect because it is tested through other methods such as cross-platform testing, not specifically through penetration testing.
D. Incorrect: User satisfaction levels is incorrect because it is typically measured through user feedback surveys and usability studies, not security assessments.
A. Incorrect: Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network is incorrect because this describes Exploitation of Remote Services, which takes advantage of software vulnerabilities rather than using legitimate credentials to log into remote services.
B. Incorrect: this option describes Internal Spearphishing, where adversaries use compromised accounts to trick other users inside the organization; it is not logging into remote services with valid credentials.
C. Incorrect: this option describes Lateral Tool Transfer, moving tools between systems in a compromised environment; it does not involve logging into remote services with legitimate credentials.
D. Correct: Adversaries may log into remote services with valid credentials, or take control of preexisting sessions with those services, to move laterally, as described under Remote Services in MITRE ATT&CK.
dotCreds builds CEH practice questions from public exam objectives and EC-Council exam and documentation references. The questions are written for realistic study practice, not copied from exam dumps.
Each question includes an explanation and, when available, a source link back to the provider documentation or reference used to validate the answer. That keeps the practice tied to study material you can actually review.
The page tracks today's answered count and accuracy for the 30-question daily set, then saves a 7-day score history on this device so you can see your recent practice trend.
The site is the fastest way to start CEH practice without installing anything. It is built for daily recall, quick weak-topic discovery, and source-backed explanations you can review immediately.
The web page is the quick free sampler. If a dotCreds app is available for CEH, the app is better for larger banks, focused weak-domain drills, longer review sessions, and mobile study routines.