Free CEH practice test

A. × Incorrect: Broken Object Property Level Authorization because the API allows unauthorized modification of sensitive properties.

B. ✓ Correct: Injection because it involves inserting malicious code or data into an application, not modifying object properties.

C. × Incorrect: Cross-Site Scripting (XSS) because XSS attacks involve injecting scripts into web pages viewed by other users, not altering API responses directly.

D. × Incorrect: Server Side Request Forgery because this attack involves making unauthorized requests from the server to another system, unrelated to property modification.

A. ✓ Correct: Circumventing elevation control mechanisms directly aims to gain higher-level permissions, which is essential for executing critical tasks with elevated privileges.

B. × Incorrect: Establishing persistence involves maintaining access over time rather than immediately gaining elevated permissions.

C. × Incorrect: Reconnaissance activities focus on gathering information about the target environment and do not necessarily involve privilege escalation.

D. × Incorrect: Exfiltrating data pertains to transferring sensitive information out of a system, which is unrelated to gaining higher-level permissions.

A. × Incorrect: A digital certificate does not solely serve to manage keys; it binds public keys to identities.

B. ✓ Correct: A digital certificate verifies an entity's identity by associating its public key with verified information, ensuring secure communications in PKI.

C. × Incorrect: While certificates do include public keys, they are primarily used for verifying the holder’s identity and not just storing keys.

D. × Incorrect: Although certificates can be revoked, this is a management function rather than their primary purpose of binding identities to keys.

A. ✓ Correct: Lack of input validation allows attackers to inject malicious data into queries or commands, leading to injection vulnerabilities such as SQL injection.

B. × Incorrect: They can lead to unauthorized access but do not directly cause injection vulnerabilities if proper validation and sanitization are in place.

C. × Incorrect: Compromise the security of stored or transmitted data but do not contribute to injection vulnerabilities.

D. × Incorrect: Hinders detection and response efforts but does not prevent injection attacks from occurring.

A. ✓ Correct: It accurately reflects the concept of negative risk as defined by NIST SP 800-221, focusing on the potential for adverse impact.

B. × Incorrect: An actual breach would be considered a security incident rather than a potential event or circumstance.

C. × Incorrect: While vulnerabilities are important in assessing risks, they do not define negative risk as per NIST's guidelines.

D. × Incorrect: Mitigating threats and vulnerabilities is part of risk management but does not constitute the definition of negative risk.

A. ✓ Correct: Cloud computing enables on-demand network access to a shared pool of configurable resources, as per NIST's definition.

B. × Incorrect: Physical isolation contradicts the concept of sharing resources in cloud environments.

C. × Incorrect: High-performance computing clusters are not exclusive characteristics of cloud computing and do not align with its definition of shared resources.

D. × Incorrect: Secure file transmission via FTP does not relate to the on-demand network access and resource pooling aspects of cloud computing.

A. × Incorrect: PowerShell cmdlets like Invoke-Command typically require administrative privileges for remote execution on a target system.

B. ✓ Correct: Adversaries can abuse cloud management services to execute commands within virtual machines without needing direct administrative access, leveraging installed virtual machine agents.

C. × Incorrect: AppleScript requires local interaction and does not inherently support running scripts remotely on Windows systems.

D. × Incorrect: The Windows Command Shell generally requires administrative privileges for remote execution.

A. ✓ Correct: Authentication involves verifying a user's identity before granting access to resources, as per NIST SP 800-63-4.

B. × Incorrect: It refers to the process of determining what actions a user can perform after their identity has been verified.

C. × Incorrect: It does not specifically refer to the verification step required for authentication.

D. × Incorrect: As it describes an unrelated security concept.

A. ✓ Correct: Using hard-coded passwords can lead to sensitive data exposure if the source code or configuration files are compromised.

B. × Incorrect: Insecure design patterns relate more broadly to architecture flaws, not specifically cryptographic failures.

C. × Incorrect: Security misconfiguration involves improper settings in software and systems that could be exploited, but it is not a direct cryptographic failure.

D. × Incorrect: Vulnerable components refer to outdated or compromised libraries and dependencies, which do not directly involve cryptographic practices.

A. ✓ Correct: The core activity performed by a Certified Ethical Hacker (CEH) during an engagement involves identifying vulnerabilities, evaluating security measures, testing systems for weaknesses, and reporting findings to improve cybersecurity. This encompasses the full scope of ethical hacking activities as defined by EC-Council.

B. × Incorrect: They are creating incident response plans, but they are crucial for organizations, it falls under the responsibilities of roles such as Incident Handlers or SOC Analysts rather than Certified Ethical Hackers who focus on proactive security assessments.

C. × Incorrect: Conducting forensic investigations to recover data from compromised systems is more aligned with the Computer Hacking Forensic Investigator (CHFI) certification. The CEH's role does not primarily involve post-incident recovery but rather prevention and detection of vulnerabilities.

D. × Incorrect: Managing cloud security involves responsibilities related to securing cloud environments, which is covered by the Certified Cloud Security Engineer (C|CSE) certification. While a CEH may assess cloud-based systems for vulnerabilities, managing cloud security is not their primary focus.