
ECSS

1. Which of the following programs infected computer systems by generating a large amount of
network traffic with the intention of consuming more bandwidth?
a. MaliciousP
b. Net-Worm.Win32.Mytob.t
c. Rebooter.J
d. Downloader.MDW

2. Which of the following incident handling processes is responsible for defining the rules of human
labor cooperation, creating a backup plan, and testing plans for the company?
a. Preparatory Phase
b. Recovery Phase
c. Definition
d. End Phase

3. Metadata describes how, when, and by whom a particular set of data was collected and how the
data is formatted. Which of the following metadata type facilitates the navigation and
presentation of electronic resources?
a. Descriptive Metadata
b. Administrative Metadata
c. Formatted Metadata
d. Structural Metadata

4. Which of the following is a low-interaction honeypot that is used rarely, capturing
information about the company or the community of hackers?
a. Production Honeypot
b. Research Honeypot
c. Honeynet
d. Honeyfarm

5. Which of the following attacks allows attackers to bypass client-ID security mechanisms and gain
access privileges, and then inject malicious scripts into specific web pages?
a. Cross-Site Scripting (XSS)
b. Parameter/Form Tampering
c. Denial of Service
d. Buffer Overflow

6. Network security is not confined to internet related threats, but also includes internal threats.
Network security addresses the TCP/IP networks and also special-purpose protocols and
architectures. Which of the following data security threats over a network allow the stealing of
the original data by making up some false data for the receiver?
a. Data Modification
b. Data Interruption
c. Data Interception
d. Data Fabrication

7. A DoS attack is an incident in which a user or organization is deprived of the services of a resource
they would normally expect to have. At the data link layer, DoS attacks can be done easily. DoS
attacks at the application and transport layers are primarily the same, but the interaction between
the network, data-link and physical layers, which increases the risk of a DoS attack on a wireless
network, is different. An attacker can create a device that will saturate the 802.11 frequency bands
with noise. If the attacker can create enough RF noise to reduce the signal-to-noise ratio to an
unusable level, then the devices within the range of the noise will be effectively taken offline to
block the communication. What type of DoS attack is being discovered here?
a. Physical DoS Attack
b. Data-Link DoS Attack
c. Network DoS Attack
d. Application DoS Attack

8. Which of the following is downloaded from a site and, without the user's permission, displays
malicious ads in the browser?
a. Adware
b. Trojans
c. Virus
d. Ransomware

9. WEP is a component of the IEEE 802.11 WLAN standards. Its primary purpose is to provide for the
confidentiality of data on wireless networks at a level equivalent to that of the wired LANs. In a
wireless LAN, the network can be accessed without physically connecting to the LAN. At what
layer of the OSI model does WEP utilize an encryption mechanism for minimizing unauthorized access
on the WLAN?
a. Network Layer
b. Physical Layer
c. Data Link Layer
d. Application Layer

10. A Bastion host is designed and configured to provide a limited range of services such as website
hosting, mail, etc. to attain security. Identify the type of Bastion host depicted in the following
figure.
a. External Bastion Host
b. Internal Bastion Host
c. Single-homed Bastion Host
d. Multi-Homed Bastion Host

11. Which of the file systems below acts as a client for a remote file access protocol, providing access
to files on a server?
a. Special Purpose File System
b. Database File System
c. Network File System
d. Disk File System

12. Which of the following tools provide auditing and inspection, and for the next enterprise security
defense emergency situations to identify a good solution?
a. Burp Suite
b. IP Sentry
c. Traffic IQ Professional
d. F-Secure

13. Basic Authentication is the most basic form of authentication available to web applications. The
basic authentication mechanism requires a simple sign-in with a user ID and password for each
realm. Basic authentication is wide open to which one of the following types of attacks?
a. Password-Based Attacks
b. Sniffer Attacks
c. Denial-of-Service Attacks
d. Eavesdropping Attacks

14. Which of the following steganography techniques allows you to embed a secret message in a
transform space of the signal?
a. Transform Domain Techniques
b. Spread Spectrum Techniques
c. Substitution Techniques
d. Cover Generation Technique

15. What is a self-replicating program that produces its own code by attaching copies of itself to other
executable code and infects a computer without the permission or knowledge of the user?
a. Virus
b. Trojan
c. Rootkit
d. Worm

16. Some bastion servers incorporate auditing programs that check if an attack has been launched
against them. One can use the checksum program to audit. The checksum is calculated based on
the size of an executable program installed on the server. This program calculates the checksum
to see if there are any modifications. These changes in the checksum are the indications of an
attack. What type of Bastion host is used in testing new applications whose security flaws are not
yet known and to run services which are not secure?
a. Non-routing Dual-homed Hosts
b. External Services Hosts
c. One-box Firewalls
d. Victim Machines

17. Blake is working on the company’s updated disaster and business continuity plan. The last section
of the plan covers computer and data incident response. Blake is outlining the level of severity
for each type of incident in the plan. Unsuccessful scans and probes are at what severity level?
a. High-Level Incidents
b. Low-Level Incidents
c. Extreme-Level Incidents
d. Middle-Level Incidents

18. Which of the following is a low-tech way of gaining unauthorized access to systems?
a. Scanning
b. Enumeration
c. Sniffing
d. Social Engineering

19. Identify the attack represented in the diagram below:

a. Spoofing
b. Man-in-the-Middle Attack
c. TCP Session Hijacking
d. Denial of Service Attack

20. Which of the following protocols is designed to initiate the interactive sessions on an IP network
and provide real-time communication between participants to set-up, modify and terminate a
connection between two or more computers?
a. PGP
b. SIP
c. SSL
d. IPSec

21. VPNs provide a secure means of communication between hosts over an insecure medium. A VPN
makes use of the Internet as the transport backbone. A VPN can be deployed in two ways, Internal
LAN VPNs and Remote Access VPNs. Which of the following statements is true for a Remote Access
VPN?
a. VPN Gateway provides VPN termination
b. VPN Gateway acts as a firewall
c. Forwards the packets to the Internet
d. Encrypts packets that are intended to the other remotely located office

22. A firewall is a combination of secure network hardware and software. It is used to protect
an internal network or intranet against unauthorized access from the Internet or other external
networks. It limits inbound and outbound access, and can analyze all traffic between the internal
network and the Internet. Users can configure the firewall to prevent or postpone the data packet
to a specific IP address and port. Which of the following tools serves as the Linux 2.4 kernel firewall?
a. Iptables
b. Ipchains
c. Firewalld
d. Openfirewall

23. It is a type of crime in which one person fraudulently converts the property of another for the
legal possession of that property.
Which of the following computer crime types best matches the description?
a. Embezzlement
b. Cyber Stalking
c. Drug Trafficking
d. Identity Theft

24. What is the term that is used to refer to a kind of electronic civil disobedience in which activists
take direct action by breaking into government or corporate computer systems as an act of
protest?
a. Scanning
b. Tracking
c. Hacktivism
d. Reconnaissance

25. Which of the following helps to determine a logical timeline of a security incident and the users
responsible and resides in registers, cache and RAM?
a. Non-Volatile Information
b. Volatile Information
c. Hard Drive
d. Registry

26. There are several ways an attacker can gain access to a network. The attacker must be able to
exploit a weakness or vulnerability in a system. Hacker attacks are categorized into four types.
Which of the following attacks does Session hijacking belong to?
a. Shrink Wrap Code Attacks
b. Application-Level Attacks
c. Operating System Attacks
d. Misconfiguration Attacks

27. Hackers fall into various categories based on their activity profile. Which category of hackers
works both offensively and defensively at various times?
a. Gray Hats
b. Suicide Hackers
c. White Hats
d. Black Hats

28. Which of the following is a Linux journaling file system?
a. EXT3
b. HFS
c. FAT
d. BFS

29. Which security protocol designed with the IEEE 802.11i hashes the initialization vector and uses
algorithms to enhance the security of the network?
a. WEP
b. WPA
c. EAP
d. TKIP

30. Firewall protection is provided by different types of firewalls. One of the firewall types works at
the session layer of OSI model or the TCP layer of TCP/IP, and monitors TCP handshaking between
packets to determine whether a requested session is legitimate. This level hides information about
the private networks they protect, but they do not filter individual packets. Identify the type of
firewall described above.
a. Application-Level Firewall
b. Stateful Multilayer Inspection Firewall
c. Circuit-Level Gateway Firewall
d. Packet Filtering Firewall

31. Networks are vulnerable to an attack, which occurs due to overextension of bandwidth,
bottlenecks, network data interception, etc.
Which of the following attacks refers to a process in which an attacker changes his or her IP address
so that he or she appears to be someone else?
a. Denial-of-Service Attack
b. Port Scanning
c. Session Sniffing
d. IP Address Spoofing

32. Which one of the following digital data types is used for managing data for long-term storage and
maintaining records?
a. Residual Data
b. Metadata
c. Archival Data
d. Fragile Data

33. Password cracking techniques are used to recover passwords from computer systems. Attackers
use password cracking techniques to gain unauthorized access to vulnerable systems. Which of
the following techniques is the combination of brute force attack and the dictionary attack?
a. Syllable Attack
b. Rule-based Attack
c. Hybrid Attack
d. Replay Attack

34. Which of the following is defined as the application of the physical sciences to law in the search
for truth in civil, criminal and social behavioral matters to the end that injustice shall not be done
to any member of the society?
a. Forensic Science
b. Physical Science
c. Computer Science
d. Biological Science

35. Computer security logs contain information about the events occurring within systems and
networks. Which one of the following logs contains information about security software and other
applications running on the computer system?
a. Security Software Logs
b. Application Logs
c. Operating System Logs
d. Audit Logs

36. Among different types of proxy servers, which type allows the client system to connect to the
server without its knowledge, making it difficult to automatically detect the FTP or HTTPs
connection?
a. Non-Transparent Proxy
b. Transparent Proxy
c. Reverse Proxy
d. Anonymous Proxy

37. An Intrusion Detection System, also referred to as a “Packet-Sniffer”, intercepts packets travelling
along various communication mediums and protocols, usually TCP/IP. Which of the following
methods detects an intrusion based on the fixed behavioral characteristics of the users and
components in a computer system?
a. Packet Detection
b. Protocol Anomaly Detection
c. Signature Recognition
d. Anomaly Detection

38. Which of the following wireless standards defines the Inter-Access Point Protocol?
a. 802.11g
b. 802.11h
c. 802.11f
d. 802.11k

39. One of the methods to defend against web server attacks is to audit the ports on the server
regularly to ensure that an insecure or unnecessary service is not active on the webserver. Which
of the following will limit inbound traffic for HTTPS?
a. Port 143
b. Port 443
c. Port 119
d. Port 80

40. VPN technology is structured on the basis of tunneling. It requires the setting up and upholding of
a logical network connection. The packets built in a particular VPN protocol design are put in a
nutshell inside another base or carrier protocol. They are then transmitted between the VPN client
and the server and de-encapsulated finally on the receiving side. Which of the following
statements best describes the function of voluntary tunneling?
a. VPN connection is managed between the client and a VPN server
b. Authenticates clients and relate them with certain VPN servers using logic built into the
broker’s device
c. Details of the VPN server’s connectivity from the VPN clients are concealed
d. Managing of connection setup is carried out by the VPN client

41. Which of the following is defined as the process of gathering information about a network that
may help in an attack on the network?
a. Enumeration
b. Authentication
c. Encapsulation
d. Integration

42. The company has implemented a backup plan. James is working as a network administrator for
the company and is taking full backups of the data every time a backup is initiated. Alex, who is a
senior security manager, talks to James about using a differential backup instead and asks him to
implement this once a full backup of the data is completed. What is/are the reason(s) Alex is
suggesting that James should use a differential backup?
a. Less expensive than full backup
b. Slower than a full backup
c. Faster than a full backup
d. More storage space than a full backup

43. Kelly is taking backups of the organization’s data. Currently, he is taking backups of only those files
which are created or modified after the last backup. What type of backup is Kelly using?
a. Normal Backup
b. Incremental Backup
c. Full Backup
d. Differential Backup

44. Steve, who works as a network administrator in a large company where IDS has already been
installed, observes a genuine attack that triggered the IDS to raise a threat alarm in their network
while going through the log information and reports it to the management. Which of the following
terms correctly defines this type of alarm raised by IDS?
a. False Negative
b. True Positive
c. False Positive
d. True Negative

45. Each firm, such as a law firm or a computer forensics firm dealing with report writing has its own
established report format. An investigative report format has basically four sections.
Which section of investigative report format is dedicated to the background and summary?
a. Section 1
b. Section 2
c. Section 3
d. Section 4

46. ARP is Address Resolution Protocol which is used to map network layer IP addresses to data link
layer MAC addresses.

Using the diagram above, choose the appropriate option that justifies ARP spoofing:
a. The computer sends the data to the attacker’s system rather than the original destination
due to forged ARP replies
b. When a request is made for a MAC address, the user’s machine replies with a fake MAC
address
c. When an attacker requests the MAC address the Switch blocks the entire request
d. The host analyzes all the requests on the network and blocks the MAC address request

47. Which of the following contains extra material that is referred to in the report?
a. Acknowledgements
b. References
c. Summary
d. Appendices

48. Which of the following protocols encrypts all the information exchanged during the logon process
between the router and remote hosts?
a. Web Security Protocol – SSH
b. Web Security Protocol – SSL
c. VPN Security Protocol – PPTP
d. VPN Security Protocol – L2TP

49. In Digest authentication, the password is sent to the server in an encrypted form. The user
requests access from the server and the server replies with a digest session key. Upon receiving
the digest session key, the user sends the password in an encrypted form. Digest authentication
uses an encryption algorithm or hashing algorithm to encrypt the data. Which of the following
sets is included in the Digest type of authentication?
a. Password Based, Session Key and Encryption Key
b. Form Based, Token Based and Certificate Based
c. Encryption Key, Digest Session Key and Password Encryption
d. Face Recognition, Retina Scanning and Hand Geometry

50. To aid the working of IPSec, the sending and receiving devices must share a public key. This is
accomplished through a protocol known as Internet Security Association and Key Management
Protocol/Oakley (ISAKMP/Oakley), which allows the receiver to obtain a public key and
authenticate the sender using digital certificates.
Which of the following IPSec service offers authentication, integrity checking and encryption for
packets at the IP level?
a. PGP
b. SSL
c. AH
d. ESP

51. Jimmy is standing outside a secure entrance to a facility. He is pretending to have a tense
conversation on his cell phone as an authorized employee badges in. Jimmy, while still on phone,
grabs the door as it begins to close.
What just happened?
a. Tailgating
b. Masquerading
c. Whaling

52. Timothy works as a network administrator in a multinational organization. He decides to
implement a dedicated network for sharing storage resources. He uses a ________ as it separates
the storage units from the servers and the user network.
a. SCSA
b. SAN
c. SAS
d. NAS

53. From the Extensible Authentication Protocol (EAP) methods given below, identify the method
where authentication uses certificates for the server side and a simple method for the client side.
a. TTLS
b. MD5
c. LEAP
d. TLS

54. WPAN technologies allow users to set up ad hoc wireless communications for devices such as PDAs,
cellular phones, or laptops that are used within a space surrounding a person ranging up to 10
meters. Plugging in and the ability to lock devices to prevent unauthorized access are two prime
advantages of WPAN. What are the two most widely used key WPAN technologies?
a. Bluetooth and NFC
b. Bluetooth and IrDA
c. IrDA and NFC
d. Bluetooth and Zigbee

55. Which of the following types of firewall functions by creating two communications, one between
the client and the firewall and the second between the firewall and the server?
a. The Proxy Firewall
b. Stateful Firewall
c. Packet Filtering Firewall
d. End Firewall

56. Peter, a malicious hacker, collects e-mail addresses from news, blogs, DNS lists and Web pages. He
then sends unsolicited bulk commercial e-mail (UCE) messages to these addresses. Which of the
following e-mail crimes is Peter committing?
a. Email Storm
b. Email Bombing
c. Email Scam
d. Spam
