John, a professional hacker, is attacking an organization, where he is trying to destroy the connectivity between an AP and client to make the target unavailable to other wireless devices. Which of the following attacks is John performing in this case?
Correct Answer: C
In a disassociation attack, the attacker sends disassociation frames to a wireless access point (AP) using a spoofed MAC address of a client, or to the client while pretending to be the AP. This forces the target to disconnect and often reconnect, disrupting wireless connectivity. Such attacks can be used to create a denial-of-service condition for the client, making the network resource unavailable. The primary objective of this attack is not to eavesdrop but to disrupt the normal operation of the wireless connection between the client and the AP. References: The concept of disassociation attacks and their impact on wireless network connectivity is covered in cybersecurity training materials and incident response courses, including those related to the ECIH v3 certification. These materials explain the techniques used in various network attacks, including how disassociation attacks are performed and mitigated.
212-89 Exam Question 107
Which of the following types of insider threat describes an insider who is uneducated on potential security threats, or who simply bypasses general security procedures to meet workplace efficiency goals?
Correct Answer: B
A negligent insider is an individual within an organization who, due to a lack of knowledge about security threats or in an attempt to increase workplace efficiency, inadvertently bypasses security procedures or makes errors that compromise security. This type of insider threat is not malicious in intent; rather, it stems from carelessness, oversight, or a lack of proper security training. Such insiders might click on phishing links, mishandle sensitive information, or use unsecured networks for work-related tasks, thereby exposing the organization to potential security breaches. This contrasts with compromised insiders (who are manipulated by external parties), professional insiders (who misuse their access for personal gain), and malicious insiders (who intentionally aim to harm the organization). References: The Incident Handler (ECIH v3) courses and study guides discuss different types of insider threats, emphasizing the importance of security awareness training to mitigate the risks associated with negligent insiders.
212-89 Exam Question 108
Mei, a forensic analyst, is analyzing logs from a compromised blog platform. She finds evidence that an attacker posted content using a valid account, and later, users who visited the blog were redirected to a phishing site containing session cookies in the URL. What kind of attack does this best describe?
Correct Answer: C
The EC-Council Incident Handler (ECIH) curriculum explains that Stored Cross-Site Scripting (Stored XSS) occurs when malicious scripts are permanently stored on a web server (e.g., within blog posts, comments, or database entries). When users access the infected content, the malicious script executes in their browser. In this scenario, the attacker posted malicious content using a valid account, and subsequent users were redirected to a phishing site containing session cookies in the URL. This indicates that malicious code was embedded and stored within the blog platform, affecting multiple visitors. Reflected XSS (Option A) requires the victim to click a crafted link and is not persistently stored. Man-in-the-middle (Option B) involves interception of communications. Directory traversal (Option D) involves accessing restricted directories on a server. ECIH highlights that stored XSS attacks are particularly dangerous because they impact all users who access the compromised content and can lead to session hijacking, credential theft, and redirection to phishing sites. Therefore, the attack described is Stored XSS.
212-89 Exam Question 109
Which stage of the incident response and handling process involves auditing the system and network log files?
Correct Answer: B
Auditing the system and network log files is a crucial step in the incident triage phase of the incident response and handling process. During incident triage, incident handlers assess and prioritize incidents based on their severity, impact, and the urgency of the response required. Part of this assessment involves reviewing log files to understand the nature of the incident, its scope, and the systems or networks affected. This information helps in categorizing the incident and deciding on the appropriate response actions. The other phases have different goals: containment aims to limit the damage, incident disclosure involves communicating about the incident, and incident eradication focuses on removing the threat. Incident triage, by contrast, is about evaluating and prioritizing the incident based on detailed log analysis among other factors. References: The Incident Handler (ECIH v3) courses and study guides emphasize the role of incident triage in the early stages of the incident response process, highlighting the importance of log file analysis in assessing and prioritizing incidents.
212-89 Exam Question 110
If the session is not expired when the user fails to log out properly, which of the following OWASP Top 10 web vulnerabilities is the cause?
Correct Answer: C
When a session is not expired after the user fails to log out properly, it is indicative of a vulnerability related to broken authentication. Broken authentication is a security issue where attackers can exploit flaws in the authentication mechanism to impersonate other users or take over their sessions. Failure to properly manage session lifetimes, such as not expiring sessions on logout, can allow an attacker to reuse old sessions or session IDs, potentially gaining unauthorized access to user accounts. This vulnerability is classified under A2: Broken Authentication in the OWASP Top 10, which lists the most critical web application security risks. The OWASP Top 10 serves as a guideline for developers and web application providers to understand and mitigate common security risks. References: The OWASP Top 10 is a widely recognized standard for web application security, often referenced in cybersecurity training and certifications, including the EC-Council's Incident Handler (ECIH v3) curriculum, which covers identification and mitigation of various web application vulnerabilities, including broken authentication.