Chapter 3 - Ethical Hacking Test
Questions and Correct Answers
Security Terms ✅Assets
An asset is anything of value to the organization. It includes people, equipment,
resources, and data.
Vulnerability
A vulnerability is a weakness in a system, or its design, that could be exploited by a
threat.
Threat
A threat is a potential danger to a company's assets, data, or network functionality.
Exploit
An exploit is a mechanism that takes advantage of a vulnerability.
Mitigation
Mitigation is the counter-measure that reduces the likelihood or severity of a potential
threat or risk. Network security involves multiple mitigation techniques.
Risk
Risk is the likelihood of a threat to exploit the vulnerability of an asset, with the aim of
negatively affecting an organization. Risk is measured using the probability of the
occurrence of an event and its consequences.
An attack vector ✅An attack vector is a path by which a threat actor can gain access to
a server, host, or network. Attack vectors originate from inside or outside the corporate
network.
For example, threat actors may target a network through the internet, to disrupt network
operations and create a denial of service (DoS) attack.
Internal attack vector ✅An internal user, such as an employee, can accidentally or
intentionally:
Steal and copy confidential data to removable media, email, messaging software, and
other media.
Compromise internal servers or network infrastructure devices.
Disconnect a critical network connection and cause a network outage.
Connect an infected USB drive into a corporate computer system.
,Internal threats have the potential to cause greater damage than external threats
because internal users have direct access to the building and its infrastructure devices.
Employees may also have knowledge of the corporate network, its resources, and its
confidential data.
Data Loss ✅Data is likely to be an organization's most valuable asset. Organizational
data can include research and development data, sales data, financial data, human
resource and legal data, employee data, contractor data, and customer data.
Data loss or data exfiltration is when data is intentionally or unintentionally lost, stolen,
or leaked to the outside world. The data loss can result in:
Brand damage and loss of reputation
Loss of competitive advantage
Loss of customers
Loss of revenue
Litigation/legal action resulting in fines and civil penalties
Significant cost and effort to notify affected parties and recover from the breach
Data Loss Vectors ✅Email/Social Networking
Intercepted email or IM messages could be captured and reveal confidential
information.
Unencrypted Devices
If the data is not stored using an encryption algorithm, then the thief can retrieve
valuable confidential data.
Cloud Storage Devices
Sensitive data can be lost if access to the cloud is compromised due to weak security
settings.
Removable Media
One risk is that an employee could perform an unauthorized transfer of data to a USB
drive. Another risk is that a USB drive containing valuable corporate data could be lost.
Hard Copy
Confidential data should be shredded when no longer required.
Improper Access Control
Passwords or weak passwords which have been compromised can provide a threat
actor with easy access to corporate data.
DLP ✅Network security professionals must protect the organization's data.
, Various Data Loss Prevention (DLP) controls must be implemented which combine
strategic, operational and tactical measures.
Describe the term Hacker ✅Hacker is a common term used to describe a threat actor.
Originally the term referred to someone who was a skilled computer expert such as a
programmer and a hack was a clever solution.
The term later evolved into what we know of it today.
The terms white hat hacker, black hat hacker, and gray hat hacker are often used to
describe a type of hacker.
Hacker types ✅White Hat Hackers
These are ethical hackers who use their programming skills for good, ethical, and legal
purposes.
White hat hackers may perform network penetration tests in an attempt to compromise
networks and systems by using their knowledge of computer security systems to
discover network vulnerabilities.
Security vulnerabilities are reported to developers for them to fix before the
vulnerabilities can be exploited.
Gray Hat Hackers
These are individuals who commit crimes and do arguably unethical things, but not for
personal gain or to cause damage.
Gray hat hackers may disclose a vulnerability to the affected organization after having
compromised their network.
Black Hat Hackers
These are unethical criminals who compromise computer and network security for
personal gain, or for malicious reasons, such as attacking networks.
Hacking started in the 1960s ✅Hacking started in the 1960s with phone freaking, or
phreaking, which refers to using audio frequencies to manipulate phone systems.
At that time, telephone switches used various tones to indicate different functions.
Early hackers realized that by mimicking a tone using a whistle, they could exploit the
phone switches to make free long-distance calls.
In the mid-1980s, computer dial-up modems were used to connect computers to
networks.
Hackers wrote "war dialing" programs which dialed each telephone number in a given
area in search of computers.
When a computer was found, password-cracking programs were used to gain access.
Hacking Terms ✅Script Kiddies
Questions and Correct Answers
Security Terms ✅Assets
An asset is anything of value to the organization. It includes people, equipment,
resources, and data.
Vulnerability
A vulnerability is a weakness in a system, or its design, that could be exploited by a
threat.
Threat
A threat is a potential danger to a company's assets, data, or network functionality.
Exploit
An exploit is a mechanism that takes advantage of a vulnerability.
Mitigation
Mitigation is the counter-measure that reduces the likelihood or severity of a potential
threat or risk. Network security involves multiple mitigation techniques.
Risk
Risk is the likelihood of a threat to exploit the vulnerability of an asset, with the aim of
negatively affecting an organization. Risk is measured using the probability of the
occurrence of an event and its consequences.
An attack vector ✅An attack vector is a path by which a threat actor can gain access to
a server, host, or network. Attack vectors originate from inside or outside the corporate
network.
For example, threat actors may target a network through the internet, to disrupt network
operations and create a denial of service (DoS) attack.
Internal attack vector ✅An internal user, such as an employee, can accidentally or
intentionally:
Steal and copy confidential data to removable media, email, messaging software, and
other media.
Compromise internal servers or network infrastructure devices.
Disconnect a critical network connection and cause a network outage.
Connect an infected USB drive into a corporate computer system.
,Internal threats have the potential to cause greater damage than external threats
because internal users have direct access to the building and its infrastructure devices.
Employees may also have knowledge of the corporate network, its resources, and its
confidential data.
Data Loss ✅Data is likely to be an organization's most valuable asset. Organizational
data can include research and development data, sales data, financial data, human
resource and legal data, employee data, contractor data, and customer data.
Data loss or data exfiltration is when data is intentionally or unintentionally lost, stolen,
or leaked to the outside world. The data loss can result in:
Brand damage and loss of reputation
Loss of competitive advantage
Loss of customers
Loss of revenue
Litigation/legal action resulting in fines and civil penalties
Significant cost and effort to notify affected parties and recover from the breach
Data Loss Vectors ✅Email/Social Networking
Intercepted email or IM messages could be captured and reveal confidential
information.
Unencrypted Devices
If the data is not stored using an encryption algorithm, then the thief can retrieve
valuable confidential data.
Cloud Storage Devices
Sensitive data can be lost if access to the cloud is compromised due to weak security
settings.
Removable Media
One risk is that an employee could perform an unauthorized transfer of data to a USB
drive. Another risk is that a USB drive containing valuable corporate data could be lost.
Hard Copy
Confidential data should be shredded when no longer required.
Improper Access Control
Passwords or weak passwords which have been compromised can provide a threat
actor with easy access to corporate data.
DLP ✅Network security professionals must protect the organization's data.
, Various Data Loss Prevention (DLP) controls must be implemented which combine
strategic, operational and tactical measures.
Describe the term Hacker ✅Hacker is a common term used to describe a threat actor.
Originally the term referred to someone who was a skilled computer expert such as a
programmer and a hack was a clever solution.
The term later evolved into what we know of it today.
The terms white hat hacker, black hat hacker, and gray hat hacker are often used to
describe a type of hacker.
Hacker types ✅White Hat Hackers
These are ethical hackers who use their programming skills for good, ethical, and legal
purposes.
White hat hackers may perform network penetration tests in an attempt to compromise
networks and systems by using their knowledge of computer security systems to
discover network vulnerabilities.
Security vulnerabilities are reported to developers for them to fix before the
vulnerabilities can be exploited.
Gray Hat Hackers
These are individuals who commit crimes and do arguably unethical things, but not for
personal gain or to cause damage.
Gray hat hackers may disclose a vulnerability to the affected organization after having
compromised their network.
Black Hat Hackers
These are unethical criminals who compromise computer and network security for
personal gain, or for malicious reasons, such as attacking networks.
Hacking started in the 1960s ✅Hacking started in the 1960s with phone freaking, or
phreaking, which refers to using audio frequencies to manipulate phone systems.
At that time, telephone switches used various tones to indicate different functions.
Early hackers realized that by mimicking a tone using a whistle, they could exploit the
phone switches to make free long-distance calls.
In the mid-1980s, computer dial-up modems were used to connect computers to
networks.
Hackers wrote "war dialing" programs which dialed each telephone number in a given
area in search of computers.
When a computer was found, password-cracking programs were used to gain access.
Hacking Terms ✅Script Kiddies
