Exam Questions and CORRECT Answers
Confidentiality - CORRECT ANSWER- The measures taken to prevent disclosure of
information or data to unauthorized individuals or systems.
Integrity - CORRECT ANSWER- The methods and actions taken to protect the information
from unauthorized alteration or revision - whether the data is at rest or in transit.
Hash - CORRECT ANSWER- A one-way mathematical algorithm that generates a specific,
fixed-length number.
Bit Flipping - CORRECT ANSWER- A type of integrity attack where the attacker
manipulates bits in the ciphertext to generate a predictable outcome in the plaintext once it is
decrypted.
Availability - CORRECT ANSWER- Refers to communications and data being ready for use
when legitimate users need them.
Denial of Service (DoS) Attacks - CORRECT ANSWER- Designed to prevent legitimate
users from having access to computer resources.
Ethical Hacker - CORRECT ANSWER- Someone who employs the same tools and
techniques a criminal might use, with the customer's full support and approval, in order to secure
a network or system.
Cracker - CORRECT ANSWER- Also known as a malicious hacker, uses their skills for
either personal gain or destructive purposes.
White Hats - CORRECT ANSWER- These are the ethical hackers, hired by a customer for
the specific goal of testing and improving security.
Black Hats - CORRECT ANSWER- These are the bad guys; the crackers, illegally using
their skills for either personal gain or malicious intent.
Gray Hats - CORRECT ANSWER- The hardest group to categorize; these people are neither
good nor bad.
Penetration Test - CORRECT ANSWER- A clearly defined, full-scale test of the security
controls of a system or network in order to identify security risks and vulnerabilities and has
three main phases.
Black box testing - CORRECT ANSWER- The ethical hacker has zero knowledge of the
target of evaluation (TOE). Simulates an outside attacker, takes the most time to complete, and is
the most expensive option.
White box testing - CORRECT ANSWER- The exact opposite of black box testing; pen
testers have full knowledge of the network/system. Simulates a knowledgeable, internal threat.
Gray box testing - CORRECT ANSWER- Also known as partial knowledge testing; assumes
only that the attacker is an insider. This type of testing is very valuable because it can
demonstrate privilege escalation from a trusted employee.
Asset - CORRECT ANSWER- An item of economic value owned by an organization or
individual.
Threat - CORRECT ANSWER- Any agent, circumstance, or situation that could cause harm
or loss to an IT asset.
Vulnerability - CORRECT ANSWER- Any weakness that could be exploited by a threat to
cause damage to an asset.
United States Code Title 18, Section 1029 - CORRECT ANSWER- Criminalizes the misuse
of credentials, including selling devices that make fake credentials and those who traffic the
faked credentials.
United States Code Title 18, Section 1030 - CORRECT ANSWER- Targets hackers
themselves and criminalizes unauthorized access to computer systems or data. Also addresses
and criminalizes the spread of viruses and malware.
The SPY Act - CORRECT ANSWER- Criminalizes the collection of personal information
without the user's consent, the redirection of web servers, and the sending of spam.
Freedom of Information Act - CORRECT ANSWER- Serves the people's right to know
certain pieces of information not deemed to be classified.
Privacy Act of 1974 - CORRECT ANSWER- States that government agencies cannot
disclose personal information about an individual without the person's consent.
Federal Information Security Management Act (FISMA) - CORRECT ANSWER- Requires
government agencies to create security plans, have them accredited at least once every three
years, and periodically assess the security.
USA Patriot Act of 2001 - CORRECT ANSWER- Dramatically increased the government's
ability to monitor, intercept, and maintain records on many forms of communication.
Attack Types - CORRECT ANSWER- Operating System Attacks
Application-level Attacks
Shrink-wrap Code Attacks
Misconfiguration Attacks
Operating system attacks - CORRECT ANSWER- Target operating systems that were
installed with all the defaults left unchanged.