CCNA Cryptography and Malware Analysis Questions

20 questions · Cryptography and Malware Analysis · All types, answers revealed

1
MCQhard

A security engineer needs to configure a web server to support Perfect Forward Secrecy (PFS) for HTTPS connections. Which of the following key exchange methods should be prioritized?

A.Diffie-Hellman (DH) key exchange
B.Elliptic Curve Diffie-Hellman Ephemeral (ECDHE)
C.Pre-Shared Key (PSK)
D.RSA key exchange
AnswerB

ECDHE generates ephemeral keys for each session, ensuring that compromise of long-term keys does not compromise past sessions.

Why this answer

ECDHE is prioritized for Perfect Forward Secrecy because it generates a unique, ephemeral session key for each TLS handshake using elliptic curve cryptography, ensuring that if the server's long-term private key is compromised, past session keys remain secure. Unlike static Diffie-Hellman, ECDHE does not reuse key material, and it offers stronger security per bit compared to traditional DH, making it the recommended choice for PFS in modern HTTPS configurations.

Exam trap

EC-Council often tests the misconception that any Diffie-Hellman variant automatically provides PFS, but candidates must remember that only ephemeral modes (DHE or ECDHE) guarantee forward secrecy, while static DH does not.

How to eliminate wrong answers

Option A is wrong because standard Diffie-Hellman (DH) key exchange can be used in ephemeral mode (DHE) to provide PFS, but the question asks for the method to be 'prioritized'; ECDHE is preferred over DH due to its smaller key sizes, faster computation, and equivalent security strength, so DH is not the top priority. Option C is wrong because Pre-Shared Key (PSK) is a symmetric key method that does not provide forward secrecy—if the PSK is compromised, all past sessions using that key are exposed. Option D is wrong because RSA key exchange is static; the client encrypts the pre-master secret with the server's RSA public key, so if the server's private key is later compromised, all recorded sessions can be decrypted, violating PFS.

2
MCQeasy

During a penetration test, a security analyst discovers that an organization's web application uses HTTP for login forms, potentially exposing credentials to interception. Which of the following is the BEST cryptographic control to implement to protect credentials in transit?

A.Implement password hashing with bcrypt on the server side.
B.Use digital signatures to sign the login request.
C.Enforce HTTPS using TLS 1.2 or higher.
D.Encrypt the password field using AES-256 before sending via HTTP.
AnswerC

TLS encrypts the entire communication channel, protecting credentials from interception.

Why this answer

HTTPS with TLS 1.2 or higher encrypts the entire HTTP session, including login credentials, preventing interception and man-in-the-middle attacks. This is the standard cryptographic control for protecting data in transit, as mandated by RFC 2818 and PCI DSS. TLS 1.2+ uses strong cipher suites like ECDHE-RSA-AES256-GCM-SHA384 to ensure forward secrecy and confidentiality.

Exam trap

The trap here is that candidates confuse encryption at rest (hashing) or partial encryption (AES on password field) with full-session encryption (TLS), or they think digital signatures provide confidentiality, when in fact they only ensure authenticity and integrity.

How to eliminate wrong answers

Option A is wrong because password hashing with bcrypt protects credentials at rest on the server, not during transit over the network. Option B is wrong because digital signatures provide integrity and non-repudiation but do not encrypt the login request, leaving the credentials visible to an interceptor. Option D is wrong because encrypting only the password field with AES-256 before sending over HTTP still leaves the rest of the request (e.g., session tokens, form data) in plaintext, and the encryption key must be shared insecurely, defeating the purpose.

3
MCQmedium

You are a security analyst for a medium-sized company. The company uses a custom web application for internal project management. The application uses AES-256-CBC for encrypting sensitive data stored in the database. Recently, the company experienced a data breach where an attacker exfiltrated the entire database. Although the data was encrypted, the attacker was able to decrypt some records. Investigation reveals that the encryption key is stored in a configuration file on the same server, and the initialization vector (IV) is hardcoded in the application code. Additionally, the application uses the same key for all records. Which of the following is the most effective remediation to prevent future decryption of stolen encrypted data?

A.Change the encryption mode from CBC to GCM to provide authentication
B.Store the encryption key in a hardware security module (HSM) and use the same key
C.Rotate the encryption key every 24 hours
D.Implement per-record encryption keys derived from a master key combined with a unique salt
AnswerD

Each record gets a unique key; compromise of one key does not affect others.

Why this answer

Option D is correct because using per-record encryption keys derived from a master key combined with a unique salt ensures that even if an attacker exfiltrates the entire database, each encrypted record requires a separate key derivation operation. Without the unique salt per record, the attacker cannot decrypt all records even if they compromise the master key. This approach mitigates the risk of a single key compromise leading to bulk decryption, which is the core vulnerability in the current setup where the same AES-256-CBC key and hardcoded IV are reused across all records.

Exam trap

The trap here is that candidates often focus on key storage or rotation (options B and C) as the primary solution, overlooking that the real vulnerability is the reuse of a single key across all records, which allows an attacker to decrypt the entire dataset with a single key compromise.

How to eliminate wrong answers

Option A is wrong because changing the encryption mode from CBC to GCM adds authentication (integrity) but does not address the fundamental issue of a single static key and IV being reused; an attacker who steals the database and the key can still decrypt all records regardless of the mode. Option B is wrong because storing the encryption key in an HSM while still using the same key for all records does not prevent an attacker from decrypting all stolen data if they compromise the application at runtime or obtain the key from the HSM via authorized access; the HSM protects the key at rest but does not mitigate the single-key reuse vulnerability. Option C is wrong because rotating the encryption key every 24 hours only limits the window of exposure for future records; it does not protect already exfiltrated encrypted data that was encrypted with the old key, and the attacker can still decrypt all records encrypted before the rotation if they have the old key.

4
MCQeasy

Refer to the exhibit. A security analyst runs netstat on a compromised Windows machine. Based on the output, which process is most likely associated with the malicious activity?

A.The process with PID 1234 is not identified
B.explorer.exe (PID 1234)
C.svchost.exe (PID 5678)
D.The process with PID 5678 is not identified
AnswerB

Explorer.exe is making connections to a suspicious IP on port 4444, which is abnormal.

Why this answer

Option B is correct because netstat output showing a suspicious external connection (e.g., to an unknown IP on port 4444) associated with PID 1234, which is identified as explorer.exe, indicates that the Windows shell process has been hijacked or injected with malicious code. Explorer.exe is not a typical network-listening process; its involvement in outbound connections to a non-standard port strongly suggests malware has injected a reverse shell or beacon into this legitimate system process to evade detection.

Exam trap

EC-Council often tests the misconception that svchost.exe is always the malicious process because it hosts many services, but the trap here is that explorer.exe can be hijacked for persistence and network communication, and candidates fail to recognize that a legitimate-looking process name does not guarantee it is benign.

How to eliminate wrong answers

Option A is wrong because the process with PID 1234 is identified as explorer.exe in the netstat output (the exhibit would show the process name), so claiming it is 'not identified' ignores the explicit mapping provided. Option C is wrong because svchost.exe (PID 5678) is a generic host process for Windows services; while it can be abused, the exhibit specifically ties the suspicious connection to PID 1234, not PID 5678. Option D is wrong because the process with PID 5678 is identified as svchost.exe in the output, so stating it is 'not identified' is factually incorrect and misreads the netstat -b or -o display.

5
MCQeasy

A security analyst receives an alert about a suspicious file hash. The analyst wants to check if the file is known malware by querying an online database of malware signatures. Which tool should the analyst use?

A.Nmap
B.John the Ripper
C.VirusTotal
D.Wireshark
AnswerC

VirusTotal accepts file hashes and returns detection results from many AV engines.

Why this answer

VirusTotal is a free online service that aggregates multiple antivirus engines and malware detection tools, allowing users to upload files or query file hashes against a vast database of known malware signatures. This directly matches the requirement to check if a file is known malware by querying an online database.

Exam trap

The trap here is that candidates may confuse tools like Nmap or Wireshark for malware analysis because they are commonly used in security investigations, but they lack the specific function of querying an online malware signature database.

How to eliminate wrong answers

Option A is wrong because Nmap is a network scanning tool used for discovering hosts and services on a network, not for querying malware signature databases. Option B is wrong because John the Ripper is a password cracking tool that performs brute-force or dictionary attacks on password hashes, not a malware signature lookup service. Option D is wrong because Wireshark is a network protocol analyzer used for capturing and inspecting network traffic packets, not for checking file hashes against malware databases.

6
MCQmedium

You are a security analyst for a financial institution. The company has deployed a network of 500 Windows 10 workstations and 50 servers running Windows Server 2019. All systems are protected by a next-generation firewall and an endpoint detection and response (EDR) solution. Recently, several employees reported that their workstations are running slowly and exhibiting unusual pop-up messages demanding a ransom note in Bitcoin. The EDR alerts show that a file named 'invoice.docm' was downloaded from an email attachment and executed on multiple workstations. The EDR also indicates that the file dropped a PowerShell script that connected to an external IP address and downloaded additional payloads. After the initial infection, the EDR detected that the ransomware binary 'encryptor.exe' was executed, which began encrypting files. However, the encryption process was stopped by the EDR before all files were encrypted. The incident response team needs to determine the source of the infection and prevent future occurrences. Which of the following is the most effective first step to identify the initial infection vector?

A.Reimage all affected workstations to remove the ransomware and then review email logs for the original phishing email.
B.Block the external IP address at the firewall to prevent further communication with the C2 server.
C.Enable macro security settings in Microsoft Office to block macros from running without explicit user consent, and enforce via Group Policy.
D.Disable PowerShell across all workstations via Group Policy to prevent script execution.
AnswerC

This directly addresses the initial infection vector by preventing macros from executing.

Why this answer

Option C is correct because enabling macro security settings in Microsoft Office and enforcing them via Group Policy directly addresses the initial infection vector: the 'invoice.docm' file, which is a macro-enabled document. Macros are the most common mechanism for delivering initial payloads in phishing attacks, and blocking them from running without explicit consent prevents the PowerShell script from being executed, stopping the attack chain at its source.

Exam trap

EC-Council often tests the distinction between containment/remediation steps and forensic identification steps; the trap here is that candidates choose a reactive measure like blocking IPs or disabling PowerShell instead of identifying the root cause (the macro-enabled document) as the first step in the incident response process.

How to eliminate wrong answers

Option A is wrong because reimaging workstations removes the ransomware but does not identify the initial infection vector; reviewing email logs is a secondary step that can be done without reimaging. Option B is wrong because blocking the external IP address at the firewall prevents further C2 communication but does not identify how the infection started; it is a containment measure, not a forensic step. Option D is wrong because disabling PowerShell across all workstations via Group Policy is overly broad and would break legitimate administrative scripts and automation; it does not address the macro-enabled document that triggered the PowerShell execution.

7
MCQmedium

An ethical hacker is analyzing a piece of malware that uses a custom encryption algorithm. The malware sample contains a hardcoded key that is 16 bytes long. The analyst observes that the encrypted data is the same length as the plaintext. Which encryption mode is most likely being used?

A.GCM
B.CFB
C.ECB
D.CBC
AnswerC

ECB encrypts each block independently; no IV, no expansion beyond padding.

Why this answer

ECB (Electronic Codebook) mode encrypts each block of plaintext independently using the same key, so the ciphertext length equals the plaintext length (assuming no padding is needed for exact block sizes). The hardcoded 16-byte key and identical input/output lengths strongly suggest ECB, as other modes typically add an IV or authentication tag, altering the output length.

Exam trap

The trap here is that candidates often forget that ECB does not use an IV or authentication tag, so they incorrectly assume all block cipher modes add overhead, leading them to choose CBC or GCM despite the length constraint.

How to eliminate wrong answers

Option A (GCM) is wrong because GCM produces an authentication tag (usually 16 bytes) in addition to ciphertext, making the output longer than the plaintext. Option B (CFB) is wrong because CFB is a stream cipher mode that requires an IV (initialization vector), which would add extra bytes to the output or be transmitted separately, contradicting the identical length observation. Option D (CBC) is wrong because CBC requires an IV (typically 16 bytes for AES) that must be included with the ciphertext, increasing the total output length beyond the plaintext length.

8
Drag & Dropmedium

Drag and drop the steps to configure a wireless network with WPA2-Enterprise authentication on a Cisco AP into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Set up RADIUS, create WLAN, configure AP to use RADIUS, enable, test.

9
MCQhard

During a forensic investigation, an analyst finds that a malware sample uses a technique to detect if it is running in a sandbox by checking the number of CPU cores. The malware terminates execution if the core count is less than 2. Which anti-analysis technique is this?

A.Code obfuscation
B.Anti-debugging
C.Anti-VM / sandbox evasion
D.Packing
AnswerC

Checking for low resource counts is a common sandbox evasion technique.

Why this answer

Option C is correct because checking the number of CPU cores is a classic anti-VM/sandbox evasion technique. Virtual machines and sandboxes often allocate minimal resources (e.g., a single core) to remain lightweight, so malware uses this check to detect an analysis environment and terminate execution to avoid detection.

Exam trap

EC-Council often tests the distinction between anti-debugging and anti-VM techniques; the trap here is that candidates confuse resource-based checks (like CPU cores) with debugger detection, but anti-debugging specifically targets debugger artifacts, not hardware resource enumeration.

How to eliminate wrong answers

Option A is wrong because code obfuscation involves transforming code to make it harder to read or reverse-engineer (e.g., using junk code or control flow flattening), not checking hardware resources like CPU cores. Option B is wrong because anti-debugging techniques target debuggers (e.g., checking for IsDebuggerPresent or NtGlobalFlag), not the number of CPU cores. Option D is wrong because packing compresses or encrypts the executable to hide its original code, but does not involve runtime checks of system resources.

10
MCQeasy

A security analyst suspects that a user's machine is infected with a keylogger. Which of the following is the most effective method to detect a hardware keylogger?

A.Check running processes for suspicious entries
B.Physically inspect the connection between the keyboard and the computer
C.Review USB device history in Event Viewer
D.Run an antivirus scan
AnswerB

Hardware keyloggers are physical devices inserted inline.

Why this answer

A hardware keylogger is a physical device inserted between the keyboard and the computer, typically at the PS/2 or USB connector. Unlike software-based keyloggers, it operates independently of the operating system, so it cannot be detected by process lists, event logs, or antivirus scans. The only reliable detection method is a physical inspection of the keyboard cable and connection point for any unusual inline devices.

Exam trap

The trap here is that candidates assume all keyloggers are software-based and can be detected by OS-level tools, but CEH specifically tests the distinction between hardware and software keyloggers, where physical inspection is the only definitive method for hardware variants.

How to eliminate wrong answers

Option A is wrong because checking running processes detects software keyloggers, not hardware keyloggers, which have no process or driver footprint in the OS. Option C is wrong because reviewing USB device history in Event Viewer may show connected devices but cannot identify a passive inline hardware keylogger that does not register as a new USB device. Option D is wrong because an antivirus scan relies on signature or behavioral analysis of executable code, and a hardware keylogger has no software component to scan.

11
MCQmedium

A company wants to secure its email communications using digital signatures. Which cryptographic key does the sender use to sign the email?

A.Sender's public key
B.Sender's private key
C.Recipient's private key
D.Recipient's public key
AnswerB

The sender signs with their private key.

Why this answer

Digital signatures use asymmetric cryptography where the sender signs the email with their private key. The recipient then verifies the signature using the sender's public key, ensuring authenticity and non-repudiation. This is defined in standards like S/MIME (RFC 5751) and OpenPGP (RFC 4880).

Exam trap

The trap here is that candidates confuse the roles of keys in encryption vs. signing, often selecting the sender's public key because they associate 'public' with sharing, but signing requires the private key to prove the sender's identity.

How to eliminate wrong answers

Option A is wrong because the sender's public key is used for verification by the recipient, not for signing; signing requires the private key to create a unique digital signature. Option C is wrong because the recipient's private key is used for decrypting messages encrypted with their public key, not for signing the sender's email. Option D is wrong because the recipient's public key is used for encrypting messages to the recipient, not for signing the sender's email.

12
MCQhard

You are a security analyst at a financial institution. The SOC has detected anomalous outbound traffic from a server in the DMZ to an unknown IP address on TCP port 8443. The server runs a custom application that normally communicates with internal databases on port 1433. The server's OS is Windows Server 2019. Preliminary analysis shows that a new service named 'UpdateSvc' was installed three days ago, set to start automatically, and runs under the LocalSystem account. The service binary is located at C:\Windows\System32\svchost.exe (the legitimate one). However, the service's 'ImagePath' registry key points to 'C:\Windows\System32\svchost.exe -k UpdateSvc'. Additionally, a scheduled task named 'HealthCheck' runs every hour and executes 'powershell.exe -EncodedCommand <base64>'. The encoded command decodes to a script that downloads a payload from the same unknown IP on port 8443 and executes it in memory. The server has antivirus installed that detected nothing. As the analyst, which of the following is the BEST immediate course of action?

A.Reimage the server immediately to ensure the malware is completely removed.
B.Uninstall the current antivirus and install a different endpoint protection solution, then perform a full scan.
C.Delete the 'UpdateSvc' service and the 'HealthCheck' scheduled task, then run a full antivirus scan.
D.Isolate the server from the network by disconnecting the network cable and blocking the IP at the firewall, then initiate incident response procedures.
AnswerD

Isolation stops the attack and preserves evidence for investigation.

Why this answer

Option D is correct because the immediate priority is to contain the threat by isolating the compromised server from the network (disconnecting the cable) and blocking the command-and-control IP at the firewall. This stops the ongoing outbound communication on TCP port 8443 and prevents further payload downloads or data exfiltration. Initiating incident response procedures ensures proper forensic collection and analysis, which is critical before any remediation steps like reimaging or deleting artifacts.

Exam trap

The trap here is that candidates focus on removing the malware artifacts (service and task) rather than containing the threat first, which is a fundamental incident response principle: isolate before eradicate.

How to eliminate wrong answers

Option A is wrong because reimaging the server immediately destroys volatile evidence (e.g., memory, running processes, network connections) that is essential for understanding the attack vector and scope. Option B is wrong because changing antivirus software mid-incident wastes time and does not address the active compromise; the malware is already evading detection via fileless execution (PowerShell in memory), so a scan is unlikely to find it. Option C is wrong because deleting the service and scheduled task without first isolating the server allows the attacker to reinstall them or escalate privileges, and the malware may have persistence mechanisms beyond these two artifacts.

13
Matchingmedium

Match each vulnerability assessment tool to its function.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Automated vulnerability scanning

Open-source vulnerability scanner

Cloud-based vulnerability management

Network vulnerability scanner

Web server vulnerability scanner

Why these pairings

These tools are used for identifying security weaknesses.

14
MCQmedium

Refer to the exhibit. An analyst suspects that the downloaded file 'update.exe' may have been tampered with. The vendor's official website lists the SHA256 hash as 4e7c2a8f9b3d1e5f6a0c8b7d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f. What should the analyst conclude?

A.The file has been tampered with because the hash is from a different file.
B.The SHA256 hash is not reliable; the analyst should use MD5 instead.
C.The file is authentic and has not been tampered with.
D.The file is malicious because the hash is too long.
AnswerC

The hash matches the official value, confirming integrity.

Why this answer

Option C is correct because the SHA256 hash provided by the vendor exactly matches the hash of the downloaded file. SHA256 is a cryptographically strong hash function that produces a fixed 256-bit (64-character hexadecimal) output. A matching hash confirms the file's integrity and authenticity, indicating it has not been tampered with.

Exam trap

The trap here is that candidates may mistakenly think a hash that matches is suspicious or that SHA256 is unreliable, when in fact a matching hash is the definitive proof of file integrity; the exam tests whether you understand that hash length and format are fixed and correct for SHA256.

How to eliminate wrong answers

Option A is wrong because the hash matches the vendor's official hash, so it is not from a different file; a mismatch would indicate tampering. Option B is wrong because SHA256 is more secure and collision-resistant than MD5; MD5 is deprecated due to known vulnerabilities and should not be used for integrity verification. Option D is wrong because the hash length (64 hex characters) is exactly correct for SHA256; a 256-bit hash is always 64 characters in hexadecimal representation, so it is not 'too long'.

15
MCQhard

A company's internal PKI uses an offline root CA and an online issuing CA. A security engineer needs to revoke a compromised certificate issued by the online CA. Which CRL distribution point should the engineer update?

A.The CRL published by the certificate authority that signed the issuing CA's certificate
B.The CRL published by the intermediate CA, if any
C.The CRL published by the online issuing CA
D.The CRL published by the offline root CA
AnswerC

The issuing CA is responsible for revoking certificates it issued.

Why this answer

The compromised certificate was issued by the online issuing CA, so only that CA has the authority to revoke it and publish the updated CRL. Clients validating the certificate will check the CRL distribution point (CDP) embedded in the certificate, which points to the issuing CA's CRL. Updating the CRL on the online issuing CA ensures that revocation status is immediately available to relying parties.

Exam trap

EC-Council often tests the misconception that the root CA must be involved in revocation of end-entity certificates, but in reality only the issuing CA that signed the certificate can revoke it and update its own CRL.

How to eliminate wrong answers

Option A is wrong because the CRL published by the CA that signed the issuing CA's certificate (the offline root CA) contains only revocation information for the issuing CA's certificate itself, not for end-entity certificates issued by the online CA. Option B is wrong because in this two-tier hierarchy there is no intermediate CA; even if one existed, the intermediate CA's CRL would cover certificates it issued, not those issued by the online issuing CA. Option D is wrong because the offline root CA is typically kept offline and does not publish a CRL for end-entity certificates; its CRL (if any) only covers subordinate CA certificates, not user or device certificates.

16
Multi-Selectmedium

A malware analyst is investigating a suspicious executable that appears to be a Trojan. The analyst runs the executable in a sandbox and observes the following behavior: it creates a hidden file in the %AppData% directory, modifies the Windows registry to add a startup entry, and attempts to connect to an external IP address on port 443 using HTTPS. Which TWO of the following techniques are likely being used by this malware?

Select 2 answers
A.Keylogging
B.Fileless execution
C.Persistence mechanism
D.Privilege escalation
E.Command and control communication
AnswersC, E

Adding a startup registry entry is a common persistence technique.

Why this answer

The malware adds a startup entry in the Windows registry (e.g., Run or RunOnce keys), which ensures the executable is automatically launched each time the user logs in. This is a classic persistence mechanism, as defined by MITRE ATT&CK technique T1547.003, because it maintains the malware's presence across system reboots.

Exam trap

EC-Council often tests the distinction between persistence and privilege escalation, where candidates mistakenly think modifying the registry requires elevated privileges, but HKCU keys are user-writable without admin rights.

17
Multi-Selectmedium

Which THREE of the following are types of cryptanalytic attacks? (Choose three.)

Select 3 answers
A.Differential cryptanalysis
B.Rainbow table attack
C.Linear cryptanalysis
D.Brute-force attack
E.Replay attack
AnswersA, C, D

Analyzes how differences in plaintext affect differences in ciphertext.

Why this answer

Differential cryptanalysis is a chosen-plaintext attack that analyzes how differences in plaintext pairs affect the resulting ciphertext differences, exploiting statistical biases to recover the encryption key. It is a fundamental cryptanalytic technique, particularly effective against block ciphers like DES.

Exam trap

EC-Council often tests the distinction between cryptanalytic attacks (which target the cipher's mathematical structure) and other attack types like hash precomputation or protocol-level attacks, so candidates mistakenly classify rainbow table or replay attacks as cryptanalytic.

18
Multi-Selecthard

An organization is investigating a potential malware infection. The security analyst observes unusual outbound connections to a known malicious IP address and finds a suspicious process running under a user's session. The analyst decides to perform memory analysis using Volatility. Which TWO commands would be most useful to identify the malicious process and its network connections?

Select 2 answers
A.volatility -f memory.dmp netscan
B.volatility -f memory.dmp pslist
C.volatility -f memory.dmp procdump
D.volatility -f memory.dmp svcscan
E.volatility -f memory.dmp malfind
AnswersA, B

Shows network connections; confirms outbound to malicious IP.

Why this answer

The `netscan` plugin in Volatility scans the memory dump for network connections and sockets, including TCP and UDP endpoints, which directly reveals outbound connections to the malicious IP. The `pslist` plugin lists all running processes by walking the process list in the kernel, allowing the analyst to identify the suspicious process by name or PID. Together, these two commands provide the process identity and its network activity, which is exactly what the scenario requires.

Exam trap

The trap here is that candidates may choose `malfind` (option E) because it sounds malware-specific, but it does not list all processes or network connections, whereas `pslist` and `netscan` directly answer the question of identifying the process and its outbound connections.

19
MCQmedium

During a penetration test, an ethical hacker finds that a web application transmits sensitive data in plaintext over HTTPS. Which of the following best describes this security issue?

A.Weak TLS cipher suite
B.Lack of application-layer encryption
C.SSL stripping attack
D.Man-in-the-middle attack
AnswerB

The data is encrypted in transit but not at rest or before being sent; the application does not encrypt sensitive fields.

Why this answer

The core issue is that the web application transmits sensitive data in plaintext over HTTPS, meaning the data is encrypted in transit by TLS but not encrypted at the application layer. This leaves the data vulnerable to exposure if the TLS termination point (e.g., a reverse proxy or load balancer) is compromised or if logs capture the plaintext payload. Application-layer encryption (e.g., encrypting the data before sending it over HTTPS) ensures end-to-end confidentiality, even if the TLS channel is broken or inspected.

Exam trap

The trap here is that candidates confuse 'encrypted in transit' (TLS) with 'encrypted at the application layer,' assuming HTTPS alone provides end-to-end data confidentiality, but the CEH exam tests the distinction between transport-layer and application-layer encryption.

How to eliminate wrong answers

Option A is wrong because a weak TLS cipher suite refers to the use of outdated or insecure cryptographic algorithms (e.g., RC4, DES) for the TLS handshake, which is not the issue here—the data is transmitted over HTTPS with presumably strong TLS, but the application itself does not encrypt the payload. Option C is wrong because an SSL stripping attack is a man-in-the-middle technique that downgrades HTTPS to HTTP, which is not described in the scenario; the question states the data is transmitted over HTTPS, not that the protocol is downgraded. Option D is wrong because a man-in-the-middle attack is an active interception technique (e.g., ARP spoofing, rogue access point) that could capture plaintext data, but the security issue described is the lack of application-layer encryption, not the presence of an active attack.

20
Multi-Selecteasy

Which TWO of the following are characteristics of a polymorphic virus? (Choose two.)

Select 2 answers
A.Remains constant in code to ensure replication
B.Mutates its code to evade signature detection
C.Uses encryption with a variable key
D.Spreads via network shares
E.Resides in the boot sector of a hard drive
AnswersB, C

Polymorphic viruses change their code pattern each time they replicate.

Why this answer

Option B is correct because a polymorphic virus mutates its code—typically by using a mutation engine—while preserving its original functionality. This mutation changes the virus's signature each time it replicates, allowing it to evade signature-based detection by antivirus software. Option C is correct because polymorphic viruses commonly use encryption with a variable key; the virus body is encrypted, and the decryption routine mutates, so the encrypted payload looks different with each infection.

Exam trap

The trap here is that candidates often confuse 'polymorphic' with 'metamorphic' or assume that all viruses that use encryption are polymorphic, but the key distinction is that polymorphic viruses use a variable key and mutate the decryption routine, whereas simple encrypted viruses use a fixed key and do not change their decryptor.

Ready to test yourself?

Try a timed practice session using only Cryptography and Malware Analysis questions.