CE | Cybersecurity Essentials v3 | 1.6.2 Cybersecurity Threats, Vulnerabilities, and Attacks Quiz Exam Answers Full 100% 2025

The Cybersecurity Essentials v3 (CE) | 1.6.2 Cybersecurity Threats, Vulnerabilities, and Attacks Quiz is a critical assessment for learners diving into the fundamentals of cybersecurity. This exam evaluates your understanding of key concepts, including the nature of cybersecurity threats, the identification of system vulnerabilities, and the mechanisms behind various types of attacks. To ensure you achieve a perfect score, we’ve compiled the most accurate and verified answers for 2025, helping you not only pass the quiz with confidence but also solidify your grasp of these essential cybersecurity principles.

Questions and Answers

In this section, we provide a curated list of questions with clear and concise answers to enhance your learning experience. Each question is carefully selected to cover key concepts, while the answers, highlighted in red, are designed to stand out for easy identification. This approach not only makes it simple to find the correct answers but also helps reinforce your understanding of the topics. Whether you’re preparing for exams, expanding your knowledge, or revising critical concepts, this format ensures a streamlined and effective learning process.

1. What type of attack occurs when data goes beyond the memory areas allocated to an application?

  • Buffer overflow
  • RAM injection
  • RAM spoofing
  • SQL injection

The correct answer is: Buffer overflow.

A buffer overflow is a vulnerability that occurs when a program writes more data to a buffer, a temporary storage area in memory, than it can hold. Buffers have fixed sizes, and when a program does not properly validate the input or manage memory allocations, excess data can overwrite adjacent memory locations. This can lead to unpredictable program behavior, crashes, or the opportunity for attackers to exploit the overflow to execute malicious code.

In a buffer overflow attack, an attacker intentionally sends more data than the buffer can handle, often crafted to include malicious code. When the overflow occurs, the extra data spills into adjacent memory, potentially overwriting critical control information such as return pointers. By manipulating these pointers, attackers can redirect program execution to their malicious code, gaining control over the application or system. This can result in unauthorized access, privilege escalation, data corruption, or system crashes.

Buffer overflow vulnerabilities typically occur in software written in languages like C and C++, which do not automatically check for buffer boundaries. To prevent such attacks, developers should implement secure coding practices, such as input validation, bounds checking, and using safer libraries. Regular code audits and employing modern protections like Address Space Layout Randomization (ASLR) can also mitigate risks.
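The three failure points the explanation names (a fixed-size buffer, an unchecked copy, and the missing bounds check) can be seen side by side in a small C program. This is an added example written for this page, not code from the Cybersecurity Essentials course: the names `unsafe_copy`, `safe_copy` and `greet`, the 16-byte buffer size and the two sample inputs are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_MAX 16   /* fixed-size buffer, as in the quiz explanation */

/* VULNERABLE pattern: strcpy() never looks at the destination size, so a
 * name longer than NAME_MAX-1 bytes overwrites whatever sits next to buf on
 * the stack (saved registers, the return address). Kept here for contrast
 * only; main() never calls it with untrusted input. */
void unsafe_copy(const char *name)
{
    char buf[NAME_MAX];
    strcpy(buf, name);          /* no bounds check: classic buffer overflow */
    printf("hello, %s\n", buf);
}

/* HARDENED copy: write at most cap-1 bytes, always NUL-terminate, and tell
 * the caller whether the input had to be truncated so it can be rejected.
 * Returns 1 if src fit entirely, 0 if it was truncated. */
int safe_copy(char *dst, size_t cap, const char *src)
{
    size_t n = strlen(src);
    if (cap == 0) return 0;
    if (n >= cap) {
        memcpy(dst, src, cap - 1);
        dst[cap - 1] = '\0';
        return 0;
    }
    memcpy(dst, src, n + 1);
    return 1;
}

/* Input validation at the trust boundary: accept a name only if it fits.
 * Returns 1 when the greeting was printed, 0 when the input was rejected. */
int greet(const char *name)
{
    char buf[NAME_MAX];
    if (!safe_copy(buf, sizeof buf, name)) {
        fprintf(stderr, "rejected: name longer than %d bytes\n", NAME_MAX - 1);
        return 0;
    }
    printf("hello, %s\n", buf);
    return 1;
}

int main(void)
{
    /* constructed inputs: "alice" fits; the 40-byte name would overflow buf */
    const char *ok = "alice";
    const char *long_name = "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA";
    greet(ok);          /* greeting printed, returns 1 */
    greet(long_name);   /* rejected, returns 0, nothing overwritten */
    return 0;
}
```

The hardened version still uses a fixed-size buffer; what changes is that every write is bounded by `sizeof buf` and an oversized input becomes a handled error instead of memory corruption. ASLR and stack canaries, mentioned above, only make a successful overflow harder to turn into code execution; the bounds check is what removes the bug.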


2. Which of the following statements describes a distributed denial of service (DDoS) attack?

  • A botnet of zombies, coordinated by an attacker, overwhelms a server with DoS attacks
  • An attacker monitors network traffic to learn authentication credentials
  • One computer accepts data packets based on the MAC address of another computer
  • An attacker sends an enormous quantity of data that a server cannot handle

The correct answer is: A botnet of zombies, coordinated by an attacker, overwhelms a server with DoS attacks.

A distributed denial-of-service (DDoS) attack involves multiple compromised computer systems, often part of a botnet, working together to flood a target server, network, or service with an overwhelming amount of traffic or requests. These compromised systems, referred to as “zombies,” are controlled by the attacker and launch simultaneous attacks on the target.

The purpose of a DDoS attack is to disrupt normal operations, rendering the target unavailable to legitimate users. By overwhelming the server’s resources, such as bandwidth, memory, or CPU capacity, the target cannot respond to legitimate requests. This makes DDoS attacks highly effective at causing downtime for websites, services, or networks.

DDoS attacks differ from traditional denial-of-service (DoS) attacks because they originate from multiple sources, making them harder to block and trace back to the attacker.


3. Employees in an organization report that the network access is slow. Further investigation reveals that one employee downloaded a third-party scanning program for the printer.

What type of malware may have been introduced?

  • Phishing
  • Worm
  • Trojan horse
  • Spam

The correct answer is: Worm.

A worm is a type of malicious software designed to replicate itself and spread across networks without requiring user interaction. Once a worm infiltrates a network, it consumes bandwidth and system resources as it continues to propagate, which can significantly slow down network performance.

In this scenario, the third-party scanning program could have been a carrier for a worm. When the employee downloaded and executed the program, the worm could have activated, starting its process of replication and spreading across the organization’s network. This could explain the slow network performance reported by employees.

Unlike other malware such as Trojan horses, which require user interaction to execute their malicious functions, or phishing, which aims to steal sensitive information, worms are autonomous and focus on replication and spreading, often causing network disruption as a result.


4. Employees in an organization report that they cannot access the customer database on the main server. Further investigation reveals that the database file is now encrypted. Shortly afterward, the organization receives a threatening email demanding payment for the decryption of the database file.

What type of attack has the organization experienced?

  • Man-in-the-middle attack
  • Trojan horse
  • DoS attack
  • Ransomware

The correct answer is: Ransomware.

A ransomware attack involves malicious software that encrypts files or entire systems on a victim’s computer or network, rendering the data inaccessible. In this case, the attackers have encrypted the organization’s customer database on the main server and are demanding payment to provide the decryption key.

Ransomware attacks are typically carried out through malicious email attachments, software vulnerabilities, or compromised websites. Once executed, the ransomware encrypts critical files and displays a ransom note, often demanding payment in cryptocurrency to ensure anonymity.

Unlike other attacks such as a man-in-the-middle attack (which intercepts communications), a Trojan horse (which disguises itself as legitimate software), or a DoS attack (which disrupts service availability), ransomware specifically targets the victim’s data for financial extortion.

Organizations can mitigate ransomware risks by implementing robust backup solutions, maintaining up-to-date security software, training employees on cybersecurity best practices, and employing network segmentation to limit the spread of malware.


5. A penetration test carried out by an organization identified a backdoor on the network. What action should the organization take to find out if their systems have been compromised?

  • Look for usernames that do not have passwords
  • Look for policy changes in Event Viewer
  • Scan the systems for viruses
  • Look for unauthorized accounts

The correct answer is: Look for unauthorized accounts.

When a penetration test identifies a backdoor on the network, it suggests that an attacker may have exploited a vulnerability to gain unauthorized access. To determine if the systems have been compromised, the organization should check for unauthorized accounts that may have been created by the attacker to maintain persistent access to the network.

Attackers often use backdoors to bypass standard authentication mechanisms and may create hidden accounts with elevated privileges. By reviewing account activity and identifying any accounts that were not authorized or created by the organization, administrators can assess the extent of the breach.

Additional steps to take include:

  • Auditing Event Viewer logs for unusual activity, such as changes in policies or user privileges.
  • Scanning for viruses or malware that may have facilitated the backdoor.
  • Validating existing user accounts and ensuring no default or weak credentials are in use.

These actions help ensure the network is secure and any unauthorized changes are addressed promptly.
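The first check recommended above, comparing the accounts that exist on a system against the accounts the organization knows it created, is simple enough to automate. The program below is an added example for this page, not part of the course material: it parses a constructed `/etc/passwd`-style account list embedded in the source (no real system is read), compares it with a constructed baseline of approved account names, and reports any account that is not in the baseline as well as any account other than `root` that carries UID 0. The function names and sample data are all assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Constructed sample of the current account database in /etc/passwd format
 * (name:password:UID:GID:gecos:home:shell). Not taken from a real host. */
static const char *ACCOUNTS[] = {
    "root:x:0:0:root:/root:/bin/bash",
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash",
    "bob:x:1001:1001:Bob:/home/bob:/bin/bash",
    "sysadm1n:x:0:0::/var/tmp:/bin/sh",            /* unknown AND UID 0 */
    "support:x:1002:1002::/home/support:/bin/sh",  /* not in the baseline */
    NULL
};

/* Constructed baseline: the accounts the organization knows it created. */
static const char *BASELINE[] = { "root", "alice", "bob", NULL };

static int in_baseline(const char *name)
{
    for (int i = 0; BASELINE[i]; i++)
        if (strcmp(BASELINE[i], name) == 0) return 1;
    return 0;
}

/* Parse one passwd line into its account name and numeric UID.
 * Returns 0 if the line is malformed (missing fields or non-numeric UID). */
static int parse_line(const char *line, char *name, size_t cap, long *uid)
{
    const char *p = strchr(line, ':');
    if (!p || (size_t)(p - line) >= cap) return 0;
    memcpy(name, line, (size_t)(p - line));
    name[p - line] = '\0';
    const char *q = strchr(p + 1, ':');   /* skip the password field */
    if (!q) return 0;
    char *end;
    *uid = strtol(q + 1, &end, 10);
    return end != q + 1 && *end == ':';
}

/* Audit the account list: print each finding and return how many there were.
 * Findings: malformed entry, account missing from the baseline, or a UID-0
 * account that is not root. */
int audit_accounts(const char *const *lines)
{
    int findings = 0;
    char name[64];
    long uid;
    for (int i = 0; lines[i]; i++) {
        if (!parse_line(lines[i], name, sizeof name, &uid)) {
            printf("malformed entry: %s\n", lines[i]);
            findings++;
            continue;
        }
        if (!in_baseline(name)) {
            printf("unknown account: %s (uid %ld)\n", name, uid);
            findings++;
        }
        if (uid == 0 && strcmp(name, "root") != 0) {
            printf("extra UID-0 account: %s\n", name);
            findings++;
        }
    }
    return findings;
}

int main(void)
{
    /* exits non-zero when anything unexpected is found, so it can gate a job */
    return audit_accounts(ACCOUNTS) ? 1 : 0;
}
```

On the constructed data the audit reports three findings: `sysadm1n` is both unknown and a second UID-0 account, and `support` is unknown. A baseline taken before the penetration test is what makes this check meaningful; without one, every account looks equally legitimate.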


6. What non-technical method could a cybercriminal use to gather sensitive information from an organization?

  • Pharming
  • Ransomware
  • Social engineering
  • Man-in-the-middle

The correct answer is: Social engineering.

Social engineering is a non-technical attack method that exploits human psychology to gather sensitive information, such as passwords, confidential corporate data, or financial details. Cybercriminals use manipulation, trust, or deception to trick employees into divulging critical information or performing actions that compromise security.

For example, a cybercriminal might:

  • Pretend to be a trusted colleague or IT support technician to convince an employee to share login credentials.
  • Build familiarity with an employee through casual conversations and later request sensitive details.
  • Use phishing emails, phone calls, or even physical presence to elicit information.

Social engineering is highly effective because it targets the human element, which is often the weakest link in an organization’s security defenses. Training employees to recognize and respond appropriately to suspicious behavior is critical to mitigating this type of attack.


7. A secretary receives a phone call from someone claiming that their manager is about to give an important presentation but the presentation files are corrupted.

The caller sternly asks that the secretary email the presentation right away to a personal email address. The caller also states that the secretary is being held personally responsible for the success of this presentation.

What type of social engineering tactic is the caller using?

  • Urgency
  • Familiarity
  • Intimidation
  • Trusted partners

The correct answer is: Intimidation.

Intimidation is a social engineering tactic where the attacker uses fear, pressure, or threats to manipulate the victim into taking immediate action. In this scenario, the caller places undue pressure on the secretary by blaming them for the manager’s success and sternly demanding immediate action. The caller’s approach is designed to create anxiety, forcing the secretary to act without verifying the legitimacy of the request.

This tactic often exploits emotions like fear of consequences or failure, bypassing rational decision-making and leading to a potential security compromise. To counter such tactics, employees should be trained to verify unusual requests, even under pressure, and report suspicious communications to the appropriate security team.


8. All employees in an organization receive an email stating that their account password will expire immediately and that they should reset their password within five minutes.

Which of the following statements best describes this email?

  • It is an impersonation attack
  • It is a DDoS attack
  • It is a hoax
  • It is a piggyback attack

The correct answer is: It is a hoax.

A hoax is a deceptive act designed to trick recipients into believing false information. In this scenario, the email falsely claims that account passwords will expire immediately, creating a sense of urgency and fear to manipulate employees into taking unnecessary actions. While the email itself might not contain malicious links or attachments, it can still disrupt operations, cause confusion, and lead to wasted time and effort.

Such emails may also serve as a precursor to other attacks, such as phishing, where recipients are directed to fake websites to “reset” their passwords, potentially compromising sensitive information. To handle such situations, employees should verify such messages with their IT or security team and be trained to recognize and report suspicious emails.


9. Which best practices can help defend against social engineering attacks?

Select three correct answers

  • Do not provide password resets in a chat window
  • Educate employees regarding security policies
  • Deploy well-designed firewall appliances
  • Enable a policy that states that the IT department should supply information over the phone only to managers
  • Resist the urge to click on enticing web links
  • Add more security guards

The three correct answers are:

  • Do not provide password resets in a chat window
    Allowing password resets through chat increases the risk of attackers posing as legitimate users to gain unauthorized access. Ensuring secure and verified methods for password resets is critical in defending against social engineering.
  • Educate employees regarding security policies
    Training employees on security policies and recognizing social engineering tactics is one of the most effective defenses. Awareness empowers employees to identify and resist suspicious requests or behaviors.
  • Resist the urge to click on enticing web links
    Cybercriminals often use enticing links as part of phishing schemes to lure users into compromising sensitive information. Teaching employees to avoid clicking on such links from untrusted or unknown sources is a key preventive measure.

These practices focus on minimizing human error and enhancing awareness, which are vital in combating social engineering attacks.


10. What do you call an impersonation attack that takes advantage of a trusted relationship between two systems?

  • Sniffing
  • Man-in-the-middle
  • Spamming
  • Spoofing

The correct answer is: Spoofing.

A spoofing attack occurs when a cybercriminal impersonates a trusted system or entity by falsifying data, such as MAC addresses, IP addresses, or ARP (Address Resolution Protocol) messages. This deception exploits the trust between systems to bypass authentication and gain unauthorized access.

For example:

  • IP spoofing allows attackers to masquerade as a trusted source to intercept or inject data into a network.
  • ARP spoofing tricks devices on a local network into associating the attacker’s MAC address with the IP address of another device, enabling data interception or traffic redirection.

Spoofing attacks often serve as the foundation for more complex attacks, such as man-in-the-middle attacks, where the attacker not only impersonates but also intercepts and alters communications between two parties. To prevent spoofing, organizations can implement security measures like network segmentation, encryption, and intrusion detection systems.


11. A cybercriminal sends a series of maliciously formatted packets to a database server, which causes the server to crash.

What do you call this type of attack?

  • Packet injection
  • DoS
  • SQL injection
  • Man-in-the-middle

The correct answer is: DoS (Denial-of-Service).

A Denial-of-Service (DoS) attack aims to make a server, network, or service unavailable to legitimate users by overwhelming it with maliciously crafted or excessive traffic. In this scenario, the cybercriminal sends maliciously formatted packets to a database server, causing it to crash and preventing normal operation.

This type of attack exploits vulnerabilities in the target system by sending data it cannot process, leading to resource exhaustion, system instability, or crashes. DoS attacks differ from DDoS (Distributed Denial-of-Service) attacks, where multiple systems coordinate to flood the target.

Preventative measures against DoS attacks include implementing traffic monitoring systems, patching known vulnerabilities, and using firewalls or intrusion prevention systems to filter malicious packets.


12. The awareness and identification of vulnerabilities is a critical function of a cybersecurity specialist. Which of the following resources can they use to identify specific details about vulnerabilities?

  • Infragard
  • CVE national database
  • ISO/IEC 27000 model
  • NIST/NICE framework

The correct answer is: CVE national database.

The Common Vulnerabilities and Exposures (CVE) national database is a widely used resource for identifying and learning about specific vulnerabilities in software, hardware, and firmware. Sponsored by US-CERT and maintained by the MITRE Corporation, the CVE database provides:

  • Standardized identifiers for vulnerabilities (e.g., CVE-2024-XXXX).
  • Descriptions of vulnerabilities, including their nature and potential impacts.
  • References to additional information, such as advisories, patches, or related vulnerability reports.

The CVE database is a critical tool for cybersecurity specialists to track and remediate vulnerabilities efficiently, ensuring consistency across security tools and processes. It enables organizations to prioritize patching and defenses against the most critical threats.


1.1.14 What Do You Think?

Physical threats are often overlooked when considering cybersecurity, but physical security is in fact critical when we want to prevent an organization from falling victim to cybercrime.

With this in mind, take a few moments to think about potential physical threats to @Apollo’s offices.

Write a few examples in the box below, then select Submit. Then select Show Answer to reveal some common examples of threats to an organization’s physical facilities domain and compare your response.

Answer:

What did you come up with? The physical facilities domain includes all the services used by an organization — including heating, ventilation and air conditioning, water and fire detection, as well as the physical security measures employed to safeguard an organization’s premises.

Examples of threats to an organization’s physical facilities domain include:

  • Natural threats such as extreme weather and geological hazards.
  • Someone gaining unauthorized access to the premises.
  • Power interruptions or outages.
  • Social engineering attacks that attempt to find out about an organization’s security policies and procedures.
  • Breaches of electronic perimeter defenses.
  • Theft.
  • An unlocked data center.
  • A lack of surveillance on the premises.


1.1.16 Domain Checker

All of this has you thinking…

You know that attackers will seek to take advantage of any vulnerabilities that exist in @Apollo’s domains, but first you need to identify what those domains are.

Can you complete the sentences below by selecting the correct term from each of the dropdowns?

When you have made all of your choices, select Submit.

Employees (User domain) gain access to the @Apollo offices with an electronic staff ID card (Physical facilities domain). They use a desktop, laptop, tablet or smartphone (Device domain) to log into @Apollo’s network (LAN domain).

@Apollo offers customers access to a suite of centrally hosted eLearning modules for a subscription fee. It is a SaaS provider, operating on a Public cloud domain.

  • @Apollo employees have access to the organization’s information system and form part of the user domain.
  • They can enter any of the @Apollo offices using electronic staff ID cards. These are used to safeguard the organization’s premises and therefore fall into the physical facilities domain.
  • Any desktop computer, laptop, tablet or smartphone used to access @Apollo’s network is part of the device domain.
  • @Apollo’s internal network, which is made up of a collection of these and other devices, forms the LAN domain.
  • @Apollo happens to be a SaaS provider, offering customers access to a suite of centrally hosted eLearning modules for a subscription fee.
  • So, @Apollo operates on the public cloud domain.

1.2.4 Watch Out!

You are investigating a suspicious email that has been sent to @Apollo’s remote workers today. It looks like the email has been sent by Guru, asking employees to click on a link to download a virtual private network that will secure their Wi-Fi connection while working at home. Although the email looks legitimate, clicking on the link installs malware on the employee’s device.

What type of social engineering attack is being used here?

Select the correct answer, then Submit.

  • Identity fraud
  • Pretexting
  • Quid pro quo

The attacker in this case has attempted to gain access to employee devices by impersonating Guru — a trustworthy person known to @Apollo’s employees — and by sending a legitimate-looking email with a believable pretext.


1.2.10 Spot the Attack

There have been a few unusual incidents at @Apollo recently that have sparked some concerns that the organization is being targeted by cybercriminals.

Can you identify what type of attack these incidents may be describing?

Select an option from each of the dropdowns, then Submit.

  • A friend sends you a text message to congratulate you on your new position at @Apollo after they saw your status update on your social profile. You have not updated this information. ==> Impersonation
  • A colleague tells you that a man asked them to hold the front door on the way into the office this morning, because he had forgotten his ID card. Your colleague had never seen this man before. ==> Tailgating
  • A customer has reported that malware infected her computer after she visited @Apollo’s website. Further investigation revealed that the customer accidentally mistyped the website address. ==> Typosquatting

Cybercriminals often impersonate other people and post on their social media pages to gain access to the personal information of said people or others, or undermine their credibility.

Cybercriminals can tailgate into an organization by targeting an authorized person who is careless about the rules of entry.

Cybercriminals can also target individuals who incorrectly enter a website address into their browser. This typosquatting attack aims to make people think they are visiting a legitimate website, though it is in fact malicious, tricking them into giving away personal or financial information.

It looks as if @Apollo could be under cyber attack so stay alert!


1.3.8 Spot the Attack

Several employees at @Apollo have reported performance issues on their computers, with applications running slow and notable popup ads appearing. Guru has asked you to investigate. You consult a network monitoring tool, which also reveals abnormal traffic on the network.

Based on your findings, what type of attack do you think @Apollo might be involved with?

Select the correct answer, then Submit.

  • DNS attack
  • DDoS attack
  • DoS attack
  • Layer 2 attack

It turns out that an attacker was in the process of creating a botnet of zombies at @Apollo.

A DDoS attack uses a botnet consisting of several ‘zombie’ agents to overwhelm a target. In this case, @Apollo’s workstations were being turned into zombies to carry out such an attack. Signs that you have been infected by a botnet include performance issues, programs and applications not working properly and/or advertisements popping up on screen.

It was only a matter of time before the attacker would have instructed the handler systems to take part in a DDoS attack. Good work!


1.3.14 Confirm Your Details

You have just received an email from @Apollo’s HR department asking you to add your bank account details to your file by clicking on a link in the email. It stresses that this must be completed by the end of the day for you to be included in this month’s payroll.

Although the email looks like it has been sent internally, closer inspection reveals a slight variation in the email domain of the sender’s address. You could be a victim of what type of attack?

Select the correct answer, then Submit.

  • Domain hijacking
  • Man-in-the-middle
  • Impersonation
  • Trojan horse

It looks like you could be a victim of an impersonation attack. In this case, the criminal has used a spoofed email to try and trick you into disclosing your personal information.

Spoofed emails might look like the real thing, but clicking on their links could download viruses onto your device or redirect you to malicious websites that prompt you to enter your personal information.

Always keep an eye out for the signs to make sure that you don’t get spoofed, paying particular attention to:

  • The sender’s email domain.
  • The URL of the link.
  • The language, spelling and grammar.
  • The graphics.
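The first sign in the list above, a slight variation in the sender’s email domain, is the same trick as the mistyped address in the typosquatting scenario from 1.2.10: a domain one or two characters away from the real one. The C program below is an added example written for this page, not part of the course: it extracts the domain from a sender address and measures its edit distance from the organization’s own domain, flagging exact matches as trusted, near-misses as lookalikes, and everything else as unrelated. The function names, the trusted domain `apollo.example` and the sample addresses are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Levenshtein edit distance between two short strings, ignoring case. */
static int edit_distance(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    int prev[128], cur[128];
    if (la >= 128 || lb >= 128) return 999;       /* too long to bother */
    for (size_t j = 0; j <= lb; j++) prev[j] = (int)j;
    for (size_t i = 1; i <= la; i++) {
        cur[0] = (int)i;
        for (size_t j = 1; j <= lb; j++) {
            int cost = tolower((unsigned char)a[i - 1]) != tolower((unsigned char)b[j - 1]);
            int del = prev[j] + 1, ins = cur[j - 1] + 1, sub = prev[j - 1] + cost;
            cur[j] = del < ins ? del : ins;
            if (sub < cur[j]) cur[j] = sub;
        }
        memcpy(prev, cur, (lb + 1) * sizeof prev[0]);
    }
    return prev[lb];
}

/* Copy the domain part of an address (text after the last '@') into out.
 * Returns 0 if there is no '@' or the domain does not fit in out. */
int sender_domain(const char *addr, char *out, size_t cap)
{
    const char *at = strrchr(addr, '@');
    if (!at || strlen(at + 1) >= cap) return 0;
    strcpy(out, at + 1);       /* length already checked against cap */
    return 1;
}

enum verdict { TRUSTED = 0, LOOKALIKE = 1, UNRELATED = 2, MALFORMED = 3 };

/* Compare the sender's domain with the organization's own domain. A domain
 * one or two edits away from the real one is the "slight variation" the
 * quiz describes and is reported as a lookalike. */
int classify_sender(const char *addr, const char *trusted)
{
    char dom[128];
    if (!sender_domain(addr, dom, sizeof dom)) return MALFORMED;
    int d = edit_distance(dom, trusted);
    if (d == 0) return TRUSTED;
    if (d <= 2) return LOOKALIKE;
    return UNRELATED;
}

int main(void)
{
    /* constructed sample senders checked against the constructed trusted domain */
    const char *trusted = "apollo.example";
    const char *samples[] = { "hr@apollo.example", "hr@apol1o.example",
                              "hr@appollo.example", "payroll@bank.example",
                              "no-at-sign" };
    const char *labels[] = { "trusted", "lookalike", "unrelated", "malformed" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s -> %s\n", samples[i], labels[classify_sender(samples[i], trusted)]);
    return 0;
}
```

Edit distance catches substituted, dropped or doubled characters (`apol1o`, `appollo`) but not every lookalike: a different top-level domain or a subdomain such as `apollo.example.attacker-controlled` can sit further than two edits away, so a mail gateway would combine a check like this with authenticated sender policies rather than rely on it alone.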

1.4.8 Risky Business

You are enjoying a coffee in the local cafe and decide to catch up on your emails while you wait for your friend to arrive. You try to log on to the cafe’s Wi-Fi but the connection looks very weak. Fortunately, there is a second Wi-Fi with a similar name, so you log on to that.

However, unbeknownst to you, an attacker sits nearby, having created a Wi-Fi hotspot on their mobile, which they have paired with their laptop. They are monitoring the online activity of everyone who connects to this Wi-Fi, including you — that wasn’t the cafe’s Wi-Fi after all!

What type of attack is this?

Select the correct answer, then Submit.

  • Radio frequency jamming
  • Evil twin
  • Bluesnarfing
  • Bluejacking

This is an example of an evil twin attack. The attacker has set up a Wi-Fi hotspot to look like a better connection option for anyone looking to access the cafe’s Wi-Fi. Once you are connected to the evil access point, the attacker can analyze your network traffic and execute MitM attacks.

Always use a virtual private network (VPN) to stay secure on public networks, especially if you are accessing personal data or confidential organizational information.


1.5.8 What Do You Think?

Guru has asked for your opinion. It looks like an attacker has targeted a vulnerability in @Apollo’s online messaging service, which is used to facilitate communications between employees working across different sites. When an employee makes a voice call, it floods the memory of the application, effectively giving the attacker control over the employee’s device. What type of attack is this?

Select the correct answer, then Submit.

  • Resource exhaustion attack
  • Buffer overflow
  • Remote code execution
  • Cross-site scripting

You appear to have a good understanding of the different attack types which cybercriminals have at their disposal.

In this case, the attacker has carried out a buffer overflow attack. By writing data beyond the limits of the buffer in @Apollo’s online messaging service, they can effectively gain access to employee devices every time a voice call is made using this application.


1.5.14 Gone Phishing…

@Apollo has a number of security policies that require employees to report any suspicious activities to the cybersecurity team for further investigation.

Guru has asked you to review some recent activities to see if any indicate a security issue. Can you identify what type of attack each scenario is describing?

Select an option from each of the dropdowns, then Submit.

  • An employee received an email that looked like it came from an @Apollo supplier asking them to click a link to claim a discount ==> Phishing
  • An employee received an automated phone call from the bank advising that @Apollo’s account had been compromised and that they must call a specific number to reset the password ==> Vishing
  • An employee received a text message advising that one of @Apollo’s software subscriptions is expiring and that they must update the details immediately ==> Smishing

Criminals have a range of methods that aim to trick users into divulging their personal and financial information. You need to be aware of these and know what signs to look out for so that you and your organization do not fall victim to attack.