What actions should the CEH take?
A certified ethical hacker (CEH) completed a penetration test of the main headquarters of a
company almost two months ago, but has yet to get paid. The customer is suffering from financial
problems, and the CEH is worried that the company will go out of business and end up not
paying. What actions should the CEH take?
Which other option could the tester use to get a response from a host using TCP?
If a tester is attempting to ping a target that exists but receives no response or a response that
states the destination is unreachable, ICMP may be disabled and the network may be using TCP.
Which other option could the tester use to get a response from a host using TCP?
How can rainbow tables be defeated?
Which of the following is an advantage of utilizing security testing methodologies to conduct a security audit?
Which of the following is an advantage of utilizing security testing methodologies to conduct a
security audit?
What pseudo code would the developer use to avoid a buffer overflow attack on the billing address field?
A developer for a company is tasked with creating a program that will allow customers to update
their billing and shipping information. The billing address field used is limited to 50 characters.
What pseudo code would the developer use to avoid a buffer overflow attack on the billing address
field?
What could be done next?
If the final set of security controls does not eliminate all risk in a system, what could be done next?
Where are the best places to place intrusion detection/intrusion prevention systems?
In keeping with the best practices of layered security, where are the best places to place intrusion
detection/intrusion prevention systems? (Choose two.)
What is one thing a tester can do to ensure that the software is trusted and is not changing or tampering with critical data on the back end of a system it is loaded on?
What is one thing a tester can do to ensure that the software is trusted and is not changing or
tampering with critical data on the back end of a system it is loaded on?
Which of the following algorithms provides better protection against brute force attacks by using a 160-bit message digest?
Which of the following algorithms provides better protection against brute force attacks by using a
160-bit message digest?
What must the Certificate Authorities (CAs) establish so that the private PKIs for Company A and Company B trust one another and each private PKI can validate digital certificates from the other company?
Company A and Company B have just merged and each has its own Public Key Infrastructure
(PKI). What must the Certificate Authorities (CAs) establish so that the private PKIs for Company
A and Company B trust one another and each private PKI can validate digital certificates from the
other company?