CompTIA Security+ Sy0-501 Practice Test 01

A distributed denial-of-service (DDoS) attack includes attacks from multiple systems with the goal of depleting the target’s resources and this scenario indicates multiple connection attempts from different IP addresses. A DoS attack comes from a single system, and an SYN flood is an example of a DoS attack. While the DDoS attack may be an amplification attack (an attack that significantly increases the amount of traffic sent to the victim), the scenario doesn’t give enough details to identify this as an amplification attack. Salting is a method used to prevent brute force attacks to discover passwords.

The password policy should be changed to increase the minimum password length of passwords. These passwords are only four and five characters long, which is too short to provide adequate security. They are complex because they include a mixture of at least three of the following character types: uppercase letters, lowercase letters, numbers, and special characters. Password history and password reuse should be addressed if users are reusing the same passwords, but the scenario doesn’t indicate this is a problem.

Ransomware attempts to take control of the user’s system or data and then demands a ransom to return control. Keyloggers capture a user’s keystrokes and store them in a file. This file can be automatically sent to an attacker or manually retrieved depending on the keylogger. It’s possible that Marge’s computer was infected with a Trojan, which created a backdoor. However, not all Trojans or backdoor accounts demand payment as ransom.

Dumpster diving is the practice of looking for documents in the trash dumpsters, but shredding or incinerating documents ensures dumpster divers cannot retrieve any paper documents. Shoulder surfers attempt to view something on a monitor or other screen, not papers. Tailgating refers to entering a secure area by following someone else. Vishing is a form of phishing using the phone.

Secure File Transfer Protocol (SFTP) is the best choice. File Transfer Protocol (FTP) is the best choice to send large files if they don’t contain sensitive data. These files contain proprietary data so they should be encrypted and SFTP encrypts the files using Secure Shell (SSH). Simple Network Management Protocol version 3 (SNMPv3) is used to manage network devices, not transfer files. The Secure Real-time Transport Protocol (SRTP) provides encryption, message authentication, and integrity for streaming media.

Encryption is the best choice to provide confidentiality of any type of information, including Personally Identifiable Information (PII) stored in a database. Hashing will support a use case of supporting integrity. Digital signatures will support the use of supporting non-repudiation. A smart card will support a use case of supporting authentication.

Failover devices increase availability. A failover cluster uses redundant servers to ensure services will continue to operate even if one of the servers fails. Obfuscation methods attempt to make something unclear or difficult to understand and are not related to failover devices. Integrity methods ensure that data has not been modified. Confidentiality methods such as encryption prevent the unauthorized disclosure of data.

The administrator should create an account for Jasper and add it to the Accounting group. Because the organization uses groups, it makes sense that they have an Accounting group. The Guest account should be disabled to prevent the use of generic accounts. This scenario describes role-based access control, not rule-based access control. Jasper does not require administrator privileges, so his account should not be added to the Administrators group.

Virtualization provides increased availability because it is much easier to rebuild a virtual server than a physical server after a failure. Virtualization supports a reduced budget because virtual servers require less hardware, less space in a data center, less power, and less heating and air conditioning. Failover clusters are more expensive. Bollards are physical barriers that block vehicles. Hashing provides integrity, not availability.

Layered security (or defense in depth) implements multiple controls to provide several layers of protection. In this case, the antivirus software provides one layer of protection while the firewall and the intrusion detection system (IDS) provide additional layers. Implicit deny blocks access unless it has been explicitly allowed. Least privilege ensures that users are granted only the access they need to perform their jobs, and no more. A flood guard attempts to block SYN flood attacks.

Load balancing shifts the load among multiple systems and can increase the site’s availability by adding additional nodes when necessary. A failover cluster also provides high availability, but there is no such thing as a fail-open cluster. Certificates help ensure confidentiality and integrity but do not assist with availability. A web application firewall helps protect a web server against attacks, but it does not increase availability from normal client requests.

Virtualization provides a high degree of flexibility when testing security controls because testers can easily rebuild virtual systems or revert them using a snapshot. Baselines provide a known starting point but aren’t flexible because they stay the same. Hardening techniques make systems more secure than their default configuration. Patch management programs ensure patches are deployed but do not test security controls.

Typo squatting (or URL hijacking) uses a similar domain name to redirect traffic. In this scenario, the last two letters in comptia are swapped in the malicious domain name, and that site is attempting to download malware onto the user systems. A smurf attack is unrelated to web sites. Fuzzing tests an application’s ability to handle random data. A replay attack attempts to replay data with the intent of impersonating one of the parties.

You can disable the service set identifier (SSID) broadcasting to prevent users from easily discovering the wireless networks. None of the other methods hide the network. Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP) provides stronger security for Wi-Fi Protected Access II (WPA2) and WPA2 Enterprise adds authentication for a wireless network. Media access control (MAC) address filtering can restrict access to the wireless network.

A virtual local area network (VLAN) provides separation for traffic and can be configured to separate Voice over IP (VoIP) traffic and data traffic. Network access control (NAC) solutions inspect clients for health after they connect to a network. A demilitarized zone (DMZ) provides a layer of protection for Internet-facing systems, while also allowing clients to connect to them. Secure Real-time Transport Protocol (SRTP) provides encryption and authentication for Real-time Transport Protocol (RTP) traffic. RTP is used for audio/video streaming, such as in video teleconferencing applications.

A mail gateway is placed between an email server and the Internet and mail gateways typically include data loss prevention (DLP) capabilities. They can inspect the contents of outgoing traffic looking for keywords and block any traffic containing proprietary data. A unified threat management (UTM) device includes content inspection, but this most often blocks specific types of traffic or specific file types. A mail gateway is more focused on email. Proxy servers are typically used for web traffic. They don’t include the ability to filter email.

The most likely cause is that the Remote Authentication Dial-In User Service (RADIUS) server certificate expired. An 802.1x server is implemented as a RADIUS server and Protected Extensible Authentication Protocol (PEAP) requires a certificate, which is a key clue in this question. If the Domain Name System (DNS) or Dynamic Host Configuration Protocol (DHCP) failed, it would affect both wired and wireless users. Media access control (MAC) address filtering might cause this symptom if all MAC addresses were blocked, but the scenario states that there weren’t any network configuration changes.

Authentication should be increased, such as by forcing users to use stronger passwords. The scenario indicates that attackers are somehow obtaining customer credentials and using them to conduct fraudulent transactions. Identification is simply claiming an identity, and having customers come into the bank to obtain their credentials increases identification, but this didn’t help. Accounting is typically performed by reviewing logs, but the current logs are documenting the fraud. Authorization indicates what customers can do, but there isn’t any indication that authorization is a problem.

You can use tracert to track packet flow through a network and if an extra router has been added to your network, tracert will identify it. You can use ping to check connectivity with a remote system, but it doesn’t show the route. The ipconfig command will show the network settings on a Windows computer, but it doesn’t identify failed routers. Netstat shows active connections and other network statistics on a local system, but it doesn’t identify network paths.

This is an example of single sign-on (SSO) capabilities because you can log on once and access all the resources without entering your credentials again. The same sign-on requires you to reenter your credentials for each new site, but you use the same credentials. Security Assertion Markup Language (SAML) is an SSO solution used for web-based applications and the bank might be using SAML, but other SSO solutions are also available. Kerberos is used in an internal network.

This recommendation is enforcing separation of duties principle, which prevents any single person from performing multiple job functions that might allow the person to commit fraud. Discretionary access control specifies that every object has an owner, but doesn’t separate duties. Devices such as routers use a rule-based access control model, but it doesn’t separate duties. Job rotation policies rotate employees into different jobs, but they don’t necessarily separate job functions.

A vulnerability scan identifies vulnerabilities that attackers can potentially exploit, and vulnerability scanners perform passive testing. A penetration test actively tests the application and can potentially compromise the system. A port scan only identifies open ports. A sniffer can capture traffic for analysis, but it doesn’t check for security controls.

Disabling unnecessary services is one of several steps you can take to harden a server. It is a preventive control because it helps prevent an incident. Identifying the initial baseline configuration is useful to determine the security posture of the system, but by itself, it doesn’t prevent attacks. Monitoring logs and trend analysis are detective controls, not preventive controls. A backup and restoration plan is a corrective control.

You can create security groups, place users into these groups, and grant access to the folders by assigning appropriate permissions to the security groups. For example, the security groups might be Sales, Marketing, and HR, and you place users into the appropriate group based on their job. This is an example of using group-based privileges. Assigning permissions to each user individually has a high administrative overhead. Waiting for users to ask will also increase administrative overhead. Although delegating authority to assign permissions might work, it doesn’t provide the same level of security as centrally managed groups, and without groups, it will still have a high administrative overhead for someone.

A zero-day attack takes advantage of an undocumented exploit or an exploit that is unknown to the public. A buffer overflow attack sends unexpected data to a system to access system memory or cause it to crash. Although some buffer overflow attacks are unknown, others are known. If the server isn’t kept up to date with patches, it can be attacked with a known buffer overflow attack. A man-in-the-browser attack is a type of proxy Trojan horse that takes advantage of vulnerabilities in web browsers, not web servers. Session hijacking takes over a user’s session and isn’t related to an attack on a server.

A chain of custody was not maintained because the hard drive was left unattended for several hours before capturing an image. Witnesses were not mentioned, but are not needed if the chain of custody was maintained. The order of volatility does not apply here, but the hard drive is not volatile. The analysis would occur after capturing an image, but there isn’t any indication it wasn’t done or wasn’t complete.

A Trusted Platform Module (TPM) includes an encryption key burned into the chip, and this key provides a hardware root of trust. Data loss prevention (DLP) systems detect unauthorized data transfers. Sandboxing provides an isolated area on a system, typically used for testing. A hardware security module (HSM) is an external security device used to store cryptographic keys, but a TPM is a chip within the system.

A redundant array of inexpensive disks (RAID) subsystem is a relatively low-cost solution for fault tolerance for disks. RAID also increases data availability. Load balancing adds in additional servers, which are significantly more expensive than RAID. Round robin scheduling is one of the methods used in load balancing. A warm site is a separate location, which can be expensive.

The security administrator is most likely looking for a backdoor because Trojans commonly create backdoors, and a backdoor allows unauthorized personnel to access data on the system. Logic bombs and rootkits can create backdoor accounts, but Trojans don’t create logic bombs and would rarely install a rootkit. The computer might be joined to a botnet, but a botnet is a group of computers.

At this stage, the first response is incident identification. The preparation phase is performed before an incident and includes steps to prevent incidents. After identifying this as a valid incident (malware infection), the next steps are containment, eradication, recovery, and lessons learned.

It’s important to keep a chain of custody for any confiscated physical items and the chain of custody is a record of everyone who took possession of the asset after it was first confiscated. Hashes should be taken before capturing an image, but they are not required before confiscating equipment. Users, not witnesses, sign an acceptable use policy (AUP). Security personnel should be aware of the order of volatility, but there isn’t any way to maintain the order.

This was most likely an advanced persistent threat (APT) because it was a sophisticated attack and originated from a foreign country. A hacktivist launches attacks to further a cause, but the scenario didn’t mention any cause. Competitors might launch attacks, but they would typically focus on proprietary data rather than customer data. An insider would not launch attacks from a foreign country.

Closed-circuit television (CCTV) or a similar video surveillance system can monitor the entrance and record who enters and exits the area. A mantrap prevents tailgating, but it doesn’t necessarily identify individuals. An access list is useful if a guard is identifying users and allowing access based on the access list, but the access list does not identify users. Bollards are a type of barricade that protects building entrances.

Integrity provides assurances that data has not been modified and integrity is commonly enforced with hashing. Confidentiality prevents unauthorized disclosure of data but doesn't address modifications of data. Availability ensures systems are up and operational when needed and uses fault tolerance and redundancy methods. Authentication provides proof that users are who they claim to be.

A demilitarized zone (DMZ) is a logical buffer zone for servers accessed from public networks such as the Internet, and it provides a layer of security for servers in the DMZ. A wiring closet or server room provides physical security for networking equipment. A honeypot is a fake server used to lure attackers and a honeynet is a fake network. Proxy servers cache data retrieved from web servers.

A URL filter blocks access to specific web sites based on their URLs. Proxy servers and unified threat management (UTM)
devices include URL filters. UTM devices also include a content inspection to identify and filter out different types of files and traffic, and malware inspection to identify and block malware. A web application firewall (WAF) protects a web server from incoming attacks.

A data loss prevention (DLP) solution can detect documents sent to a printer that contain Personally Identifiable Information (PII) and prevent them from printing. A hardware security module (HSM) and a Trusted Platform Module (TPM) both provide full disk encryption, but cannot block documents sent to a printer. A virtual local area network (VLAN) segments traffic and can help protect a supervisory control and data acquisition (SCADA) system, but isn’t selective about documents sent to a printer.

A honeypot can divert malicious attacks to a harmless area of your network, such as away from production servers holding valid data. An intrusion prevention system (IPS) can block attacks, but it doesn’t divert them. A proxy server can filter and cache content from web pages, but it doesn’t divert attacks. A web application firewall (WAF) is an additional firewall designed to protect a web application.

This practice enforces a job rotation policy where employees rotate into different jobs and are designed to reduce potential incidents. A separation of duties policy prevents any single person from performing multiple job functions to help prevent fraud, but it doesn’t force users to switch roles. A mandatory vacation policy requires employees to take time away from their job. An acceptable use policy informs users of their responsibilities when using an organization’s equipment.

Using group-based privileges is the best choice to meet the needs of this scenario. For example, you can create a DB_Group and a Web_Group, assign appropriate privileges to the groups, and add intern accounts to the groups based on their assignments. Generic accounts such as the Guest account should not be used. User-based privileges take too much time to manage because you’d have to implement them separately.

The generators are likely controlled within a supervisory control and data acquisition (SCADA) system and isolating them within a virtual local area network (VLAN) will protect them from unauthorized access. An internal Certificate Authority (CA) issues and manages certificates within a Public Key Infrastructure (PKI), but there aren’t any indication certificates are in use. Wi-Fi Protected Access II (WPA2) secures wireless networks but doesn’t protect SCADA networks. Patch management processes help ensure systems are kept up to date with patches, but this doesn’t apply in this scenario.

A mantrap controls access to a secure area and only allows a single person to pass at a time. The scenario describes the social engineering tactic of tailgating, not the control to prevent it. Some sophisticated mantraps include identification and authorization systems, such as biometric systems or smart cards and PINs. However, biometrics and smart cards used for physical security do not restrict passage to one person at a time unless they are combined with a mantrap.

A certificate revocation list (CRL) can meet this need because CRLs are cached. If the public Certificate Authority (CA) is not reachable due to any type of connection outage or CA outage, the cached CRL can be used as long as the cache time has not expired. The Online Certificate Status Protocol (OCSP) works in real-time where the client queries the CA with the serial number of the certificate. If the CA is unreachable, the certificate cannot be validated. A private CA is used within an organization and cannot validate certificates from a public CA. You request a certificate with a certificate signing request (CSR), but the CSR doesn’t validate an issued certificate.

Infrastructure as a Service (IaaS) is a cloud computing option where the vendor provides access to a computer, but customers must manage the system, including keeping it up to date with current patches. A community cloud is shared among several organizations, but the scenario doesn’t indicate the resources are shared. Software as a Service (SaaS) provides access to applications, such as email, but not to the operating system. An IaaS solution can be a public, private, or hybrid solution. A hybrid cloud is a combination of two or more public, private, and/or community clouds.

Buffer overflow attacks often cause an application to crash and expose system memory. Attackers then write malicious code into the exposed memory and use different techniques to get the system to run this code. None of the other attacks insert malicious code into memory. An Address Resolution Protocol (ARP) poisoning attack attempts to mislead systems about the source media access control (MAC) address. Privilege escalation techniques attempt to give an attacker more rights and permissions. In a replay attack, the attacker intercepts data and typically attempts to use the intercepted data to impersonate a user or system.

A privacy impact assessment attempts to identify potential risks related to Personally Identifiable Information (PII) and ensure the organization is complying with applicable laws and regulations. A privacy threshold assessment helps an organization identify PII within a system and determine if a privacy impact assessment is needed. A threat assessment is part of a risk assessment and helps identify potential threats. A supply chain assessment is part of a risk assessment and helps identify potential problems in the supply chain that might impact an organization’s mission.

A port scanner identifies open ports on a system and is commonly used to determine what services are running on the system. A penetration test attempts to exploit a vulnerability. A protocol analyzer (also called a sniffer) could analyze traffic and discover protocols in use, but this would be much more difficult than using a port scanner.

An anomaly-based (also called heuristic-based or behavior-based) intrusion detection system (IDS) compares current activity with a previously created baseline to detect any anomalies or unusual traffic on a network. A network-based firewall will block and allow traffic, but it does not detect unusual traffic. Signature-based IDS systems use signatures similar to antivirus software. A honeynet is a group of servers configured as honeypots. A honeynet is designed to look valuable to an attacker and can divert attacks.

Network access control (NAC) inspects clients for health, including having up-to-date virus definition files and can restrict network access to unhealthy clients to a remediation network. A network intrusion detection system (NIDS) can detect incoming attacks, but doesn’t inspect internal clients. A data loss prevention (DLP) system typically examines outgoing traffic looking for confidential data. A demilitarized zone (DMZ) is a buffer zone between the Internet and an internal network.

Netcat can easily be used for banner grabbing and banner grabbing will provide her information on the operating system and get some information on services and applications used by the server. Security information and event management (SIEM) system provides a centralized solution for collecting, analyzing, and managing data from multiple sources. Tcpdump is a command-line tool used to capture packets, but it doesn’t query systems for data. A gray box test indicates the tester has some knowledge of the target, but it doesn’t indicate the type of test used by a tester.