CompTIA Security+ (SY0-601) Exam Questions
181.
Payroll in HR is reviewing their payroll and invoice payment processes that involve large sums of money. They want to prevent fraud and provide enhanced accountability. They have decided to incorporate a second employee into the process, so it can't be done by one person.
Which type of access control is being used?
- Separation of duties
- Least privilege
- Implicit deny
- Job rotation
Correct answer: Separation of duties
This access control limits the power of any one user over a process. The more people involved, the lower the chance that the process can be compromised. Separating the duties makes fraud difficult to carry out, because it would require collusion between two individuals.
The principle of least privilege ensures that users only have the minimum amount of privileges to perform their duties. Implicit deny is used to ensure the strongest levels of security by default. Job rotation is used to ensure that multiple users can accomplish a task.
182.
An attacker gains access to an older company's network and begins footprinting the environment. The attacker discovers that the network is still using NTLM for authentication due to the presence of Windows XP and Server 2003 machines. The attacker is able to intercept the authentication stream and resend the encoded password to gain access to various systems.
Which of the following MOST likely occurred in this scenario?
- Pass the hash attack
- Dictionary attack
- Birthday attack
- Rainbow table attack
Correct answer: Pass the hash attack
A pass the hash attack is when an attacker is able to determine the hash of a user's password and then essentially tricks the system into believing that the attacker actually entered a valid password. Any authentication protocol that sends hashes unencrypted over the network is susceptible to this attack, especially Microsoft LAN Manager (LM) and NT LAN Manager (NTLM).
A dictionary attack uses dictionary words and similar variants to crack a password. Birthday attacks use probability to help crack passwords. A rainbow table attack uses pre-computed hash tables.
183.
A manufacturing company has sensitive systems and data that they want to protect from network intrusions, and they want to ensure that they can stop any attacks while they're happening.
What should they use to inspect network traffic and redirect it if it looks suspicious?
- IPS
- IDS
- Proxy server
- Jump server
Correct answer: IPS
A network intrusion prevention system (NIPS) inspects traffic. If the traffic is considered suspicious, the system will redirect and quarantine it. It can also permit or disallow traffic based on a set of rules.
An intrusion detection system (IDS) detects malicious activity but does not try to stop it. A proxy is a server that handles requests on behalf of a client. A jump server centralizes management of other servers.
184.
Some control goals deal with an event after it occurs, but there are a few that work before the event has happened. Controls such as cable locks, hardware locks, and warning signs act to discourage the threat.
Which of the following control types would these be examples of?
- Deterrent
- Corrective
- Detective
- Compensating
Correct answer: Deterrent
Deterrent controls act to discourage a threat before it has an opportunity to create a security incident. For example, cable locks and hardware locks discourage opportunistic thieves from taking advantage of unsecured hardware and locations. Security guards are also an excellent example because simply having one posted in a location is a significant deterrent to potential threats.
Corrective controls fix issues that have already occurred. Detective controls identify events that have occurred. Compensating controls mitigate risks that were made as exceptions to security policies.
185.
Which best practice involves providing only the access needed for a specific job function?
- Least privilege
- Separation of duties
- Implicit deny
- Multi-factor authentication
Correct answer: Least privilege
In the least privilege access model, users are given only those privileges needed to do their job. This practice is also beneficial for network resources since users have limited use of resources. It reduces overhead on the network.
The principle of separation of duties refers to dividing important tasks between multiple people. Implicit deny refers to configuring access control lists to reject requests by default unless given specific instructions to allow something. Multi-factor authentication is a method of improving authentication by using multiple factors.
186.
Which concept ensures that CAs can be the basis for authenticity and integrity?
- Root of trust
- Federation
- Public ledger
- Secure enclave
Correct answer: Root of trust
Certificate authorities (CAs) use a hierarchical structure, with the root CA taken offline unless needed. The top-most CA needs to be secured in order for all subordinate CAs to be trusted.
A federation allows users to access multiple systems with a single set of credentials. A public ledger is a distributed list secured by a blockchain consensus mechanism. A secure enclave is a secure execution environment on Apple devices.
187.
A DLP system notices that a regular user account has started trying to access numerous sensitive files. What category of IoC is being triggered?
- Blocked content
- Account lockout
- Concurrent session usage
- Impossible travel
Correct answer: Blocked content
Blocked content is one category for indicators of compromise (IoC). If an account is suddenly trying to access numerous resources, then the account may have been compromised by an attacker.
Account lockout is an IoC that can occur if too many failed login attempts occur. Concurrent session usage is an IoC if the number of users suddenly spikes. Impossible travel can be an IoC if the user appears to log in from two separate geographic locations.
188.
Which process is used by both sides of a legal case to search through a company's emails, documents, and other digital artifacts?
- E-discovery
- Root cause analysis
- Attestation
- Due diligence
Correct answer: E-discovery
E-discovery is used after a legal hold has been sent to an organization, which requires it to preserve data. E-discovery allows electronic artifacts to be searched during legal proceedings.
Root cause analysis is the search for the cause of an incident. Attestation is the process of affirming that something is valid. Due diligence is the process of checking that a third party is legitimate.
189.
An online financial institution wants to monitor an application for potential security issues. Where can they look to find useful information about this?
- Application logs
- CPU usage report
- Memory utilization report
- System baseline
Correct answer: Application logs
Applications create log files that can contain useful information related to security, error messages, and user activity. Monitoring these log files is a major part of security operations.
CPU usage, memory utilization, and system baselining are used to monitor systems.
190.
In modern cryptography, what is the biggest factor for ensuring encryption will not be compromised?
- Length of keys
- Secrecy of encrypting algorithm
- Method of operation
- Obfuscation of source code
Correct answer: Length of keys
In modern cryptography, the algorithms are widely available for public review. The burden for keeping data secure falls on the use of long keys that would take computers too much time to crack.
Encryption algorithms are usually open to public view. Method of operation refers to whether a cipher works as a block cipher or a stream cipher. Obfuscation of source code is used to discourage unauthorized users from using the code.
191.
Which of the following roles is typically held by an IT admin responsible for implementing security controls for data?
- Data custodian
- Data owner
- Data controller
- Data protection officer
Correct answer: Data custodian
There are a few important roles and responsibilities with regard to data security and regulatory compliance. These include:
- Data owner: The data owner performs data classification and sensitivity labeling and is responsible for determining how it should be protected.
- Data controller: The EU's GDPR defines the role of the data controller, who determines how data should be collected and processed.
- Data processor: Data processor is another GDPR term and describes the individual who follows the guidance of the data controller to actually perform data processing.
- Data custodian/steward: A data custodian/steward is typically an IT employee who is responsible for actually implementing the security controls that the data owner determines are necessary to protect the data.
- Data protection officer (DPO): The GDPR also defines the role of a DPO, who is the person ultimately responsible for developing data protection policies and ensuring that the organization is compliant with the regulations.
192.
Which of the following refers to breaking a network into smaller subnetworks based on business purposes?
- Segmentation
- Isolation
- Containment
- Microsegmentation
Correct answer: Segmentation
Segmentation breaks the network into chunks, based on their roles. All cross-segment traffic flows through a firewall for inspection and is subject to access control lists (ACLs).
Isolation refers to disconnecting critical systems from the rest of the network to reduce the risk that they will be infected during a cyberattack. Containment refers to disconnecting a compromised system from the network to prevent malware or other threats from spreading to other systems. Microsegmentation defines network boundaries around individual applications or systems, enabling more granular security.
193.
Recent storms have been causing the power to go out at Acme Inc.'s headquarters. The administrator is lamenting that these outages are causing data loss on the servers. What can be used to keep a system powered on in case of a power outage so the administrator can power it down as intended?
- UPS
- SSL
- RAID
- SSH
Correct answer: UPS
An uninterruptible power supply (UPS) takes the functionality of a surge protector and combines it with a battery backup. When the power goes out, the system stays on, so the administrator can power down the device as it is intended to be powered down.
SSL is used for sending secure data over a network. RAID is used to improve resiliency and/or performance of disks. SSH is used to encrypt communications between systems.
194.
Which of the following could be used to block a malicious download on a website that a user is browsing?
- Content filter
- URL filter
- Firewall rule
- DLP
Correct answer: Content filter
In response to an incident, an organization may make various configuration changes to improve security, including:
- Firewall Rules: Firewall rules can be created, modified, or updated to block traffic from certain IP addresses or suspicious ports in response to a security incident. For example, an organization may block the IP addresses of bots performing a DDoS attack.
- Mobile Device Management (MDM): MDM solutions enable an organization to centrally manage and secure laptops and mobile devices. MDM solutions can enforce policies, perform application allowlisting, and implement remote wipe.
- Data Loss Prevention (DLP): DLP solutions can help to prevent sensitive data from leaking outside an organization's systems via email, USB, etc.
- Content/URL Filters: Content filters block malicious content in websites or emails, while URL filters prevent visits to known bad URLs.
- Certificate Updates or Revocation: An organization may update or revoke a certificate if it has expired or has been compromised. For example, an organization might need to update a certificate for its web server to make HTTPS connections or revoke a compromised code signing certificate that could be used to generate malicious versions of its applications.
195.
Which of the following vulnerabilities occurs when an attacker tries to place more data into a memory location than an application has allocated for it?
- Buffer overflow
- Pointer dereference
- Memory leak
- Race condition
Correct answer: Buffer overflow
A buffer overflow occurs when data written to memory goes outside of the memory block allocated to it.
Pointer/object dereference issues occur when a pointer is dereferenced that points to the wrong value or to NULL. A memory leak is an issue with memory management where the application holds onto memory it is no longer using, which can cause it to run out. A race condition takes advantage of the sequence of events when a CPU processes instructions.
196.
What physical control can be added to a building's parking lot and other dark areas to make them feel more secure?
- Lighting
- Bollards
- Sensors: ultrasonic
- Access badges
Correct answer: Lighting
Good lighting can deter intruders from entering an area, which increases feelings of safety.
Bollards are used to prevent vehicles from entering an area. Ultrasonic sensors are primarily used for proximity detection. Access badges are used to authenticate users for entering a building.
197.
A RAID is expected to need repairs once per year. Which of the following does that metric measure?
- MTBF
- MTTR
- RTO
- RPO
Correct answer: MTBF
Mean time between failures (MTBF) is the average time between failures of a system or component. It measures the reliability of a system.
Mean time to repair/recovery (MTTR) is the average time it takes to recover a system from a failure. The recovery time objective (RTO) is the amount of time an organization can tolerate having a system down before it is repaired. The recovery point objective (RPO) is the amount of data that can be lost during an outage.
198.
A company has a satellite office that needs a constant connection to the headquarters' network. What type of solution should they implement to create a secure network channel between locations?
- Site-to-site VPN
- Remote access VPN
- Managed switch
- Network emulator
Correct answer: Site-to-site VPN
VPNs can be implemented as remote access or site-to-site VPNs. A site-to-site VPN is used for a constant, secure connection between two remote networks.
Remote access VPNs are used when remote workers need a secure connection to access certain services. A managed switch is a switch with advanced features such as VLANs and QoS. A network emulator is software that simulates a network environment without the need for network hardware.
199.
What is the relationship between a data controller and a data processor?
- The data processor carries out services on behalf of the data controller
- The data processor makes decisions that the data controller must perform
- The data processor has ownership of the data, while the data controller is the subject of the data
- The data processor is the subject of the data, while the data controller is the owner of the data
Correct answer: The data processor carries out services on behalf of the data controller
The data controller makes decisions about how the data should be processed. The data processor carries out processing of the data on behalf of the data controller.
The data owner is responsible for the data. The individuals whose data was collected are the data subjects.
200.
After an incident, an investigator keeps track of a piece of evidence in a chain-of-custody document to ensure that the evidence is intact and unaltered. What purpose does this achieve in a court of law?
- Admissibility
- Provenance
- Attestation
- Nonrepudiation
Correct answer: Admissibility
Admissibility refers to the ability of evidence to be used in court. A chain-of-custody document helps achieve this.
Provenance is about establishing a history of ownership of something as it changes hands over time. Attestation involves providing evidence to verify some other information. Nonrepudiation is the assurance that a party involved in some communication cannot deny the authenticity of a message.