CompTIA Security+ (SY0-601) Exam Questions

Page 2 of 50

21.

Which of the following consequences of non-compliance is non-tangible?

  • Reputational damage

  • Fines

  • Loss of license

  • Sanctions

Correct answer: Reputational damage

An organization that falls into non-compliance can face reputational damage because it loses the trust of others. This consequence is non-tangible because it is not easily quantified.

Fines, loss of licenses, and sanctions are tangible consequences of non-compliance.

22.

A security administrator at Acme Inc. is auditing and, if necessary, implementing various controls around the organization. They have reviewed the encryption, antivirus software, intrusion detection and prevention systems, and firewalls, and have audited user permissions.

Which of the following control categories is this administrator auditing?

  • Technical

  • Operational

  • Managerial

  • Physical

Correct answer: Technical

Technical controls use technology to close gaps and reduce vulnerabilities in an organization. An administrator installs and configures the technical controls, after which the technical controls operate autonomously to protect and secure the systems.

Operational controls include log monitoring and vulnerability management. Managerial controls include risk assessments and change management procedures. Physical controls help to manage or prevent physical access to an organization's building, systems, etc.

23.

Which type of device is typically hardened through the use of firewalls, antivirus software, and security policies?

  • Workstation

  • Switch

  • Smartphone

  • Router

Correct answer: Workstation

Workstations require extensive hardening techniques because they are complex and users interact with the data on them on a regular basis. Typical hardening techniques include installing antivirus protection, using host-based firewalls, and having extensive security policies.

Switches and routers do not require antivirus software as they operate at lower levels of the OSI model. Smartphones are more controlled environments and do not generally need firewalls or antivirus software.

24.

An email that addresses each recipient individually by name arrives for the HR managers of a company. The request is for personnel files and appears to relate to the questions that might be used for password reset authentication.

What type of attack is being performed?

  • Spear phishing

  • Smishing

  • Vishing

  • Watering hole

Correct answer: Spear phishing 

Spear phishing takes phishing to a new level. Instead of sending random emails to random employees, the attacker researches the organization and sends emails to specific groups of people. These attacks tend to incorporate personal details such as a victim's name or other specific details to make the attack seem more authentic.

A smishing attack is done through text messages. A vishing attack is done through voice mail. A watering hole attack is done by compromising a site that the target visits frequently.

25.

Which type of attacker is primarily motivated by demonstrating their hacking prowess?

  • Unskilled attackers

  • APTs

  • Insider threats

  • Hacktivists

Correct answer: Unskilled attackers

Unskilled attackers, or script kiddies, use preexisting tools to perform attacks. Their typical motivation is to improve their reputation as hackers.

Advanced persistent threats (APTs) have the resources and skills required to pose a long-term threat to an organization. Insider threats are trusted parties who may intentionally harm or steal from the company or may inadvertently take actions that place the company at risk. Hacktivists perform attacks to promote their cause.

26.

Outages have been occurring when various patches are applied to the servers. The administrators are growing frustrated with the restoration work required after a failed patch and want to ensure that this does not continue.

Which of the following methods should they implement?

  • Testing the patches in a sandboxed environment

  • Applying the patches to a small subset of production servers

  • Applying the patches one server at a time

  • Taking system images before the patches and restoring them immediately upon issue

Correct answer: Testing the patches in a sandboxed environment

The ideal solution is to test the patches in a sandboxed environment: a test server receives the patch first and is then evaluated for adverse effects, so a bad patch is caught before it reaches production. There have been cases in which Microsoft updates have taken down Windows server installations, which required extensive restoration. Situations like that can be averted simply by testing the patches in a development sandbox before applying them to the whole organization.

27.

A receptionist at Acme Inc. receives a call from an individual who says he is on location with an executive who is about to give a presentation to Acme's largest customer, but that the files are corrupt and they need replacement files immediately. Initially, the receptionist tries to decline, but the individual states that, without the files, the customer will retract their business, and Acme Inc. will lose millions of dollars.

Which of the following social engineering principles is this an example of?

  • Intimidation

  • Authority

  • Consensus

  • Scarcity

Correct answer: Intimidation

Intimidation is when an attacker pressures the victim into providing information through bullying tactics or other similarly aggressive measures. It is most effective when combined with impersonation, although the two are not always used together.

Authority is a technique where the attacker impersonates a manager or other person in charge. Consensus is a technique where the attacker tries to convince the victim that everyone else is already doing something. Scarcity is a technique in which the attacker makes it appear that if the victim does not act now, then something will run out.

28.

Which type of certificate is created and used by a root CA?

  • Self-signed

  • Third-party

  • EV

  • Wildcard

Correct answer: Self-signed

A root certificate authority (CA) needs to create its own certificate and sign it itself. All other systems will get their certificate from the root CA.

Third parties do not sign a root CA's certificate. An Extended Validation (EV) certificate is signed by a CA to verify the identity of the owners of issued certificates. A wildcard certificate is a certificate valid for all subdomains of a domain.

29.

An administrator is working at a growing organization. The owner approaches the administrator with the concern that new employees may not want to follow the rules and could potentially install prohibited applications such as music streaming or file-sharing software.

What can the administrator use to specify programs that should NOT be installed on workstations?

  • Block list

  • Allow list

  • Quarantines

  • URL filtering

Correct answer: Block list

Application block listing specifically blocks certain applications from being installed. For instance, if an administrator found that Skype was causing a problem with data leakage, they could specifically block it from being installed on any machine.

An allow list specifically allows certain programs to be installed, which can be easier to maintain than a block list. A quarantine is an area where programs can be isolated from a system or network. URL filtering is used to prevent access to certain websites.

30.

A hotel chain decided that they wanted to force users to use their on-premises Wi-Fi and pay for it. To do so, they employed devices that were capable of committing denial-of-service attacks against customers' personal Wi-Fi access points.

Which of the following devices did they MOST likely use?

  • Jammer

  • Crimper

  • Captive portal

  • VPN

Correct answer: Jammer

Jammers can be used to interrupt a wireless signal. They can be purchased online to attack a wireless access point and initiate a denial of service. They create random noise on the Wi-Fi channel or attempt to disassociate clients from the device.

Crimpers are devices for attaching connectors to cables. A captive portal is a web page that gatekeeps internet access until a client performs certain actions. A VPN is an encrypted tunnel between two points on a network.

31.

Which of the following is a widely accepted international public key infrastructure (PKI) standard to verify that a public key is matched to the user, host, or application that is contained within the certificate?

  • X.509

  • X.500

  • X.25

  • X.700

Correct answer: X.509

Most certificates are based on the X.509 standard, which is the common PKI standard developed by the ITU-T that often incorporates the single sign-on authentication method. An X.509 certificate contains information regarding the identity of the recipient. Standard information in an X.509 certificate would be as follows:

  • Version
  • Serial number
  • Algorithm information
  • Issuer name
  • Length of certificate validity
  • Name of the identity the certificate is issued to
  • Public key
  • Extensions (optional)

X.500 standards relate to directory services. The X.25 standard relates to packet switching. X.700 standards relate to OSI communications management.

32.

Which of the following is a common attack used to fraudulently obtain private information through methods such as email?

  • Phishing

  • DDoS

  • Brute force

  • Pretexting

Correct answer: Phishing

Phishing is the attempt to fraudulently obtain private information. A phisher masquerades as someone else and sends the victim a request for information using methods such as email.

A DDoS is an attack that sends excessive traffic. Brute force is used to crack passwords. Pretexting is used to create a situation before using an impersonation attack.

33.

There are reports that a server on the network has been compromised and may be sending malicious traffic over the network to other devices to further the attack. The administrators want to view the network traffic so that they can get an idea of what to expect.

Which of the following would the administrators want to use in order to view traffic on the network?

  • Protocol analyzer

  • Wi-Fi analyzer

  • NetFlow analyzer

  • Network mapper

Correct answer: Protocol analyzer

Protocol analyzers are also called sniffers. They intercept network traffic and allow an administrator or a hacker to view packet data. Data cannot be read if it's encrypted. The ability to see the traffic on the network should not be underestimated, especially during instances of troubleshooting and locating potentially malicious activity. It enables a view of the streaming traffic in real time, which is not offered by many switches or routers unless they are high-end. Items such as plaintext passwords being transmitted over the network, potential sources of flood attacks, and more can be discovered.

A Wi-Fi analyzer gives information about wireless networks. A NetFlow analyzer is a tool that analyzes NetFlow data, a Cisco-developed protocol for summarizing traffic between network devices. A network mapper is a tool for enumerating the devices on a network.

34.

Which of the following password policies involves storing a user's previous password hashes?

  • Password reuse

  • Password length

  • Password complexity

  • Password resemblance

Correct answer: Password reuse

  • Password reuse policies ensure that a user doesn't use any of the previous X passwords when setting a new password. Password histories store the previous X password hashes to ensure that a user doesn't reuse the same password. 
  • Password length rules improve security by exponentially increasing the space of possible passwords.
  • Password complexity rules commonly mandate a combination of uppercase and lowercase letters, numbers, and special characters.
  • Password resemblance refers to preventing users from setting a new password that is different from but similar to a past one. For example, changing Password!1 to Password!2. This is difficult to safely enforce because it requires access to the plaintext versions of a user's past passwords.

35.

A security analyst is performing threat hunting. They notice that a user is logged in twice on a system to use an application that is not usually used on two devices at once. What type of indicator of compromise is the security analyst observing?

  • Concurrent session usage

  • Account lockout

  • Impossible travel

  • Resource consumption

Correct answer: Concurrent session usage

Threat hunters search for specific indicators of compromise. Concurrent session usage refers to one user account being logged in more than one time simultaneously.

Account lockout refers to a user not being able to log in due to multiple failed attempts. Impossible travel refers to a user being logged in simultaneously from different locations. Resource consumption refers to system, disk, or network usage that is higher than usual.

36.

Which type of hardening technique is typically used for devices that use an RTOS?

  • Changing default passwords

  • Implementing strong physical security controls

  • Hiding SSIDs

  • Installing antimalware software

Correct answer: Changing default passwords

A real-time operating system (RTOS) is used in mission-critical settings. Hardening techniques include changing default settings such as passwords and using encryption. 

Strong physical controls are used with stationary systems such as servers or ICS/SCADA. Hiding SSIDs is used with wireless access points. RTOS devices do not require antimalware software as they do not have a typical attack surface.

37.

An organization has decided to accept a risk (i.e., do nothing). This decision is MOST related to which of the following?

  • Risk appetite

  • Inherent risk

  • Residual risk

  • Control risk

Correct answer: Risk appetite

Risk appetite is the amount of residual risk that an organization is willing to accept after performing risk mitigation.

Inherent risk is the natural risk that is associated with a particular activity or business process. Residual risk is the amount of risk left over after a risk mitigation technique has been applied. Control risk or risk control is the process of identifying risks and threats to assets and defining controls to secure them.

38.

What type of activity does a SIEM system perform?

  • Log aggregation

  • Threat blocking

  • Policy enforcement

  • Automated quarantine

Correct answer: Log aggregation

Security information and event management (SIEM) systems aid an organization by aggregating logs from various systems. This lets an organization correlate events to detect potential anomalies.

Threat blocking is performed by tools such as IPSs. Policy enforcement is performed by tools such as NAC. Automated quarantining can be performed by tools such as UTMs.

39.

A financial analyst is working on a laptop issued to them by their company. What account type should they be using?

  • User

  • Administrator

  • Service

  • Guest

Correct answer: User

A computer can have a few different types of accounts. A user account is an unprivileged account assigned to general users of the system. Even users who hold higher privileges should use a standard user account for non-privileged tasks.

Administrator/root accounts have full control over the system and should be used sparingly only by administrators who need this level of control. Service accounts are used by software and processes on a system that shouldn't be run under user accounts. Guest accounts have minimal access and privileges on a system and are intended for temporary access.

40.

A company needs to maintain strict control over its users' policies to comply with regulations. What process can help them keep users' workstations standardized for this purpose?

  • Configuration enforcement

  • Snapshots

  • Platform diversity

  • Application allow list

Correct answer: Configuration enforcement

Configuration enforcement allows for standardization, vulnerability mitigation, compliance adherence, and automation. It is ideal for a situation where users' environments need to be strictly maintained for compliance reasons.

Snapshots are a backup technique that keeps track of a system's state. Platform diversity refers to having multiple system types in case one type is breached. An application allow list only permits specified applications to be installed.