CompTIA Security+ (SY0-601) Exam Questions

Page 3 of 50

41.

Which category of security control is a firewall?

  • Technical

  • Managerial

  • Administrative

  • Operational

Correct answer: Technical

Security controls can be classified into four categories, including:

  • Managerial: Managerial/administrative controls are policies, procedures, or guidelines. An organization's managerial controls are developed first and used as the basis for designing and implementing other security controls.
  • Operational: Operational controls help an organization maintain normal operations. Backups or a policy stating that a system should be regularly reset are examples of operational controls.
  • Technical: Technical/logical controls implement access management for a particular resource. Firewalls, passwords, encryption, and group policies are all examples of technical controls.
  • Physical: Physical controls help to manage or prevent physical access to an organization's building, systems, etc. Fences, locked doors, etc. are examples of physical controls.

42.

A law firm needs to communicate securely with other firms that are working with them on a rather large case. They are transferring sensitive information and need authentication, integrity, nonrepudiation, privacy, and data security for their electronic communications. 

What is an IETF standard that provides cryptographic security for electronic messages such as email?

  • S/MIME

  • POP

  • SNMP

  • SPF

Correct answer: S/MIME

Developed by RSA Security, Secure/Multipurpose Internet Mail Extensions (S/MIME) provides security mainly for email messages. It is used for authentication, message integrity, and nonrepudiation of origin. S/MIME uses RSA for asymmetric encryption and AES for symmetric encryption. It can encrypt email both at rest and in transit. It requires a PKI to distribute and manage certificates.

POP is used for retrieving emails from a server. SNMP is used to monitor and administer network devices. SPF is used to prevent email spoofing.

43.

An organization needs a firewall that can inspect all network connections AND has the ability to look into the packet payload. Which firewall type should they use for this purpose?

  • Application-layer

  • Stateful

  • Packet-filtering

  • WAF

Correct answer: Application-layer

An application-layer firewall has the same capabilities as a stateful firewall but can also look inside a packet's payload. This enables it to filter traffic based on application-layer data, such as the HTTP method or FTP command it contains.

A packet-filtering firewall is stateless, meaning that it stores no information about the current status of a network connection. It determines whether traffic can enter or leave the network based on the content of the packet headers. A stateful firewall retains information about the current state of network connections. This enables it to identify packets that are out of sequence or invalid, such as a TCP SYN/ACK packet without a corresponding SYN. However, it can't inspect the contents of a network packet. A web application firewall (WAF) is a specialized application-layer firewall focused on HTTP connections to/from a corporate web server.

44.

Which of the following steps validates that a piece of code will work within the greater system where it will be used?

  • Continuous integration

  • Continuous validation

  • Continuous monitoring

  • Continuous deployment

Correct answer: Continuous integration

DevOps automates parts of the software development and deployment process, including:

  • Continuous monitoring monitors a production application for attacks, errors, or other issues.
  • Continuous validation ensures that code is operating properly.
  • Continuous integration validates that components of a system work together properly.
  • Continuous delivery automates the process of sending the latest version of code to the customer.
  • Continuous deployment enables continuous delivery by automatically building release versions of software based on new updates.

45.

An administrator needs to keep a user from deleting any of their email files after an incident. What term describes the actions of the administrator in this situation?

  • Legal hold

  • Chain of custody

  • Acquisition

  • Quarantine

Correct answer: Legal hold

A legal hold describes a situation where evidence must be preserved. The Federal Rules of Civil Procedure (FRCP) require organizations to put information under a legal hold if they reasonably anticipate any litigation or government investigation.

A chain of custody is a document that keeps track of evidence. Acquisition refers to gathering evidence from a compromised system. A quarantine is an isolated area in a system.

46.

Which of the following forms of data protection is MOST commonly used to protect credit card data on receipts, websites, etc.?

  • Masking

  • Encryption

  • Tokenization

  • Rights management

Correct answer: Masking

Some commonly used data protection solutions include:

  • Masking, which replaces sensitive data with an asterisk or similar character. For example, all but the last four digits of credit card numbers are often masked on receipts, websites, etc.
  • Encryption, which scrambles data in a way that makes it unreadable and unusable without knowledge of the decryption key.
  • Tokenization, which replaces sensitive data with a non-sensitive token. A lookup table maps the token to the sensitive data for retrieval when needed.
  • Rights management, which places security controls in place to prevent data loss. For example, an email may disallow forwarding or screenshots, and copy-paste may be disabled when a device is showing sensitive information.

47.

What is a specific advantage of using IaC when moving an application to a live environment?

  • Ease of deployment

  • Risk transference

  • Patch availability

  • Availability

Correct answer: Ease of deployment

Ease of deployment is essential, especially if a solution is complex. Ease of deployment can be achieved when using infrastructure as code (IaC) because deployment is scripted, which also avoids human error.

Risk transference involves using a third party to handle an organization's risky activity. Patch availability refers to having a system to automatically patch systems. Availability is the concept of having data or a system available at all times.

48.

Which type of encryption targets an entire database?

  • TDE

  • CLE

  • Volume encryption

  • Partition-level encryption

Correct answer: TDE

Database encryption typically encrypts either the entire database or individual columns. Transparent data encryption (TDE) is used to encrypt the entire database at the file level.

Column-level encryption (CLE) encrypts specific columns of a database. Volume encryption encrypts an entire logical volume of a drive. Partition-level encryption encrypts an entire partition of a drive.

49.

A group of salespeople within an organization routinely travel, and there have been times when laptops were lost during these trips. Management is concerned that data could be stolen from these devices despite being password-protected. They are Windows-based laptops and are ultraportable. 

What Windows application lets an administrator control whole disk encryption on a system?

  • BitLocker

  • Tripwire

  • Bitdefender

  • Splunk

Correct answer: BitLocker

BitLocker is an encryption application included with Windows. The administrator can control BitLocker settings through the group policy editor. BitLocker requires a USB to store the encrypted keys, and the hard drive must be configured with at least two partitions, one for the operating system and one for the encrypted data.

Tripwire is a file integrity monitoring solution. Bitdefender is antivirus software. Splunk is a security orchestration, automation, and response system.

50.

Which of the following steps ensures that after new code is developed and tested, it is automatically put into production?

  • Continuous deployment

  • Continuous integration

  • Continuous validation

  • Continuous monitoring

Correct answer: Continuous deployment

DevOps automates parts of the software development and deployment process, including:

  • Continuous monitoring monitors a production application for attacks, errors, or other issues.
  • Continuous validation ensures that code is operating properly.
  • Continuous integration validates that components of a system work together properly.
  • Continuous delivery automates the process of sending the latest version of code to the customer.
  • Continuous deployment enables continuous delivery by automatically building release versions of software based on new updates.

51.

After a server's hard drive fails, it typically takes about 30 minutes to get the drive repaired or replaced to fix the issue. Which of the following does this measure?

  • MTTR

  • MTBF

  • RTO

  • RPO

Correct answer: MTTR

Mean time to repair/recovery (MTTR) is the average time it takes to recover a system from a failure.

The MTBF identifies the average time between failures; systems that have a high MTBF are considered more reliable. The recovery time objective (RTO) is the amount of time that is acceptable before services are restored. The recovery point objective (RPO) is the acceptable latency period of data, or the maximum tolerable time that data can remain inaccessible after a disaster.

52.

As the final networking components are configured and tested, the production environment is now complete for Acme Inc. and their new payment processing service. They want to use a form of monitoring that will take a snapshot of the entire environment and its normal operating procedures and send an alert if anything is performing oddly. 

What type of monitoring method are they using?

  • Anomaly-based

  • Signature-based

  • Heuristic

  • TTP

Correct answer: Anomaly-based

Anomaly-based monitoring systems are also known as statistical anomaly-based monitoring systems. They establish a performance baseline based on a set of normal network traffic evaluations. The baseline should be taken when servers are under normal load.

Signature-based detection relies on a known hash or signature of an attack. Heuristic detection uses pre-defined algorithms. TTP-based detection uses the known tactics, techniques, and procedures of an attacker.

53.

An administrator is investigating unusual network traffic originating from several workstations in the HR department. Upon further inspection, the administrator notices that the workstations are making many thousands of requests to a specific web forum. As the administrator is searching for more information, they discover that the web forum in question is currently unavailable, for unknown reasons. 

Which of the following is likely the reason for what is occurring?

  • The workstations are part of a botnet that is carrying out a DDoS against the web forum

  • A keylogger is sending information back to the attacker

  • A DNS attack is being perpetrated against the web forum

  • A buffer overflow attack has taken down the web forum

Correct answer: The workstations are part of a botnet that is carrying out a DDoS against the web forum

A botnet is a group of infected machines all serving under a command and control center. It consists of bots, or zombies, which are infected servers or workstations that perform the operations as commanded by the bot herder. These botnets are often used to launch distributed denial-of-service (DDoS) attacks.

Keyloggers do not cause excessive traffic. DNS attacks involve altering the system that a DNS query directs users to. A buffer overflow attack does not require multiple systems sending requests.

54.

A company has servers in the cloud that they want to keep updated with their operating system's latest security patches as soon as possible. However, the company is worried that the patches may affect the functionality of their servers. 

What type of solution should they implement for this?

  • Test the patches in a sandbox

  • Test the patches in each instance individually

  • Run the patch in half the instances

  • Run the patch in all instances, then roll back if necessary

Correct answer: Test the patches in a sandbox

New patches can be tested in a sandbox environment before being pushed to other systems. If the server passes all tests, then the patch can be applied.

Testing patches in each instance individually would not be necessary because each instance is identical. Running the patch in half the instances could cause instabilities. Running the patch without testing and then rolling back can be more time-consuming and destructive.

55.

A company wants to make it easier for cybersecurity personnel to respond to common types of incidents by making pre-defined procedures that staff can follow. What type of document should they create for this?

  • Playbook

  • DRP

  • BCP

  • Electronic code book

Correct answer: Playbook

Playbooks are pre-defined steps that can be taken in order to respond to a cybersecurity incident. This can ensure that common issues, such as DDoS attacks, are dealt with in a consistent manner.

A disaster recovery plan (DRP) is a comprehensive report on how an organization will restore services after an outage. A business continuity plan (BCP) is a comprehensive report on how an organization can continue operating during an incident. An electronic code book is a mode of operation for block ciphers.

56.

A company with sensitive customer information is upgrading its systems and needs to replace some hard drives. They will send the hard drives to a third party and need to be certain that the data was removed in compliance with legal requirements. 

What should they receive from the third party to verify this?

  • Certification

  • Shredded pieces of the drives

  • Ashes of the drives

  • Chemically broken-down parts of the drives

Correct answer: Certification

Certification of disposal can ensure that there is an audit trail of the drives to be destroyed. It can be used to show that the company is handling data management responsibly.

Shredding, burning, and chemical decomposition are methods of sanitizing drives but do not verify that the data was not accessed before destruction.

57.

Which of the following attacks is OS-based?

  • An attacker exploits a vulnerability in how a system handles file permission to gain root access to the system

  • An attacker tricks a user on the internet into performing an action on a website where they are already authenticated

  • An attacker crafts input for a web form that is SQL code designed to change data in the backend database

  • An attacker impersonates a manager at a company in order to convince an employee to give them sensitive information

Correct answer: An attacker exploits a vulnerability in how a system handles file permission to gain root access to the system

Operating systems (OSs) act as intermediaries between hardware and software programs. An exploit concerning weaknesses with file permissions is an OS-based attack.

An attacker tricking a user on the internet into performing an action on a website where they are already authenticated is a web-based CSRF attack. An attacker crafting input for a web form that is SQL code designed to change data in the backend database is a web-based SQL injection attack. An attacker impersonating a manager at a company in order to convince an employee to give them sensitive information is an example of social engineering.

58.

When a secure hashing algorithm is included with a system that offers non-repudiation, what can be implemented?

  • Digital signatures

  • Steganography

  • Tokenization

  • Open public ledgers

Correct answer: Digital signatures

On their own, hashing functions do not offer non-repudiation, so they cannot guarantee that a message originated from the claimed sender. When hashing is combined with public key cryptography, it can then offer non-repudiation and be used for digital signatures.

Steganography is used to hide messages in other media. Tokenization is used to replace sensitive data with tokens. An open public ledger is used to keep track of transactions. 

59.

What technique adds a hash value to each DNS record so that the data can be verified?

  • DNSSEC

  • IPSec

  • LDAPS

  • DHCP

Correct answer: DNSSEC

DNSSEC can provide integrity to DNS by adding a digital signature to each DNS record. This lets the client know that they have the correct DNS information for the server and that it hasn't been tampered with.

IPSec is used to encrypt and authenticate data packets. LDAPS is used for accessing a directory information service. DHCP is used to allocate IP addresses automatically.

60.

In order for an organization to make informed decisions and to give stakeholders confidence that it has a good security posture, which activity related to the risk management process needs to be completed?

  • Risk reporting

  • Risk transference

  • Risk avoidance

  • Risk exception

Correct answer: Risk reporting

Risk reporting involves presenting risks about an organization to management and stakeholders. It helps them make strategic decisions.

Risk transference is the process of having a third party handle a risk. Risk avoidance is the process of not engaging in a risky activity. Risk exception is the temporary allowance of a risk.