CompTIA Security+ (SY0-601) Exam Questions

Page 5 of 50

81.

An attacker intercepts a user's authentication mechanism to a system and reuses it to gain unauthorized access to the system. What type of attack is being done in this scenario?

  • Credential replay

  • DDoS

  • CSRF

  • Downgrade attack

Correct answer: Credential replay

A credential replay, or session replay, intercepts and reuses authentication credentials to gain unauthorized access. This can involve capturing usernames and passwords or session tokens.

A distributed denial of service (DDoS) attempts to take down a system by flooding it with network traffic. A cross-site request forgery (CSRF) attack involves tricking a user into making unintended requests to a web application where they are authenticated. A downgrade attack is an attack that forces a server to negotiate to use a weaker protocol.

82.

After completing a risk assessment, a company is determining their risk management strategies. In regard to installing screen filters to discourage shoulder surfing, the company has decided they will not implement this control and has received formal approval from management for this decision. 

What type of risk management strategy are they taking toward screen filters?

  • Accept: exemption

  • Accept: exception

  • Transfer

  • Avoid

Correct answer: Accept: exemption

When a company accepts a risk, they acknowledge the risk but choose not to mitigate it. If the risk is accepted and it is signed off by management, it is an exemption.

An accepted risk that is an exception is less formal than an exemption. A risk that is transferred is shifted to another organization. Avoiding a risk means eliminating the risky activity altogether.

83.

Which of the following categories of controls is made up of policies, guidelines, and procedures?

  • Managerial

  • Operational

  • Technical

  • Physical

Correct answer: Managerial

Security controls can be classified into four categories:

  • Managerial: Managerial/administrative controls are policies, procedures, or guidelines. An organization's managerial controls are developed first and used as the basis for designing and implementing other security controls.
  • Operational: Operational controls help an organization maintain normal operations. Backups or a policy stating that a system should be regularly reset are examples of operational controls.
  • Technical: Technical/logical controls implement access management for a particular resource. Firewalls, passwords, encryption, and group policies are all examples of technical controls.
  • Physical: Physical controls help to manage or prevent physical access to an organization's building, systems, etc. Fences, locked doors, etc. are examples of physical controls.

84.

A grocery store contracts with a third party to develop their mobile application. Each time they want to add a new feature to the app, they want to send over a formal document that outlines the individual tasks to be performed, along with timelines. 

What type of document should they use for this?

  • SOW

  • MOU

  • SLA

  • BPA

Correct answer: SOW

A statement of work (SOW) is a document that outlines how a particular task should be completed. It can include the deadline, deliverables, and payment information.

A memorandum of understanding (MOU) is a document that shows the intent of two organizations to work together. A service level agreement (SLA) is a document that outlines how a vendor provides its services. A business partnership agreement (BPA) describes the roles and responsibilities of each partner, as well as how they divide profits.

85.

MD5 is a common hashing algorithm that was determined to be vulnerable with the advent of increased computing power but is still used to verify the integrity of files, emails, etc. Of the following vulnerabilities, which is MD5 MOST susceptible to?

  • Collision

  • Man-in-the-middle

  • Brute force

  • Decryption

Correct answer: Collision

A collision happens when two different files produce the same MD5 hash, which undermines the hash's value as an integrity check. MD5 is also vulnerable to rainbow table attacks and pre-image attacks. Despite these vulnerabilities, MD5 is still used to verify files downloaded from the internet, executable files, sensitive information, and more.

Man-in-the-middle attacks are likely in unencrypted networking protocols such as HTTP. Brute force attacks are likely with weak passwords. Decryption is likely with weak encryption protocols.

86.

The identities of an organization's customers are tracked using ID numbers rather than names or other personal data. This is an example of which of the following privacy-enhancing technologies?

  • Tokenization

  • Data masking

  • Anonymization

  • Data minimization

Correct answer: Tokenization

An organization can use a few different privacy-enhancing technologies to protect sensitive data, including:

  • Data Minimization: Data minimization involves collecting and storing only sensitive data that the organization actually needs. This is the most effective method of protecting sensitive data because an organization can't breach/leak data it doesn't have.
  • Data Masking: Data masking involves replacing sensitive data with non-sensitive characters. For example, receipts commonly have all but the last four digits of a credit card number masked with asterisks/dots.
  • Tokenization: Tokenization replaces sensitive data with a non-sensitive token that can be used on systems that don't actually need the original data. A lookup table mapping tokens to data is kept to look up the original data when needed.
  • Anonymization: Anonymization totally removes personally identifiable information (PII) from a user's records. However, true anonymization is difficult to achieve since data may be deanonymized using external data sources.
  • Pseudo-Anonymization: Pseudo-anonymization is when PII is replaced by a random token.

87.

Which type of security control includes policies and procedures that employees should follow?

  • Directive

  • Deterrent

  • Corrective

  • Compensating

Correct answer: Directive

Directive controls are used to inform employees about how they can achieve security objectives. Some examples include policies and standard operating procedures.

Deterrent controls try to dissuade an attacker from starting an attack. Corrective controls fix issues that have already occurred. Compensating controls mitigate risks that were introduced due to exceptions that were made.

88.

An organization is looking to adopt a cloud model to augment its internal network through a VPN connection with the cloud. The executives are concerned that sensitive information sent to and from the cloud might be a target for attackers. 

What should always be implemented when transferring data between the internal network and the cloud?

  • Encryption

  • Permissions

  • Security groups

  • High availability

Correct answer: Encryption

Encryption scrambles data so that it cannot be read by anyone but the intended recipient. Only the person with the decryption key can read the message. Implementing encryption in the cloud ensures that eavesdropping is not effective.

Permissions do not protect data in transit. Security groups are used to create rules for network traffic. High availability is used to add resilience.

89.

Which threat vector can be identified by performing regular scans on internal networks?

  • Open service ports

  • Watering holes

  • Memory leaks

  • Removable devices

Correct answer: Open service ports

Systems should not run any services they don't need. By scanning all systems on a network, systems with open service ports can be identified and then fixed.

Watering holes are compromised sites that a user frequently visits. Memory leaks are detected by analyzing applications. Removable devices, such as USB drives or DVDs, are detected by scanning the device itself.

90.

Terraforma Landscaping is overhauling their workstation and server environment to be better protected, but they realize they are not aware of what threats they may encounter. What can they use to determine the number of threats against their organization's network and computers?

  • Risk assessment

  • Incident response

  • Compliance monitoring

  • User guidance and training

Correct answer: Risk assessment

Risk assessment is the attempt to determine the number of threats or hazards that could possibly occur in a given amount of time to your computers and networks. Risk assessment takes into account current and future threats.

Incident response is used when handling security breaches. Compliance monitoring is used to ensure processes meet standards. User guidance and training is used for implementing security awareness.

91.

Which of the following is commonly used by VMs and tools like Windows System Restore and macOS's Time Machine?

  • Snapshot

  • Full backup

  • Partial backup

  • Differential backup

Correct answer: Snapshot

The three main types of backups are:

  • Full: Makes a backup of everything and clears the archive bit on all files.
  • Incremental: Backs up only the files that have been changed since the last incremental or full backup (i.e., only those with archive bits set) and clears the archive bits.
  • Differential: Backs up only the files that have been changed since the last full backup. Does not change the archive bits.

Snapshots are used to save the state of a computer at a particular point in time. These are common in VMs, but also used by Windows System Restore and macOS's Time Machine.

92.

After deploying a new business system application, a security administrator discovered a potentially misconfigured piece of software that may lead to a weakness. They are concerned that there may be more, but they do not want to impact the system's performance as it is already in use in the organization. 

Which of the following should they perform?

  • Vulnerability scan

  • Penetration test

  • PING sweep

  • Risk assessment

Correct answer: Vulnerability scan

Vulnerability scans can detect and locate not only vulnerabilities and missing security controls, but also potentially misconfigured systems. Because these misconfigurations, typically default settings, can leave vulnerabilities in a system, they are quickly spotted by these types of scanners. Misconfigurations are relatively easy to fix, so it is effective to document and resolve them quickly.

A penetration test actively tries to exploit weaknesses. A PING sweep is used to discover systems within an IP address range. A risk assessment identifies all risks facing an organization.

93.

An organization is rolling out a DLP system, and they have already configured it on the network. They want to ensure that all the gaps are covered, so they run it on all servers and computers in the environment. 

What type of DLP system runs on every server and computer on the network to avoid data leakage from each system?

  • Endpoint

  • Dissolvable agent

  • Network

  • Remediation

Correct answer: Endpoint

Endpoint systems run on individual client and server computers. They control data leakage and alert an administrator if an attempted confidentiality breach occurs. They can sometimes take too many resources, in which case a network-based DLP is preferred.

A dissolvable agent is used with NAC. A network DLP is positioned at points on a network where data must travel through to exit. A remediation server is used with NAC.

94.

Users at Smith Industries are reporting an unusual wireless access point that is showing up on their laptops. A few users have reportedly connected to it and have been receiving warnings while accessing local intranet sites. 

What is the name for an unauthorized wireless access point that is able to access the network?

  • Rogue access point

  • Cross-site scripting

  • Watering hole

  • Wi-Fi analyzer

Correct answer: Rogue access point

Any access point to the network should require authentication through a username and password. A rogue access point is a Wi-Fi access point that an attacker has attached to the network, allowing an unauthorized person to access the network from a wireless device.

Cross-site scripting is an attack in which an attacker inserts malicious code into a web page. A watering hole attack compromises a site frequently visited by the targeted user. A Wi-Fi analyzer scans nearby wireless networks.

95.

What type of artifact is created by a site survey to keep track of how strong wireless signals are at different points of a location?

  • Heat map

  • Hot site

  • SFP

  • GBIC

Correct answer: Heat map

A heat map is a document that shows the wireless signal at different points at a site. It can be made by taking measurements at different points and overlaying them on a floorplan.

A hot site is a backup location that has a current copy of all data and can be switched to in case of an incident. Small form-factor pluggables (SFPs) and gigabit interface converters (GBICs) are hot-swappable network interfaces.

96.

Which concept is used in risk analysis to describe the numerical chance of a specific event occurring?

  • Probability

  • Impact

  • Threshold

  • Likelihood

Correct answer: Probability

Probability shows the possibility of a risk materializing. It is usually quantified as a number between 0 and 10, with 10 being the highest.

Impact is the consequence of an event happening. A threshold is the amount of risk an organization is willing to take. Likelihood describes the chances of an event occurring in qualitative terms.

97.

An attacker starts their attack by using open-source intelligence to identify a target. They then use a spear-phishing email with a malicious link enticing the recipient to click on it. The user is curious and visits the site, where they are prompted for a username and password. The user enters the credentials, which are promptly sent to the attacker, who uses them to gain access to the organization's network.

Which of the following could have prevented this attack?

  • User education

  • Antivirus

  • Strict firewall rules

  • Strict spam filters

Correct answer: User education

Untrained users can pose a significant threat to an organization's network security. One click can provide attackers with access, especially when the user is tricked into providing their network credentials. This would appear to the organization as a legitimate login, so it would be difficult to detect without more sophisticated hardware and software.

Antivirus is used to prevent and detect malware. Firewall rules are used to block certain types of traffic. Spam filters are used to block unwanted emails.

98.

Which of the following types of log files is MOST likely to include information on HTTP sessions?

  • Web

  • Application

  • Network

  • System

Correct answer: Web

An incident response strategy may use various types of log files, including:

  • Network: Routers, switches, and similar devices can log messages and forward them to a syslog server.
  • System: The Windows system log file stores information about issues with the operating system such as failed drivers or a system shutdown.
  • Application: The Windows application log file allows applications to record data regarding events.
  • Security: The Windows security log file stores security-related event information such as failed logon attempts.
  • Web: The web log file stores information about web requests, such as those to HTTP servers.
  • DNS: DNS log files record important DNS server events, such as zone transfers.
  • Authentication: Authentication logs record successful and failed logon attempts.
  • Dump Files: Dump files are created when an application crashes, recording information that can be used to fix the issue.
  • VoIP and Call Managers: VoIP and call manager logs record information about VoIP calls performed on the system.
  • SIP Traffic: Session Initiation Protocol (SIP) logs record information about VoIP calls and videoconferencing performed on the network.

99.

An email appears in a user's inbox indicating that they have won a free tablet; however, it has limited availability, so the user must act soon, or it may be too late. Which of the following phishing principles is this an example of?

  • Scarcity

  • Familiarity

  • Trust

  • Authority

Correct answer: Scarcity

Scarcity exploits the human emotion of feeling lucky and then suggests that there is a limited quantity, so the user feels the need to act quickly. These scams are often coupled with urgency to make the user think the "offer" is going to expire.

Familiarity relies on the target liking the organization the attacker pretends to represent. Trust relies on a connection with the individual. Authority relies on users obeying someone who claims to be in a higher position.

100.

Which type of sensor detects movement by sensing frequency alterations?

  • Microwave

  • Ultrasonic

  • Infrared

  • Pressure

Correct answer: Microwave

Microwave sensors emit microwaves and then detect the reflected waves. If the reflected waves have a change in frequency, it indicates that there is movement.

Ultrasonic sensors use sound waves and rely on echoes. Infrared sensors use heat signatures. Pressure sensors detect touches or changes in air pressure.