CompTIA Security+ (SY0-601) Exam Questions

Page 8 of 50

141.

Which of the following types of NIDS requires frequent updates to be effective?

  • Signature-based

  • Anomaly-based

  • Heuristic-based

  • Behavior-based

Correct answer: Signature-based

A signature-based NIDS maintains a database of signatures that describe unique features of known threats. Based on these signatures, it can detect attack traffic with a very low false positive rate. However, it is blind to zero-day attacks and requires frequent signature updates.

An anomaly-based (or behavior-based) IDS develops a baseline of normal behavior and looks for deviations from that baseline. This can detect zero-day attacks but is also prone to false positives. A heuristic or rule-based system uses predefined rules to detect potentially suspicious or malicious behavior. For example, a system may be configured to alert on an excessive volume of a certain type of packet because this traffic pattern is known to be associated with a DDoS attack.

142.

A penetration tester was hired by Smith Industries to evaluate their web application for security. Test results indicate that the server has SSL 2, TLS 1.1, and TLS 1.2 enabled, uses input validation on a username and password field, performs server-side validation, and uses a WAF. 

Which of the following should be performed to enhance security?

  • Disable SSL

  • Disable TLS

  • Disable server-side validation and enable client-side validation

  • Disable the WAF

Correct answer: Disable SSL

Although the terms are often used interchangeably, SSL and TLS are not the same; SSL has been replaced by the more secure TLS. SSL presents a risk due to vulnerabilities such as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack and can be exploited if left enabled on a server. Attackers can essentially force a web application to use SSL if it is enabled and exploit this weaker implementation.

Both server-side and client-side validation are important for application security. A web application firewall (WAF) is useful for protecting a web application.

143.

Anders Insurance Agency has discovered that malware on one of their internal computers has been exfiltrating user information. But the malware is unfamiliar and not registering with their antivirus/anti-malware programs. They alert a cybersecurity agency, which investigates and discovers that the malware is originating from an infected government site for an insurance regulatory authority that Anders Insurance visits regularly.

Which of the following is the BEST description of what has occurred?

  • Watering hole attack

  • Phishing

  • Whaling

  • Typosquatting

Correct answer: Watering hole attack

A watering hole attack targets sites that its victims use most often. After infecting the site and configuring it to deliver malware, the attacker waits for their target to use the site and become infected, and then the attacker can carry out additional objectives, such as exfiltrating information.

A phishing attack involves baiting users to divulge sensitive information. A whaling attack is a targeted attack against a high-value individual. A typosquatting attack involves registering a domain name similar to a legitimate site.

144.

A sales employee at a company has a potential client at the office. The company does not have a guest Wi-Fi network, so the employee uses their device to share their network connection with the potential client. 

What type of threat is occurring at the company?

  • Shadow IT

  • Organized crime

  • Nation-state

  • Hacktivist

Correct answer: Shadow IT

Shadow IT occurs when individuals implement their own technology solutions because the company's IT does not meet their needs. Oftentimes, these activities go unnoticed by IT staff, and shadow IT can expose sensitive data to unauthorized users.

Organized crime uses sophisticated means to hack high-value targets. Nation-states are characterized as advanced persistent threats. Hacktivists typically try to deface public-facing websites to promote their message.

145.

The SHA hash algorithms would be MOST useful for providing which of the following guarantees?

  • Integrity

  • Key exchange

  • Authentication

  • Encryption

Correct answer: Integrity

A cipher suite describes the set of cryptographic algorithms used to provide confidentiality, integrity, and authenticity for an SSL/TLS session. A few different types of algorithms can be used, including:

  • Key exchange: RSA, Diffie-Hellman, and Elliptic Curve Diffie-Hellman (ECDH) can be used to create a shared secret key over an insecure channel.
  • Authentication: Algorithms such as RSA, DSA, and ECDSA can be used to authenticate the identity of the sender of a message.
  • Encryption: Algorithms such as RC4, RSA, and AES can be used to protect the confidentiality of a message's contents.
  • Integrity: Algorithms such as the SHA hash algorithms can ensure the integrity of a message.

146.

Which factor primarily motivates organized crime?

  • Financial gain

  • Political beliefs

  • Espionage

  • Revenge

Correct answer: Financial gain

Organized crime is primarily interested in financial gain. They often engage in activities such as ransomware and identity theft to make a profit.

Hacktivists are motivated by political beliefs. Nation-states and competing organizations are motivated by espionage. Disgruntled employees can be motivated by revenge.

147.

A security testing group is interested in analyzing current threats and trends in the digital landscape. They want to attract and trap potential attackers in order to learn about and counteract hacking attempts. 

What type of technology should they use for this?

  • Honeypot

  • Firewall

  • Proxy

  • Rootkit

Correct answer: Honeypot

A honeypot attracts the hacker away from the real network to isolate them in a monitored area. It contains dummy resources and data to look like it's of value to the attacker. The attacker's methods are then analyzed and studied to improve security overall. Honeypots are capable of catching threats because they present an attractive target for attackers; they entice hackers to try any methods they have to gain access to the target.

A firewall allows or denies traffic based on a ruleset. A proxy handles requests between a client and server. A rootkit is a tool that an attacker uses to get administrative access to a system.

148.

What type of protected data includes copyrights and trademarks?

  • Intellectual property

  • PHI

  • PII

  • Biometric

Correct answer: Intellectual property

Intellectual property is the result of an individual or organization's creative work. It includes trademarks, copyrights, patents, and trade secrets.

Personal health information (PHI) is an individual's protected medical data. Personally identifiable information (PII) is information such as driver's licenses and passports. Biometric information is data such as fingerprints or iris scans.

149.

Which of the following is an integrated circuit that includes all the functionality of a computing system within the hardware, typically including an application contained in read-only memory (ROM), EEPROM, or flash memory?

  • SoC

  • SCADA

  • ICS

  • RTOS

Correct answer: SoC

A system on a chip (SoC) is a fully self-contained computing system contained within the hardware itself. These systems usually contain an application loaded onto read-only memory, electrically erasable programmable read-only memory (EEPROM), or flash memory to provide a specific function or service. Many mobile devices contain an SoC, and many IoT systems, such as embedded sensors, are built on an SoC.

SCADA and ICS are used for industrial systems. A real-time operating system (RTOS) is an OS designed for fast performance.

150.

An administrator wants to ensure that a file is not tampered with. To do so, they use a function that takes the file as input and creates a unique, repeatable output from it. If the file is subsequently changed, then the function's output would also change from the original. 

What is this an example of?

  • Hashing

  • Salting

  • Tokenization

  • Data masking

Correct answer: Hashing

A hash function is a mathematical procedure that converts a variable-sized amount of data into a smaller block of data. It's designed to take an arbitrary data block from a file or message, use it as input, and, from that block, produce a fixed hash value that can be verified by the recipient.

Salting is the process of making a password more secure by adding random characters. Tokenization involves replacing real data with placeholder data that can be retrieved later. Data masking involves hiding sensitive data with fake data.

151.

As a security analyst, you have been tasked with performing a vulnerability scan against the organization's network. Of the following tools, which would NOT achieve this?

  • Autopsy

  • Nessus

  • OpenVAS

  • Nexpose

Correct answer: Autopsy

Nessus, Nexpose, and OpenVAS are all examples of vulnerability scanners that could be used to test for vulnerabilities in an organization's network. 

Autopsy is a tool that can be used along with The Sleuth Kit for forensic analysis. Autopsy is not a vulnerability scanner.

152.

Which of the following types of injection can be used to extract data from a customer database?

  • SQL injection

  • DLL injection

  • LDAP injection

  • XML injection

Correct answer: SQL injection

  • An SQL injection attack places malicious content in an SQL query to change the information being requested from a database.
  • Dynamic-link library (DLL) injection forces a program to load a malicious DLL and run the malicious code that it contains.
  • Lightweight Directory Access Protocol (LDAP) injection is designed to abuse directory services databases that store information about computers, networks, and users.
  • Extensible Markup Language (XML) injection sends malicious content to a web application that uses that XML data.

153.

A security firm wants to ensure that their messages are secure and authentic. They want to provide encryption to these messages through various digital signatures and certificates. 

Which of the following is a large system of software, policies, and procedures used for digital signatures and certificates?

  • PKI

  • HSM

  • TPM

  • FDE

Correct answer: PKI

A public key infrastructure (PKI) is an entire system of hardware and software, policies and procedures, and people. It's used to distribute, manage, store, and revoke digital certificates. The public key is only able to encrypt information and the private key is only able to decrypt information. The public and private keys are matched, so that information encrypted with the public key can only be decrypted by the associated private key.

A hardware security module (HSM) is a hardware device that handles key management and cryptographic operations. The Trusted Platform Module (TPM) is a component that ensures systems are secure. Full-device encryption (FDE) is used to automatically encrypt hard drives.

154.

Which term measures in percentage terms the magnitude of loss or damage if a risk occurs?

  • Exposure factor

  • Risk threshold

  • SLE

  • ARO

Correct answer: Exposure factor

The exposure factor (EF) is a percentage that shows the magnitude of loss or damage if a risk occurs. It is important for making valuations of assets.

The risk threshold is the amount of risk an organization is willing to take. The single loss expectancy (SLE) measures the impact of the loss of a single item. The annualized rate of occurrence (ARO) is the number of times an event occurs per year.

155.

Which of the following policies outlines how an organization will keep operating, even during an incident?

  • Business continuity plan

  • Disaster recovery plan

  • SDLC

  • AUP

Correct answer: Business continuity plan

A business continuity plan is a strategy for maintaining operations as an incident is occurring, including failover plans and an analysis of potential risks and how to manage them.

A disaster recovery plan is a plan for restoring the organization to normal operations after an incident. The software development lifecycle (SDLC) is a framework for developing and maintaining applications. An acceptable use policy (AUP) is a policy that outlines how users can properly use IT resources.

156.

Which technical implication of a failed change management process can result in a large revenue loss due to a system remaining offline?

  • Downtime

  • Service restart

  • Application restart

  • Dependencies

Correct answer: Downtime

Downtime refers to the time when a system is offline due to technical difficulties. This has the greatest effect on revenue loss if an organization does not have a business continuity plan in place.

Service and application restarts represent a potential vulnerability as security controls may not all be brought online at the same time. Dependencies occur when one system requires another system in order to operate.

157.

Which governance structure is responsible for creating and enforcing laws?

  • Government entities

  • Committees

  • Boards

  • Task forces

Correct answer: Government entities

Government entities are the governance structures with the ability to create and enforce laws. They also provide public services. 

Committees are internal groups that are formed for a specific purpose. Boards are groups that provide strategic guidance to an organization. Task forces are formed to tackle specific challenges.

158.

What list is provided by the MITRE Corporation to give security administrators up-to-date information on vulnerabilities?

  • CVE

  • CVSS

  • TAXII

  • TSIG

Correct answer: CVE

Administrators should always stay up-to-date on the latest vulnerabilities with lists such as the Common Vulnerabilities and Exposures (CVE). MITRE provides a list of common vulnerabilities that can be found in applications and operating systems so administrators can respond and patch any vulnerable system.

The Common Vulnerability Scoring System (CVSS) is used to measure and describe the severity of vulnerabilities. TAXII is a cybersecurity information-sharing protocol. TSIG is a protocol extension to DNS.

159.

Which practice is used to ensure that the third-party libraries an organization uses are free from vulnerabilities?

  • Package monitoring

  • Dynamic analysis

  • Static analysis

  • Error handling

Correct answer: Package monitoring

Package monitoring is a way to identify issues with third-party libraries that an organization uses. There are tools that can be used to automate this by performing updates and checking for new dependencies.

Dynamic analysis is a method for examining an application while running it. Static analysis is used to examine an application without running it. Error handling is used to deal with errors in a way that does not expose information to possible attackers.

160.

Which component of the control plane in a zero trust cybersecurity model provides context to user authentication?

  • Adaptive identity

  • Threat scope reduction

  • Policy-driven access control

  • Policy administrator

Correct answer: Adaptive identity

Adaptive identity takes context into account when granting access rights. It considers factors such as where the user is logging in from, what device they are using, and whether their device meets security standards.

Threat scope reduction refers to limiting the attack surface that can be exploited in a breach. Policy-driven access control refers to the automation of enforcing security policies. A policy administrator communicates with the data plane using decisions based on the policy engine.