251-300 Flashcards
Which of the following environments utilizes dummy data and is MOST likely to be installed locally on a system that allows code to be assessed directly and modified easily with each build?
a. Production
b. Test
c. Staging
d. Development
d. Development
Explanation:
The development environment is typically where software developers work on code and applications. It is localized on individual developer systems or a dedicated development server. In this environment, dummy data (synthetic or placeholder data) is commonly used for testing and debugging purposes. Developers have the flexibility to assess and modify code easily during the development process, often using version control systems to manage changes. Unlike the production, test, and staging environments, the development environment is less formal and is focused on iterative development and debugging, making it suitable for direct code assessment and frequent modifications.
An analyst receives multiple alerts for beaconing activity for a host on the network. After analyzing the activity, the analyst observes the following activity:
-A user enters comptia.org into a web browser.
-The website that appears is not the comptia.org site.
-The website is a malicious site from the attacker.
-Users in a different office are not having this issue.
Which of the following types of attacks was observed?
a. On-path attack
b. DNS poisoning
c. Locator (URL) redirection
d. Domain hijacking
(Braindump: c. Locator (URL) redirection)
DNS poisoning would affect ALL users in the office. C is the only correct answer here.
“Domain Name System (DNS) poisoning happens when fake information is entered into the cache of a domain name server, resulting in DNS queries producing an incorrect reply, sending users to the wrong website. DNS poisoning also goes by the terms ‘DNS spoofing’ and ‘DNS cache poisoning.’”
(Community: B 79%, C 21%)
ChatGPT:
B. DNS poisoning
Here’s why:
DNS poisoning (also known as DNS spoofing) occurs when a malicious actor alters DNS records to redirect traffic from a legitimate site to a malicious one. In this case, when the user enters "comptia.org" into the web browser, they are redirected to a malicious site instead of the legitimate CompTIA website. This redirection happens because the DNS resolution process has been compromised, resulting in the wrong IP address being returned for the legitimate domain.
Let’s briefly review the other options:
On-path attack (formerly known as man-in-the-middle attack): This involves intercepting and potentially altering communication between two parties. While it could result in redirection to a malicious site, it typically involves active interception rather than altering DNS records.
Locator (URL) redirection: This involves changing the URL or using a URL shortener to redirect users to a different site. This is usually done at the URL level rather than manipulating DNS records.
Domain hijacking: This involves taking control of the entire domain registration, allowing the attacker to control DNS settings and web content for that domain. This scenario specifically indicates that only some users (in a different office) are experiencing the issue, which suggests a localized DNS poisoning rather than full domain control.
Therefore, the most likely attack observed is DNS poisoning.
Which of the following in the incident response process is the BEST approach to improve the speed of the identification phase?
a. Activate verbose logging in all critical assets.
b. Tune monitoring in order to reduce false positive rates.
c. Redirect all events to multiple syslog servers.
d. Increase the number of sensors present on the environment.
b. Tune monitoring in order to reduce false positive rates.
Explanation:
Tuning monitoring to reduce false positive rates involves configuring monitoring systems to more accurately detect and alert on genuine security incidents while minimizing false alarms. False positives can slow down the identification phase by diverting attention and resources from genuine incidents. By fine-tuning monitoring rules and thresholds, security analysts can focus on relevant alerts, leading to quicker identification of potential security incidents. This approach is generally more effective than simply increasing logging verbosity, redirecting events to multiple syslog servers, or adding more sensors, as those actions may increase data volume without necessarily improving the relevance or accuracy of alerts.
A security administrator is analyzing the corporate wireless network. The network only has two access points running on channels 1 and 11. While using airodump-ng, the administrator notices other access points are running with the same corporate ESSID on all available channels and with the same BSSID of one of the legitimate access points. Which of the following attacks is happening on the corporate network?
a. On-path
b. Evil twin
c. Jamming
d. Rogue access point
e. Disassociation
b. Evil Twin attack.
Here’s why:
Evil Twin attack: In this type of attack, a malicious actor sets up a rogue wireless access point (AP) with the same SSID (network name) and often the same BSSID (MAC address) as a legitimate AP in the vicinity. The goal is to trick users and devices into connecting to the rogue AP instead of the legitimate one. Once connected, the attacker can intercept traffic, conduct man-in-the-middle attacks, or lure users into providing sensitive information.
In your case:
The presence of multiple access points with the same ESSID (corporate network name) and the same BSSID as one of the legitimate access points suggests that someone has set up rogue APs to mimic the corporate network. These rogue APs are broadcasting on all available channels, trying to attract devices across the whole wireless spectrum, whereas the legitimate APs in your case use only channels 1 and 11.
When implementing automation with IoT devices, which of the following should be considered FIRST to keep the network secure?
a. Z-Wave compatibility
b. Network range
c. Zigbee configuration
d. Communication protocols
d. Communication protocols
Here’s why:
IoT devices communicate using various protocols such as Wi-Fi, Bluetooth, Zigbee, Z-Wave, and others. The choice of communication protocol significantly impacts the security and functionality of IoT deployments:
Security Features: Different protocols offer varying levels of security features. For example, Zigbee and Z-Wave are designed with mesh networking capabilities and built-in encryption, which can enhance security compared to protocols like Bluetooth, which may require additional security measures.
Interoperability: Ensuring that IoT devices can communicate securely and effectively with each other and with central management systems often depends on selecting compatible communication protocols.
Network Segmentation: Understanding how these protocols operate and interact with other network components is crucial for proper network segmentation and isolation of IoT devices from critical network resources.
Considering communication protocols first allows you to establish a secure foundation for IoT deployments, addressing encryption, authentication, and interoperability requirements from the outset. Therefore, the correct answer is d. Communication protocols.
An organization is concerned that its hosted web servers are not running the most updated version of the software. Which of the following would work BEST to help identify potential vulnerabilities?
a. hping3 -S comptia.org -p 80
b. nc -l -v comptia.org -p 80
c. nmap comptia.org -p 80 -sV
d. nslookup -port=80 comptia.org
c. nmap comptia.org -p 80 -sV.
Here’s why:
nmap is a versatile network scanning tool that can scan hosts for open ports and services. -p 80 specifies that the scan should target port 80, which is commonly used for HTTP traffic. -sV enables version detection, which allows nmap to determine the versions of services running on open ports.
By running this command (nmap comptia.org -p 80 -sV), the organization can discover the versions of software running on the web servers hosted at comptia.org. This information is crucial for identifying whether the software versions are up-to-date or if there are known vulnerabilities associated with the detected versions.
Therefore, c. nmap comptia.org -p 80 -sV is the most appropriate choice to help identify potential vulnerabilities related to outdated software versions on the organization’s hosted web servers.
A news article states hackers have been selling access to IoT camera feeds. Which of the following is the MOST likely reason for this issue?
a. Outdated software
b. Weak credentials
c. Lack of encryption
d. Backdoors
b. Weak credentials.
Here’s why:
IoT devices, including cameras, are often deployed with default or weak credentials (such as username/password combinations like admin/admin or no password at all). These devices are frequently targeted by attackers who scan the internet for devices with known vulnerabilities. Once they find devices with weak credentials, hackers can gain unauthorized access to them.
Selling access to IoT camera feeds implies that hackers have compromised these devices and are exploiting them for financial gain or malicious purposes. Weak credentials make it easy for attackers to brute-force their way into these devices or exploit default credentials that haven’t been changed by users.
While other factors like a. Outdated software, c. Lack of encryption, and d. Backdoors can also contribute to IoT vulnerabilities, weak credentials remain one of the most exploited weaknesses in IoT security, making it the most likely reason in this scenario. Strengthening credentials by using strong, unique passwords and implementing multi-factor authentication (MFA) can significantly mitigate this risk.
A company wants to build a new website to sell products online. The website will host a storefront application that will allow visitors to add products to a shopping cart and pay for the products using a credit card. Which of the following protocols would be the MOST secure to implement?
a. SSL
b. SFTP
c. SNMP
d. TLS
d. TLS (Transport Layer Security).
Here’s why TLS is the best choice:
Encryption: TLS provides encryption of data in transit between the user's browser and the web server. This ensures that sensitive information such as credit card details cannot be intercepted or read by unauthorized parties.
Data Integrity: TLS ensures data integrity, meaning that the data cannot be altered or tampered with while it is being transmitted over the network.
Authentication: TLS supports server authentication, which allows the client (user's browser) to verify the identity of the server it is communicating with. This helps prevent man-in-the-middle attacks where an attacker might impersonate the server.
Compatibility: TLS is widely supported across browsers and devices, making it suitable for ensuring secure communications between clients and servers on the web.
While SSL (Secure Sockets Layer) was its predecessor, TLS has superseded SSL due to various security vulnerabilities found in SSL over time. Therefore, TLS is the current standard for securing web communications and would be the most secure protocol to implement for the new e-commerce website.
An IT manager is estimating the mobile device budget for the upcoming year. Over the last five years, the number of devices that were replaced due to loss, damage, or theft steadily increased by 10%. Which of the following would BEST describe the estimated number of devices to be replaced next year?
a. ALE
b. ARO
c. RPO
d. SLE
b. ARO (Annualized Rate of Occurrence).
Here’s why:
Annualized Rate of Occurrence (ARO) refers to the expected frequency with which a loss event (such as device replacement due to loss, damage, or theft) is anticipated to occur in a given year. It is derived from historical data and trends. In this scenario, the IT manager is using the trend of the past five years, where the number of devices replaced due to loss, damage, or theft increased by 10% annually. This percentage increase provides the ARO for the upcoming year, helping to estimate how many devices may need replacement. ALE (Annualized Loss Expectancy) is related but calculates the expected monetary loss from the occurrence of such events over a year, factoring in the cost of each incident and the ARO. RPO (Recovery Point Objective) and SLE (Single Loss Expectancy) are terms typically associated with disaster recovery and risk management, focusing on data loss scenarios rather than physical device replacement.
An organization is repairing the damage after an incident. Which of the following controls is being implemented?
a. Detective
b. Preventive
c. Corrective
d. Compensating
c. Corrective.
Corrective controls are implemented after an incident has occurred to mitigate the impact or restore affected systems and data to their normal operational state. These controls aim to fix the root cause of the incident and prevent its recurrence. Detective controls are used to detect and identify incidents or anomalies as they occur or shortly after. Preventive controls are implemented to prevent incidents from occurring in the first place. Compensating controls are alternative measures implemented when an original control cannot be applied effectively.
In the context of repairing damage after an incident, the organization is actively addressing the consequences and remedying the situation, which aligns with corrective controls.
A Chief Executive Officer’s (CEO) personal information was stolen in a social-engineering attack. Which of the following sources would reveal if the CEO’s personal information is for sale?
a. Automated information sharing
b. Open-source intelligence
c. The dark web
d. Vulnerability databases
c. The dark web.
The dark web is a part of the internet that is not indexed by traditional search engines and is often used for illicit activities, including the sale of stolen personal information. Open-source intelligence (OSINT) can also be used to gather information from publicly available sources, but it typically focuses on publicly accessible data rather than illicit activities. Automated information sharing and vulnerability databases are more related to technical information sharing and security vulnerabilities, rather than the sale of personal information.
Which of the following typically uses a combination of human and artificial intelligence to analyze event data and take action without intervention?
a. TTP
b. OSINT
c. SOAR
d. SIEM
c. SOAR (Security Orchestration, Automation, and Response).
SOAR platforms integrate security orchestration, automation, and response capabilities to automate incident response workflows. They utilize a combination of human and artificial intelligence (AI) to analyze event data, automate repetitive tasks, and orchestrate responses to security incidents. TTP (Tactics, Techniques, and Procedures) refer to the behavior and actions of threat actors. OSINT (Open-Source Intelligence) refers to intelligence collected from publicly available sources. SIEM (Security Information and Event Management) systems collect, correlate, and analyze security event data but typically require human intervention for action.
A security analyst has been tasked with creating a new WiFi network for the company. The requirements received by the analyst are as follows:
-Must be able to differentiate between users connected to WiFi
-The encryption keys need to change routinely without interrupting the users or forcing reauthentication
-Must be able to integrate with RADIUS
-Must not have any open SSIDs
Which of the following options BEST accommodates these requirements?
a. WPA2-Enterprise
b. WPA3-PSK
c. 802.11n
d. WPS
a. WPA2-Enterprise
Here’s how WPA2-Enterprise aligns with each requirement:
Must be able to differentiate between users connected to WiFi: WPA2-Enterprise uses 802.1X authentication, which allows for individual user authentication through a RADIUS server. Each user has unique credentials, enabling differentiation.
The encryption keys need to change routinely without interrupting the users or forcing reauthentication: WPA2-Enterprise supports dynamic key exchange using protocols like EAP-TLS or PEAP, which allows for frequent key rotation without requiring users to reauthenticate.
Must be able to integrate with RADIUS: WPA2-Enterprise is designed to work with a RADIUS server for centralized authentication, authorization, and accounting.
Must not have any open SSIDs: WPA2-Enterprise does not require an open SSID; it operates with a closed (hidden) SSID by default, enhancing security.
Therefore, WPA2-Enterprise is the most suitable choice that meets all the specified requirements effectively.
A security administrator is trying to determine whether a server is vulnerable to a range of attacks. After using a tool, the administrator obtains the following output:
HTTP/1.0 200 OK
Content-Type: text/html
Server: Apache
root:s9fyf983#:0:1)System Operator:/:/bin/bash
daemon:*:1:1::/tmp:
user1:f1@su3FF:183.100:user:/home/users/user1:/bin/bash
Which of the following attacks was successfully implemented based on the output?
a. Memory leak
b. Race conditions
c. SQL injection
d. Directory traversal
d. Directory traversal
Directory traversal attacks exploit insufficient input validation in web applications to access directories and files outside the intended directory. In this scenario, sensitive information such as user credentials (root, daemon, user1) and their associated details (/bin/bash) are disclosed, indicating a potential vulnerability allowing unauthorized access to system files.
Memory leak: This involves unintended memory access that can lead to unauthorized data disclosure, but the provided output does not directly indicate a memory leak.
Race conditions: These occur when the outcome of a process depends on the timing of other uncontrollable events. The output does not indicate race conditions.
SQL injection: This attack targets databases by injecting malicious SQL code into queries, but the output does not show SQL-related errors or database content.
A Chief Security Officer is looking for a solution that can reduce the occurrence of customers receiving errors from back-end infrastructure when systems go offline unexpectedly. The security architect would like the solution to help maintain session persistence. Which of the following would BEST meet the requirements?
a. Reverse proxy
b. NIC teaming
c. Load balancer
d. Forward proxy
c. Load balancer
Load balancers distribute incoming network traffic across multiple servers to ensure no single server gets overwhelmed, thereby reducing the impact of server outages. They also help maintain session persistence by ensuring that once a client establishes a session with a server, subsequent requests from that client are routed back to the same server. This prevents disruptions in user sessions even if individual servers go offline or are taken out of service temporarily.
a. Reverse proxy:
A reverse proxy is used to handle incoming client requests and distribute them to the appropriate backend servers. While it can help with load distribution and offloading certain tasks from servers, it does not inherently provide session persistence across servers during outages. It focuses more on routing and enhancing security rather than maintaining session state.
b. NIC teaming:
NIC teaming (or network interface card teaming) involves combining multiple network interfaces into a single logical interface to increase bandwidth and redundancy. However, it primarily deals with network interface redundancy and load balancing at the network level, not at the application level where session persistence is managed.
d. Forward proxy:
A forward proxy is used to retrieve data from other servers on behalf of a client. It does not provide load balancing or session persistence features for backend infrastructure. Its primary role is to enhance security and control outbound traffic from clients within a network.
(Braindump: a. Reverse proxy)
Which of the following should an organization consider implementing in the event executives need to speak to the media after a publicized data breach?
a. Incident response plan
b. Business continuity plan
c. Communication plan
d. Disaster recovery plan
c. Communication plan
Explanation:
When executives need to speak to the media after a publicized data breach, it’s crucial to have a well-defined communication plan in place. A communication plan outlines how information about the incident will be communicated both internally and externally, including to the media, customers, stakeholders, and the public. It ensures that messaging is consistent, accurate, and timely, helping to manage the organization’s reputation and maintain public trust during a crisis.
A well-known organization has been experiencing attacks from APTs. The organization is concerned that custom malware is being created and emailed into the company or installed on USB sticks that are dropped in parking lots. Which of the following is the BEST defense against this scenario?
a. Configuring signature-based antivirus to update every 30 minutes
b. Enforcing S/MIME for email and automatically encrypting USB drives upon insertion
c. Implementing application execution in a sandbox for unknown software
d. Fuzzing new files for vulnerabilities if they are not digitally signed
c. Implementing application execution in a sandbox for unknown software.
Explanation:
Sandboxing: This technique involves running potentially risky or unknown software in an isolated environment (sandbox) where its behavior can be observed without affecting the rest of the system. Sandboxing helps prevent malware from spreading or causing harm by containing its activities within a controlled environment.
Email and USB Defense: While options like configuring antivirus to update frequently (option a) and using encryption (option b) are beneficial, they do not directly mitigate the risk of custom malware that may evade signature-based detection or encryption measures. Sandboxing, on the other hand, focuses on behavior analysis, which is crucial for detecting and containing new and unknown threats, such as custom malware.
A company is implementing BYOD and wants to ensure all users have access to the same cloud-based services. Which of the following would BEST allow the company to meet this requirement?
a. IaaS
b. PaaS
c. MaaS
d. SaaS
d. SaaS (Software as a Service).
Explanation:
SaaS (Software as a Service): This cloud computing model allows users to access software applications that are hosted and maintained by a third-party provider via the internet. Users can access these applications from any device with an internet connection, making it ideal for a BYOD environment where users bring their own devices. SaaS applications ensure consistency in service access across different devices and platforms, as the applications are centrally managed and accessed through a web browser or client application.
Other Options:
IaaS (Infrastructure as a Service): Provides virtualized computing resources over the internet, such as virtual machines and storage, but does not directly address application access consistency.
PaaS (Platform as a Service): Provides a platform allowing customers to develop, run, and manage applications without the complexity of building and maintaining the underlying infrastructure. While it supports application development and deployment, it does not necessarily ensure uniform access to third-party SaaS applications.
MaaS (Mobile as a Service): Generally refers to mobile device management services, which focus on managing mobile devices, apps, and content, but do not directly provide uniform access to cloud-based services.
Therefore, SaaS is the most suitable option for ensuring consistent access to cloud-based services across various devices in a BYOD environment.
During a recent security incident at a multinational corporation, a security analyst found the following logs for an account called user:
Account   Login location   Time (UTC)   Message
user      New York         9:00 am      Login: user, successful
user      Los Angeles      9:01 am      Login: user, successful
user      Sao Paulo        9:05 am      Login: user, successful
user      Munich           9:12 am      Login: user, successful
Which of the following account policies would BEST prevent attackers from logging in as user?
a. Impossible travel time
b. Geofencing
c. Time-based logins
d. Geolocation
a. Impossible travel time
Here’s why:
Impossible travel time: This policy detects and prevents logins from locations that are geographically too far apart to be possible within a given timeframe. In this case, the logins from New York, Los Angeles, Sao Paulo, and Munich all occurring within minutes of each other indicate a clear case of impossible travel time. Implementing this policy would block such suspicious login attempts based on the unrealistic travel times between the locations.
Let’s briefly review the other options:
Geofencing: Geofencing restricts access based on predefined geographic boundaries. While this can be effective for limiting logins to certain locations, it wouldn't specifically address the issue of multiple, simultaneous logins from different locations.
Time-based logins: This policy restricts logins to certain times of the day. While it can enhance security, it wouldn't prevent logins from different locations in quick succession unless those times were also unrealistic for travel.
Geolocation: Geolocation tracks the physical location from which a login attempt is made and can be used to enhance security by verifying if the login location is typical for the user. However, it does not specifically address the scenario of multiple rapid logins from different locations unless combined with an impossible travel time check.
Therefore, the impossible travel time policy is the most appropriate and effective in preventing the kind of suspicious login activity described in the logs.
An organization is tuning SIEM rules based on threat intelligence reports. Which of the following phases of the incident response process does this scenario represent?
a. Lessons learned
b. Eradication
c. Recovery
d. Preparation
d. Preparation.
Explanation:
Preparation in the incident response process involves activities such as enhancing monitoring and detection capabilities, which includes tuning SIEM rules based on threat intelligence. By leveraging threat intelligence reports, organizations can proactively adjust their detection mechanisms (such as SIEM rules) to better identify and respond to potential threats. This phase focuses on readiness and involves actions taken before an incident occurs to improve the organization's ability to detect, respond to, and recover from security incidents effectively.
Other Options Explained:
Lessons learned: This phase occurs after an incident has been resolved, where the organization conducts a retrospective analysis to identify what went well and what could be improved in handling similar incidents in the future.
Eradication: This phase involves the removal of threats from affected systems and networks during an active incident response process.
Recovery: This phase follows eradication and involves restoring affected systems and data to normal operation after an incident.