CompTIA 301-350 Flashcards

1
Q

A security analyst is investigating an incident to determine what an attacker was able to do on a compromised laptop. The analyst reviews the following SIEM log:

Which of the following describes the method that was used to compromise the laptop?

A. An attacker was able to move laterally from PC1 to PC2 using a pass-the-hash attack.
B. An attacker was able to bypass application whitelisting by emailing a spreadsheet attachment with an embedded PowerShell in the file.
C. An attacker was able to install malware to the C:\asdf234 folder and use it to gain administrator rights and launch Outlook.
D. An attacker was able to phish user credentials successfully from an Outlook user profile

A

B. An attacker was able to bypass application whitelisting by emailing a spreadsheet attachment with an embedded PowerShell in the file.

2
Q

A security analyst discovers that a company’s username and password database was posted on an Internet forum. The usernames and passwords are stored in plain text. Which of the following would mitigate the damage done by this type of data exfiltration in the future?

A. Create DLP controls that prevent documents from leaving the network.
B. Implement salting and hashing.
C. Configure the web content filter to block access to the forum.
D. Increase password complexity requirements.

A

B. Implement salting and hashing.

3
Q

Joe, an employee, receives an email stating he won the lottery. The email includes a link that requests a name, mobile phone number, address, and date of birth be provided to confirm Joe’s identity before sending him the prize. Which of the following BEST describes this type of email?

A. Spear phishing
B. Whaling
C. Phishing
D. Vishing

A

C. Phishing

4
Q

A company deployed a WiFi access point in a public area and wants to harden the configuration to make it more secure. After performing an assessment, an analyst identifies that the access point is configured to use WPA3, AES, WPS, and RADIUS. Which of the following should the analyst disable to enhance the access point security?

A. WPA3
B. AES
C. RADIUS
D. WPS

A

D. WPS

5
Q

Which of the following would be used to find the MOST common web-application vulnerabilities?

A. OWASP
B. MITRE ATT&CK
C. Cyber Kill Chain
D. SDLC

A

A. OWASP

6
Q

A network engineer is troubleshooting wireless network connectivity issues that were reported by users. The issues are occurring only in the section of the building that is closest to the parking lot. Users are intermittently experiencing slow speeds when accessing websites and are unable to connect to network drives. The issues appear to increase when laptop users return to their desks after using their devices in other areas of the building. There have also been reports of users being required to enter their credentials on web pages in order to gain access to them. Which of the following is the MOST likely cause of this issue?

A. An external access point is engaging in an evil-twin attack.
B. The signal on the WAP needs to be increased in that section of the building.
C. The certificates have expired on the devices and need to be reinstalled.
D. The users in that section of the building are on a VLAN that is being blocked by the firewall

A

A. An external access point is engaging in an evil-twin attack.

7
Q

A security administrator suspects there may be unnecessary services running on a server. Which of the following tools will the administrator MOST likely use to confirm the suspicions?

A. Nmap
B. Wireshark
C. Autopsy
D. DNSEnum

A

A. Nmap

8
Q

A vulnerability has been discovered and a known patch to address the vulnerability does not exist. Which of the following controls works BEST until a proper fix is released?

A. Detective
B. Compensating
C. Deterrent
D. Corrective

A

B. Compensating

9
Q

While reviewing pcap data, a network security analyst is able to locate plaintext usernames and passwords being sent from workstations to network switches. Which of the following is the security analyst MOST likely observing?

A. SNMP traps
B. A Telnet session
C. An SSH connection
D. SFTP traffic

A

B. A Telnet session

10
Q

An attacker replaces a digitally signed document with another version that goes unnoticed. Upon reviewing the document’s contents, the author notices some additional verbiage that was not originally in the document but cannot validate an integrity issue. Which of the following attacks was used?

A. Cryptomalware
B. Hash substitution
C. Collision
D. Phishing

A

B. Hash substitution

11
Q

A security analyst notices that specific files are being deleted each time a systems administrator is on vacation. Which of the following BEST describes the type of malware that is running?

A. Fileless virus
B. Logic bomb
C. Keylogger
D. Ransomware

A

B. Logic bomb

12
Q

Which of the following involves the inclusion of code in the main codebase as soon as it is written?

A. Continuous monitoring
B. Continuous deployment
C. Continuous validation
D. Continuous integration

A

D. Continuous integration

13
Q

Which of the following can reduce vulnerabilities by avoiding code reuse?

A. Memory management
B. Stored procedures
C. Normalization
D. Code obfuscation

A

D. Code obfuscation

14
Q

The technology department at a large global company is expanding its Wi-Fi network infrastructure at the headquarters building. Which of the following should be closely coordinated between the technology, cybersecurity, and physical security departments?

A. Authentication protocol
B. Encryption type
C. WAP placement
D. VPN configuration

A

C. WAP placement

15
Q

Which of the following is an example of risk avoidance?

A. Installing security updates directly in production to expedite vulnerability fixes
B. Buying insurance to prepare for financial loss associated with exploits
C. Not installing new software to prevent compatibility errors
D. Not taking preventive measures to stop the theft of equipment

A

C. Not installing new software to prevent compatibility errors

16
Q

A security administrator needs to block a TCP connection using the corporate firewall. Because this connection is potentially a threat, the administrator does not want to send back an RST. Which of the following actions in the firewall rule would work BEST?

A. Drop
B. Reject
C. Log alert
D. Permit

A

A. Drop

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

A security team discovered a large number of company-issued devices with non-work-related software installed. Which of the following policies would MOST likely contain language that would prohibit this activity?

A. NDA
B. BPA
C. AUP
D. SLA

A

C. AUP

18
Q

Which of the following BEST describes data streams that are compiled through artificial intelligence that provides insight on current cyberintrusions, phishing, and other malicious cyberactivity?

A. Intelligence fusion
B. Review reports
C. Log reviews
D. Threat feeds

A

D. Threat feeds

19
Q

Which of the following would be the BEST resource for a software developer who is looking to improve secure coding practices for web applications?

A. OWASP
B. Vulnerability scan results
C. NIST CSF
D. Third-party libraries

A

A. OWASP

20
Q

Ann, a customer, received a notification from her mortgage company stating her PII may be shared with partners, affiliates, and associates to maintain day-to-day business operations. Which of the following documents did Ann receive?

A. An annual privacy notice
B. A non-disclosure agreement
C. A privileged-user agreement
D. A memorandum of understanding

A

A. An annual privacy notice

21
Q

A Chief Information Security Officer (CISO) is evaluating the dangers involved in deploying a new ERP system for the company. The CISO categorizes the system, selects the controls that apply to the system, implements the controls, and then assesses the success of the controls before authorizing the system. Which of the following is the CISO using to evaluate the environment for this new ERP system?

A. The Diamond Model of Intrusion Analysis
B. CIS Critical Security Controls
C. NIST Risk Management Framework
D. ISO 27002

A

C. NIST Risk Management Framework

22
Q

A manufacturing company has several one-off legacy information systems that cannot be migrated to a newer OS due to software compatibility issues. The OSs are still supported by the vendor, but the industrial software is no longer supported. The Chief Information Security Officer has created a resiliency plan for these systems that will allow OS patches to be installed in a non-production environment, while also creating backups of the systems for recovery. Which of the following resiliency techniques will provide these capabilities?

A. Redundancy
B. RAID 1+5
C. Virtual machines
D. Full backups

A

C. Virtual machines

23
Q

A retail store has a business requirement to deploy a kiosk computer in an open area. The kiosk computer’s operating system has been hardened and tested. A security engineer is concerned that someone could use removable media to install a rootkit. Which of the following should the security engineer configure to BEST protect the kiosk computer?

A. Measured boot
B. Boot attestation
C. UEFI
D. EDR

A

B. Boot attestation

24
Q

A security engineer is reviewing the logs from a SAML application that is configured to use MFA. During this review, the engineer notices a high volume of successful logins that did not require MFA from users who were traveling internationally. The application, which can be accessed without a VPN, has a policy that allows time-based tokens to be generated. Users who change locations should be required to reauthenticate but have been able to log in without doing so. Which of the following statements BEST explains the issue?

A. OpenID is mandatory to make the MFA requirements work.
B. An incorrect browser has been detected by the SAML application.
C. The access device has a trusted certificate installed that is overwriting the session token.
D. The user’s IP address is changing between logins, but the application is not invalidating the token.

A

D. The user’s IP address is changing between logins, but the application is not invalidating the token.

25
Q

A company is implementing MFA for all applications that store sensitive data. The IT manager wants MFA to be non-disruptive and user friendly. Which of the following technologies should the IT manager use when implementing MFA?

A. One-time passwords
B. Email tokens
C. Push notifications
D. Hardware authentication

A

C. Push notifications

26
Q

A security analyst needs to centrally manage credentials and permissions to the company’s network devices. The following security requirements must be met:

* All actions performed by the network staff must be logged.
* Per-command permissions must be possible.
* The authentication server and the devices must communicate through TCP.

Which of the following authentication protocols should the analyst choose?

A. Kerberos
B. CHAP
C. TACACS+
D. RADIUS

A

C. TACACS+

27
Q

An organization wants to enable built-in FDE on all laptops. Which of the following should the organization ensure is installed on all laptops?

A. TPM
B. CA
C. SAML
D. CRL

A

A. TPM

28
Q

An organization recently released a software assurance policy that requires developers to run code scans each night on the repository. After the first night, the security team alerted the developers that more than 2,000 findings were reported and need to be addressed. Which of the following is the MOST likely cause for the high number of findings?

A. The vulnerability scanner was not properly configured and generated a high number of false positives.
B. Third-party libraries have been loaded into the repository and should be removed from the codebase.
C. The vulnerability scanner found several memory leaks during runtime, causing duplicate reports for the same issue.
D. The vulnerability scanner was not loaded with the correct benchmarks and needs to be updated.

A

A. The vulnerability scanner was not properly configured and generated a high number of false positives.

29
Q

An organization is concerned about intellectual property theft by employees who leave the organization. Which of the following should the organization MOST likely implement?

A. CBT
B. NDA
C. MOU
D. AUP

A

B. NDA

30
Q

A security analyst reviews web server logs and notices the following lines:

Which of the following vulnerabilities is the attacker trying to exploit?

A. Token reuse
B. SQLi
C. CSRF
D. XSS

A

D. XSS

31
Q

A network manager is concerned that business may be negatively impacted if the firewall in its data center goes offline. The manager would like to implement a high availability pair to:

A. decrease the mean time between failures.
B. remove the single point of failure.
C. cut down the mean time to repair.
D. reduce the recovery time objective.

A

B. remove the single point of failure.

32
Q

A major manufacturing company updated its internal infrastructure and just recently started to allow OAuth applications to access corporate data. Data leakage is now being reported. Which of the following MOST likely caused the issue?

A. Privilege creep
B. Unmodified default settings
C. TLS protocol vulnerabilities
D. Improper patch management

A

B. Unmodified default settings

33
Q

While preparing a software inventory report, a security analyst discovers an unauthorized program installed on most of the company’s servers. The program utilizes the same code signing certificate as an application deployed to only the accounting team. After removing the unauthorized program, which of the following mitigations should the analyst implement to BEST secure the server environment?

A. Revoke the code signing certificate used by both programs.
B. Block all unapproved file hashes from installation.
C. Add the accounting application file hash to the allowed list.
D. Update the code signing certificate for the approved application.

A

A. Revoke the code signing certificate used by both programs.

34
Q

A security analyst is reviewing the latest vulnerability scan report for a web server following an incident. The vulnerability report showed no concerning findings. The vulnerability that was used to exploit the server is present in historical vulnerability scan reports, and a patch is available for the vulnerability. Which of the following is the MOST likely cause?

A. Security patches failed to install due to a version incompatibility.
B. An adversary altered the vulnerability scan reports.
C. A zero-day vulnerability was used to exploit the web server.
D. The scan reported a false negative for the vulnerability.

A

C. A zero-day vulnerability was used to exploit the web server.

35
Q

The help desk has received calls from users in multiple locations who are unable to access core network services. The network team has identified and turned off the network switches using remote commands. Which of the following actions should the network team take NEXT?

A. Disconnect all external network connections from the firewall.
B. Send response teams to the network switch locations to perform updates.
C. Turn on all the network switches by using the centralized management software.
D. Initiate the organization's incident response plan.

A

D. Initiate the organization's incident response plan.

36
Q

An attacker is trying to gain access by installing malware on a website that is known to be visited by the target victims. Which of the following is the attacker MOST likely attempting?

A. A spear-phishing attack
B. A watering-hole attack
C. Typo squatting
D. A phishing attack

A

B. A watering-hole attack

37
Q

An organization is moving away from the use of client-side and server-side certificates for EAP. The company would like for the new EAP solution to have the ability to detect rogue access points. Which of the following would accomplish these requirements?

A. PEAP
B. EAP-FAST
C. EAP-TLS
D. EAP-TTLS

A

B. EAP-FAST

38
Q

A security analyst receives a SIEM alert that someone logged in to the appadmin test account, which is only used for the early detection of attacks. The security analyst then reviews the following application log:

Which of the following can the security analyst conclude?

A. A replay attack is being conducted against the application.
B. An injection attack is being conducted against a user authentication system.
C. A service account password may have been changed, resulting in continuous failed logins within the application.
D. A credentialed vulnerability scanner attack is testing several CVEs against the application.

A

B. An injection attack is being conducted against a user authentication system.

39
Q

A security team is engaging a third-party vendor to do a penetration test of a new proprietary application prior to its release. Which of the following documents would the third-party vendor MOST likely be required to review and sign?

A. SLA
B. NDA
C. MOU
D. AUP

A

B. NDA

40
Q

Which of the following is an administrative control that would be MOST effective to reduce the occurrence of malware execution?

A. Security awareness training
B. Frequency of NIDS updates
C. Change control procedures
D. EDR reporting cycle

A

C. Change control procedures

41
Q

Employees at a company are receiving unsolicited text messages on their corporate cell phones. The unsolicited text messages contain a password reset link. Which of the following attacks is being used to target the company?

A. Phishing
B. Vishing
C. Smishing
D. Spam

A

C. Smishing

42
Q

During a Chief Information Security Officer (CISO) convention to discuss security awareness, the attendees are provided with a network connection to use as a resource. As the convention progresses, one of the attendees starts to notice delays in the connection, and the HTTPS site requests are reverting to HTTP. Which of the following BEST describes what is happening?

A. Birthday collision on the certificate key
B. DNS hijacking to reroute traffic
C. Brute force to the access point
D. A SSL/TLS downgrade

A

D. A SSL/TLS downgrade

43
Q

A user enters a password to log in to a workstation and is then prompted to enter an authentication code. Which of the following MFA factors or attributes are being utilized in the authentication process? (Choose two.)

A. Something you know
B. Something you have
C. Somewhere you are
D. Someone you know
E. Something you are
F. Something you can do

A

A. Something you know
B. Something you have

44
Q

A company uses specially configured workstations for any work that requires administrator privileges to its Tier 0 and Tier 1 systems. The company follows a strict process to harden systems immediately upon delivery. Even with these strict security measures in place, an incident occurred from one of the workstations. The root cause appears to be that the SoC was tampered with or replaced. Which of the following MOST likely occurred?

A. Fileless malware
B. A downgrade attack
C. A supply-chain attack
D. A logic bomb
E. Misconfigured BIOS

A

C. A supply-chain attack

45
Q

Audit logs indicate an administrative account that belongs to a security engineer has been locked out multiple times during the day. The security engineer has been on vacation for a few days. Which of the following attacks can the account lockout be attributed to?

A. Backdoor
B. Brute-force
C. Rootkit
D. Trojan

A

B. Brute-force

46
Q

A security analyst is reviewing the output of a web server log and notices a particular account is attempting to transfer large amounts of money:

Which of the following types of attacks is MOST likely being conducted?

A. SQLi
B. CSRF
C. Spear phishing
D. API

A

B. CSRF

47
Q

After installing a patch on a security appliance, an organization realized a massive data exfiltration had occurred. Which of the following BEST describes the incident?

A. Supply chain attack
B. Ransomware attack
C. Cryptographic attack
D. Password attack

A

A. Supply chain attack

48
Q

A security analyst reviews web server logs and notices the following lines:

Which of the following vulnerabilities has the attacker exploited? (Choose two.)

A. Race condition
B. LFI
C. Pass the hash
D. XSS
E. RFI
F. Directory traversal

A

B. LFI
F. Directory traversal

49
Q

An information security manager for an organization is completing a PCI DSS self-assessment for the first time. Which of the following is the MOST likely reason for this type of assessment?

A. An international expansion project is currently underway.
B. Outside consultants utilize this tool to measure security maturity.
C. The organization is expecting to process credit card information.
D. A government regulator has requested this audit to be completed.

A

C. The organization is expecting to process credit card information.

50
Q

Physical access to the organization's servers in the data center requires entry and exit through multiple access points: a lobby, an access control vestibule, three doors leading to the server floor, a door to the server floor itself, and eventually to a caged area solely for the organization’s hardware. Which of the following controls is described in this scenario?

A. Compensating
B. Deterrent
C. Preventive
D. Detective

A

C. Preventive