CompTIA Security+ Get Certified Get Ahead - CH7 Review Flashcards
An IDS has sent multiple alerts in response to increased traffic. Upon investigation, you realize it is due to a spike in Network traffic from several sources. Assuming this is malicious, which of the following is the MOST likely explanation?
An ARP Poisoning Attack
A DNS Poisoning Attack
A Domain Hijacking Attack
A DDoS Attack
A DDoS Attack (Distributed Denial of Service)
Explanation:
A distributed denial-of-service (DDoS) attack causes spikes in network traffic as multiple systems attempt to connect to a server and deplete the target’s resources.
An Address Resolution Protocol (ARP) poisoning attack attempts to mislead systems about the source media access control (MAC) address.
A Domain Name System (DNS) poisoning attack attempts to redirect web browsers to malicious URLs.
In a domain hijacking attack, an attacker changes a domain name registration without permission from the owner.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 722-723). YCDA, LLC. Kindle Edition.
While investigating performance issues on a Web Server, you verified that the CPU usage was about 10% five minutes ago. However, it now shows that the CPU usage has been averaging over 98% for the last two minutes. Which of the following BEST describes what the Web Server is experiencing?
Resource Exhaustion
DDoS
A Buffer Overflow Attack
A Memory Leak
Resource Exhaustion
Explanation:
CPU usage averaging 98 percent indicates resource exhaustion. The scenario doesn’t indicate the cause of the increased usage, so resource exhaustion is the best answer.
A distributed denial-of-service (DDoS) attack could cause this. However, a surge in traffic from an effective marketing campaign sent via email could also cause a surge in resource usage.
A buffer overflow attack is a type of DDoS attack, but the scenario doesn’t give enough information to indicate a buffer overflow attack has taken place.
The scenario only mentions CPU usage, so there isn’t any indication of a memory leak.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 723). YCDA, LLC. Kindle Edition.
An administrator regularly connects to a Server using SSH without any problems. Today, he sees a message similar to the following:
WARNING: Remote Host Identification Has Changed!!
It is possible that someone is up to no good!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is 12:34:56:78:9a:bc:de:f1:23:45:67:89:ab:cd:ef:12.
Please contact your system administrator.
Add correct host key in /home/hostname/.ssh/known_hosts to get rid of this message.
Offending RSA key in /var/lib/sss/pubconf/known_hosts:4
RSA host key for ycda has changed and you have requested strict checking.
Host key verification failed.
Which of the following is the MOST likely reason for this message?
Rogue Access Point
On-Path Attack
MAC Flooding
ARP Poisoning
On-Path Attack
Explanation:
The message indicates a potential man-in-the-middle (MITM) attack, which is also known as an on-path attack. Specifically, it indicates that the key on the host system has changed, which may be due to the administrator connecting to the MITM system instead of the target system. None of the other answers are related to incorrect cryptographic keys.
A rogue access point is an unauthorized wireless access point.
Media access control (MAC) flooding is an attack on a switch, attempting to overload it with different MAC addresses.
An Address Resolution Protocol (ARP) poisoning attack misleads computers or switches about a system’s actual MAC address.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 723). YCDA, LLC. Kindle Edition.
Homer complains that his system started acting erratically today. You discover that malware infected his system, but you discover he didn’t open any email during the day. He mentions that he has been browsing the Internet all day. Which of the following could you check to see where the malware MOST likely originated?
Web Server Logs
Mail Server Logs
PowerShell Logs
DNS Server Logs
DNS Server Logs
Explanation:
Domain Name System (DNS) logs will record DNS queries, such as what hostnames it resolved to IP addresses. The log entries would show all the domains that Homer visited during the day. One of these is most likely the one that downloaded malware onto his system.
A web server would show activity on the web server, but you wouldn’t have access to web servers controlled by others.
Homer didn’t open any email, so the mail server logs wouldn’t help.
PowerShell logs may show activity, but only if the malware used PowerShell. However, the PowerShell logs are unlikely to show who ran PowerShell scripts.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 723-724). YCDA, LLC. Kindle Edition.
While reviewing logs for a Web application, a Security analyst notices that it has crashed several times, reporting a memory error. Shortly after it crashes, the logs show malicious code that isn’t part of a known application. Which of the following is MOST likely occurring?
Buffer Overflow
ARP Poisoning
Privilege Escalation
Replay
Buffer Overflow
Explanation:
Buffer overflow attacks often cause an application to crash and expose system memory. Attackers then write malicious code into the exposed memory and use different techniques to get the system to run this code. None of the other attacks insert malicious code into memory.
An Address Resolution Protocol (ARP) poisoning attack attempts to mislead systems about the source media access control (MAC) address.
Privilege escalation techniques attempt to give an attacker more rights and permissions.
In a replay attack, the attacker intercepts data and typically attempts to use the intercepted data to impersonate a user or system.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 724). YCDA, LLC. Kindle Edition.
Web developers are implementing error handling in a database application accessed by a Web Server. Which of the following would be the BEST way to implement this?
Display a detailed error message but log generic information on the error.
Display a generic error message but log detailed information on the error.
Display a generic error message and log generic information on the error.
Display a detailed error message and log detailed information on the error.
Display a generic error message but log detailed information on the error.
Explanation:
You should display a generic error message but log detailed information on the error.
Detailed error messages to the user are often confusing to them and give attackers information they can use against the system.
Logging generic information makes it more difficult to troubleshoot the problem later.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 724). YCDA, LLC. Kindle Edition.
** A Web developer is adding input validation techniques to a website application. Which of the following should the developer implement during this process?
Validation on the Server-side
Validation on the Client-side
Normalization techniques
Memory management techniques
Validation on the Server-side
Explanation:
At a minimum, input validation should be performed on the server-side.
Client-side validation can be combined with server-side validation, but attackers can bypass client-side input validation if it is used alone.
Normalization techniques organize tables and columns in a database to reduce redundant data but have nothing to do with input validation.
Memory management is a secure coding technique that helps prevent memory errors.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 724-725). YCDA, LLC. Kindle Edition.
Developers in the YCDA organization have created an application that users can download and install on their computers. Management wants to provide users with a reliable method of verifying that the application has not been modified after YCDA released it. Which of the following methods provides the BEST solution?
Code signing
Input validation
Obfuscation
Stored procedures
Code signing
Explanation:
Code signing provides a digital signature for the code, verifies the publisher of the code, and verifies that it hasn’t been modified since the publisher released it. None of the other answers verify the application hasn’t been modified.
Input validation verifies data is valid before using it.
Code obfuscation or code camouflage techniques make the code more difficult to read.
Stored procedures are used with SQL databases and can be used for input validation.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 725). YCDA, LLC. Kindle Edition.
** Your organization is preparing to deploy a Web-based application, which will accept user input. Which of the following will BEST test the reliability of this application to maintain availability and data integrity?
Static code analysis
Input validation
Error handling
Dynamic code analysis
Dynamic code analysis
Explanation:
Dynamic code analysis techniques test an application during its execution and are the best choice of the available answers to verify the application can maintain availability and data integrity.
Static code analysis (such as a manual code review) is done without executing any code, but it won’t test its reliability.
Input validation is the practice of checking data for validity before using it, but this is done within the application, not as a method to test the application.
Error-handling techniques are also done within the application.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 725). YCDA, LLC. Kindle Edition.
Several developers in your organization are working on a software development project. Recently, Bart made an unauthorized change to the code that effectively broke several modules. Unfortunately, there isn’t any record of who made the change or details of the change. Management wants to ensure it is easy to identify who makes any changes in the future. Which of the following provides the best solution for this need?
Dynamic code analysis
Version control
Static code analysis
Use of third-party SDKs
Version control
Explanation:
A version control system will track all changes to a software project, including who made the change and when.
Dynamic code analysis techniques test an application during its execution.
Static code analysis examines the code without executing it as a method of code testing.
The use of third-party software development kits (SDKs) is a secure coding technique, but it won’t detect unauthorized changes.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 725). YCDA, LLC. Kindle Edition.
Database administrators have created a database used by a Web application. However, testing shows that application queries against the database take a significant amount of time. Which of the following actions is MOST likely to improve the overall performance of the database?
Normalization
Client-side input validation
Server-side input validation
Obfuscation
Normalization
Explanation:
Normalization techniques organize tables and columns in a database and improve overall database performance. None of the other answers improve the database performance.
Input validation techniques help prevent many types of attacks, and server-side input validation techniques are preferred over client-side input validation techniques.
Obfuscation techniques make code more difficult to read.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 725-726). YCDA, LLC. Kindle Edition.
** Looking at logs for an online Web application, you see that someone has entered the following phrase into several queries: ' or '1'='1';--
Which of the following provides the BEST protection against this attack?
Normalization
Proper error handling
Removing dead code
Stored procedures
Stored procedures
Explanation:
Attackers commonly use the phrase ' or '1'='1';-- in SQL injection attacks, and stored procedures are an effective method of preventing SQL injection attacks.
Normalization techniques organize tables and columns in a database to reduce redundant data but don’t block SQL injection attacks.
This phrase won’t cause an error, so proper error-handling techniques won’t help.
Dead code is code that is never executed, and it should be removed, but dead code is unrelated to a SQL injection attack.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 726). YCDA, LLC. Kindle Edition.
You are examining logs generated by an online Web application. You notice that the following phrase is appearing in several queries: ' or '1'='1';--
Which of the following is the MOST likely explanation for this?
A Buffer Overflow Attack
A DLL Injection Attack
A SQL Injection Attack
A Race Condition
A SQL Injection Attack
Explanation:
Attackers use the character string ' or '1'='1';-- in SQL injection attacks to query or modify databases.
A buffer overflow attack sends more data or unexpected data to an application with the goal of accessing system memory.
A dynamic link library (DLL) injection attack attempts to inject DLLs into memory, causing DLL commands to run.
A race condition is a programming conflict when two or more applications or application models attempt to access a resource at the same time.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 726). YCDA, LLC. Kindle Edition.
Your organization has created a Web application that will go live after testing is complete. An application tester sees the following URL:
https://gcgapremium.com/info.php?sessionID=10123&acct=homer
The tester resends the following URL to the website:
https://gcgapremium.com/info.php?sessionID=32101&=homer
Which of the following attacks is the tester checking?
Pass the Hash
Buffer Overflow
Cross-Site Request Forgery
Race Condition
Cross-Site Request Forgery
Explanation:
This indicates an attempt to launch a cross-site request forgery attack. The question mark (?) in the URL is the giveaway here.
A pass the hash attack is a password attack.
A buffer overflow attack sends unexpected data, but the URLs are primarily the same, so it isn’t unexpected data.
A race condition occurs when a system attempts to do two or more operations simultaneously instead of in a specific order.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 726). YCDA, LLC. Kindle Edition.
Your SIEM sent an alert after detecting the following script was run on a system within your Network.
invoke-command {
$a = net localgroup administrators |
where {$_ -AND $_ -notmatch "command completed"} |
select -skip 4 }
What BEST describes this script?
A Python script to list local administrators
A script used to create a Logic Bomb
A PowerShell script to list local administrators
A script used to create a Backdoor
A PowerShell script to list local administrators
Explanation:
This is a PowerShell script using the invoke-command cmdlet and it lists members of the local Administrators group.
This is not a Python script.
This is not a logic bomb because it isn’t taking any action other than creating a list.
It is not creating a backdoor either.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 727). YCDA, LLC. Kindle Edition.