CompTIA Security+ Get Certified Get Ahead - POST Assessment Exam Flashcards

1
Q

Your organization hosts an e-commerce Web Server. The Server randomly experiences a high volume of sales and usage from mid-November to the End of December, causing spikes in resource usage. These spikes have resulted in outages during the past year. Which of the following should be implemented to prevent these outages?

Stored Procedures
Scalability
Version Control
Memory Management

A

Scalability

Explanation:
Scalability is the best choice because it allows administrators to manually scale the server up or out as needed in response to this predictable high resource usage.

Stored procedures are a group of SQL statements that execute as a whole and help prevent SQL injection attacks.
Version control tracks software versions as it is updated and is unrelated to this question.
Memory management techniques help ensure that applications don’t cause memory problems such as memory leaks or integer overflows. See Chapter 1.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1096). YCDA, LLC. Kindle Edition.

2
Q

Employees currently log in with their Usernames and Passwords, but management wants to increase login Security by implementing Smart Cards. However, the IT department anticipates it will take a long time to purchase the necessary equipment and issue Smart Cards for everyone. You need to identify a solution that will provide comparable Security until the Smart Cards are implemented. Which of the following is a compensating control that will meet these needs?

Implement an Account Lockout Policy.
Increase Password Policy requirements.
Implement a TOTP solution.
Require users to change their Passwords more often.

A

Implement a TOTP Solution (Time-based One Time Password)

Explanation:
A Time-based One-Time Password (TOTP) solution can be implemented as a compensating control. It can be implemented with hardware tokens or with an app on a smartphone. The smart cards provide two-factor authentication, so the compensating control should provide two-factor control, and TOTP fills that need. None of the other answers provides an additional factor of authentication.

An account lockout policy locks out users after entering an incorrect password too many times.
The password policy can be used to increase password security.
Requiring users to change their password more often is in the password policy as password expiration. See Chapter 1.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1096). YCDA, LLC. Kindle Edition.

3
Q

You have configured a Firewall in your Network to block ICMP traffic. You want to verify that it is working as expected. Which of the following commands would you use?

arp
ipconfig
route
ping

A

ping

Explanation:
The ping command sends Internet Control Message Protocol (ICMP) echo requests and checks for ICMP echo replies.

The Address Resolution Protocol (ARP) resolves IP addresses to media access control (MAC) addresses, and the arp command is used to view and manipulate the ARP cache.
The ipconfig command displays the configuration of a NIC.
The route command can be used to display and manipulate the routing table on computing systems. See Chapter 1.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1097). YCDA, LLC. Kindle Edition.

4
Q

You need to reboot a database Server. Before doing so, you need to verify it doesn’t have any active Network connections. Which of the following commands will BEST meet your needs?

arp
ipconfig
hping3
netstat

A

netstat

Explanation:
The netstat command displays active connections on a system.

Arp displays information related to media access control (MAC) addresses.
Ipconfig displays TCP/IP configuration information for wired and wireless network interface cards.
The hping3 command is used to identify open and closed ports on remote systems. See Chapter 1.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1097). YCDA, LLC. Kindle Edition.

5
Q

You are troubleshooting an issue with the ycda Application hosted on a Linux System. You suspect that the issue is caused when performing a specific function. You execute the function and see a generic error message. You want to view the detailed error logged in the messages file. Which of the following commands would be the BEST choice to use?

head
tail
chmod
logger

A

tail

Explanation:
The tail command shows the last 10 lines (by default) of a log file and, in this scenario, is the best choice to show a recent error message.

The head command shows the beginning lines in a log file and is unlikely to display recent error messages.
You would use the chmod command (short for change mode) to change permissions on files and directories.
The logger command is used to add entries into the syslog file. See Chapter 1.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1097). YCDA, LLC. Kindle Edition.

6
Q

Lisa is installing an Application named gcga.exe on a Linux Server. The documentation indicates that the Application should be installed with the following permissions:

  • the owner of the application should have Read, Write, and Execute
  • the owner group of the application should have Read and Execute
  • all other users should NOT have any permissions on the application.

Which of the following commands should be used to meet these requirements?

chmod 067 gcga.exe
chmod 661 gcga.exe
chmod 760 gcga.exe
chmod 770 gcga.exe

A

chmod 760 gcga.exe

Explanation:
The chmod 760 gcga.exe should be used. The 7 (in 760) gives read, write, and execute permissions to the owner. The 6 (in 760) gives read and execute permissions to the owner group. The 0 (in 760) ensures that everyone else has no permissions.

The 0 (in 067) denies read, write, and execute permissions for the owner, and the 7 (in 067) grants read, write, and execute permissions for everyone.
The first 6 (in 661) grants only read and write permissions but not execute permissions to the owner.
The second 7 (in 770) grants read, write, and execute permissions for the owner group, but the scenario says that only read and execute permissions should be granted for this group. See Chapter 1.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1098). YCDA, LLC. Kindle Edition.

7
Q

Homer is not able to access any Network resources from his Linux-based Computer. Which of the following commands would he use to view the Network configuration of his system?

ifconfig
ipconfig
netstat
tracert

A

ifconfig

Explanation:
The ifconfig command displays network settings on a Linux computer. This includes the IP address, subnet mask, and default gateway assigned to the network interface card (NIC).

The ipconfig command performs similar checks on Windows computers but not on Linux systems.
Netstat shows network statistics and active connections but not the network settings.
The tracert command traces the route between systems on a network and can help determine which network devices are failing. See Chapter 1.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1098). YCDA, LLC. Kindle Edition.

8
Q

Management wants to increase Security for any users accessing the Network with a VPN. They plan to implement a method that will require users to install an application on their Smartphones. This application will generate a Key that they’ll have to enter in addition to their username and password. What is the BEST description of this added authentication method?

Something you know.
Something you have.
Something you are.
Something you can do.

A

Something you have.

Explanation:
This is in the something you have factor of authentication. Users are required to have a smartphone with the authentication application installed.

The application generates a numeric key; users don’t know this key until the application generates it.
Biometrics are in the something you are factor, but biometric methods aren’t mentioned.
Something you can do refers to a user’s actions, such as making gestures on a screen. See Chapter 2.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1098). YCDA, LLC. Kindle Edition.

9
Q

Users normally log on using a Smart Card, a username, and a password. Management wants administrators to use a third factor of authentication. Which of the following will meet this need?

PIN
Token
Fingerprints
Push Notifications

A

Fingerprints

Explanation:
Fingerprints are in the something you are factor of authentication and will meet this need. All the other answers are in either the something you have factor (already used by the smart card) or the something you know factor (already used by the password).

A personal identification number (PIN) is in the something you know factor.
Tokens and push notifications are in the something you have factor. See Chapter 2.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1098). YCDA, LLC. Kindle Edition.

10
Q

Developers are planning to develop an application using Role-based Access Control. Which of the following would they MOST likely include in their planning?

A listing of labels reflecting classification levels.
A listing of rules that the application must be able to trigger.
A listing of owners.
A matrix of functions matched with required privileges.

A

A matrix of functions matched with required privileges.

Explanation:
A matrix of functions, roles, or job titles matched with the required access privileges for each of the functions, roles, or job titles is a common planning document for a role-based access control model.

The mandatory access control (MAC) model uses sensitivity labels and classification levels.
Rule-based access control models use rules, but role-based access control models don’t use rules.
The discretionary access control (DAC) model specifies that every object has an owner and it might identify owners in a list. See Chapter 2.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1099). YCDA, LLC. Kindle Edition.

11
Q

Your organization has implemented a system that stores user credentials in a central database. Users log on once with their credentials. They can then access other systems in the organization without logging on again. Which of the following does this describe?

Federation
SAML
SSO
OAuth

A

SSO (Single Sign-On)

Explanation:
This describes a single sign-on (SSO) solution in which users only log on once.

Although a federation supports SSO, not all SSO systems use a federation.
Security Assertions Markup Language (SAML) is an SSO solution used for web-based applications, but not all SSO solutions use SAML.
OAuth (Open Authorization) is an authorization protocol used with HTTP-based apps, not internal organizations. See Chapter 2.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1099). YCDA, LLC. Kindle Edition.

12
Q

The Mapple organization is creating a Help-Desk Team to assist employees with account issues. Members of this team need to create and modify user accounts and occasionally reset user passwords. Which of the following is the BEST way to accomplish this goal?

Give each Help-Desk employee appropriate privileges individually.

Add each member of the Help-Desk team to the administrator group within the domain.

Add members of the Help-Desk team to a Security group that has the appropriate privileges.

Assign attributes to members of the Help-Desk team and give these attributes appropriate privileges.

A

Add members of the Help-Desk team to a Security group that has the appropriate privileges.

Explanation:
The best solution of the available choices is to add members of the help-desk team to a security group that has the appropriate privileges.

Assigning permissions to users individually adds to the administrative workload.
Giving members administrator privileges violates the principle of least privilege by giving them too many privileges.
An attribute-based access control model can use attributes to grant access but would add to the administrative workload if done individually. See Chapter 2.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1099). YCDA, LLC. Kindle Edition.

13
Q

Your organization’s Security policy states that administrators should follow the principle of Least Privilege. Which of the following tools can ensure that administrators are following the Policy?

Account Audits
Risk Assessment
Vulnerability Assessment
Threat Assessment

A

Account Audits

Explanation:
Account audits verify users have the permissions they need for their job, and no more, which verifies the principle of least privilege is being followed.

Risk, vulnerability, and threat assessments assess current risks. While they might verify the principle of least privilege is being followed, they do much more. See Chapter 3.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1099). YCDA, LLC. Kindle Edition.

14
Q

Lisa is responsible for managing and monitoring Network devices, such as Routers and Switches, in your Network. Which of the following protocols is she MOST likely to use?

NAT
SRTP
SNMPv3
DNSSEC

A

SNMPv3 (Simple Network Management Protocol v3)

Explanation:
Simple Network Management Protocol version 3 (SNMPv3) is used to securely manage and monitor network devices. None of the other choices is related to managing and monitoring network devices.

Network Address Translation (NAT) translates public IP addresses to private IP addresses and private addresses back to public.
The Secure Real-time Transport Protocol (SRTP) secures voice and other streaming media transmissions.
Domain Name System Security Extensions (DNSSEC) helps prevent DNS cache poisoning attacks. See Chapter 3.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 1099-1100). YCDA, LLC. Kindle Edition.

15
Q

** Your organization’s Network has the following setup:

Subnet 1:
HQ - 10.0.1.0/24
Firewall 1

Subnet 2:
HQ - 10.0.2.0/24
Firewall 2

Subnet 3:
Hot Site - 10.0.3.0/24
Firewall 3

All Firewalls should enforce the following Requirements:
- Use only Secure Protocols for Remote Management
- Block Cleartext Web Traffic

The following shows the Current Rules configured in Firewall 1:
HTTPS Outbound – Any – 10.0.1.0/24 – HTTPS – Allow
HTTP Outbound – Any – 10.0.1.0/24 – HTTP – Allow
DNS – Any – 10.0.1.0/24 – DNS – Allow
HTTPS Inbound – 10.0.1.0/24 – Any – HTTPS – Allow
HTTP Inbound – 10.0.1.0/24 – Any – HTTP – Block
Telnet – 10.0.3.0/24 – Any – Telnet – Allow
SSH – 10.0.1.0/24 – Any – SSH – Allow

You’re asked to verify the rules are configured correctly. Which rule, if any, should be changed to ensure Firewall 1 meets the stated requirements?

HTTPS Outbound
HTTP Outbound
DNS
Telnet
SSH
None. All rules are Correct

A

Telnet

Explanation:
The Telnet rule should be changed to block Telnet traffic. Telnet sends credentials and other data in cleartext and should not be used.

Secure Shell (SSH) encrypts traffic and should be used instead of Telnet.
All other rules are correct. See Chapter 3.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1100). YCDA, LLC. Kindle Edition.

16
Q

Your organization recently landed a contract with the Federal Government. Developers are fine-tuning an application that will process sensitive data. The contract mandates that all computers using this application must be isolated. Which of the following would BEST meet this need?

Create a bastion host in a screened subnet.
Implement a Boundary Firewall.
Create an Air-Gapped Network
Implement an IPS

A

Create an Air-Gapped Network

Explanation:
An air-gapped network would best meet this need. An air gap indicates that the network is isolated from other networks with space or air. The application would be developed and compiled in this isolated network. All the other answers have a level of connectivity with the Internet and don’t provide the best protection.

A bastion host is a hardened server that can be accessed via the Internet and it may be directly on the Internet or within a screened subnet (sometimes called a demilitarized zone or DMZ).
A boundary firewall (sometimes called a perimeter firewall) is placed at the edge of the network between the Internet and the internal network or within the screened subnet.
An intrusion prevention system (IPS) is typically placed inline with traffic between the Internet and the internal network and attempts to detect and block attacks. See Chapter 3.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1100). YCDA, LLC. Kindle Edition.

17
Q

Your organization wants to increase Security for VoIP and Video Teleconferencing applications used within the Network. Which of the following protocols will BEST support this goal?

S/MIME
TLS
SFTP
SRTP

A

SRTP (Secure Real-time Transport Protocol)

Explanation:
The Secure Real-Time Transport Protocol (SRTP) provides encryption, message authentication, and integrity for Voice over Internet Protocol (VoIP), video teleconferencing, and other streaming media applications. None of the other answers are related to VoIP or video teleconferencing.

Secure/Multipurpose Internet Mail Extensions (S/MIME) secures email.
The Transport Layer Security (TLS) protocol is used to encrypt data in transit but isn’t the best choice for streaming media.
Secure File Transfer Protocol (SFTP) is a secure implementation of FTP to transfer files. See Chapter 3.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 1100-1101). YCDA, LLC. Kindle Edition.

18
Q

** Your organization hosts a Web Server accessed from employees within the Network, and via the Internet. Management wants to increase its Security. You are tasked with separating all Web-facing traffic from internal Network traffic. Which of the following provides the BEST solution?

Screened Subnet
VLAN
Firewall
WAF

A

Screened Subnet

Explanation:
A screened subnet (sometimes called a demilitarized zone, DMZ) is a buffered zone between a private network and the Internet, and it will separate the web server’s web-facing traffic from the internal network.

You can use a virtual local area network (VLAN) to group computers together based on job function or some other administrative need, but it is created in the internal network.
A firewall does provide protection for the web server but doesn’t necessarily separate the web-facing traffic from the internal network.
A web application firewall (WAF) protects a web server from incoming attacks, but it does not necessarily separate Internet and internal network traffic. See Chapter 3.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1101). YCDA, LLC. Kindle Edition.

19
Q

Developers recently configured a new service on a Server called GCGA1. GCGA1 is in a screened subnet and accessed by employees in the internal Network, and by others via the Internet. Network administrators modified Firewall rules to access the service. Testing shows the service works when accessed from internal systems. However, it does not work when accessed from the Internet. Which of the following is MOST likely configured incorrectly?

The new service.
An ACL
The GCGA1 Server
A VLAN

A

An ACL (Access Control List)

Explanation:
The most likely problem of the available choices is that an access control list (ACL) is configured incorrectly. The server is in a screened subnet (sometimes called a demilitarized zone or DMZ) and the most likely problem is an incorrectly configured ACL on the border firewall (between the Internet and the screened subnet).

The service is working when accessed by internal systems, so it isn’t likely that it is the problem.
Also, the GCGA1 server works for internal systems indicating it is working correctly.
There isn’t any indication a virtual local area network (VLAN) is in use. See Chapter 3.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1101). YCDA, LLC. Kindle Edition.

20
Q

Bart recently hooked up a Switch incorrectly, causing a Switching Loop problem that took down part of an organization’s Network. Management wants to implement a solution that will prevent this from occurring in the future. Which of the following is the BEST choice to meet this need?

Flood Guard
SNMPv3
SRTP
RSTP

A

RSTP (Rapid Spanning Tree Protocol)

Explanation:
Rapid Spanning Tree Protocol (RSTP) prevents switching loop problems and should be enabled on the switches to meet this need. While not available as a possible answer, the older Spanning Tree Protocol (STP) also provides loop protection.

A flood guard on a switch helps prevent a media access control (MAC) flood attack.
Simple Network Management Protocol version 3 (SNMPv3) is used to manage and monitor network devices.
The Secure Real-time Transport Protocol (SRTP) provides encryption, message authentication, and integrity for video and voice data. See Chapter 3.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1102). YCDA, LLC. Kindle Edition.

21
Q

A penetration tester has been hired to perform an assessment on the greatadministrator.com site. He used the nslookup command to perform some reconnaissance and received the following output:

C:\>nslookup -querytype=mx greatadministrator.com
Server: UnKnown
Address: 192.168.1.1
Non-authoritative answer:
gcgapremium.com MX preference = 20, mail exchanger = mx1.emailsrvr.com
gcgapremium.com MX preference = 90, mail exchanger = mx2.emailsrvr.com

Of the following choices, what BEST describes this output?

Server named mx2.emailsrvr.com is the Primary email Server for this domain.

Server named mx1.emailsrvr.com is the Primary email Server for this domain.

The AAAA Record is misconfigured for this domain.

The SOA Record is hiding the IP address of the domain.

DNSSEC has not been enabled on this domain.

A

Server named mx1.emailsrvr.com is the Primary email Server for this domain.

Explanation:
The server named mx1.emailsrvr.com is the primary email server for this domain. The MX record indicates it is a mail server and the preference of 20 (compared with the preference of 90 for mx2) indicates it is the primary email server.

A preference of 90 for mx2.emailsrvr.com is higher than 20 (the preference for mx1.emailsrvr.com) and indicates that mx2.emailsrvr.com is the backup email server.
An AAAA record maps the IPv6 address to the hostname, but IPv6 is not indicated at all in this question.
The start of authority (SOA) record includes information about the DNS zone and some of its settings, but it does not hide the domain’s IP address.
Domain Name System Security Extensions (DNSSEC) is a suite of extensions to DNS that helps prevent DNS cache poisoning, but the existence (or non-existence) of a DNSSEC record is not indicated in this question. See Chapter 3.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 1102-1103). YCDA, LLC. Kindle Edition.

22
Q

Which of the following is an example of a Detective Control?

An IPS reconfigured to monitor traffic instead of blocking it.
A backup solution that includes off-site backups.
Security Guards
A Cable Lock

A

An IPS reconfigured to monitor traffic instead of blocking it. (Intrusion Prevention System)

Explanation:
An intrusion prevention system (IPS) is normally placed in line with traffic to block malicious traffic. However, it can be reconfigured to monitor traffic, effectively operating as an intrusion detection system (IDS).

A backup solution is a corrective or recovery control.
Security guards are preventive and deterrent controls.
Cable locks are physical controls that prevent the theft of devices such as laptops. See Chapter 4.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 1102-1103). YCDA, LLC. Kindle Edition.

23
Q

Your organization is planning to implement a Wireless Network using WPA2 Enterprise. Of the following choices, what is required?

An Authentication Server with a Digital Certificate installed on the Authentication Server

An Authentication Server with DHCP installed on the Authentication Server

An Authentication Server with DNS installed on the Authentication Server

An Authentication Server with WPS running on the Access Point.

A

An Authentication Server with a Digital Certificate installed on the Authentication Server.

Explanation:
WPA2 Enterprise requires an 802.1X authentication server, and most implementations require a digital certificate installed on the server.

The network will likely have Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) services, but it isn’t necessary to install them on the authentication server.
Wi-Fi Protected Setup (WPS) makes it easier to set up wireless devices, but it isn’t related to WPA2 Enterprise. See Chapter 4.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1103). YCDA, LLC. Kindle Edition.

24
Q

Bart was in a coffee shop going through emails and messages on his smartphone. He then started receiving several text messages promoting a political party and encouraging him to visit websites. After he left the coffee shop, he didn’t receive any more messages. What does this describe?

Bluesnarfing
Bluejacking
Malware
WPS Attack

A

Bluejacking

Explanation:
Bluejacking is the practice of sending unsolicited messages to other Bluetooth devices. It has a limited range of about 30 feet when sent from one mobile phone to another so the attacker couldn’t send additional messages after he left.

Bluesnarfing allows attackers to access data (including email contact lists) on a smartphone but the scenario only indicates the user is receiving unwanted messages.
Malware would not stop after a person leaves a coffee shop.
A Wi-Fi Protected Setup (WPS) attack attempts to discover an access point WPS PIN by guessing PIN numbers, but this is not related to smartphone messages. See Chapter 4.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1103). YCDA, LLC. Kindle Edition.

25
Q

Management within your organization wants employees to be able to access internal Network resources from remote locations, including from their homes. Which of the following is the BEST choice to meet this need?

NAC
VPN
IDS
IPS

A

VPN (Virtual Private Network)

Explanation:
A virtual private network (VPN) provides access to a private network over a public network such as the Internet via remote locations and is the best choice to meet this requirement.

Network access control (NAC) methods can check VPN clients for health before allowing them access to the network, but it doesn’t directly provide the access.
Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) protect networks but do not provide remote access. See Chapter 4.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1103). YCDA, LLC. Kindle Edition.

26
Q

Security experts want to reduce risks associated with updating critical operating systems. Which of the following will BEST meet this goal?

Implement patches when they are released.
Implement a Change Management Policy.
Use only trusted operating systems.
Implement operating systems with Secure configurations.

A

Implement a Change Management Policy

Explanation:
A change management policy helps reduce risk associated with making any changes to systems, including updating them.

Patches should be tested and evaluated before implementing them and implementing them when they are released sometimes causes unintended consequences.
The use of a trusted operating system or operating systems with secure configurations doesn’t address how they are updated. See Chapter 5.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1104). YCDA, LLC. Kindle Edition.

27
Q

Your organization has a segmented Network used to process highly classified material. Management wants to prevent users from copying documents to USB flash drives from any computer in this Network. Which of the following can be used to meet this goal?

DLP
HSM
COPE
SED

A

DLP (Data Loss Prevention)

Explanation:
A data loss prevention (DLP) solution can prevent users from copying documents to a USB drive. None of the other answers control USB drives.

A hardware security module (HSM) is an external security device used to manage, generate, and securely store cryptographic keys.
COPE (corporate-owned, personally enabled) is a mobile device deployment model.
A self-encrypting drive (SED) includes the hardware and software to encrypt all data on the drive and securely store the encryption keys. See Chapter 5.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1104). YCDA, LLC. Kindle Edition.

28
Q

Your organization hosts an e-commerce website using a back-end database. The database stores product data and customer data, including credit card numbers. Which of the following is the BEST way to protect the credit card data?

Full Database Encryption
Full Disk Encryption
Database Column Encryption
File-Level Encryption

A

Database Column Encryption

Explanation:
Database column (or field) encryption is the best choice because it can be used to encrypt the fields holding credit card data, but not fields that don’t need to be encrypted.

Full database encryption and full disk encryption aren’t appropriate because of the resources needed to encrypt everything compared with the security desire of protecting only the credit card data.
File-level encryption isn’t appropriate on a database and will often make it inaccessible to the database application. See Chapter 5.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1104). YCDA, LLC. Kindle Edition.

29
Q

The Springfield Nuclear Power Plant has created and maintains an online application used to teach the basics of nuclear physics. Only students and teachers in the Springfield Elementary School can access this application via the Cloud. What type of Cloud Service model is this?

IaaS
PaaS
SaaS
XaaS

A

SaaS (Software as a Service)

Explanation:
This is a Software as a Service (SaaS) model. The software is the online application and the cloud provider (the Springfield Nuclear Power Plant in this example) maintains it.

Infrastructure as a Service (IaaS) provides customers with the hardware via the cloud. Customers are responsible for installing the operating system and any applications.
Platform as a Service (PaaS) is a computing platform.
Anything as a Service (XaaS) refers to cloud services beyond IaaS, PaaS, and SaaS but this scenario clearly describes a SaaS model. See Chapter 5.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 1104-1105). YCDA, LLC. Kindle Edition.

30
Q

Your organization has implemented a CYOD Security Policy. The policy mandates the use of Security Controls to protect the devices, and any data on them if they are lost or stolen. Which of the following would BEST meet this goal?

Screen locks and GPS tagging.
Patch Management and Change Management
Screen Locks and Device Encryption
Full Device Encryption and XaaS

A

Screen Locks and Device Encryption

Explanation:
Screen locks provide protection for lost devices by making it more difficult for someone to access the device. Device encryption protects the confidentiality of the data even if someone gets past the screen lock.

Global Positioning System (GPS) tagging includes location information on pictures and other files but won’t help protect a lost or stolen device.
Patch management keeps devices up to date, and change management helps prevent outages from unauthorized changes.
Anything as a Service (XaaS) refers to cloud services beyond IaaS, PaaS, and SaaS. See Chapter 5.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1105). YCDA, LLC. Kindle Edition.

31
Q

Management within your company wants to implement a method that will authorize employee access to the Network based on several elements. These elements include the employee’s identity, location, the time of day, and the type of device used by the employee. Which of the following will BEST meet this need?

Geofencing
Containerization
Tethering
Context-aware Authentication

A

Context-aware Authentication

Explanation:
Context-aware authentication can authenticate a user and a mobile device using multiple elements, including identity, geolocation, time of day, and type of device. None of the other answers meets all the requirements of the question.

A geofence creates a virtual fence, or geographic boundary, and can be used with context-aware authentication.
Containerization isolates an application, protecting it and its data.
Tethering allows one device to share its Internet connection with other devices. See Chapter 5.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1105). YCDA, LLC. Kindle Edition.

32
Q

Personnel should be able to run the BizzFadd app from their mobile devices. However, certain features should only be operational when employees are within the company’s property. When an employee leaves the property, access to these features should be blocked. Which of the following answers provides the BEST solution to meet this goal?

Geofencing
Geolocation
GPS tagging
Containerization

A

Geofencing

Explanation:
Geofencing can be used to create a virtual fence or geographic boundary, outlining the company’s property.

Geolocation is used to identify the location of an object, such as a mobile device. Geofencing will use geolocation to determine when a mobile device is within a geographic boundary, but geolocation without geofencing won’t detect if a user is on the company’s property.
Global Positioning System (GPS) tagging adds geographic data (such as latitude and longitude data) to files indicating when the file was created and is unrelated to this question.
Containerization runs applications in a container to isolate them. See Chapter 5.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 1105-1106). YCDA, LLC. Kindle Edition.

33
Q

A large city is using a SCADA system to manage a water treatment plant. City managers have asked IT personnel to implement Security Controls to reduce the risk of Cybersecurity attacks against ICSs controlled by the SCADA system. Which of the following Security Controls would be MOST relevant to protect this system?

DLP
TPM
FPGA
NIPS

A

NIPS (Network Intrusion Prevention System)

Explanation:
A network intrusion prevention system (NIPS) is the most relevant security control of those listed to reduce risks related to cybersecurity attacks of the supervisory control and data acquisition (SCADA) system, or industrial control systems (ICSs) controlled by the SCADA system. The SCADA system should be within an isolated network, and the NIPS helps provide that isolation.

A data loss prevention (DLP) system helps prevent loss of data but wouldn’t protect a SCADA system from potential attacks.
A Trusted Platform Module (TPM) is a hardware chip on a computer’s motherboard that stores cryptographic keys used for encryption.
A field programmable gate array (FPGA) is an integrated circuit that can be configured after it is sold and is unrelated to this question. See Chapter 5.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1106). YCDA, LLC. Kindle Edition.

34
Q

IT Auditors have found several unmanaged VMs in a Network. They discovered that these were created by administrators for testing but weren’t removed after testing was completed. Which of the following should be implemented to prevent this in the future?

A Policy related to VM sprawl
A Policy related to VM escape protection
A Policy related to XaaS
A Policy related to SDNs

A

A Policy related to VM sprawl

Explanation:
Virtual machine (VM) sprawl occurs when an organization has many VMs that aren’t managed properly, and a policy addressing VM sprawl can reduce or eliminate them. Unmonitored VMs often aren’t updated and can be vulnerable to attacks.

A policy related to VM escape protection addresses problems that allow successful VM escape attacks, such as not keeping VMs updated.
Anything as a Service (XaaS) refers to cloud services beyond IaaS, PaaS, and SaaS and is unrelated to VMs.
A software-defined network (SDN) creates an infrastructure with code instead of hardware routers and switches and is unrelated to VMs. See Chapter 5.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1106). YCDA, LLC. Kindle Edition.

35
Q

Bart recently launched an attack on a company website using Scripts he found on the Internet. Which of the following BEST describes Bart as a threat actor?

Insider
Hacktivist
Script Kiddie
Shadow IT

A

Script Kiddie

Explanation:
In this scenario, Bart is acting as a script kiddie because he is using existing scripts.

An insider works for an organization, but there isn’t any indication that Bart is an employee of the company he attacked.
A hacktivist launches attacks as part of an activist movement, but this scenario doesn’t indicate Bart’s actions are trying to increase awareness about a cause.
Shadow information technology (IT) refers to IT systems deployed by non-IT departments to get around shortcomings with IT systems deployed by a central IT department in a large organization. See Chapter 6.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 1106-1107). YCDA, LLC. Kindle Edition.

36
Q

The Marvin Monroe Memorial Hospital recently suffered a serious attack preventing employees from accessing any computer data. The attackers scattered ReadMe files throughout the Network that appeared on user screens. They indicated that the attackers encrypted all the data, and it would remain encrypted until the attackers received a hefty sum as payment. Which of the following identifies the MOST likely threat actor in this attack?

Criminal Syndicate
Ransomware
Competitors
Hacktivist

A

Criminal Syndicate

Explanation:
Criminal syndicates most likely launched this attack because their motivation is primarily money.

While the scenario describes ransomware, ransomware is the malware, not the threat actor.
Competitors often want to obtain proprietary information, but it would be rare for a hospital competitor to put lives at risk by taking down a hospital’s network and trying to extort money from another hospital.
A hacktivist typically launches attacks to further a cause, not to extort money. See Chapter 6.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1107). YCDA, LLC. Kindle Edition.

37
Q

Gil Gunderson, a salesperson in your organization, received an email on his work computer that included a malicious link. After clicking the link, his computer was infected with malware. The malware was not detected by antivirus software installed on his computer, the organization’s email Server, or the organization’s UTM appliance. After infecting his computer, the malware then searched the Network and encrypted data in all the Network shares that Gil could access. Which of the following BEST describes how this occurred?

The malware represented a zero-day exploit.
The antivirus software indicated false positives.
The malware infection was the result of a backdoor.
The principle of Least Privilege was not implemented.

A

The malware represented a zero-day exploit.

Explanation:
The malware is likely a zero-day attack because the malware was not detected by antivirus software, the email server, or the unified threat management (UTM) appliance. A zero-day exploit wouldn’t be known by antivirus software, so it wouldn’t detect it.

A false positive occurs when antivirus software raises an alert indicating a file is malicious when it isn’t. However, there isn’t any indication that the antivirus software raised an alert.
Malware often installs backdoors that allow attackers access to infected systems without user intervention, but the scenario indicates that Gil clicked the malicious link causing the infection.
If the malware encrypted all network shares, it would indicate that Gil had too many permissions, and the principle of least privilege wasn’t implemented. However, the scenario indicates that the malware only encrypted shares that Gil could access. See Chapter 6.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1107). YCDA, LLC. Kindle Edition.

38
Q

Logs on a Web Server show that it is receiving a significant number of SYN packets from multiple sources on the Internet, but it isn’t receiving the corresponding ACK packets. Of the following choices, what is the MOST likely source of these packets?

DDoS
Ransomware
Worm
Bots

A

Bots

Explanation:
These packets are most likely coming from bots within a botnet that are launching a distributed denial-of-service (DDoS) attack using a SYN flood attack. The attacker sends the SYN packet, the web server responds with the SYN/ACK packet, but the attacker never finishes the TCP handshake with the ACK packet.

While this is a DDoS attack, the question is asking for the likely source of the packets, not what type of attack is taking place.
Ransomware would encrypt data on the system, not send packets to it.
A worm is self-replicating malware that spreads throughout a network. See Chapter 6.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1108). YCDA, LLC. Kindle Edition.

39
Q

Management recently mandated that computer monitors be re-positioned to ensure they cannot be viewed from outside any windows. Additionally, users are directed to place screen filters over their monitors. What is the purpose of this policy?

Reduce success of Phishing.
Reduce success of Shoulder Surfing.
Reduce success of Dumpster Diving.
Reduce success of Prepending.

A

Reduce Success of Shoulder Surfing.

Explanation:
Shoulder surfing is the practice of viewing data by looking over someone’s shoulder and it includes looking at computer monitors. Positioning monitors so that they cannot be viewed through a window and/or placing screen filters over the monitors reduces this threat.

Phishing is an email attack.
Dumpster diving is the practice of looking through dumpsters.
Prepending simply means to add something to the beginning of something else, and social engineers often prepend queries with valid information to make their query seem valid. See Chapter 6.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1108). YCDA, LLC. Kindle Edition.

40
Q

Bart’s supervisor told him to clean his desk to comply with the organization’s clean desk space policy. While doing so, he threw several papers containing PII in the recycle bin. Which type of attack can exploit this action?

SPIM
Dumpster Diving
Shoulder Surfing
Tailgating

A

Dumpster Diving

Explanation:
Dumpster divers look through trash or recycling containers for valuable paperwork, such as documents that include Personally Identifiable Information (PII). Instead, paperwork should be shredded or incinerated.

Spam over Internet messaging (SPIM) refers to unwanted text messages sent to mobile devices.
Shoulder surfers attempt to view monitors or screens, not papers thrown into the trash or recycling containers.
Tailgating is the practice of following closely behind someone else without using proper credentials. See Chapter 6.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1108). YCDA, LLC. Kindle Edition.

41
Q

Your organization’s CFO recently received an email indicating the organization is being sued. Further, the email names her specifically as a defendant in the lawsuit. It includes an attachment described as a subpoena and encourages her to open it for more information. Which of the following BEST describes the social engineering principle used by the sender in this scenario?

Whaling
Phishing
Authority
Consensus

A

Authority

Explanation:
The sender is using the social engineering principle of authority in this scenario. A chief financial officer (CFO) would respect legal authorities and might be more inclined to open an attachment from such an authority.

The scenario describes whaling, which is a specific type of phishing attack. However, whaling and phishing are attacks, not social engineering principles.
The social engineering principle of consensus attempts to show that other people like a product, but this is unrelated to this scenario. See Chapter 6.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 1108-1109). YCDA, LLC. Kindle Edition.

42
Q

Users are complaining about intermittent connectivity with a Web Server. After examining the logs, you identify a large volume of connection attempts from Public IP Addresses. You realize these connection attempts are overloading the Server, preventing it from responding to other connections. Which of the following is MOST likely occurring?

DDoS Attack
DNS Poisoning Attack
Replay Attack
ARP Poisoning Attack

A

DDoS Attack (Distributed Denial of Service)

Explanation:
A distributed denial-of-service (DDoS) attack includes attacks from multiple systems with the goal of depleting the target’s resources, and this scenario indicates multiple connection attempts from different IP addresses.

A Domain Name System (DNS) poisoning attack attempts to redirect web browsers to malicious URLs.
A replay attack doesn’t overload a system but instead allows the attacker to intercept data and use it to impersonate a user or system.
An Address Resolution Protocol (ARP) poisoning attack gives clients false hardware address updates, and attackers use it to redirect or interrupt network traffic. See Chapter 7.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1109). YCDA, LLC. Kindle Edition.

43
Q

An application on one of your database Servers has crashed several times recently. Examining detailed debugging logs, you discover that just prior to crashing, the database application is receiving a long series of x90 characters. What is MOST likely occurring?

SQL Injection
Buffer Overflow
XML Injection
Zero-Day

A

Buffer Overflow

Explanation:
Buffer overflow attacks include a series of no operation (NOP) commands, such as hexadecimal 90 (x90). When successful, they can crash applications and expose memory, allowing attackers to run malicious code on the system.

SQL injection attacks and Extensible Markup Language (XML) injection attacks do not use NOP commands.
Zero-day attacks are unknown or undocumented, but attacks using NOP commands are known. See Chapter 7.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1109). YCDA, LLC. Kindle Edition.

44
Q

Your organization recently experienced a significant data breach. After an investigation, Cybersecurity professionals found that the initial attack originated from an internally developed application. Normally users can only access the application by logging on. However, the application allowed the attacker access to the application without requiring the attacker to log on. Which of the following would have the BEST chance of preventing this attack?

Code Review
Backdoor
DDoS Protection
Keylogger

A

Code Review

Explanation:
A code review would have the best chance of preventing this attack.

The scenario describes a backdoor in the internally developed application, but the backdoor is a vulnerability that allowed the attack and won’t prevent the attack.
Distributed denial of service (DDoS) protection can help thwart DDoS attacks, but there’s no indication that this is a DDoS attack.
A keylogger logs keystrokes of users so would not prevent an attack. See Chapter 7.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 1109-1110). YCDA, LLC. Kindle Edition.

45
Q

** A software development process merges code changes from developers working on a project several times a day. It uses automation to validate the code and tracks changes using Version Control processes. Which of the following BEST describes this process?

Continuous Integration
Continuous Validation
Continuous Delivery
Continuous Monitoring

A

Continuous Integration

Explanation:
This describes continuous integration, which merges changes from multiple developers and uses version control processes to track the changes.

Continuous validation revalidates code after every change and is frequently part of CI, but continuous validation by itself doesn’t include version control.
Continuous delivery comes after CI and provides an automated process that delivers changes to a testing or staging environment.
Continuous monitoring monitors code changes to detect compliance issues and security threats. See Chapter 7.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1110). YCDA, LLC. Kindle Edition.

46
Q

Martin is performing a Risk Assessment. He is trying to identify the number of times a specific type of incident occurred in the previous year. Which of the following BEST identifies this?

ALE
ARO
SLE
RPO

A

ARO (Annualized Rate of Occurrence)

Explanation:
The annual rate of occurrence (ARO) is the best choice to identify how many times a specific type of incident occurs in a year.

Annual loss expectancy (ALE) identifies the expected monetary loss for a year and single loss expectancy (SLE) identifies the expected monetary loss for a single incident. ALE = SLE × ARO and if you know any two of these values, you can identify the third value. For example, ARO = ALE / SLE.
The recovery point objective (RPO) identifies a point in time where data loss is acceptable, but it doesn’t refer to the number of times an incident occurred. See Chapter 8.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1110). YCDA, LLC. Kindle Edition.

47
Q

Lisa recently reviewed a Security advisory. She’s using it to review logs and looking for activity mentioned in the Security advisory. Which of the following BEST describes what she is doing?

Creating OSINT
Threat Hunting
Penetration Testing
Performing Reconnaissance

A

Threat Hunting

Explanation:
Threat hunting is the process of actively looking for threats within a network, and security advisories provide information on threats, including their tactics, techniques, and procedures (TTPs).

Security advisories are one type of open source intelligence (OSINT) used in threat hunting, but she is reading the OSINT, not creating it.
Penetration testing actively assesses deployed security controls within a system or network. It is much more than reviewing logs.
Reconnaissance methods attempt to learn as much as possible about a target, but Lisa is examining her own network. See Chapter 8.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 1110-1111). YCDA, LLC. Kindle Edition.

48
Q

You recently completed a vulnerability scan on your Network. It reported several Servers are missing key operating system patches. However, after checking the Servers, you’ve verified that the Servers have these patches installed. Which of the following BEST describes this?

False Negative
Misconfiguration on Servers
False Positive
Non-Credentialed Scan

A

False Positive

Explanation:
In this scenario, the vulnerability scanner reported a false positive indicating that the servers had a vulnerability, but the servers did not have the vulnerability.

A false negative occurs if a vulnerability scanner does not report a known vulnerability. There isn’t any indication that the servers are misconfigured.
The scenario doesn’t indicate if the scan was run under an account’s context (credentialed or non-credentialed), so this answer isn’t relevant to the question. See Chapter 8.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1111). YCDA, LLC. Kindle Edition.

49
Q

An external Security Auditor recently completed a Security Assessment. He discovered that a system has a vulnerability that two previous Security Assessments detected. Which of the following BEST explains this?

The scanner is reporting false negative.
The vendor has not created a Security patch.
The scans ran as credentialed scans.
The system is misconfigured.

A

The vendor has not created a Security patch.

Explanation:
If a vendor has not created a patch for a known vulnerability, vulnerability scanners will report the vulnerability (assuming they know about the vulnerability).

False negatives are not reported so they will not appear in a vulnerability scanner’s output.
If scans are reporting the same vulnerability, it may be because a non-credentialed scan is reporting incorrect results, but a credentialed scan is more accurate than a non-credentialed scan.
There isn’t any indication that the system is misconfigured. See Chapter 8.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1111). YCDA, LLC. Kindle Edition.

50
Q

Your organization regularly performs training in the form of a game mimicking an exercise. One team oversees the exercise, sets the rules, and identifies the Rules of Engagement. Another team uses known TTPs to exploit vulnerabilities within the Rules of Engagement. You are on a team dedicated to defending resources. Which of the following BEST describes your role?

A member of the Red Team.
A member of the Blue Team.
A member of the Purple Team.
A member of the White Team.

A

A member of the Blue Team

Explanation:
A blue team defends and since you are on a team dedicated to defending resources, you are a member of the blue team.

A red team attacks and they often use known tactics, techniques, and procedures (TTPs) of attackers to simulate actual attacks.
A purple team is a group of people who can perform on either a red team or a blue team.
The white team oversees the exercise, sets the rules, and identifies the rules of engagement. See Chapter 8.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1111). YCDA, LLC. Kindle Edition.

51
Q

You are running a vulnerability scanner with an access level that gives the best chance of detecting vulnerabilities. Which of the following BEST describes the type of scan you are running?

Non-Credentialed Scan
A Port Scan
A Non-Intrusive Scan
Credentialed Scan

A

Credentialed Scan

Explanation:
A credentialed scan runs with a high level of access and is better at detecting vulnerabilities than a non-credentialed scan.

A non-credentialed scan runs without any account privileges.
A port scan detects open ports on a server.
Vulnerability scanners are generally non-intrusive, but this doesn’t give a scanner any specific access level. See Chapter 8.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 1111-1112). YCDA, LLC. Kindle Edition.

52
Q

You suspect that an attacker has been sending specially crafted TCP packets to a server trying to exploit a vulnerability. You decide to capture TCP packets being sent to this Server for later analysis and you want to use a command-line tool to do so. Which of the following tools will BEST meet your need?

Tcpreplay
Tcpdump
Netcat
Wiredump

A

Tcpdump

Explanation:
The tcpdump command-line tool is the best choice of the given answers. It is a command-line packet analyzer (or protocol analyzer) and its primary purpose is to capture packets.

Tcpreplay is a suite of utilities used to edit packet captures and resend them, not capture packets.
Netcat is useful for remotely accessing systems and can be used for banner grabbing, but it doesn’t capture packets.
Wiredump isn’t a valid tool name. Wireshark (not included as an answer choice) is a graphic-based packet analyzer that can be started from the command line, but tcpdump includes more command-line options than Wireshark. See Chapter 8.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1112). YCDA, LLC. Kindle Edition.

53
Q

Your company wants to control access to a restricted area of the building by adding an additional physical security control that includes facial recognition. Which of the following provides the BEST solution?

Bollards
Guards
Retina Scanners
Cameras

A

Guards

Explanation:
Security guards can protect access to restricted areas with facial recognition and by checking the identities of personnel before letting them in. In some cases, the guards might recognize people, and in other situations, they might compare people’s faces with their security badge. None of the other answers uses facial recognition.

Bollards are effective barricades to block vehicles, but they do not block personnel.
Retina scanners are effective biometric access devices, but they only scan part of the eye, not the whole face.
Cameras can monitor who goes in and out of an area, but they do not control the access. See Chapter 9.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1112). YCDA, LLC. Kindle Edition.

54
Q

Thieves recently rammed a truck through the entrance of one of your organization’s buildings in the middle of the night. They then proceeded to steal a significant amount of IT equipment. Which of the following choices can prevent this from happening again?

Bollards
Guards
CCTV
Alarms

A

Bollards

Explanation:
Bollards are effective barricades that can block vehicles.

Guards can restrict access for personnel, but they cannot stop trucks from ramming through a building.
Closed-circuit television (CCTV) or a similar video surveillance system can monitor the entrance, but it won’t stop the attack.
Alarms can go off after the truck rams through the entrance, but they won’t stop the attack. See Chapter 9.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 1112-1113). YCDA, LLC. Kindle Edition.

55
Q

Fileserver1 hosts several files accessed by users in your organization, and it’s important that they can always access these files. Management wants to implement a solution to increase Cybersecurity resilience. Which of the following is the LOWEST cost solution to meet this requirement?

Active/Active Load Balancing
Active/Passive Load Balancing
RAID
Warm Site

A

RAID (Redundant Array of Inexpensive Disks)

Explanation:
A redundant array of inexpensive disks (RAID) subsystem is a relatively low-cost solution for disk fault tolerance. By providing fault tolerance, it increases availability and resilience.

Load balancing (active/active and active/passive) requires additional servers, which are significantly more expensive than RAID.
A warm site is a separate location, which can also be expensive. See Chapter 9.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1113). YCDA, LLC. Kindle Edition.

56
Q

** You need to identify and mitigate potential single points of failure in your organization’s Security Operations. Which of the following policies would be the BEST choice to help you find them?

A Disaster Recovery Plan
A Business Impact Analysis
Annualized Loss Expectancy
Separation of Duties

A

Separation of Duties

Explanation:
A separation of duties policy is the best answer. In this context, if only one person can perform tasks within the organization’s security operations, that person becomes a single point of failure. None of the other answers address a single point of failure.

A disaster recovery plan (DRP) identifies how to recover critical systems and data after a disaster.
A business impact analysis (BIA) helps an organization identify critical systems and components.
An annualized loss expectancy (ALE) identifies the expected annual loss from a known risk. See Chapter 9.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1113). YCDA, LLC. Kindle Edition.

57
Q

** Compu-Global-Hyper-Mega-Net hosts a website selling digital products. Marketing personnel have launched several successful sales. The Server has been overwhelmed, resulting in slow responses from the Server and lost sales. Management wants to implement a solution that will provide Cybersecurity resilience. Which of the following is the BEST choice?

Managed PDUs
Certificates
Web Application Firewall
Load Balancing

A

Load Balancing

Explanation:
Load balancing shifts the load among multiple servers and provides cybersecurity resilience by increasing the site’s availability by adding additional nodes when necessary.

Managed power distribution units (PDUs) are used to remotely monitor energy consumption in a data center.
Certificates can be used for identity, authentication, confidentiality, and integrity but won’t provide resilience due to overloading resources on a server.
A web application firewall helps protect a web server against attacks, but it does not increase availability from normal client requests. See Chapter 9.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1113). YCDA, LLC. Kindle Edition.

58
Q

** The backup policy for a database Server states that the amount of time needed to perform backups should be minimized. Which of the following backup plans would BEST meet this need?

Full backups on Sunday and Full backups on the other six days of the week.

Full backups on Sunday and Differential backups on the other six days of the week.

Full backups on Sunday and Incremental backups on the other six days of the week.

Differential backups on Sunday and Incremental backups on the other six days of the week.

A

Full backup on Sunday and Incremental backups on the other six days of the week.

Explanation:
A full/incremental backup strategy is the best option with one full backup on one day and incremental backups on the other days. The incremental backups will take a relatively short time compared with the other methods.

A full backup every day would require the most time every day.
Differential backups become steadily larger as the week progresses and take more time to back up than incremental backups.
Backups must start with a full backup, so a differential/incremental backup strategy is not possible. See Chapter 9.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1114). YCDA, LLC. Kindle Edition.

59
Q

A Security analyst is creating a document that includes the expected monetary loss from a major outage. She is calculating the potential impact on life, property, finances, and the organization’s reputation. Which of the following documents is she MOST likely creating?

BCP
BIA
MTBF
RPO

A

BIA (Business Impact Analysis)

Explanation:
A business impact analysis (BIA) includes information on potential monetary losses along with information on essential and critical functions, recovery plans, and more. It is the most likely document of those listed that would include this information.

A business continuity plan (BCP) includes a BIA, but the BIA is more likely to include this information than the BCP.
The mean time between failures (MTBF) provides a measure of a system’s reliability.
The recovery point objective (RPO) refers to the amount of data you can afford to lose, but it does not include monetary losses. See Chapter 9.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1114). YCDA, LLC. Kindle Edition.

60
Q

You are helping a Risk Management team update the Business Impact Analysis for your organization. For one system, the plan requires an RTO of five hours and an RPO of one day. Which of the following would meet this requirement?

Ensure the system can be restored within five hours and ensure it does not lose more than one day of data.

Ensure the system can be restored within one day and ensure it does not lose more than five hours of data.

Ensure the system can be restored between five hours and one day after an outage.

Ensure critical systems can be restored within five hours and noncritical systems can be restored within one day.

A

Ensure the system can be restored within five hours and ensure it does not lose more than one day of data.

Explanation:
The recovery time objective (RTO) identifies the maximum amount of time it should take to restore a system after an outage.

The recovery point objective (RPO) refers to the amount of data you can afford to lose.
RTO only refers to time, not data. RPO refers to data recovery points, not time to restore a system. See Chapter 9.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1114). YCDA, LLC. Kindle Edition.

61
Q

Marge is updating the Business Impact Analysis (BIA) for your organization. She needs to document the time needed to return a database Server to an operational state after a failure. Which of the following would she use?

MTTR
MTBF
SLE
ARO

A

MTTR (Mean Time To Repair)

Explanation:
The mean time to recover (MTTR) identifies the average time (the arithmetic mean) it takes to restore a failed system and is commonly used when preparing a business impact analysis (BIA).

The mean time between failures (MTBF) identifies the average (the arithmetic mean) time between failures.
The single loss expectancy (SLE) identifies the cost of any single loss.
The annual rate of occurrence (ARO) identifies how many times a loss is expected to occur in a year. Multiplying SLE * ARO identifies the annual loss expectancy (ALE). See Chapter 9.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 1114-1115). YCDA, LLC. Kindle Edition.

62
Q

Lisa needs to transmit PII via email and she wants to maintain its confidentiality. Which of the following choices is the BEST solution?

Use Hashes
Encrypt it before sending.
Protect it with a Digital Signature
Use RAID

A

Encrypt it before sending.

Explanation:
Encryption is used to maintain the confidentiality of any data, including Personally Identifiable Information (PII).

Hashes provide integrity, not confidentiality.
A digital signature provides authentication, non-repudiation, and integrity.
A redundant array of inexpensive disks (RAID) provides higher availability for a disk subsystem. See Chapter 10.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1115). YCDA, LLC. Kindle Edition.

63
Q

Employees in your organization recently received an email that appeared to come from your organization’s CEO. The email mentioned that IT personnel were troubleshooting an Authentication issue and needed employees to reply to the email with their credentials. Several employees responded with their credentials. This was a phishing campaign created for user training, and it spoofed the CEO’s email. Executives want to ensure that employees have proof that any emails that appear to be coming from the executives did come from them. Which of the following should be implemented?

Digital Signatures
Spam Filter
Role-based Training
Heuristic-based Detection

A

Digital Signatures

Explanation:
A digital signature provides assurances of who sent an email and meets the goal of this scenario.

Although a spam filter might filter a spear phishing attack, it does not provide assurances about who sent an email.
Role-based training provides targeted training for employees based on their roles, but any type of training wouldn’t provide assurances about who sent an email.
Some antivirus software includes heuristic-based detection. Heuristic-based detection attempts to detect viruses that were previously unknown and do not have virus signatures. See Chapter 10.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1115). YCDA, LLC. Kindle Edition.

64
Q

As an administrator, you receive an antivirus alert from a Server in your Network indicating one of the files has a Hash of known malware. The file was pushed to the Server from the organization’s patch management system and is scheduled to be applied to the Server early the next morning. The antivirus software indicates that the file and hash of the malware on the server are:

File: gcga_upgrade.exe
Hash: bd64571e26035d95e5e9232b4affb915

Checking the logs of the patch management system, you see the following information:

Status    Update Name         Hash
Pushed    gcga_upgrade.exe    b815571e26035d95e5e9232b4aff48db

Which of the following indicates what MOST likely occurred?

The file was infected after it was pushed out to the Server.

The file was embedded with crypto-malware before it was pushed to the Server.

The file was listed in the patch management system’s blacklist.

The file was infected when the patch management system downloaded it.

A

The file was infected after it was pushed out to the Server.

Explanation:
Of the given choices, the file was most likely infected after it was pushed out to the server. This is because the hash of the file is different on the server than it is on the patch management system.

The scenario doesn’t indicate what type of infection the malware has, so it isn’t possible to tell if it is crypto-malware or another type of malware.
A blacklist blocks files so if the file were listed in the patch management system’s blacklist, the patch management system wouldn’t push it out to systems.
If it were infected before it was pushed out to the server, it would have the same hash. See Chapter 10.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 1115-1116). YCDA, LLC. Kindle Edition.

65
Q

** Tony hid several plaintext documents within an image file. He then sent the image file to Louie. Which of the following BEST describes the purpose of his actions?

To support Steganography
To support Integrity
To support Resilience
To support Obfuscation

A

To support Obfuscation

Explanation:
Hiding data within data is one way to support the use case of obfuscation, and Tony is attempting to send the text files within the image file to obscure his intent.

In this scenario, Tony is using steganography to hide the files within the image, but that is the method, not the purpose.
Hashing methods and digital signatures support integrity.
Redundancy and fault-tolerance methods increase availability, supporting resiliency. See Chapter 10.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1116). YCDA, LLC. Kindle Edition.

66
Q

** Lisa and Bart need to exchange emails over the Internet using a non-secure channel. These emails need to provide non-repudiation. They decide to use Certificates on each of their computers. What would they use to sign their emails?

CRL
OCSP
CSR
CA
DSA

A

DSA (Digital Signature Algorithm)

Explanation:
A Digital Signature Algorithm (DSA) is used to create a digital signature and they would sign their emails with a digital signature.

A certificate revocation list (CRL) is a list of revoked certificates.
Online Certificate Status Protocol (OCSP) is an alternative to a CRL and provides a real-time response indicating the validity of a certificate.
The certificate signing request (CSR) is used to request a certificate.
A certificate authority (CA) manages certificates and would sign certificates issued to users. A certificate is needed to create a digital signature, but the certificate itself can’t sign an email. See Chapter 10.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1116). YCDA, LLC. Kindle Edition.

67
Q

Administrators have noticed a significant amount of OCSP traffic sent to an intermediate CA. They want to reduce this traffic. Which of the following is the BEST choice to meet this need?

Pinning
Digital Signatures
Stapling
Hashing

A

Stapling

Explanation:
Online Certificate Status Protocol (OCSP) stapling reduces OCSP traffic sent to a certificate authority (CA). Certificate presenters append a timestamped, digitally signed OCSP response to a certificate.

Public key pinning includes a list of public key hashes in HTTPS responses from the web server. While pinning helps validate certificates, it is unrelated to OCSP.
Neither digital signatures (used for non-repudiation) nor hashing (used for integrity) will reduce OCSP traffic. See Chapter 10.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1116). YCDA, LLC. Kindle Edition.

68
Q

A company is hosting an e-commerce site that uses Certificates for HTTPS. Management wants to ensure that users can verify the validity of these Certificates even if elements of the Internet suffer an extended outage. Which of the following provides the BEST solution?

OCSP
PEM
SAN
CRL

A

CRL (Certificate Revocation List)

Explanation:
A certificate revocation list (CRL) provides the best solution in this scenario. After a CRL is retrieved, systems hold a copy of it in cache. Instead of downloading the same CRL every time a system needs to validate a certificate, they just look at the cached copy of the CRL.

Online Certificate Status Protocol (OCSP) is an alternative to a CRL and provides a real-time response to validate certificates. Because OCSP responds in real time, it is susceptible to Internet outages.
Privacy enhanced mail (PEM) certificates are not used to validate other certificates.
A subject alternative name (SAN) certificate is used for multiple domains that have different names but are owned by the same organization. See Chapter 10.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1117). YCDA, LLC. Kindle Edition.

69
Q

A Security Auditor discovered that several employees in the Accounting department can print and sign checks. In her final report, she recommended restricting the number of people who can print checks and the number of people who can sign them. She also recommended that no one should be authorized to both print and sign checks. Which Security policy does this describe?

Discretionary Access Control
Rule-based Access Control
Separation of Duties
Job Rotation

A

Separation of Duties

Explanation:
This recommendation enforces the separation of duties principle, which prevents any individual person from performing multiple job functions that might allow the person to commit fraud.

Discretionary access control specifies that every object has an owner but doesn’t separate duties.
Devices such as routers use a rule-based access control model, but it doesn’t separate duties.
Job rotation policies rotate employees into different jobs, but they don’t necessarily separate job functions. See Chapter 11.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1117). YCDA, LLC. Kindle Edition.

70
Q

Bart recently resigned and left your organization. Later, IT personnel determined that he deleted several files and folders on a Server share after he left the organization. Further, they determined that he did so during the weekend while the organization was closed. Which of the following account management practices would have prevented his actions?

Onboarding
Time-of-Day Restrictions
Account Audit
Offboarding

A

Offboarding

Explanation:
Offboarding is the process of removing an employee’s access when he leaves the organization, and this is typically done during the exit interview. Because the employee deleted the files and shares after he left the organization, it indicates offboarding processes were not performed.

Onboarding is the process of granting appropriate access to employees when they are first hired.
Time-of-day restrictions might have prevented the employee from accessing resources during the weekend while the organization was closed. However, there isn’t any indication that the organization wanted to restrict employees from accessing resources during off-hours.
An account audit might have identified the account but not as quickly as offboarding processes done during an exit interview. Additionally, audits are typically done periodically, such as monthly. See Chapter 11.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 1117-1118). YCDA, LLC. Kindle Edition.

71
Q

Your organization hired a third-party Security professional to assess vulnerabilities. The Security professional discovered a Server was running an application that hasn’t been updated for eight years. Management decided to keep the application online because there isn’t a newer version from the vendor. Which of the following BEST describes why the application doesn’t have a newer version?

MSA
AUP
MSSP
EOL

A

EOL (End of Life)

Explanation:
When a system reaches its end of life (EOL), a vendor no longer offers it for sale, and the vendor stops releasing updates for it. This scenario indicates management has weighed the risks and decided to keep the application. While not available as a possible answer, end of service life (EOSL) would be more specific. EOSL is the date when a vendor no longer supports a product and would no longer create patches or upgrades. The other answers are unrelated to the question.

Measurement systems analysis (MSA) evaluates processes and tools used to make measurements.
An acceptable use policy (AUP) defines proper system usage for employees when using IT systems.
A managed security service provider (MSSP) is a third-party vendor that provides security services for smaller companies. See Chapter 11.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1118). YCDA, LLC. Kindle Edition.

72
Q

A Help-Desk professional has begun to receive several calls from employees related to malware. Using common incident response procedures, which of the following should be her FIRST response to these calls?

Preparation
Identification
Eradication
Recovery

A

Identification

Explanation:
At this stage, the first response is incident identification.

The preparation phase is performed before an incident and includes steps to prevent incidents.
After identifying this as a valid incident (malware infection), the next steps are containment, eradication, recovery, and lessons learned. See Chapter 11.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1118). YCDA, LLC. Kindle Edition.

73
Q

Homer reported suspicious activity on his computer. After investigating, you verify that his computer is infected with malware. Which of the following steps should you take NEXT?

Identification
Preparation
Containment
Eradication

A

Containment

Explanation:
After identifying an incident, the next step is containment. The scenario indicates you have identified the incident as a malware infection.

Preparation is the first step in an incident response process but done BEFORE an incident occurs.
Eradication attempts to remove all elements of the incident after first containing it.
The last two steps in the incident response process are recovery and lessons learned. See Chapter 11.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 1118-1119). YCDA, LLC. Kindle Edition.

74
Q

Security personnel confiscated Bart’s workstation after a Security incident. Administrators removed the hard drive for forensic analysis but were called away to troubleshoot an outage before capturing an image of the drive. They left it unattended for several hours before returning to begin their analysis. Later, legal personnel stated that the analysis results would not be admissible in a court of law. What is the MOST likely reason for the lack of admissibility?

Witnesses were not identified.
A Chain of Custody was not maintained.
An Order of Volatility was not maintained.
A Hard Drive analysis was not complete.

A

A Chain of Custody was not maintained.

Explanation:
A chain of custody was not maintained because the hard drive was left unattended for several hours before capturing an image.

Witnesses were not mentioned but are not needed for the hard drive if the chain of custody was maintained.
The order of volatility does not apply here, but the hard drive is not volatile.
Analysis would occur after capturing an image, but there isn’t any indication it wasn’t done or wasn’t complete. See Chapter 11.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1119). YCDA, LLC. Kindle Edition.

75
Q

Your organization is involved in a lawsuit, and a judge issued a court order requiring your organization to keep all emails from the last three years. Your data retention policy states that email should only be maintained from the previous 12 months. After investigating, administrators realize that backups contain emails from the last three years. What should they do with these backups?

Backups older than 12 months should be deleted to comply with the data retention policy of the company.

Backups for the last 12 months should be protected to comply with the legal hold.

Backups for the last 2 years should be protected to comply with the legal hold.

Backups for the last 3 years should be protected to comply with the legal hold.

A

Backups for the last 3 years should be protected to comply with the legal hold.

Explanation:
The court order specified a legal hold on email from the last three years, so all the backups for the last three years should be kept.

If the backups had been destroyed before the court order, they wouldn’t be available, so the legal hold wouldn’t apply to them.
Deleting them after the court order is illegal.
Protecting only the backups from the last 12 months or the last two years doesn’t comply with the court order. See Chapter 11.

Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 1119). YCDA, LLC. Kindle Edition.