SYO-501 Study Guide Flashcards
A security administrator wants to implement a log-on script that will prevent MITM attacks on the local LAN. Which of the following commands should the security administrator implement within the script to accomplish this task?
A: ARP -s 192.168.1.1 00-3a-d1-fa-b1-06
B: dig -x@192.168.1.1 mypc.comptia.com
C: nmap -A -T4 192.168.1.1
D: tcpdump -Inv host 192.168.1.1 or either 00:3a:d1:fa:b1:06
A
An actor downloads and runs a program against a corporate login page. The program imports a list of usernames and passwords, looking for a successful attempt. Which of the following terms BEST describes the actor in this situation? A: Script kiddie B: Hacktivist C: Cryptologist D: Security Auditor
A
A penetration tester harvests potential usernames from a social networking site. The penetration tester then uses social engineering to attempt to obtain associated passwords to gain unauthorized access to shares on a network server. Which of the following methods is the penetration tester MOST likely using? A: Escalation of privilege B: SQL injection C: Active Reconnaissance D: Proxy server
C
A vulnerability scan is being conducted against a desktop system. The scan is looking for files, versions, and registry values known to be associated with system vulnerabilities. Which of the following BEST describes the type of scan being performed? A: Non-intrusive B: Authenticated C: Credentialed D: Active
C
A third-party penetration testing company was able to successfully use an ARP cache poison technique to gain root access on a server. The tester successfully moved to another server that was not in the original network. Which of the following is the MOST likely method used to gain access to the other host? A: Backdoor B: Pivoting C: Persistence D: Logic Bomb
B
Which of the following is commonly done as part of a vulnerability scan? A: Exploiting misconfigured applications B: Cracking employee passwords C: Sending phishing emails to employees D: Identifying unpatched workstations
D
A security analyst is attempting to break into a client's secure network. The analyst was not given prior information about the client, except for a block of public IP addresses that are currently in use. After network enumeration, the analyst's NEXT step is to perform: A: a gray-box penetration test. B: a risk analysis. C: a vulnerability assessment. D: an external security audit. E: a red team exercise.
A
Which of the following BEST describes a network-based attack that can allow an attacker to take full control of a vulnerable host? A: Remote exploit B: Amplification C: Sniffing D: Man-in-the-middle
A
Which of the following describes the key difference between vishing and phishing attacks?
A: Phishing is used by attackers to steal a person’s identity.
B: Vishing attacks require some knowledge of the target of attack.
C: Vishing attacks are accomplished using telephony services.
D: Phishing is a category of social engineering attack.
C
Which of the following should a security analyst perform FIRST to determine the vulnerabilities of a legacy system? A: Passive scan B: Aggressive scan C: Credentialed scan D: Intrusive scan
A
Which of the following components of printers and MFDs are MOST likely to be used as vectors of compromise if they are improperly configured? A: Embedded web server B: Spooler C: Network interface D: LCD control panel
A
A user downloads and installs an MP3 converter, and runs the application. Upon running the application, the antivirus detects a new port in a listening state. Which of the following has the user MOST likely executed? A: RAT B: Worm C: Ransomware D: Bot
A
Which of the following threat actors is MOST likely to steal a company's proprietary information to gain a market edge and reduce time to market? A: Competitor B: Hacktivist C: Insider D: Organized crime
A
Which of the following specifically describes the exploitation of an interactive process to access otherwise restricted areas of the OS? A: Pivoting B: Process affinity C: Buffer overflow D: XSS
C
Which of the following differentiates a collision attack from a rainbow table attack?
A: A rainbow table attack performs a hash lookup.
B: A rainbow table attack uses the hash as a password.
C: In a collision attack, the hash and the input data are equivalent.
D: In a collision attack, the same input results in different hashes.
A
A security administrator is diagnosing a server where the CPU utilization is at 100% for 24 hours. The main culprit of CPU utilization is the antivirus program. Which of the following issues could occur if left unresolved? (Select TWO) A: MITM attack B: DoS attack C: DLL injection D: Buffer overflow E: Resource exhaustion
B&E
A security analyst conducts a manual scan on a known hardened host that identifies many non-compliant items. Which of the following BEST describe why this has occurred? (Select TWO)
A: Privileged-user certificates were used to scan the host
B: Non-applicable plug-ins were selected in the scan policy
C: The incorrect audit file was used
D: The output of the report contains false positives
E: The target host has been compromised
B&D
When attackers use a compromised host as a platform for launching attacks deeper into a company's network, it is said that they are: A: Escalating privilege B: Becoming persistent C: Fingerprinting D: Pivoting
D
A Chief Information Officer (CIO) recently saw on the news that a significant security flaw exists with a specific version of a technology the company uses to support many critical applications. The CIO wants to know if this reported vulnerability exists in the organization and, if so, to what extent the company could be harmed. Which of the following would BEST provide the needed information? A: Penetration test B: Vulnerability scan C: Active reconnaissance D: Patching assessment report
A
Which of the following attack types BEST describes a client-side attack that is used to manipulate an HTML iframe with JavaScript code via a web browser? A: Buffer overflow B: MITM C: XSS D: SQLi
C
Which of the following uses precomputed hashes to guess passwords? A: Iptables B: NAT tables C: Rainbow tables D: ARP tables
C
In determining when it may be necessary to perform a credentialed scan against a system instead of a non-credentialed scan, which of the following requirements is MOST likely to influence its decisions?
A: The scanner must be able to enumerate the host OS of devices scanned
B: The scanner must be able to footprint the network
C: The scanner must be able to check for open ports with listening services
D: The scanner must be able to audit file system permissions
D
A company has noticed multiple instances of proprietary information on public websites. It has also observed an increase in the number of email messages sent to random employees containing malicious links and PDFs. Which of the following changes should the company make to reduce the risks associated with phishing attacks? (Select TWO)
A: Install an additional firewall
B: Implement a redundant email server
C: Block access to personal email on corporate systems
D: Update the X.509 certificates on the corporate email server
E: Update corporate policy to prohibit access to social media websites
F: Review access violation on the file server
C&E
A security analyst is mitigating a pass-the-hash vulnerability on a Windows infrastructure. Given the requirement, which of the following should the security analyst do to MINIMIZE the risk? A: Enable CHAP B: Disable NTLM C: Enable Kerberos D: Disable PAP
B
A systems administrator found a suspicious file in the root of the file system. The file contains URLs, usernames, passwords, and text from other documents being edited on the system. Which of the following types of malware would generate such a file? A: Keylogger B: Rootkit C: Bot D: RAT
B
A remote intruder wants to take inventory of a network so exploits can be researched. The intruder is looking for information about software versions on the network. Which of the following techniques is the intruder using? A: Banner grabbing B: Port scanning C: Packet sniffing D: Virus scanning
A
A technician is investigating a potentially compromised device with the following symptoms:
-Browser slowness
-Frequent browser crashes
-Hourglass stuck
-New search toolbar
-Increased memory consumption
Which of the following types of malware has infected the system?
A: Man-in-the-browser
B: Spoofer
C: Spyware
D: Adware
D
An external attacker can modify the ARP cache of an internal computer. Which of the following types of attacks is described? A: Replay B: Spoofing C: DNS poisoning D: Client-side attack
B
A new security administrator ran a vulnerability scanner for the first time and caused a system outage. Which of the following types of scans MOST likely caused the outage? A: Non-intrusive credentialed scan B: Non-intrusive non-credentialed scan C: Intrusive credentialed scan D: Intrusive non-credentialed scan
D
Which of the following types of penetration test will allow the tester to have access only to password hashes prior to the penetration test? A: Black box B: Gray box C: Credentialed D: White box
B
Which of the following threats has sufficient knowledge to cause the MOST danger to an organization? A: Competitors B: Insiders C: Hacktivists D: Script kiddies
B
Ann, a customer, is reporting that several important files are missing from her workstation. She recently received communication from an unknown party who is requesting funds to restore the files. Which of the following attacks has occurred? A. Ransomware B. Keylogger C. Buffer overflow D. Rootkit
A
An analyst is using a vulnerability scanner to look for common security misconfigurations on devices. Which of the following might be identified by the scanner? (Select TWO).
A: The firewall is disabled on workstations.
B: SSH is enabled on servers.
C: Browser homepages have not been customized.
D: Default administrator credentials exist on networking hardware.
E: The OS is only set to check for updates once a day.
A&D
A malicious system continuously sends an extremely large number of SYN packets to a server. Which of the following BEST describes the resulting effect?
A: The server will be unable to serve clients due to lack of bandwidth
B: The server’s firewall will be unable to effectively filter traffic due to the amount of data transmitted
C: The server will crash when trying to reassemble all the fragmented packets
D: The server will exhaust its memory maintaining half-open connections
D
A systems administrator is deploying a new mission-essential server into a virtual environment. Which of the following is BEST mitigated by the environment's rapid elasticity characteristic? A: Data confidentiality breaches B: VM escape attacks C: Lack of redundancy D: Denial of service
D
A help desk technician receives a phone call from an individual claiming to be an employee of the organization and requesting assistance to access a locked account. The help desk technician asks the individual to provide proof of identity before access can be granted. Which of the following types of attack is the caller performing? A: Phishing B: Shoulder surfing C: Impersonation D: Dumpster diving
C
A security auditor is testing perimeter security in a building that is protected by badge readers. Which of the following types of attacks would MOST likely gain access? A: Phishing B: Man-in-the-middle C: Tailgating D: Watering hole E: Shoulder surfing
C
A senior incident response manager receives a call about some external IPs communicating with internal computers during off hours. Which of the following types of malware is MOST likely causing this issue? A. Botnet B. Ransomware C. Polymorphic malware D. Armored virus
A
The POODLE attack is an MITM exploit that affects: A: TLS1.0 with CBC mode cipher B: SSLv2.0 with CBC mode cipher C: SSLv3.0 with CBC mode cipher D: SSLv3.0 with ECB mode cipher
C
Ann, a user, states that her machine has been behaving erratically over the past week. She has experienced slowness and input lag and found text files that appear to contain pieces of her emails or online conversations with coworkers. The technician runs a standard virus scan but detects nothing. Which of the following types of malware has infected the machine? A: Ransomware B: Rootkit C: Backdoor D: Keylogger
D
A security analyst is attempting to identify vulnerabilities in a customer's web application without impacting the system or its data. Which of the following BEST describes the vulnerability scanning concept performed? A: Aggressive scan B: Passive scan C: Non-credentialed scan D: Compliance scan
B
A user receives an email from the ISP indicating that malicious traffic coming from the user’s home network has been detected. The traffic appears to be Linux-based, and it is targeting a website that was recently featured on the news as being taken offline by an Internet attack. The only Linux device on the network is a home surveillance camera system. Which of the following BEST describes what is happening?
A: The camera system is infected with a bot.
B: The camera system is infected with a RAT.
C: The camera system is infected with a Trojan.
D: The camera system is infected with a backdoor.
A
A network administrator is reviewing the following IDS logs:
[insert photo]
Based on the above information, which of the following types of malware is triggering the IDS?
A: Trojan
B: Bot
C: Logic Bomb
D: Worm
D
Hacktivists are commonly motivated by which of the following? A: Curiosity B: Notoriety C: Financial Gain D: Political Cause
D
An organization’s IT department announced plans to update workstation operating systems to the latest version after electing to skip the prior two versions. Which of the following vulnerabilities is the organization seeking to mitigate?
A: Incompatibility issues with currently implemented software
B: Lack of vendor support on the version currently in use
C: Poorly defined security baselines
D: Use of expired certificates on the network
B
A security analyst is conducting a web application vulnerability scan against the company website. Which of the following is considered an intrusive scan? A: Ping Sweep B: Time-delay port scanning C: Service identification D: Cipher suite order
D
An auditor confirms the risk associated with a Windows-specific vulnerability, which was discovered by the company's security tool, does not apply due to the server running a Linux OS. Which of the following does this BEST describe? A: Inherent risk B: Attack vector C: False positive D: Remediation
C
Which of the following BEST describes the impact of an unremediated session timeout vulnerability?
A: The credentials of a legitimate user could be intercepted and reused to log in when the legitimate user is offline.
B: An attacker has time to attempt brute-force password cracking.
C: More than one user may be allowed to concurrently connect to the system, and an attacker can use one of those concurrent connections.
D: An attacker could use an existing session that has been initiated by a legitimate user.
D
A technician is evaluating malware that was found on the enterprise network. After reviewing samples of the malware's binaries, the technician finds each has a different hash associated with it. Which of the following types of malware is MOST likely present in the environment? A: Trojan B: Polymorphic worm C: Logic Bomb D: Armored Virus
B
An employee in the finance department receives an email, which appears to come from the Chief Financial Officer (CFO), instructing the employee to immediately wire a large sum of money to a vendor. Which of the following BEST describes the principles of social engineering used? (Select TWO)
A. Familiarity B. Scarcity C. Urgency D. Liking E. Consensus F. Authority
C&F
A security analyst is assigned to perform a penetration test for one of the company's clients. During the scope discussion, the analyst is notified that the client is not going to share any information related to the environment to be tested. Which of the following BEST identifies the type of penetration testing? A: Black box B: White box C: Gray box D: Blue teaming
A
A website form is used to register new students at a university. The form passes the unsanitized values entered by the user and uses them to directly add the student's information to several core systems. Which of the following attacks can be used to gain further access due to this practice? A: Cross-site request forgeries. B: XSS attacks C: MITM attacks D: SQL Injection
D
During a routine review of firewall log reports, a security technician notices multiple successful logins for the admin user during unusual hours. The technician contacts the network administrator, who confirms the logins were not related to the administrator’s activities. Which of the following is the MOST likely reason for these logins?
A: Firewall maintenance service windows were scheduled.
B: Default credentials were still in place.
C: The entries in the log were caused by the file Integrity monitoring system.
D: A blue team was conducting a penetration test on a firewall.
B
A security auditor is performing a vulnerability scan to find out if mobile applications used in the organization are secure. The auditor finds out that one application has been accessed remotely with no legitimate account credentials. After investigating, it seems the application has allowed some user to bypass authentication of that application. Which of the following types of malware allows such a compromise to take place? (Select TWO).
A: RAT
B: Ransomware
C: Worm
D: Trojan
E: Backdoor
A&E
Which of the following differentiates ARP poisoning from a MAC spoofing attack?
A: ARP poisoning uses unsolicited ARP replies.
B: ARP poisoning overflows a switch’s CAM table.
C: MAC spoofing uses DHCPOFFER/DHCPACK packets
D: MAC spoofing can be performed across multiple routers.
A
Which of the following is a major difference between XSS attacks and remote code exploits?
A: XSS attacks use machine language, while remote exploits use interpreted language.
B: XSS attacks target servers, while remote code exploits target clients.
C: Remote code exploits aim to escalate attackers’ privileges, while XSS attacks aim to gain access only.
D: Remote code exploits allow writing code at the client side and executing it, while XSS attacks require no code to work.
D
Compared to a non-credentialed scan, which of the following is a unique result of a credentialed scan?
A: Uncommon open ports on the host
B: Outdated software versions on the host
C: Self-signed certificate on the host
D: Fully qualified domain name
B
The network team has detected a large amount of traffic between workstations on the network. The traffic was initially very light, but it is increasing exponentially as the day progresses. Which of the following types of malware might be suspected? A: Backdoor B: Rootkit C: Worm D: Spyware
C
A penetration tester is assessing a large organization and obtains a valid set of basic user credentials from a compromised computer. Which of the following is the MOST likely to occur? A: Impersonation B: Credential harvesting C: Password cracking D: Lateral movement
B
An employee is having issues when attempting to access files on a laptop. The machine was previously running slow, and many files were not accessible. The employee is not able to access the hard drive the next day, and all the file names were changed to some random names. Which of the following BEST represents what compromised the machine? A: Ransomware B: Worm C: Crypto-malware D: RAT
C
A security manager discovers the most recent vulnerability scan report illustrates low-level non-critical findings. Which of the following scanning concepts would BEST report critical threats? A: Non-credentialed scan B: Compliance scan C: Intrusive scan D: Application scan
C
A penetration testing team deploys a specifically crafted payload to a web server, which results in opening a new session as the web server daemon. This session has full read/write access to the file system and the admin console. Which of the following BEST describes the attack? A: Domain hijacking B: Injection C: Buffer overflow D: Privilege escalation
B
An analyst is part of a team that is investigating a potential breach of sensitive data at a large organization, which serves the financial sector. The organization suspects a breach occurred when proprietary data was disclosed to the public. The team finds servers were accessed using shared credentials that have been in place for some time. In addition, the team discovers undocumented firewall rules, which provided unauthorized external access to a server. Suspecting the activities of a malicious insider threat, which of the following was the MOST likely to have been utilized to exfiltrate the proprietary data? A: Keylogger B: Botnet C: Crypto-malware D: Backdoor E: Ransomware F: DLP
D
Which of the following enables sniffing attacks against a switched network? A: ARP poisoning B: IGMP snooping C: IP spoofing D: Syn flooding
A
A public announcement is made about a newly discovered, rapidly spreading virus. The security team immediately updates and applies all its antivirus signatures. The security manager contacts the antivirus vendor support team to ask why one of the systems was infected. The vendor support team explains that the signature update is not available for this virus yet. Which of the following BEST describes this situation? A: Race condition B: Zero day C: Lack of vendor support D: Untrained users
B
While browsing an external website, a human resources manager opens several links in new browser tabs to review later. After browsing 20 minutes, a full screen message appears in a completely new browser window with a critical error code and a help desk number to call. At the same time, an audio message plays over the laptop speaker, describing a critical error and warning that the IP address of the laptop will be blocked until the critical issue is resolved. The human resources manager is unable to escape out of the error message, and the keyboard is not responsive. After alerting the security team, the human resources manager holds down the power button to turn off the laptop and then powers it back on, which rectifies the issue. Which of the following BEST describes the type of attack the human resources manager is experiencing? A: Spyware B: Ransomware C: Adware D: Logic bomb
C
A security analyst is monitoring the network and observes unusual traffic coming from a host on the LAN. Using a network monitoring tool, the analyst observes the following information:
[insert photo]
After ten seconds, some computers shown in the IP Dst field start to exhibit the same behavior and immediately make multiple outbound connection attempts. Based on this observed behavior, which of the following is the MOST likely cause?
A: Users are running port scans on the network.
B: A malicious host is performing a MITM attack.
C: An amplified DDoS attack is in progress.
D: A worm is attacking the network.
E: A race condition is being leveraged.
D