CompTIA Security Certification
Question No: 521 – (Topic 3)
Which of the following is BEST used to capture and analyze network traffic between hosts on the same network segment?
Answer: A Explanation:
A Protocol Analyzer is a hardware device or more commonly a software program used to capture network data communications sent between devices on a network. Capturing and analyzing the packets sent from two systems that are not communicating properly could help determine the cause of the issue.
Well known software protocol analyzers include Message Analyzer (formerly Network Monitor) from Microsoft and Wireshark (formerly Ethereal).
Question No: 522 – (Topic 3)
A network administrator identifies sensitive files being transferred from a workstation in the LAN to an unauthorized outside IP address in a foreign country. An investigation determines that the firewall has not been altered, and antivirus is up-to-date on the workstation. Which of the following is the MOST likely reason for the incident?
Answer: D Explanation:
This question states that antivirus is up-to-date on the workstation and the firewall has not been altered. The antivirus software is up to date with all ‘known’ viruses. A zero day vulnerability is an unknown vulnerability so a patch or virus definition has not been released yet.
A zero day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it-this exploit is called a zero day attack. Uses of zero day attacks can include infiltrating malware, spyware or allowing unwanted access to user information. The term “zero day” refers to the unknown nature of the hole to those outside of the hackers, specifically, the developers. Once the vulnerability becomes known, a race begins for the developer, who must protect users.
Question No: 523 – (Topic 3)
Four weeks ago, a network administrator applied a new IDS and allowed it to gather baseline data. As rumors of a layoff began to spread, the IDS alerted the network administrator that access to sensitive client files had risen far above normal. Which of the following kind of IDS is in use?
Answer: D Explanation:
Most intrusion detection systems (IDS) are what is known as signature-based. This means that they operate in much the same way as a virus scanner, by searching for a known identity – or signature – for each specific intrusion event. And, while signature-based IDS is very efficient at sniffing out known methods of attack, it does, like anti-virus software, depend on receiving regular signature updates, to keep in touch with variations in hacker technique. In other words, signature-based IDS is only as good as its database of stored signatures.
Any organization wanting to implement a more thorough – and hence safer – solution, should consider what we call anomaly-based IDS. By its nature, anomaly-based IDS is a
rather more complex creature. In network traffic terms, it captures all the headers of the IP packets running towards the network. From this, it filters out all known and legal traffic, including web traffic to the organization#39;s web server, mail traffic to and from its mail server, outgoing web traffic from company employees and DNS traffic to and from its DNS server.
There are other equally obvious advantages to using anomaly-based IDS. For example, because it detects any traffic that is new or unusual, the anomaly method is particularly good at identifying sweeps and probes towards network hardware. It can, therefore, give early warnings of potential intrusions, because probes and scans are the predecessors of all attacks. And this applies equally to any new service installed on any item of hardware – for example, Telnet deployed on a network router for maintenance purposes and forgotten about when the maintenance was finished. This makes anomaly-based IDS perfect for detecting anything from port anomalies and web anomalies to mis-formed attacks, where the URL is deliberately mis-typed.
Question No: 524 – (Topic 3)
While opening an email attachment, Pete, a customer, receives an error that the application has encountered an unexpected issue and must be shut down. This could be an example of which of the following attacks?
Answer: B Explanation:
When the user opens an attachment, the attachment is loaded into memory. The error is caused by a memory issue due to a buffer overflow attack.
A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information – which has to go somewhere – can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.
Although it may occur accidentally through programming error, buffer overflow is an increasingly common type of security attack on data integrity. In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new
instructions to the attacked computer that could, for example, damage the user#39;s files, change data, or disclose confidential information. Buffer overflow attacks are said to have arisen because the C programming language supplied the framework, and poor programming practices supplied the vulnerability.
Question No: 525 – (Topic 3)
Which of the following is the MOST intrusive type of testing against a production system?
White box testing
Answer: D Explanation:
Penetration testing is the most intrusive type of testing because you are actively trying to circumvent the system’s security controls to gain access to the system.
Penetration testing (also called pen testing) is the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit.
Pen tests can be automated with software applications or they can be performed manually. Either way, the process includes gathering information about the target before the test (reconnaissance), identifying possible entry points, attempting to break in (either virtually or for real) and reporting back the findings.
The main objective of penetration testing is to determine security weaknesses. A pen test can also be used to test an organization#39;s security policy compliance, its employees#39; security awareness and the organization#39;s ability to identify and respond to security incidents.
Penetration tests are sometimes called white hat attacks because in a pen test, the good guys are attempting to break in.
Pen test strategies include: Targeted testing
Targeted testing is performed by the organization#39;s IT team and the penetration testing team working together. It#39;s sometimes referred to as a quot;lights-turned-onquot; approach because everyone can see the test being carried out.
This type of pen test targets a company#39;s externally visible servers or devices including domain name servers (DNS), e-mail servers, Web servers or firewalls. The objective is to find out if an outside attacker can get in and how far they can get in once they#39;ve gained access.
This test mimics an inside attack behind the firewall by an authorized user with standard access privileges. This kind of test is useful for estimating how much damage a disgruntled employee could cause.
A blind test strategy simulates the actions and procedures of a real attacker by severely limiting the information given to the person or team that#39;s performing the test beforehand. Typically, they may only be given the name of the company. Because this type of test can require a considerable amount of time for reconnaissance, it can be expensive.
Double blind testing
Double blind testing takes the blind test and carries it a step further. In this type of pen test, only one or two people within the organization might be aware a test is being conducted.
Double-blind tests can be useful for testing an organization#39;s security monitoring and incident identification as well as its response procedures.
Question No: 526 – (Topic 3)
Users have been reporting that their wireless access point is not functioning. They state that it allows slow connections to the internet, but does not provide access to the internal network. The user provides the SSID and the technician logs into the company’s access point and finds no issues. Which of the following should the technician do?
Change the access point from WPA2 to WEP to determine if the encryption is too strong
Clear all access logs from the AP to provide an up-to-date access list of connected users
Check the MAC address of the AP to which the users are connecting to determine if it is an imposter
Reconfigure the access point so that it is blocking all inbound and outbound traffic as a troubleshooting gap
The users may be connecting to a rogue access point. The rogue access point could be hosting a wireless network that has the same SSID as the corporate wireless network. The only way to tell for sure if the access point the users are connecting to is the correct one is to check the MAC address. Every network card has a unique 48-bit address assigned.
A media access control address (MAC address) is a unique identifier assigned to network interfaces for communications on the physical network segment. MAC addresses are used as a network address for most IEEE 802 network technologies, including Ethernet and WiFi. Logically, MAC addresses are used in the media access control protocol sublayer of the OSI reference model.
MAC addresses are most often assigned by the manufacturer of a network interface controller (NIC) and are stored in its hardware, such as the card#39;s read-only memory or some other firmware mechanism. If assigned by the manufacturer, a MAC address usually encodes the manufacturer#39;s registered identification number and may be referred to as the burned-in address (BIA). It may also be known as an Ethernet hardware address (EHA), hardware address or physical address. This can be contrasted to a programmed address, where the host device issues commands to the NIC to use an arbitrary address.
A network node may have multiple NICs and each NIC must have a unique MAC address. MAC addresses are formed according to the rules of one of three numbering name spaces managed by the Institute of Electrical and Electronics Engineers (IEEE): MAC-48, EUI-48, and EUI-64.
Question No: 527 – (Topic 3)
All executive officers have changed their monitor location so it cannot be easily viewed when passing by their offices. Which of the following attacks does this action remediate?
Answer: C Explanation:
Viewing confidential information on someone’s monitor is known as shoulder surfing. By moving their monitors so they cannot be seen, the executives are preventing users passing by ‘shoulder surfing’.
Shoulder surfing is using direct observation techniques, such as looking over someone#39;s shoulder, to get information. Shoulder surfing is an effective way to get information in crowded places because it#39;s relatively easy to stand next to someone and watch as they fill out a form, enter a PIN number at an ATM machine, or use a calling card at a public pay phone. Shoulder surfing can also be done long distance with the aid of binoculars or other vision-enhancing devices. To prevent shoulder surfing, experts recommend that you shield paperwork or your keypad from view by using your body or cupping your hand.
Question No: 528 – (Topic 3)
Which of the following attacks impact the availability of a system? (Select TWO).
Answer: A,D Explanation:
A smurf attack is a type of network security breach in which a network connected to the Internet is swamped with replies to ICMP echo (PING) requests. A smurf attacker sends PING requests to an Internet broadcast address. These are special addresses that broadcast all received messages to the hosts connected to the subnet. Each broadcast address can support up to 255 hosts, so a single PING request can be multiplied 255 times. The return address of the request itself is spoofed to be the address of the attacker#39;s victim. All the hosts receiving the PING request reply to this victim#39;s address instead of the real sender#39;s address. A single attacker sending hundreds or thousands of these PING messages per second can fill the victim#39;s T-1 (or even T-3) line with ping replies, bring the entire Internet service to its knees.
Smurfing falls under the general category of Denial of Service attacks – security attacks that don#39;t try to steal information, but instead attempt to disable a computer or network.
A Distributed Denial of Service (DDoS) attack is an attack from several different computers targeting a single computer.
One common method of attack involves saturating the target machine with external communications requests, so much so that it cannot respond to legitimate traffic, or responds so slowly as to be rendered essentially unavailable. Such attacks usually lead to
a server overload.
A distributed denial-of-service (DDoS) attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. Such an attack is often the result of multiple compromised systems (for example a botnet) flooding the targeted system with traffic. When a server is overloaded with connections, new connections can no longer be accepted. The major advantages to an attacker of using a distributed denial-of-service attack are that multiple machines can generate more attack traffic than one machine, multiple attack machines are harder to turn off than one attack machine, and that the behavior of each attack machine can be stealthier, making it harder to track and shut down. These attacker advantages cause challenges for defense mechanisms. For example, merely purchasing more incoming bandwidth than the current volume of the attack might not help, because the attacker might be able to simply add more attack machines. This after all will end up completely crashing a website for periods of time.
Question No: 529 – (Topic 3)
Purchasing receives an automated phone call from a bank asking to input and verify credit card information. The phone number displayed on the caller ID matches the bank. Which of the following attack types is this?
Answer: C Explanation:
Vishing (voice or VoIP phishing) is an electronic fraud tactic in which individuals are tricked into revealing critical financial or personal information to unauthorized entities. Vishing works like phishing but does not always occur over the Internet and is carried out using voice technology. A vishing attack can be conducted by voice email, VoIP (voice over IP), or landline or cellular telephone.
The potential victim receives a message, often generated by speech synthesis, indicating that suspicious activity has taken place in a credit card account, bank account, mortgage account or other financial service in their name. The victim is told to call a specific telephone number and provide information to quot;verify identityquot; or to quot;ensure that fraud does not occur.quot; If the attack is carried out by telephone, caller ID spoofing can cause the
victim#39;s set to indicate a legitimate source, such as a bank or a government agency.
Vishing is difficult for authorities to trace, particularly when conducted using VoIP. Furthermore, like many legitimate customer services, vishing scams are often outsourced to other countries, which may render sovereign law enforcement powerless.
Consumers can protect themselves by suspecting any unsolicited message that suggests they are targets of illegal activity, no matter what the medium or apparent source. Rather than calling a number given in any unsolicited message, a consumer should directly call the institution named, using a number that is known to be valid, to verify all recent activity and to ensure that the account information has not been tampered with.
Question No: 530 – (Topic 3)
A database administrator receives a call on an outside telephone line from a person who states that they work for a well-known database vendor. The caller states there have been problems applying the newly released vulnerability patch for their database system, and asks what version is being used so that they can assist. Which of the following is the BEST action for the administrator to take?
Thank the caller, report the contact to the manager, and contact the vendor support line to verify any reported patch issues.
Obtain the vendor’s email and phone number and call them back after identifying the number of systems affected by the patch.
Give the caller the database version and patch level so that they can receive help applying the patch.
Call the police to report the contact about the database systems, and then check system logs for attack attempts.
Answer: A Explanation:
Impersonation is where a person, computer, software application or service pretends to be someone or something it’s not. Impersonation is commonly non-maliciously used in client/server applications. However, it can also be used as a security threat.
In this question, the person making the call may be impersonating someone who works for a well-known database vendor. The actions described in this answer would mitigate the risk. By not divulging information about your database system and contacting the vendor directly, you can be sure that you are talking to the right people.
100% Ensurepass Free Download!
–Download Free Demo:SY0-401 Demo PDF
100% Ensurepass Free Guaranteed!
–Download 2018 EnsurePass SY0-401 Full Exam PDF and VCE
|Lowest Price Guarantee||Yes||No||No|
|Free VCE Simulator||Yes||No||No|