Users in an organization are experiencing problems when attempting to access certain websites. The users report that when they type in a legitimate URL, different boxes appear on the screen, making it difficult to access the legitimate sites. Which of the following would best mitigate this issue?
A. Pop-up blockers B. URL filtering C. Antivirus D. Anti-spam
The librarian wants to secure the public Internet kiosk PCs at the back of the library. Which of the following would be the MOST appropriate? (Select TWO).
A. Device encryption B. Antivirus C. Privacy screen D. Cable locks E. Remote wipe
Correct Answer: B,D Section: Application, Data and Host Security
B: Antivirus software protects a system against viruses and other malicious code. Viruses are designed to spread from one system to another, and a public PC that many untrusted users
touch (and plug removable media into) is particularly exposed to them.
D: Cable locks are theft deterrent devices that tether a device to a fixed point so that it cannot simply be picked up and carried off.
A: Device encryption encrypts the data on the device. This feature ensures that the data on the device cannot be accessed in a useable form should the device be stolen.
C: A privacy screen is a filter fitted over the display that reduces glare and, more to the point, narrows the viewing angle so the screen cannot be read from the side. It protects the
privacy of whoever is using the kiosk at that moment; it does nothing to secure the PC itself.
E: Remote wipe is the process of deleting data on a device in the event that the device is stolen. This is performed over remote connections such as the mobile phone service or the
internet connection and helps ensure that sensitive data is not accessed by unauthorized people.
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 161-162, 418-419
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 236, 237
A network administrator identifies sensitive files being transferred from a workstation in the LAN to an unauthorized outside IP address in a foreign country. An investigation determines that the firewall has not been altered, and antivirus is up-to-date on the workstation. Which of the following is the MOST likely reason for the incident?
A. MAC Spoofing B. Session Hijacking C. Impersonation D. Zero-day
Correct Answer: D Section: Threats and Vulnerabilities
This question states that antivirus is up-to-date on the workstation and the firewall has not been altered. The antivirus software is up to date with all ‘known’ viruses. A zero day
vulnerability is an unknown vulnerability so a patch or virus definition has not been released yet.
A zero day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by attackers before the vendor becomes aware and hurries to fix it;
this exploit is called a zero day attack. Uses of zero day attacks can include infiltrating malware, spyware or allowing unwanted access to user information. The term "zero day"
refers to the fact that the hole is unknown to everyone but the attackers, and in particular to the developers, who have had zero days to fix it. Once the vulnerability becomes known, a race begins for the developer, who must protect users.
A: This is not an example of MAC Spoofing. MAC Spoofing can be used to ‘redirect’ traffic to a different host. However, in this question the data is being sent to another country. The
traffic will therefore be going through several routers. MAC Spoofing only works when the host is on the same broadcast domain as the intended destination host.
B: Session hijacking, also known as TCP session hijacking, is a method of taking over a web user's session by surreptitiously obtaining the session ID (by sniffing or predicting it) and masquerading as the
authorized user. Once the attacker holds the session ID, they can do anything that user is authorized to do for the life of the session. In this question nothing indicates that an
existing session was taken over; the data is being sent out from the workstation itself, so session hijacking does not fit.
C: Impersonation is where a person, computer, software application or service pretends to be someone it’s not. It is unlikely that a person in a foreign country is accessing the data by
A company is looking to improve their security posture by addressing risks uncovered by a recent penetration test. Which of the following risks is MOST likely to affect the business on a day-to-day basis?
A. Insufficient encryption methods B. Large scale natural disasters C. Corporate espionage D. Lack of antivirus software
Correct Answer: D Section: Threats and Vulnerabilities
The most common threat to computers is computer viruses. A computer can become infected with a virus through day-to-day activities such as browsing web sites or emails. As
browsing and opening emails are the most common activities performed by all users, computer viruses represent the most likely risk to a business.
A: Insufficient encryption methods do not represent the most likely risk to a business. Even where a weak algorithm is still in use, exploiting it takes deliberate effort by an attacker
who has first obtained the ciphertext. This is not something that happens on a day-to-day basis.
B: Large scale natural disasters obviously are bad for computer networks. However, they’re pretty rare. They certainly don’t happen on a day-to-day basis. Computers becoming
infected with a virus are much more common.
C: Corporate espionage is a risk to any business. However, it doesn’t happen on a day-to-day basis. Computers becoming infected with a virus are much more common.
Using a heuristic system to detect an anomaly in a computer’s baseline, a system administrator was able to detect an attack even though the company signature based IDS and antivirus did not detect it. Further analysis revealed that the attacker had downloaded an executable file onto the company PC from the USB port, and executed it to trigger a privilege escalation flaw. Which of the following attacks has MOST likely occurred?
A. Cookie stealing B. Zero-day C. Directory traversal D. XML injection
Correct Answer: B
Section: Threats and Vulnerabilities
The signature based IDS and antivirus had no signature for the executable or for the flaw it triggered, which is why only the heuristic system comparing the PC against its baseline noticed the attack. An attack that exploits a flaw for which no signature or patch yet exists is a zero day attack.
A zero day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it —this exploit is called a zero day attack. Uses of zero day attacks can include infiltrating malware, spyware or allowing unwanted access to user information. The term “zero day” refers to the unknown nature of the hole to those outside of the hackers, specifically, the developers. Once the vulnerability becomes known, a race begins for the developer, who must protect users.
A: In computer science, session hijacking, sometimes also known as cookie hijacking or cookie stealing is the exploitation of a valid computer session—sometimes also called a session key—to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server. It has particular relevance to web developers, as the HTTP cookies used to maintain a session on many web sites can be easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim’s computer. This is not what is described in this question.
C: Directory traversal is a form of HTTP exploit in which an attacker abuses the software on a web server to access files outside the directory the server is meant to serve from (the web root). If the attempt is successful, the attacker can view restricted files or even execute commands on the server.
Although some educated guesswork is involved in finding paths to restricted files on a Web server, a skilled hacker can easily carry out this type of attack on an inadequately protected server by searching through the directory tree. The risk of such attacks can be minimized by careful Web server programming, the installation of software updates and patches, filtering of input from browsers, and the use of vulnerability scanners. This is not what is described in this question.
D: When a web user takes advantage of a weakness with SQL by entering values that they should not, it is known as a SQL injection attack. Similarly, when the user enters values that query XML (known as XPath) with values that take advantage of exploits, it is known as an XML injection attack. XPath works in a similar manner to SQL, except that it does not have the same levels of access control, and taking advantage of weaknesses within can return entire documents. The best way to prevent XML injection attacks is to filter the user’s input and sanitize it to make certain that it does not cause XPath to return more data than it should. This is not what is described in this question.
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, p. 337
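The question above turns on the difference between signature matching and baseline/heuristic detection: an executable that has never been seen before has no signature, but its behaviour still deviates from what the PC normally does. The following is an added example, not code from the study guide, of a minimal baseline detector. It scores constructed process-creation events against a constructed baseline of known executable hashes (placeholder digests, not real file hashes), an assumed set of removable-media drive letters, and the Windows integrity level of the new process versus its parent; a combination of indicators raises an alert even though no signature matched.

```python
# Added example (not from the study guide): a tiny baseline/heuristic detector of the
# kind the question describes. It scores process-creation events against what the PC
# normally runs, so an unknown binary run from USB that then spawns a child at a higher
# integrity level is flagged even when no AV/IDS signature exists for it.
# All hashes, paths and events below are constructed sample data.

INTEGRITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "System": 3}

# Assumed drive letters for removable media on this PC (site specific in practice).
REMOVABLE_PREFIXES = ("D:\\", "E:\\", "F:\\")

# Baseline: SHA-256 of executables observed during a known-clean period.
# Placeholder digests, not real file hashes.
BASELINE_HASHES = {
    "11" * 32: r"C:\Windows\explorer.exe",
    "22" * 32: r"C:\Windows\System32\notepad.exe",
    "33" * 32: r"C:\Windows\System32\cmd.exe",
}

# Weights: a single indicator is noise, a combination is worth an alert.
W_UNKNOWN_HASH, W_REMOVABLE, W_INTEGRITY_JUMP = 1, 1, 2
ALERT_THRESHOLD = 2


def score_event(ev, baseline=BASELINE_HASHES):
    """Return (score, reasons) for one process-creation event."""
    score, reasons = 0, []
    if ev["sha256"] not in baseline:
        score += W_UNKNOWN_HASH
        reasons.append("hash not in baseline")
    if ev["image"].upper().startswith(REMOVABLE_PREFIXES):
        score += W_REMOVABLE
        reasons.append("executed from removable media")
    if INTEGRITY_RANK[ev["integrity"]] > INTEGRITY_RANK[ev["parent_integrity"]]:
        score += W_INTEGRITY_JUMP
        reasons.append("runs at higher integrity than its parent")
    return score, reasons


def find_anomalies(events, baseline=BASELINE_HASHES, threshold=ALERT_THRESHOLD):
    """Events whose score reaches the threshold, as (image, score, reasons)."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev, baseline)
        if score >= threshold:
            hits.append((ev["image"], score, reasons))
    return hits


# Constructed event log: a normal notepad launch, then the scenario in the question.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\notepad.exe", "sha256": "22" * 32,
     "parent": r"C:\Windows\explorer.exe", "integrity": "Medium", "parent_integrity": "Medium"},
    {"image": r"E:\setup_update.exe", "sha256": "de" * 32,
     "parent": r"C:\Windows\explorer.exe", "integrity": "Medium", "parent_integrity": "Medium"},
    {"image": r"C:\Windows\System32\cmd.exe", "sha256": "33" * 32,
     "parent": r"E:\setup_update.exe", "integrity": "System", "parent_integrity": "Medium"},
]

if __name__ == "__main__":
    for image, score, reasons in find_anomalies(SAMPLE_EVENTS):
        print(f"ALERT score={score} {image}: {', '.join(reasons)}")
```

Note that the third event is a perfectly ordinary, baselined cmd.exe; what gets it flagged is the jump from a Medium-integrity parent to a System-integrity child, which is the observable side effect of the privilege escalation flaw the question mentions. That is the point of baselining behaviour rather than file content: the unknown USB executable scores on what it is, and its child scores on what it did.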
Sara, a user, downloads a keygen to install pirated software. After running the keygen, system performance is extremely slow and numerous antivirus alerts are displayed. Which of the following BEST describes this type of malware?
A. Logic bomb B. Worm C. Trojan D. Adware
Correct Answer: C Section: Threats and Vulnerabilities
In computers, a Trojan is a program in which malicious or harmful code is contained inside apparently harmless programming or data in such a way that it can get control and do its chosen form of damage, such as ruining the file allocation table on your hard disk. In one celebrated case, a Trojan was a program that was supposed to find and destroy computer viruses. A Trojan horse may be widely redistributed as part of a computer virus. In this question the keygen is the apparently useful program that carries the malicious payload: Sara ran it deliberately, and the damage followed.
A: A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. For example, a programmer may hide a piece of code that starts deleting files should they ever be terminated from the company.
B: A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it. Unlike a computer virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer. A computer worm is not what is described in this question.
D: Adware is free software that is supported by advertisements. Common adware programs are toolbars that sit on your desktop or work in conjunction with your Web browser. They include features like advanced searching of the Web or your hard drive and better organization of your bookmarks and shortcuts. Adware can also be more advanced programs such as games or utilities. They are free to use, but require you to watch advertisements as long as the programs are open. Since the ads often allow you to click to a Web site, adware typically requires an active Internet connection to run. Most adware is safe to use, but some can serve as spyware, gathering information about you from your hard drive, the Web sites you visit, or your keystrokes. Spyware programs can then send the information over the Internet to another computer. So be careful what adware you install on your computer. Make sure it is from a reputable company and read the privacy agreement that comes with it. Adware is not what is described in this question.
An Information Systems Security Officer (ISSO) has been placed in charge of a classified peer-to-peer network that cannot connect to the Internet. The ISSO can update the antivirus definitions manually, but which of the following steps is MOST important?
A. A full scan must be run on the network after the DAT file is installed. B. The signatures must have a hash value equal to what is displayed on the vendor site. C. The definition file must be updated within seven days. D. All users must be logged off of the network prior to the installation of the definition file.
Correct Answer: B Section: Compliance and Operational Security
B: The definition file is being carried onto the isolated network by hand, so there is no trusted update channel to vouch for it. Comparing the file's hash with the value published on the vendor's site verifies that the file arrived intact and unmodified: a cryptographic hash function is collision resistant, meaning it is computationally infeasible to find two different inputs that produce the same hash value, so a matching value means the ISSO is installing the file the vendor actually released. Thus the hash value must be equal to that displayed on the vendor site.
A: A full scan checks the state of the hosts after the update; it says nothing about whether the definition file itself is genuine, which is the concern when the file cannot be fetched over a trusted connection.
C: The seven-day figure is not a stated requirement; the question is about the integrity of the update, not its timing.
D: Users do not need to be logged off the network to install a definition file.
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, p. 255
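What the answer above amounts to in practice is a hash check on the sneaker-netted file. The following is an added example, not code from the study guide or from any vendor, that hashes a definition file in chunks and compares the result with the vendor-published digest. The file contents and the "vendor" digest are constructed here (the digest is computed from the constructed sample, since no real vendor file is involved); in real use the digest is read from the vendor's site over HTTPS on a connected machine and typed or copied across.

```python
# Added example (not from the study guide): verify a manually transferred DAT file
# against the SHA-256 digest published by the vendor. Sample data is constructed.
import hashlib
import hmac
import os
import tempfile

# Constructed stand-in for a definition (DAT) file carried in on removable media.
SAMPLE_DAT = b"constructed sample definition file content\n"
# Stand-in for the digest printed on the vendor's download page; computed from the
# sample here because no real vendor file is involved.
VENDOR_SHA256 = hashlib.sha256(SAMPLE_DAT).hexdigest()


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large DAT file need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file_hash(path, expected_hex):
    """True only if the file's SHA-256 equals the vendor's published value.

    The published value is normalised (whitespace, case) because it is usually copied
    by hand. A malformed digest is an error, not a mismatch, so a typo is not
    silently reported as 'file tampered'.
    """
    expected = "".join(expected_hex.split()).lower()
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("expected a 64-character hex SHA-256 digest")
    return hmac.compare_digest(sha256_file(path), expected)


def write_sample(data=SAMPLE_DAT):
    """Write constructed bytes to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".dat")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def corrupt_first_byte(path):
    """Simulate damage or tampering in transit by flipping the first byte."""
    with open(path, "r+b") as f:
        first = f.read(1)
        f.seek(0)
        f.write(bytes([first[0] ^ 0xFF]))


if __name__ == "__main__":
    path = write_sample()
    print("intact  :", verify_file_hash(path, VENDOR_SHA256))   # True
    corrupt_first_byte(path)
    print("altered :", verify_file_hash(path, VENDOR_SHA256))   # False
    os.remove(path)
```

The caveat a practitioner would add: the check only proves the file matches what the vendor published. If the digest and the file travel over the same untrusted path, an attacker who can swap one can swap both, so the digest must come from the vendor's site over an authenticated connection, and a vendor-signed package, where one is offered, is stronger than a bare hash.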
A Windows-based computer is infected with malware and is running too slowly to boot and run a malware scanner. Which of the following is the BEST way to run the malware scanner?
A. Kill all system processes B. Enable the firewall C. Boot from CD/USB D. Disable the network connection
Correct Answer: C Section: Network Security
Antivirus companies frequently create boot discs you can use to scan and repair your computer. These tools can be burned to a CD or DVD or installed onto a USB drive. You can then restart your computer and boot from the removable media. A special antivirus environment will load where your computer can be scanned and repaired.
A: Killing all system processes would destabilise or crash the operating system rather than free it up, and would not get a scanner running. It is not the BEST way to run the malware scanner.
B: The basic purpose of a firewall is to isolate one network from another. It does nothing to help a scanner run on a machine that can barely boot. It is not the BEST way to run the malware scanner.
D: Disabling the network connection is a reasonable containment step, but it does not address a system that is too slow to boot and run the scanner, so it is not the BEST way to run the malware scanner.
Concurrent use of a firewall, content filtering, antivirus software and an IDS system would be considered components of:
A. Redundant systems. B. Separation of duties. C. Layered security. D. Application control.
Correct Answer: C Section: Network Security
Layered security is the practice of combining multiple mitigating security controls to protect resources and data.
A: Redundancy is the duplication of critical components or functions of a system with the intention of increasing reliability of the system, usually in the form of a backup or fail-safe.
B: Separation of duties is the division of administrator or privileged tasks into distinct groupings, which are individually assigned to unique administrators. The application of separation
of duties prevents a single user having complete access or power over an entire network, server, or
D: Application control is a device-management solution that limits which applications can be installed onto a device.
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 82, 272