CompTIA Security Plus Mock Test Q1163

Users are trying to communicate with a network but are unable to do so. A network administrator sees connection attempts on port 20 from outside IP addresses that are being blocked. How can the administrator resolve this?

A. Enable stateful FTP on the firewall
B. Enable inbound SSH connections
C. Enable NETBIOS connections in the firewall
D. Enable HTTPS on port 20


Correct Answer: A
Section: Mixed Questions

Explanation:
Port 20 is the FTP data port. In active-mode FTP the client opens the control connection to the server on TCP port 21 and sends a PORT command naming a client address and port; the server then opens the data connection back to the client from its own source port 20. A firewall that only permits connections initiated from the inside treats those inbound connections from external addresses (source port 20) as unsolicited and blocks them, which is what the administrator is seeing, so directory listings and transfers hang. Stateful FTP inspection (an FTP application-layer gateway) tracks the control channel, reads the PORT command, and opens a temporary pinhole for the matching data connection only, so transfers work without opening port 20 to the world.

Incorrect Answers:
B: SSH uses TCP port 22 and has nothing to do with the blocked port 20 traffic.
C: NetBIOS uses ports 137 to 139 and is unrelated to port 20.
D: HTTPS uses TCP port 443; running it on port 20 does not address the FTP data connections being blocked.
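
The following is an added example, not code from the exam page or from any firewall product. It models in miniature what stateful FTP inspection (an FTP application-layer gateway) does: watch the control channel, read the client's PORT command, and open a one-shot pinhole so the server's data connection from source port 20 is accepted, while a stateless "deny all inbound" policy drops that connection and produces the symptom in the question. The addresses and ports are made up, and NAT rewriting of the PORT payload is not modelled.

```python
"""Stateful FTP inspection in miniature (added example, assumptions noted inline)."""
import re
from typing import Optional, Set, Tuple

# PORT h1,h2,h3,h4,p1,p2  ->  client address h1.h2.h3.h4, client port p1*256 + p2
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
FTP_DATA_SRC_PORT = 20


class FtpAlg:
    def __init__(self) -> None:
        # (server_ip, client_ip, client_port) triples expecting a data connection
        self.pinholes: Set[Tuple[str, str, int]] = set()

    def inspect_control(self, client_ip: str, server_ip: str, line: str) -> Optional[Tuple[str, int]]:
        """Parse a PORT command the client sent to server_ip on the control channel.

        Returns the (ip, port) pinhole opened, or None when there is no PORT
        command or it is unsafe: a third-party address (FTP bounce), an octet
        out of range, or a privileged port.
        """
        m = PORT_RE.match(line)
        if not m:
            return None
        h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
        if max(h1, h2, h3, h4, p1, p2) > 255:
            return None
        ip, port = f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
        if ip != client_ip or port < 1024:
            return None
        self.pinholes.add((server_ip, ip, port))
        return ip, port

    def allow_inbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                      stateful: bool = True) -> bool:
        """Decide an inbound SYN from the outside.

        stateful=False is the plain "block all inbound" policy from the question:
        every connection from port 20 is refused. stateful=True accepts the data
        connection exactly once when it matches a pinhole opened by PORT.
        """
        if not stateful:
            return False
        key = (src_ip, dst_ip, dst_port)
        if src_port == FTP_DATA_SRC_PORT and key in self.pinholes:
            self.pinholes.discard(key)   # one-shot: consume the pinhole
            return True
        return False


if __name__ == "__main__":
    # Constructed scenario: internal client 10.0.0.5, external FTP server 203.0.113.10
    alg = FtpAlg()
    print(alg.inspect_control("10.0.0.5", "203.0.113.10", "PORT 10,0,0,5,195,80"))
    print(alg.allow_inbound("203.0.113.10", 20, "10.0.0.5", 50000, stateful=False))
    print(alg.allow_inbound("203.0.113.10", 20, "10.0.0.5", 50000))
    print(alg.allow_inbound("203.0.113.10", 20, "10.0.0.5", 50000))
```

The pinhole is keyed on the server that received the PORT command as well as the client address and port, so an unrelated external host cannot reuse it, and a PORT naming any address other than the client's own is refused, which is the classic FTP bounce check.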

CompTIA Security Plus Mock Test Q672

During a penetration test from the Internet, Jane, the system administrator, was able to establish a connection to an internal router, but not successfully log in to it. Which ports and protocols are MOST likely to be open on the firewall? (Select FOUR).

A. 21
B. 22
C. 23
D. 69
E. 3389
F. SSH
G. Terminal services
H. Rlogin
I. Rsync
J. Telnet


Correct Answer: B,C,F,J
Section: Threats and Vulnerabilities

Explanation:
The question states that Jane was able to establish a connection to an internal router. Typical ports and protocols used to connect to a router include the following:
B, F: Port 22 which is used by SSH (Secure Shell).
C, J: Port 23 which is used by Telnet.
SSH and Telnet both provide command line interfaces for administering network devices such as routers and switches.

Incorrect Answers:
A: Port 21 is used by FTP (File Transfer Protocol). It is used for downloading and uploading files over a network using a TCP connection. It is not used for connecting to network devices such as routers or switches.
D: Port 69 is used by TFTP (Trivial File Transfer Protocol). It is used for downloading and uploading files over a network using a UDP connection. It is not used for connecting to network devices such as routers or switches.
E: Port 3389 is used by Remote Desktop Protocol (RDP). RDP is used for connecting to Windows computers. It is not used for connecting to network devices such as routers or switches.
G: Terminal Services is an earlier name for Remote Desktop Services. Terminal Services uses Remote Desktop Protocol (RDP) on port 3389. It is not used for connecting to network devices such as routers or switches.
H: Rlogin (Remote Login) uses port 513 and is used for connecting to Linux or Unix computers. It is not used for connecting to network devices such as routers or switches.
I: Rsync is a file synchronization protocol that uses port 873. It is used for synchronizing files between Linux or Unix computers. It is not used for connecting to network devices such as routers or switches.

References:
http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

CompTIA Security Plus Mock Test Q616

Joe analyzed the following log and determined the security team should implement which of the following as a mitigation method against further attempts?
Host 192.168.1.123
[00: 00: 01]Successful Login: 015 192.168.1.123 : local
[00: 00: 03]Unsuccessful Login: 022 214.34.56.006 : RDP 192.168.1.124
[00: 00: 04]UnSuccessful Login: 010 214.34.56.006 : RDP 192.168.1.124
[00: 00: 07]UnSuccessful Login: 007 214.34.56.006 : RDP 192.168.1.124
[00: 00: 08]UnSuccessful Login: 003 214.34.56.006 : RDP 192.168.1.124

A. Reporting
B. IDS
C. Monitor system logs
D. Hardening


Correct Answer: D
Section: Threats and Vulnerabilities

Explanation:
The log shows a burst of unsuccessful login attempts over Remote Desktop (the RDP protocol) from the external address 214.34.56.006 against the host 192.168.1.124: four failures within five seconds, which is the pattern of a password-guessing (brute-force) attack.
The one successful login is a local login on 192.168.1.123 and is probably authorized (for example, Joe logging in).
Hardening is the process of securing a system. Here we can harden the host by either disallowing remote desktop connections altogether or by restricting which source IPs (for example, an internal management subnet) are allowed to initiate them; an account lockout threshold would also stop repeated guesses from the same source.

Incorrect Answers:
A: Reporting is not used to prevent unauthorized login attempts.
B: An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station. An IDS could detect the attempted logins but it would not prevent them. “Hardening” is a basic security principle which should be applied to every system.
C: Monitoring system logs will keep you informed about any potential problems with the computer system. However, it will not prevent unauthorized login attempts.
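
As an added example (not code from the exam page), the detection and the hardening check described above written out in Python. It parses the five log lines shown in the question, flags any source with repeated remote failures inside a short sliding window, and then applies the allow-list test that a hardened host would run before accepting an RDP connection. The threshold, window and management subnet are assumptions for illustration.

```python
"""Failed-login detection and an RDP source allow-list check (added example)."""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List

# The log lines from the question, embedded here as sample input.
SAMPLE_LOG = """\
[00: 00: 01]Successful Login: 015 192.168.1.123 : local
[00: 00: 03]Unsuccessful Login: 022 214.34.56.006 : RDP 192.168.1.124
[00: 00: 04]UnSuccessful Login: 010 214.34.56.006 : RDP 192.168.1.124
[00: 00: 07]UnSuccessful Login: 007 214.34.56.006 : RDP 192.168.1.124
[00: 00: 08]UnSuccessful Login: 003 214.34.56.006 : RDP 192.168.1.124
"""

# IGNORECASE absorbs the "Unsuccessful" / "UnSuccessful" inconsistency in the log.
LINE_RE = re.compile(
    r"^\[(\d{2}): ?(\d{2}): ?(\d{2})\]\s*(successful|unsuccessful) login: "
    r"(\d+) (\S+) : (\S+)(?: (\S+))?$",
    re.IGNORECASE,
)


def normalize_ip(ip: str) -> str:
    """Strip leading zeros per octet: '214.34.56.006' -> '214.34.56.6'.
    Python 3.9.5 and later reject zero-padded octets in ipaddress, so do this first."""
    return ".".join(str(int(o)) for o in ip.split("."))


def parse_log(text: str) -> List[dict]:
    """Turn each well-formed line into {t, ok, src, method, target}."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        hh, mm, ss, outcome, _ident, src, method, target = m.groups()
        events.append({
            "t": int(hh) * 3600 + int(mm) * 60 + int(ss),
            "ok": outcome.lower() == "successful",
            "src": normalize_ip(src),
            "method": method.upper(),
            "target": target,
        })
    return events


def brute_force_sources(events: List[dict], threshold: int = 3, window: int = 10) -> Dict[str, int]:
    """Sources with at least `threshold` failed remote logins inside any `window`
    seconds (sliding window). Returns {source: peak failures in one window}.
    Threshold and window are assumed tuning values."""
    fails = defaultdict(list)
    for e in events:
        if not e["ok"] and e["method"] != "LOCAL":
            fails[e["src"]].append(e["t"])
    flagged = {}
    for src, times in fails.items():
        times.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def rdp_allowed(src: str, allowlist: List[str]) -> bool:
    """Hardening check: accept RDP only from approved management networks."""
    ip = ipaddress.ip_address(normalize_ip(src))
    return any(ip in ipaddress.ip_network(net) for net in allowlist)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print(brute_force_sources(events))
    print(rdp_allowed("214.34.56.006", ["192.168.1.0/24"]))   # assumed admin subnet
```

Note that the local login is excluded from the failure count, so an administrator mistyping a password at the console does not trip the detector, and that the allow-list decision is made on the normalized address so the zero-padded form in the log cannot slip past a string comparison.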

CompTIA Security Plus Mock Test Q553

Ann, the network administrator, has learned from the helpdesk that employees are accessing the wireless network without entering their domain credentials upon connection. Once the connection is made, they cannot reach any internal resources, while wired network connections operate smoothly. Which of the following is MOST likely occurring?

A. A user has plugged in a personal access point at their desk to connect to the network wirelessly.
B. The company is currently experiencing an attack on their internal DNS servers.
C. The company’s WEP encryption has been compromised and WPA2 needs to be implemented instead.
D. An attacker has installed an access point nearby in an attempt to capture company information.

Correct Answer: D
Section: Threats and Vulnerabilities

Explanation:
The question implies that users should be required to enter their domain credentials upon connection to the wireless network. The fact that they are connecting to a wireless network without being prompted for their domain credentials and they are unable to access network resources suggests they are connecting to a rogue wireless network.
A rogue access point is a wireless access point that has either been installed on a secure company network without explicit authorization from a local network administrator, or has been created to allow a hacker to conduct a man-in-the-middle attack. Rogue access points of the first kind can pose a security threat to large organizations with many employees, because anyone with access to the premises can install (maliciously or non-maliciously) an inexpensive wireless router that can potentially allow access to a secure network to unauthorized parties. Rogue access points of the second kind target networks that do not employ mutual authentication (client-server server-client) and may be used in conjunction with a rogue RADIUS server, depending on security configuration of the target network.
To prevent the installation of rogue access points, organizations can install wireless intrusion prevention systems to monitor the radio spectrum for unauthorized access points.

Incorrect Answers:
A: A personal access point plugged in at a desk would normally advertise its own SSID rather than the corporate one, so company machines would not be joining it; and a personal access point bridged to the wired LAN would usually still reach internal resources, which these users cannot.
B: This is not a DNS issue. Authentication to the wireless network happens before any name resolution, so an attack on the internal DNS servers would not remove the credential prompt. It could stop users reaching resources by name, but wired users are working normally, which rules the DNS servers out.
C: WEP encryption is considered to be very weak in terms of security and WPA2 is recommended. However, compromised WEP encryption would not cause the symptoms described in this question.

References:
http://en.wikipedia.org/wiki/Rogue_access_point

CompTIA Security Plus Mock Test Q509

A server with the IP address of 10.10.2.4 has been having intermittent connection issues. The logs show repeated connection attempts from the following IPs:
10.10.3.16
10.10.3.23
212.178.24.26
217.24.94.83
These attempts are overloading the server to the point that it cannot respond to traffic. Which of the following attacks is occurring?

A. XSS
B. DDoS
C. DoS
D. Xmas


Correct Answer: B
Section: Threats and Vulnerabilities

Explanation:
A Distributed Denial of Service (DDoS) attack is an attack from several different computers targeting a single computer. One common method of attack involves saturating the target machine with external communications requests, so much so that it cannot respond to legitimate traffic, or responds so slowly as to be rendered essentially unavailable. Such attacks usually lead to a server overload.

A distributed denial-of-service attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. Such an attack is often the result of multiple compromised systems (for example a botnet) flooding the targeted system with traffic. When a server is overloaded with connections, new connections can no longer be accepted.

The major advantages to an attacker of using a distributed denial-of-service attack are that multiple machines can generate more attack traffic than one machine, multiple attack machines are harder to turn off than one attack machine, and the behavior of each attack machine can be stealthier, making it harder to track and shut down. These attacker advantages cause challenges for defense mechanisms. For example, merely purchasing more incoming bandwidth than the current volume of the attack might not help, because the attacker might be able to simply add more attack machines. The result can be a website that is completely unavailable for periods of time.

Malware can carry DDoS attack mechanisms; one of the better-known examples of this was MyDoom. Its DoS mechanism was triggered on a specific date and time. This type of DDoS involved hardcoding the target IP address prior to release of the malware, and no further interaction was necessary to launch the attack.

Incorrect Answers:
A: Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. Cross-site scripting uses known vulnerabilities in web-based applications, their servers, or plug-in systems on which they rely. Exploiting one of these, attackers fold malicious content into the content being delivered from the compromised site. When the resulting combined content arrives at the client-side web browser, it has all been delivered from the trusted source, and thus operates under the permissions granted to that system. By finding ways of injecting malicious scripts into web pages, an attacker can gain elevated access-privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user. This is not what is described in the question.
C: The question states that the source of the traffic is multiple IP addresses. Therefore, this is a DDoS (Distributed Denial of Service) attack. A DoS (Denial of Service) attack comes from a single IP address.
D: Some stateless firewalls only check against security policy those packets which have the SYN flag set (that is, packets that initiate connection according to the standards). Since Christmas tree scan packets do not have the SYN flag turned on, they can pass through these simple systems and reach the target host. A large number of Christmas tree packets can also be used to conduct a DoS attack by exploiting the fact that Christmas tree packets require much more processing by routers and end-hosts than the ‘usual’ packets do.
This is not what is described in the question.

References:
http://en.wikipedia.org/wiki/Denial-of-service_attack
http://www.answers.com/Q/What_is_an_XMAS_attack_on_a_computer
http://en.wikipedia.org/wiki/Cross-site_scripting

CompTIA Security Plus Mock Test Q315

Sara, an employee, tethers her smartphone to her work PC to bypass the corporate web security gateway while connected to the LAN. While Sara is out at lunch her PC is compromised via the tethered connection and corporate data is stolen. Which of the following would BEST prevent this from occurring again?

A. Disable the wireless access and implement strict router ACLs.
B. Reduce restrictions on the corporate web security gateway.
C. Security policy and threat awareness training.
D. Perform user rights and permissions reviews.

Correct Answer: C
Section: Compliance and Operational Security

Explanation:
Sara's tethered smartphone is a personal (BYOD) device that created an unmanaged path to the Internet around the corporate web security gateway, so a compromise over that link reached a corporate PC. A personal device can also introduce malware it is already carrying onto the network. Security policy and threat awareness training address the root cause: users need to know that bypassing corporate controls is prohibited by the company's BYOD policy and understand why it is dangerous.

Incorrect Answers:
A: Disabling wireless access and implementing strict router ACLs would hamper the day-to-day operations of the company and would punish all users, not just Sara, who was responsible for the bypass that led to the data theft. It would also not stop a tethered connection, which never touches the corporate wireless network or routers. It would be best to provide training to all users regarding BYOD.
B: Reducing restrictions on the corporate web security gateway will leave the company data more vulnerable.
D: User rights and permissions reviews will not prevent data theft since Sara still requires permissions to perform her duties.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 399-404, 401

CompTIA Security Plus Mock Test Q193

Ann, the network administrator, is receiving reports regarding a particular wireless network in the building. The network was implemented for specific machines issued to the developer department, but the developers are stating that they are having connection issues as well as slow bandwidth. Reviewing the wireless router’s logs, she sees that devices not belonging to the developers are connecting to the access point. Which of the following would BEST alleviate the developer’s reports?

A. Configure the router so that wireless access is based upon the connecting device’s hardware address.
B. Modify the connection’s encryption method so that it is using WEP instead of WPA2.
C. Implement connections via secure tunnel with additional software on the developer’s computers.
D. Configure the router so that its name is not visible to devices scanning for wireless networks.

Correct Answer: A
Section: Network Security

Explanation:
MAC addresses are also known as Ethernet hardware addresses (EHA), hardware addresses or physical addresses. Enabling MAC filtering would allow the WAP to restrict or allow access based on the hardware address of the connecting device, so only the machines issued to the developers are accepted. Note that a MAC address is easily spoofed by anyone who can observe the wireless traffic, so MAC filtering keeps casual or accidental clients off the network but is not a substitute for proper authentication such as 802.1X.

Incorrect Answers:
B: WPA2 is more secure than WEP, so moving to WEP would weaken the network and would do nothing to keep the other devices off it.
C: This answer will not prevent devices not belonging to the developer department from connecting to the access point.
D: Hiding the SSID could work, but hackers with basic wireless knowledge can easily discover it.

References:
https://en.wikipedia.org/wiki/MAC_address
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 59-63

CompTIA Security Plus Mock Test Q80

An auditor is given access to a conference room to conduct an analysis. When they connect their laptop’s Ethernet cable into the wall jack, they are not able to get a connection to the Internet but have a link light. Which of the following is MOST likely causing this issue?

A. Ethernet cable is damaged
B. The host firewall is set to disallow outbound connections
C. Network Access Control
D. The switch port is administratively shutdown

Correct Answer: C
Section: Network Security

Explanation:
Network Access Control (NAC) means controlling access to an environment through strict adherence to and implementation of security policies. The goals of NAC are to prevent/ reduce zero-day attacks, enforce security policy throughout the network, and use identities to perform access control.

Incorrect Answers:
A, D: A damaged cable or an administratively shut down switch port would not give a link light.
B: A host firewall blocking outbound connections would leave the link light on, but a visiting auditor's laptop in a conference room is far more likely to be stopped by NAC: the port is up, yet the switch holds the unknown device on an authentication or quarantine network until it satisfies the security policy.

References:
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, p. 40

CompTIA Security Plus Mock Test Q42

A database administrator contacts a security administrator to request firewall changes for a connection to a new internal application. The security administrator notices that the new application uses a port typically monopolized by a virus. The security administrator denies the request and suggests a new port or service be used to complete the application’s task. Which of the following is the security administrator practicing in this example?

A. Explicit deny
B. Port security
C. Access control lists
D. Implicit deny

Correct Answer: C
Section: Network Security

Explanation:
Traffic that comes into the router is compared to ACL entries based on the order that the entries occur in the router. New statements are added to the end of the list. The router continues to look until it has a match. If no matches are found when the router reaches the end of the list, the traffic is denied. For this reason, you should have the frequently hit entries at the top of the list. There is an implied deny for traffic that is not permitted.

Incorrect Answers:
A: An explicit deny is a specific ACL entry written to block named traffic. The administrator has not written one here; by refusing to add a permit entry, the traffic is simply left to fall through to the end of the list, and the control being exercised is management of the ACL itself.

B: Port security in IT can mean several things:
The physical control of all connection points, such as RJ-45 wall jacks or device ports, so that no unauthorized users or unauthorized devices can attempt to connect into an open port.
The management of TCP and User Datagram Protocol (UDP) ports. If a service is active and assigned to a port, then that port is open. All other ports (of the 65,536 TCP or UDP port numbers) are closed if a service isn't actively using them.
Port knocking is a security system in which all ports on a system appear closed. However, if the client sends packets to a specific set of ports in a certain order, a bit like a secret knock, then the desired service port becomes open and allows the client software to connect to the service.

D: Implicit deny is the default security stance that says if you aren't specifically granted access or privileges for a resource, you're denied access by default. It is the behavior at the end of the ACL rather than an action the administrator takes; here the administrator is actively deciding which entries the ACL will contain.
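
As an added example (not code from the exam page or from Cisco IOS), a small model of the ACL evaluation the explanation describes: entries are checked in order, the first match wins, and traffic that reaches the end of the list is denied even though no entry says so. It also includes a shadow check for the ordering mistake the explanation warns about, a deny placed after a broader permit. The application's port 4444 and the 10.0.0.0/8 addresses are assumptions for illustration only.

```python
"""First-match ACL evaluation with an implicit deny (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source network in CIDR form
    dst: str               # destination network in CIDR form
    dport: Optional[int]   # destination port, None = any port


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def matches(rule: Rule, proto: str, src: str, dst: str, dport: int) -> bool:
    return (rule.proto in ("any", proto)
            and ipaddress.ip_address(src) in _net(rule.src)
            and ipaddress.ip_address(dst) in _net(rule.dst)
            and rule.dport in (None, dport))


def evaluate(acl: List[Rule], proto: str, src: str, dst: str, dport: int) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching entry). ("deny", None) means no
    entry matched and the implicit deny at the end of the list applied."""
    for i, rule in enumerate(acl):
        if matches(rule, proto, src, dst, dport):
            return rule.action, i
    return "deny", None


def shadowed(acl: List[Rule]) -> List[int]:
    """Indexes of entries that can never match because an earlier entry is at
    least as broad in protocol, source, destination and port."""
    out = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if (earlier.proto in ("any", later.proto)
                    and _net(later.src).subnet_of(_net(earlier.src))
                    and _net(later.dst).subnet_of(_net(earlier.dst))
                    and earlier.dport in (None, later.dport)):
                out.append(j)
                break
    return out


# Existing policy (constructed): web and DNS to two internal servers, nothing else.
ACL_BASE = [
    Rule("permit", "tcp", "10.0.0.0/8", "10.9.9.9/32", 443),
    Rule("permit", "udp", "10.0.0.0/8", "10.9.9.53/32", 53),
]
# The refused request: port 4444 is left to the implicit deny. An explicit deny
# at the top documents the same decision and is what an auditor will look for.
ACL_EXPLICIT = [Rule("deny", "tcp", "0.0.0.0/0", "0.0.0.0/0", 4444)] + ACL_BASE
# Mis-ordered: a "permit any" before the deny shadows it, so 4444 gets through.
ACL_MISORDERED = [
    Rule("permit", "tcp", "0.0.0.0/0", "0.0.0.0/0", None),
    Rule("deny", "tcp", "0.0.0.0/0", "0.0.0.0/0", 4444),
]

if __name__ == "__main__":
    req = ("tcp", "10.1.2.3", "10.9.9.9", 4444)
    print(evaluate(ACL_BASE, *req))        # implicit deny: no entry matched
    print(evaluate(ACL_EXPLICIT, *req))    # explicit deny: entry 0 matched
    print(evaluate(ACL_MISORDERED, *req))  # permitted: the deny is shadowed
    print(shadowed(ACL_MISORDERED))        # the shadowed entry's index
```

The difference between the two deny outcomes is the returned index: `None` is the implicit deny the router applies when it runs off the end of the list, while `0` is an entry the administrator wrote. The shadow check is the test to run whenever a deny is appended, since new entries go to the end of the list where an earlier broad permit may already have claimed the traffic.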

References:
http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 24, 26