CompTIA Security Plus Mock Test Q1634

Joe a computer forensic technician responds to an active compromise of a database server. Joe first collects information in memory, then collects network traffic and finally conducts an image of the hard drive. Which of the following procedures did Joe follow?

A. Order of volatility
B. Chain of custody
C. Recovery procedure
D. Incident isolation


Correct Answer: A
Section: Mixed Questions

CompTIA Security Plus Mock Test Q1310

Ann is concerned that the application her team is currently developing is vulnerable to unexpected user input that could affect memory in a detrimental manner, leading to potential exploitation. Which of the following describes this application threat?

A. Replay attack
B. Zero-day exploit
C. Distributed denial of service
D. Buffer overflow

Correct Answer: D
Section: Mixed Questions

Explanation:
Unexpected input that corrupts the application's memory in a harmful way describes a buffer overflow. A replay attack resends captured traffic, a zero-day exploit targets a vulnerability unknown to the vendor, and a distributed denial of service exhausts availability; none of these is defined by overwriting the application's memory.

CompTIA Security Plus Mock Test Q665

One of the servers on the network stops responding due to lack of available memory. Server administrators did not have a clear definition of what action should have taken place based on the available memory. Which of the following would have BEST kept this incident from occurring?

A. Set up a protocol analyzer
B. Set up a performance baseline
C. Review the systems monitor on a monthly basis
D. Review the performance monitor on a monthly basis

Correct Answer: B
Section: Threats and Vulnerabilities

Explanation:
A performance baseline provides the input needed to design, implement, and support a secure network. The performance baseline would define the actions that should be performed
on a server that is running low on memory.

Incorrect Answers:
A: A protocol analyzer is a hardware device or, more commonly, a software program used to capture network data communications sent between devices on a network. It does not provide guidance on the actions to take when a server runs low on memory.
C: Reviewing the system monitor monthly may reveal that the server is running low on memory, but the server could run out of memory between reviews, and the monitor itself defines no action to take. It is therefore not the best answer.
D: The same applies to a monthly review of the performance monitor: it may show the shortage after the fact, but it neither catches the condition in time nor defines what action should be taken.

CompTIA Security Plus Mock Test Q595

A server administrator notes that a legacy application often stops running due to a memory error. When reviewing the debugging logs, they notice code being run calling an internal process to exploit the machine. Which of the following attacks does this describe?

A. Zero-day
B. Buffer overflow
C. Cross site scripting
D. Malicious add-on


Correct Answer: B
Section: Threats and Vulnerabilities

Explanation:
This question describes a buffer overflow attack.
A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information, which has to go somewhere, can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common type of security attack on data integrity. In buffer overflow attacks, the extra data may contain code designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information. Buffer overflow attacks are said to have arisen because the C programming language supplied the framework, and poor programming practices supplied the vulnerability.

Incorrect Answers:
A: A zero-day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by attackers before the vendor becomes aware and hurries to fix it; this exploit is called a zero-day attack. Uses of zero-day attacks can include infiltrating malware or spyware, or allowing unwanted access to user information. The term "zero day" refers to the unknown nature of the hole to those outside of the attackers, specifically the developers. Once the vulnerability becomes known, a race begins for the developer, who must protect users. "Zero-day" describes how widely a vulnerability is known, not the mechanism of the fault; the memory error and the injected code seen in the debugging logs describe a buffer overflow.
C: Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users.
Cross-site scripting uses known vulnerabilities in web-based applications, their servers, or plug-in systems on which they rely. Exploiting one of these, attackers fold malicious content into the content being delivered from the compromised site. When the resulting combined content arrives at the client-side web browser, it has all been delivered from the trusted source, and thus operates under the permissions granted to that system. By finding ways of injecting malicious scripts into web pages, an attacker can gain elevated access privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user. XSS executes in a victim's browser; it does not corrupt the memory of a server-side process. Memory errors are indicative of a buffer overflow attack.
D: A malicious add-on is a hostile extension loaded into a browser or similar host program. Nothing in the question points to an add-on; the application crashes with a memory error while code calls an internal process, which is indicative of a buffer overflow attack.

References:
http://searchsecurity.techtarget.com/definition/buffer-overflow
http://en.wikipedia.org/wiki/Cross-site_scripting
http://www.pctools.com/security-news/zero-day-vulnerability/

CompTIA Security Plus Mock Test Q591

A malicious individual is attempting to write too much data to an application’s memory. Which of the following describes this type of attack?

A. Zero-day
B. SQL injection
C. Buffer overflow
D. XSRF


Correct Answer: C
Section: Threats and Vulnerabilities

Explanation:
A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information, which has to go somewhere, can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common type of security attack on data integrity. In buffer overflow attacks, the extra data may contain code designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information. Buffer overflow attacks are said to have arisen because the C programming language supplied the framework, and poor programming practices supplied the vulnerability.
Incorrect Answers:
A: A zero day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it — this exploit is called a zero day attack. Uses of zero day attacks can include infiltrating malware, spyware or allowing unwanted access to user information. The term “zero day” refers to the unknown nature of the hole to those outside of the hackers, specifically, the developers. Once the vulnerability becomes known, a race begins for the developer, who must protect users. This type of attack does not attempt to write too much data to an application’s memory.
B: SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application’s software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database. This type of attack does not attempt to write too much data to an application’s memory.
D: Cross-Site Request Forgery, also known as XSRF, session riding, and one-click attack, involves unauthorized commands coming from a trusted user to the website. This is often done without the user's knowledge, and it typically employs some form of social engineering to pull it off. For example, assume that Evan and Spencer are chatting through Facebook. Spencer sends Evan a link to what he purports is a funny video that will crack him up. Evan clicks the link, but it actually brings up Evan's bank account information in another browser tab, takes a screenshot of it, closes the tab, and sends the information to Spencer. The reason the attack is possible is that Evan is a trusted user with his own bank. In order for it to work, Evan would need to have recently accessed that bank's website and have a session cookie that had yet to expire. The standard defence against XSRF is a per-request anti-forgery token that the attacking site cannot obtain. This type of attack does not attempt to write too much data to an application's memory.

References:
http://searchsecurity.techtarget.com/definition/buffer-overflow
http://www.pctools.com/security-news/zero-day-vulnerability/
http://en.wikipedia.org/wiki/SQL_injection
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, p. 335
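The buffer-overflow definitions given for Q595 and Q591 describe data spilling into "adjacent" memory and overwriting what is there. The following C program is an added illustration, not part of the original test explanations: it lays out a constructed record in which a 16-byte name field sits directly before a privilege flag, copies oversized attacker input with an unchecked copy (the same mistake as strcpy() or gets() into a fixed buffer), and shows the flag being overwritten, then repeats the copy through a bounds-checked version that rejects the input. The struct, field names and the 'A'-filled input are all assumptions made for the demo; the unsafe copy deliberately writes through the struct's byte representation so the overflow lands on the adjacent field in a defined way rather than running off the object entirely.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example layout: a fixed-size name field followed directly by a
 * privilege flag, the kind of "adjacent data" an overflow overwrites. */
#define NAME_LEN 16
struct session {
    char name[NAME_LEN];
    int  is_admin;
};

/* Vulnerable: copies however many bytes the caller supplies, with no check
 * against NAME_LEN. The copy goes through the struct's byte representation so
 * the demo stays defined behaviour for len <= sizeof(struct session); on a real
 * target the write would simply continue past the object. */
static void set_name_unsafe(struct session *s, const unsigned char *src, size_t len)
{
    unsigned char *dst = (unsigned char *)s + offsetof(struct session, name);
    memcpy(dst, src, len);                 /* no bounds check: the bug */
}

/* Hardened: refuses input that does not fit (leaving room for the NUL) and
 * reports an error instead of silently truncating or overflowing. */
static int set_name_safe(struct session *s, const unsigned char *src, size_t len)
{
    if (len >= NAME_LEN)
        return -1;
    memcpy(s->name, src, len);
    s->name[len] = '\0';
    return 0;
}

/* Feeds sizeof(struct session) bytes of 'A' (constructed attacker input) to the
 * unsafe copy and returns the privilege flag afterwards: 0x41414141 on a
 * platform with 4-byte int, i.e. the flag is now non-zero ("admin"). */
int demo_unsafe_flag_after_overflow(void)
{
    struct session s = { {0}, 0 };
    unsigned char input[sizeof(struct session)];
    memset(input, 'A', sizeof input);
    set_name_unsafe(&s, input, sizeof input);
    return s.is_admin;
}

/* Same input through the hardened copy: returns 1 when the copy was rejected
 * (rc == -1) and the flag was left untouched, 0 otherwise. */
int demo_safe_rejects_overflow(void)
{
    struct session s = { {0}, 0 };
    unsigned char input[sizeof(struct session)];
    memset(input, 'A', sizeof input);
    int rc = set_name_safe(&s, input, sizeof input);
    return rc == -1 && s.is_admin == 0;
}

/* Well-formed input is still accepted by the hardened copy: returns 1 on success. */
int demo_safe_accepts_short(void)
{
    struct session s = { {0}, 0 };
    const char *text = "ann";
    int rc = set_name_safe(&s, (const unsigned char *)text, strlen(text));
    return rc == 0 && strcmp(s.name, "ann") == 0;
}

int main(void)
{
    int flag = demo_unsafe_flag_after_overflow();
    printf("unsafe copy: is_admin = 0x%x (overwritten by the overflow)\n", (unsigned)flag);
    printf("safe copy:   overlong input rejected, flag untouched: %s\n",
           demo_safe_rejects_overflow() ? "yes" : "NO");
    printf("safe copy:   short input accepted: %s\n",
           demo_safe_accepts_short() ? "yes" : "NO");
    return 0;
}
```

The overwritten flag is the "corrupting or overwriting the valid data held in them" from the definition; an attacker who can choose the bytes after the first sixteen chooses the new value of is_admin. The hardened version checks the length before the copy rather than after, which is the only place a check can prevent the write.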

CompTIA Security Plus Mock Test Q494

A program has been discovered that infects a critical Windows system executable and stays dormant in memory. When a Windows mobile phone is connected to the host, the program infects the phone’s boot loader and continues to target additional Windows PCs or phones. Which of the following malware categories BEST describes this program?

A. Zero-day
B. Trojan
C. Virus
D. Rootkit

Correct Answer: C
Section: Threats and Vulnerabilities

Explanation:
A computer virus is a program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes. Viruses can also replicate themselves. All computer viruses are man-made. A simple virus that can make a copy of itself over and over again is relatively easy to produce. Even such a simple virus is dangerous because it will quickly use all available memory and bring the system to a halt. An even more dangerous type of virus is one capable of transmitting itself across networks and bypassing security systems.
Some people distinguish between general viruses and worms. A worm is a special type of virus that can replicate itself and use memory, but cannot attach itself to other programs.

Incorrect Answers:
A: A zero day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it—this exploit is called a zero day attack. Uses of zero day attacks can include infiltrating malware, spyware or allowing unwanted access to user information. The term “zero day” refers to the unknown nature of the hole to those outside of the hackers, specifically, the developers. Once the vulnerability becomes known, a race begins for the developer, who must protect users. A zero-day vulnerability is not described in this question.
B: In computers, a Trojan is a program in which malicious or harmful code is contained inside apparently harmless programming or data in such a way that it can get control and do its chosen form of damage, such as ruining the file allocation table on your hard disk. In one celebrated case, a Trojan was a program that was supposed to find and destroy computer viruses. A Trojan horse may be widely redistributed as part of a computer virus. A Trojan relies on the user running it; the program in this question spreads on its own by infecting an executable and a boot loader, so it is not what is being described.
D: A rootkit is a stealthy type of software, typically malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer. A rootkit is not what is described in this question.

References:
http://www.webopedia.com/TERM/V/virus.html
http://www.pctools.com/security-news/zero-day-vulnerability/