CompTIA Security Plus Mock Test Q1648

While performing surveillance activities, an attacker determines that an organization is using 802.1X to secure LAN access. Which of the following attack mechanisms can the attacker utilize to bypass the identified network security?

A. MAC spoofing
B. Pharming
C. Xmas attack
D. ARP poisoning

Correct Answer: A
Section: Mixed Questions

CompTIA Security Plus Mock Test Q1572

While performing surveillance activities, an attacker determines that an organization is using 802.1X to secure LAN access. Which of the following attack mechanisms can the attacker utilize to bypass the identified network security controls?

A. MAC spoofing
B. Pharming
C. Xmas attack
D. ARP poisoning

Correct Answer: D
Section: Mixed Questions

CompTIA Security Plus Mock Test Q1497

During a company-wide initiative to harden network security, it is discovered that end users who have laptops cannot be removed from the local administrator group. Which of the following could be used to help mitigate the risk of these machines becoming compromised?

A. Security log auditing
B. Firewalls
C. HIPS
D. IDS

Correct Answer: B
Section: Mixed Questions

CompTIA Security Plus Mock Test Q1383

Company XYZ has suffered leaks of internally distributed confidential documents. Ann, the network security analyst, has been tasked to track down the culprit. She has decided to embed a four-letter string of characters in documents containing proprietary information. Which of the following initial steps should Ann implement before sending documents?

A. Store one of the documents in a honey pot
B. Start antivirus scan on all the suspected computers
C. Add a signature to the NIDS containing the four-letter string
D. Ask employees to report suspicious behaviors

Correct Answer: C
Section: Mixed Questions

CompTIA Security Plus Mock Test Q1302

The network security manager has been notified by customer service that employees have been sending unencrypted confidential information via email. Which of the following should the manager select to BEST detect and provide notification of these occurrences?

A. DLP
B. SSL
C. DEP
D. UTM

Correct Answer: A
Section: Mixed Questions

CompTIA Security Plus Mock Test Q1178

A network security engineer notices unusual traffic on the network from a single IP attempting to access systems on port 23. Port 23 is not used anywhere on the network. Which of the following should the engineer do to harden the network from this type of intrusion in the future?

A. Disable unnecessary services on servers
B. Disable unused accounts on servers and network devices
C. Implement password requirements on servers and network devices
D. Enable auditing on event logs
Correct Answer: A
Section: Mixed Questions

CompTIA Security Plus Mock Test Q796

Joe, a network security engineer, has visibility into network traffic through network monitoring tools. However, he is concerned that a disgruntled employee may be targeting a server containing the company's financial records. Which of the following security mechanisms would be MOST appropriate to confirm Joe's suspicion?

A. HIDS
B. HIPS
C. NIPS
D. NIDS

Correct Answer: A
Section: Application, Data and Host Security

Explanation:
A host-based IDS (HIDS) is an intrusion detection system that runs as a service on a host computer system. It is used to monitor the machine logs, system events, and application activity for signs of intrusion. It is useful for detecting attacks that originate outside the organization as well as attacks by internal users logged on to the system.

Incorrect Answers:
B: A host-based IPS (HIPS) is an intrusion detection and prevention system that runs as a service on a host computer system. It is used to monitor the machine logs, system events, and application activity for signs of intrusion.
C: A network-based IPS (NIPS) is an intrusion detection and prevention system that scans network traffic in real time against a database of attack signatures. It is useful for detecting and responding to network-based attacks originating from outside the organization.
D: A network-based IDS (NIDS) is an intrusion detection system that scans network traffic in real time and is useful for detecting network-based attacks originating from outside the organization.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 111-112, 116-117
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 13-16

CompTIA Security Plus Mock Test Q721

An administrator is instructed to disable IP-directed broadcasts on all routers in an organization. Which of the following attacks does this prevent?

A. Pharming
B. Smurf
C. Replay
D. Xmas
Correct Answer: B
Section: Threats and Vulnerabilities

Explanation:
A smurf attack is a type of network security breach in which a network connected to the Internet is swamped with replies to ICMP echo (PING) requests. A smurf attacker sends PING requests to an Internet broadcast address. These are special addresses that broadcast all received messages to the hosts connected to the subnet. Each broadcast address can support up to 255 hosts, so a single PING request can be multiplied 255 times. The return address of the request itself is spoofed to be the address of the attacker's victim. All the hosts receiving the PING request reply to this victim's address instead of the real sender's address. A single attacker sending hundreds or thousands of these PING messages per second can fill the victim's Internet connection with ping replies, bringing their entire Internet service to its knees. Smurfing falls under the general category of Denial of Service attacks: security attacks that don't try to steal information, but instead attempt to disable a computer or network.
By disabling IP-directed broadcasts on all routers, we can prevent the smurf attack by blocking the ping requests to broadcast addresses.

Incorrect Answers:
A: Similar in nature to e-mail phishing, pharming seeks to obtain personal or private (usually financially related) information through domain spoofing. Rather than being spammed with malicious and mischievous e-mail requests for you to visit spoof Web sites which appear legitimate, pharming 'poisons' a DNS server by infusing false information into the DNS server, resulting in a user's request being redirected elsewhere. Your browser, however, will show you are at the correct Web site, which makes pharming a bit more serious and more difficult to detect. Phishing attempts to scam people one at a time with an e-mail, while pharming allows the scammers to target large groups of people at one time through domain spoofing. Disabling IP-directed broadcasts would not prevent this attack.
C: A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it. Disabling IP-directed broadcasts would not prevent this attack.
D: In information technology, a Christmas (Xmas) tree packet is a packet with every single option set for whatever protocol is in use. Christmas tree packets can be used as a method of divining the underlying nature of a TCP/IP stack by sending the packets and awaiting and analyzing the responses. When used as part of scanning a system, the TCP header of a Christmas tree packet has the flags SYN, FIN, URG and PSH set. Many operating systems implement their compliance with the Internet Protocol standard (RFC 791) in varying or incomplete ways. By observing how a host responds to an odd packet, such as a Christmas tree packet, assumptions can be made regarding the host's operating system. Disabling IP-directed broadcasts would not prevent this attack.

References:
http://www.webopedia.com/TERM/S/smurf.html
http://www.webopedia.com/TERM/P/pharming.html
http://en.wikipedia.org/wiki/Christmas_tree_packet

CompTIA Security Plus Mock Test Q654

A security administrator wants to get a real time look at what attackers are doing in the wild, hoping to lower the risk of zero-day attacks. Which of the following should be used to accomplish this goal?

A. Penetration testing
B. Honeynets
C. Vulnerability scanning
D. Baseline reporting
Correct Answer: B
Section: Threats and Vulnerabilities

Explanation:
A honeynet is a network set up with intentional vulnerabilities; its purpose is to invite attack, so that an attacker's activities and methods can be studied and that information used to increase network security. A honeynet contains one or more honey pots, which are computer systems on the Internet expressly set up to attract and "trap" people who attempt to penetrate other people's computer systems. Although the primary purpose of a honeynet is to gather information about attackers' methods and motives, the decoy network can benefit its operator in other ways, for example by diverting attackers from a real network and its resources. The Honeynet Project, a non-profit research organization dedicated to computer security and information sharing, actively promotes the deployment of honeynets.
In addition to the honey pots, a honeynet usually has real applications and services so that it seems like a normal network and a worthwhile target. However, because the honeynet doesn't actually serve any authorized users, any attempt to contact the network from without is likely an illicit attempt to breach its security, and any outbound activity is likely evidence that a system has been compromised. For this reason, the suspect information is much more apparent than it would be in an actual network, where it would have to be found amidst all the legitimate network data. Applications within a honeynet are often given names such as "Finances" or "Human Services" to make them sound appealing to the attacker.
A virtual honeynet is one that, while appearing to be an entire network, resides on a single server.

Incorrect Answers:
A: Penetration testing evaluates an organization's ability to protect its networks, applications, computers and users from attempts to circumvent its security controls to gain unauthorized or privileged access to protected assets. You perform a penetration test by attempting to gain access to the system. However, to do this, you are trying to exploit weaknesses that you know about. An attacker might use a different method. To view all methods used by attackers, you need to set up a honeynet.
C: A vulnerability scanner is software designed to assess computers, computer systems, networks or applications for weaknesses. A vulnerability scan will scan for weaknesses (vulnerabilities) in a system, but it does not provide information about the methods attackers are using.
D: Baseline reporting will alert the security manager to any changes in the security posture compared to the original baseline configuration. Baseline reporting does not provide information about the methods attackers are using.

References:
http://searchsecurity.techtarget.com/definition/honeynet