CompTIA Security Plus Mock Test Q1704

Ann, a security analyst, is monitoring the IDS console and notices multiple connections from an internal host to a suspicious call-back domain. Which of the following tools would help her decipher the network traffic?

A. Vulnerability Scanner
B. NMAP
C. NETSTAT
D. Packet Analyzer


Correct Answer: D
Section: Mixed Questions

Explanation:
A packet analyzer (also called a protocol analyzer or sniffer, for example Wireshark) captures the traffic between the internal host and the call-back domain and decodes it protocol by protocol, which is what is needed to understand what the connections are carrying. NETSTAT only lists a host's current connections and listening ports, NMAP enumerates hosts and open ports, and a vulnerability scanner reports known weaknesses; none of them decodes captured traffic.
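The decoding a packet analyzer does, as an added example that is not part of the original question or its source: the raw UDP payload of a DNS query is parsed field by field and the queried name is compared with a list of known call-back domains. The packet bytes, transaction IDs and the domain `c2.example.invalid` are constructed for the example.

```python
"""Decode raw DNS query payloads (the UDP data a packet analyzer shows) and
flag lookups of a known call-back domain. Added example; the packets and
the suspicious-domain list are constructed, not captured traffic."""
import struct


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS A query for `name` (constructed sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    qname += b"\x00"                                           # root label terminates QNAME
    return header + qname + struct.pack("!HH", 1, 1)           # QTYPE=A, QCLASS=IN


def parse_dns_question(payload: bytes) -> dict:
    """Parse the 12-byte header and the first question of a raw DNS message."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", payload[:12])
    labels = []
    pos = 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated QNAME")
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers do not appear in a question name
            raise ValueError("unexpected label compression in QNAME")
        labels.append(payload[pos:pos + length].decode("ascii", errors="replace"))
        pos += length
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return {
        "txid": txid,
        "is_response": bool(flags & 0x8000),  # QR bit
        "qname": ".".join(labels).lower(),
        "qtype": qtype,
        "qclass": qclass,
    }


def flag_callback_lookups(payloads, suspicious_domains):
    """Return (txid, qname) for every query whose name is, or is under, a suspicious domain."""
    hits = []
    for payload in payloads:
        q = parse_dns_question(payload)
        if q["is_response"]:
            continue
        for bad in suspicious_domains:
            if q["qname"] == bad or q["qname"].endswith("." + bad):
                hits.append((q["txid"], q["qname"]))
                break
    return hits


SUSPICIOUS = {"c2.example.invalid"}  # assumed call-back domain (constructed)
SAMPLE = [                           # constructed traffic from the internal host
    build_dns_query("www.example.com", 1),
    build_dns_query("beacon.c2.example.invalid", 2),
    build_dns_query("c2.example.invalid", 3),
]

if __name__ == "__main__":
    for txid, name in flag_callback_lookups(SAMPLE, SUSPICIOUS):
        print(f"txid={txid:#06x} call-back lookup: {name}")
```

Netstat would have shown only the destination IP of these connections; the decoded query name is what ties the host to the call-back domain, and the same approach extends to the HTTP or TLS layer of the beacon traffic itself.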

CompTIA Security Plus Mock Test Q1665

An attack that uses interference as its main method of impeding network traffic is which of the following?

A. Introducing too much data to a target's memory allocation
B. Utilizing a previously unknown security flaw against the target
C. Using a similar wireless configuration of a nearby network
D. Inundating a target system with SYN requests

Correct Answer: C
Section: Mixed Questions

Explanation:
Interference (jamming) is a wireless attack: a nearby network or device transmitting on the same channel with a similar configuration degrades or blocks the legitimate WLAN's traffic. The other options describe a buffer overflow (A), a zero-day exploit (B) and a SYN flood (D), none of which relies on radio interference.

CompTIA Security Plus Mock Test Q1634

Joe, a computer forensic technician, responds to an active compromise of a database server. Joe first collects information in memory, then collects network traffic and finally takes an image of the hard drive. Which of the following procedures did Joe follow?

A. Order of volatility
B. Chain of custody
C. Recovery procedure
D. Incident isolation


Correct Answer: A
Section: Mixed Questions

CompTIA Security Plus Mock Test Q1357

An intrusion has occurred in an Internet-facing system. The security administrator would like to gather forensic evidence while the system is still in operation. Which of the following procedures should the administrator perform FIRST on the system?

A. Make a drive image
B. Take hashes of system data
C. Collect information in RAM
D. Capture network traffic

Correct Answer: C
Section: Mixed Questions

Explanation:
Evidence is collected in order of volatility, most volatile first. The contents of RAM (running processes, open network connections, keys in memory) are lost as soon as the system is powered off or rebooted, so they are captured first while the system is still running. Network traffic is captured next, and the drive image comes last because data on disk persists. Hashes are taken of the evidence after it has been collected, to prove it has not been altered.

CompTIA Security Plus Mock Test Q1214

A system security analyst wants to capture data flowing in and out of the enterprise. Which of the following would MOST likely help in achieving this goal?

A. Taking screenshots
B. Analyzing Big Data metadata
C. Analyzing network traffic and logs
D. Capturing system image


Correct Answer: C
Section: Mixed Questions

CompTIA Security Plus Mock Test Q855

Which of the following controls should critical application servers implement to protect themselves from other potentially compromised application services?

A. NIPS
B. Content filter
C. NIDS
D. Host-based firewalls

Correct Answer: D
Section: Application, Data and Host Security

Explanation:
A host-based firewall is designed to protect the host from network-based attack by using filters to limit the network traffic that is allowed to enter or leave the host. The action of a filter is to allow, deny, or log the network packet. Allow lets the packet continue toward its destination. Deny blocks the packet from going any further, effectively discarding it. Log records information about the packet in a log file. Filters can be based on protocol, port and source address. By allowing only the protocols and ports that the server must expose, and only from the hosts that need them, the critical server cannot be reached on any other service by another application server that has been compromised.

Incorrect Answers:
A: A network-based IPS (NIPS) is an intrusion detection and prevention system that scans network traffic in real time against a database of attack signatures. It is placed at network chokepoints and is useful for detecting and responding to attacks entering the network from outside. It does not give each critical server its own policy, and traffic between servers on the same segment may never pass through it, so a compromised application service could still reach the critical server.
B: Content filtering usually refers to web site content. It entails inspecting the data on a web page against a blacklist of unwanted terms and preventing access to that web page.
C: A network-based IDS (NIDS) scans network traffic in real time and is useful for detecting network-based attacks, but it only detects and alerts; it does not block the traffic, and like a NIPS it may not see traffic between hosts on the same segment.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 111-112, 116-117
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 5-8, 13-16
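The allow/deny/log filter semantics described in the explanation, as an added example that is not from the question's source: a small host firewall policy for a database server is evaluated against inbound packets, with explicit allows for the application tier and the admin network, a log rule for other attempts on the database port, and a default deny. The addresses, ports and rules are constructed for the example.

```python
"""Host-based firewall policy evaluation for a critical application server.
Added example; the rules, networks and packets are constructed and do not
come from any real product's syntax."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str        # source IP of the inbound packet
    dst_port: int   # destination port on this host
    proto: str      # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow", "deny" or "log"
    proto: Optional[str] = None      # None matches any protocol
    dst_port: Optional[int] = None   # None matches any port
    src_net: Optional[str] = None    # CIDR; None matches any source

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        if self.src_net is not None and ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet, log: List[str]) -> str:
    """First matching allow/deny decides; a matching log rule records the packet
    and evaluation continues. Anything no rule matches is denied (default deny)."""
    for rule in rules:
        if not rule.matches(pkt):
            continue
        if rule.action == "log":
            log.append(f"{pkt.proto}/{pkt.dst_port} from {pkt.src}")
            continue
        return rule.action
    return "deny"


def run_policy(rules: List[Rule], packets: List[Packet]) -> Tuple[List[str], List[str]]:
    """Return the decision for each packet and the entries written by log rules."""
    log: List[str] = []
    decisions = [evaluate(rules, pkt, log) for pkt in packets]
    return decisions, log


# Constructed policy for a database server: only the app tier may reach the
# database port, only admin jump hosts may reach SSH, any other attempt on
# the database port is logged, and everything else is denied.
DB_SERVER_RULES = [
    Rule("allow", "tcp", 5432, "10.0.1.0/24"),    # application servers -> database
    Rule("allow", "tcp", 22, "10.0.100.0/24"),    # admin jump hosts -> SSH
    Rule("log", "tcp", 5432),                     # record any other database-port attempt
    Rule("deny"),                                 # explicit default deny
]

# Constructed traffic: a legitimate app server, a compromised web server in
# another segment probing the database port, and a scan of an unrelated port.
SAMPLE_PACKETS = [
    Packet("10.0.1.7", 5432, "tcp"),
    Packet("10.0.2.9", 5432, "tcp"),
    Packet("10.0.2.9", 6379, "tcp"),
    Packet("10.0.100.5", 22, "tcp"),
]

if __name__ == "__main__":
    decisions, log = run_policy(DB_SERVER_RULES, SAMPLE_PACKETS)
    for pkt, decision in zip(SAMPLE_PACKETS, decisions):
        print(f"{pkt.src} -> {pkt.proto}/{pkt.dst_port}: {decision}")
    print("logged:", log)
```

The compromised web server's probe is denied even though the database port is open to the application tier, and the log entry is what a HIDS or SIEM would later pick up; a NIPS between the Internet and the DMZ would not see this east-west traffic at all.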

CompTIA Security Plus Mock Test Q850

Which of the following should a company implement to BEST mitigate zero-day malicious code executing on employees' computers?

A. Least privilege accounts
B. Host-based firewalls
C. Intrusion Detection Systems
D. Application white listing

Correct Answer: D
Section: Application, Data and Host Security

Explanation:
Application whitelisting is a security stance that prohibits unauthorized software from being able to execute unless it is on the preapproved exception list: the whitelist. This prevents
any and all software, including malware, from executing unless it is on the whitelist. This can help block zero-day attacks, which are new attacks that exploit flaws or vulnerabilities in
targeted systems and applications that are unknown or undisclosed to the world in general.

Incorrect Answers:
A: Least privilege is a security stance in which users are granted the minimum necessary access, permissions, and privileges that they require to accomplish their work tasks. It limits what malicious code can do once it runs, but it does not stop a zero-day from executing in the first place.
B: A host-based firewall is designed to protect the host from network based attack by using filters to limit the network traffic that is allowed to enter or leave the host. The action of a
filter is to allow, deny, or log the network packet. Allow enables the packet to continue toward its destination. Deny blocks the packet from going any further and effectively discarding it.
Log records information about the packet into a log file. Filters can be based on protocol and ports.
C: Intrusion detection systems (IDSs) are designed to detect suspicious activity based on a database of known attacks. They do not reliably detect zero-day exploits, which are new attacks that exploit flaws or vulnerabilities in targeted systems and applications that are unknown or undisclosed to the world in general, and an IDS only alerts rather than blocking.

References:
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 5-8, 12, 22, 82, 121, 241
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 26, 221, 236, 338
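Default-deny execution control as the explanation describes it, added here as an example that is not from the question's source: a launcher decides whether a binary may run solely on whether its SHA-256 hash is on the preapproved list, so a never-seen-before sample is denied without any signature for it, and a tampered copy of an approved program is denied as well. The file names, contents and temporary directory are constructed for the example.

```python
"""Application allowlisting by file hash. Added example; the 'binaries' are
constructed files written to a temporary directory, and the allowlist is
built from one of them."""
import hashlib
import os
import tempfile
from typing import Iterable, List, Tuple


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class Allowlist:
    """Execution is permitted only for hashes on the preapproved list;
    everything else, known malware or unknown zero-day alike, is denied."""

    def __init__(self, approved_hashes: Iterable[str]):
        self.approved = set(approved_hashes)
        self.audit: List[Tuple[str, str, str]] = []  # (file, hash prefix, verdict)

    def decide(self, path: str) -> str:
        digest = sha256_file(path)
        verdict = "allow" if digest in self.approved else "deny"
        self.audit.append((os.path.basename(path), digest[:12], verdict))
        return verdict


def demo() -> Tuple[str, str, str]:
    """Approved tool runs; an unknown dropper is denied; a modified approved
    tool is denied because its hash no longer matches."""
    with tempfile.TemporaryDirectory() as d:
        approved = os.path.join(d, "approved_tool.exe")
        unknown = os.path.join(d, "dropper.exe")
        with open(approved, "wb") as f:
            f.write(b"MZ approved build v1.0")            # constructed content
        with open(unknown, "wb") as f:
            f.write(b"MZ never-seen-before payload")       # constructed content
        allowlist = Allowlist([sha256_file(approved)])
        first = allowlist.decide(approved)
        second = allowlist.decide(unknown)
        with open(approved, "ab") as f:                    # tamper with the approved binary
            f.write(b" +injected")
        third = allowlist.decide(approved)
        return first, second, third


if __name__ == "__main__":
    print(demo())
```

A real deployment (Windows AppLocker or Linux fapolicyd, for instance) also allows by publisher signature or trusted path so that patches do not require re-hashing, but the decision logic is the same: nothing runs unless it is positively approved.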

CompTIA Security Plus Mock Test Q796

Joe, a network security engineer, has visibility into network traffic through network monitoring tools. However, he is concerned that a disgruntled employee may be targeting a server containing the company's financial records. Which of the following security mechanisms would be MOST appropriate to confirm Joe's suspicion?

A. HIDS
B. HIPS
C. NIPS
D. NIDS

Correct Answer: A
Section: Application, Data and Host Security

Explanation:
A host-based IDS (HIDS) is an intrusion detection system that runs as a service on a host computer system. It monitors the machine's logs, system events, file integrity and application activity for signs of intrusion. It can therefore detect what a user does on the server itself, including an internal user who is already logged on, which network monitoring alone cannot show.

Incorrect Answers:
B: A host-based IPS (HIPS) also runs as a service on the host and monitors the same logs, system events and application activity, but it is built to block activity it judges malicious. Joe wants to confirm a suspicion rather than block, and blocking would tip off the employee and could disrupt legitimate use of the financial server, so the detection-only HIDS is the better fit.
C: A network-based IPS (NIPS) is an intrusion detection and prevention system that scans network traffic in real time against a database of attack signatures. It is useful for detecting and responding to network-based attacks, but Joe already has network visibility, and a network sensor cannot see what a logged-on user does with files on the server or inspect encrypted sessions.
D: A network-based IDS (NIDS) scans network traffic in real time and is useful for detecting network-based attacks. Like a NIPS it adds nothing beyond the network monitoring Joe already has and cannot observe activity on the host itself.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 111-112, 116-117
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 13-16
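The kind of host-side detection a HIDS would run on the financial-records server, as an added example that is not from the question's source: the host's own authentication and file-audit events are parsed, and an alert is raised when anyone outside the approved finance group touches the protected directory, or when an approved user does so outside business hours. The log lines, user names, addresses and paths are constructed for the example.

```python
"""HIDS-style analysis of a server's own logs. Added example; SAMPLE_LOG,
FINANCE_USERS and the paths are constructed and represent no real system."""
import re
from typing import Dict, List

# Constructed syslog-like lines from the financial records server (not real data).
SAMPLE_LOG = """\
Mar 03 09:12:01 finsrv sshd[2231]: Accepted publickey for alice from 10.0.1.15 port 51022 ssh2
Mar 03 09:12:40 finsrv audit[2240]: user=alice op=read path=/srv/finance/ledger.db
Mar 03 22:47:13 finsrv sshd[3918]: Accepted password for bob from 10.0.5.12 port 40211 ssh2
Mar 03 22:48:02 finsrv audit[3925]: user=bob op=read path=/srv/finance/ledger.db
Mar 03 22:48:30 finsrv audit[3925]: user=bob op=copy path=/srv/finance/ledger.db
Mar 03 23:01:00 finsrv audit[3990]: user=bob op=read path=/var/log/syslog
"""

FINANCE_USERS = {"alice"}          # assumed: users approved to handle the records
PROTECTED_PREFIX = "/srv/finance/"  # assumed location of the financial records
BUSINESS_HOURS = range(8, 19)       # 08:00 to 18:59

LOGIN_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\d\d) (?P<hh>\d\d):\d\d:\d\d \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)"
)
AUDIT_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\d\d) (?P<hh>\d\d):\d\d:\d\d \S+ audit\[\d+\]: "
    r"user=(?P<user>\S+) op=(?P<op>\w+) path=(?P<path>\S+)"
)


def analyse(log_text: str) -> List[str]:
    """Correlate logons with file-audit events and return alert strings."""
    alerts: List[str] = []
    logins: Dict[str, str] = {}  # user -> source address of the most recent logon
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            logins[m["user"]] = m["src"]
            continue
        m = AUDIT_RE.match(line)
        if not m or not m["path"].startswith(PROTECTED_PREFIX):
            continue  # not an event about the protected records
        user, hour = m["user"], int(m["hh"])
        src = logins.get(user, "unknown source")
        if user not in FINANCE_USERS:
            alerts.append(f"unauthorised user {user} ({src}) {m['op']} {m['path']}")
        elif hour not in BUSINESS_HOURS:
            alerts.append(f"after-hours access by {user} ({src}) {m['op']} {m['path']}")
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print("ALERT:", alert)
```

Nothing in these events is visible to a NIDS: the SSH sessions are encrypted and the file reads never leave the host. A HIPS running the same rules would have terminated bob's session, which is exactly what Joe does not want while he is still confirming the suspicion.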

CompTIA Security Plus Mock Test Q719

Which of the following attacks involves the use of previously captured network traffic?

A. Replay
B. Smurf
C. Vishing
D. DDoS


Correct Answer: A
Section: Threats and Vulnerabilities

Explanation:
Replay attacks are quite common. They occur when information is captured over a network and later re-sent by an attacker. A replay attack is a kind of access or modification attack. In a distributed environment, logon and password information is sent between the client and the authentication system; the attacker captures that exchange and replays it later to be authenticated as the original user. The same can be attempted with the tickets issued by systems such as Kerberos: the attacker resubmits a captured ticket, hoping to be validated by the authentication system and to circumvent any time sensitivity.
If the attack succeeds, the attacker has all of the rights and privileges of the original ticket or session. This is the primary reason that tickets and similar tokens carry a unique session identifier (or nonce) and a time stamp: an expired or previously seen ticket is rejected, and an entry should be made in a security log to notify system administrators.

Incorrect Answers:
B: A smurf attack is a denial-of-service attack in which ICMP echo (PING) requests are sent to a network's broadcast address with the victim's address forged as the source, so that the victim is swamped with the replies. It does not involve the use of previously captured network traffic.
C: Vishing is the act of using the telephone in an attempt to scam the user into surrendering private information that will be used for identity theft. The scammer usually pretends to be
a legitimate business, and fools the victim into thinking he or she will profit. Vishing does not involve the use of previously captured network traffic.
D: A Distributed Denial of Service (DDoS) attack is an attack from several different computers targeting a single computer. One common method of attack involves saturating the
target machine with external communications requests, so much so that it cannot respond to legitimate traffic or responds so slowly as to be rendered essentially unavailable. Such
attacks usually lead to a server overload. DDoS attacks do not involve the use of previously captured network traffic.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, p. 325
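The replay described in the explanation and the nonce-plus-timestamp defence it mentions, as an added example that is not from the question's source: an authentication token is MACed with HMAC-SHA256, a verifier that checks only the MAC accepts the captured copy indefinitely, and a verifier that also enforces a freshness window and remembers nonces rejects the replay. The shared key, user name and clock values are constructed for the example.

```python
"""Replay of a captured authentication token, and a verifier that defeats it.
Added example; KEY, the user and the timestamps are constructed."""
import hashlib
import hmac
import os
from typing import Dict, Tuple

KEY = b"shared-secret-for-demo"  # assumed pre-shared key between client and server


def sign(user: str, nonce: bytes, ts: int) -> Dict[str, object]:
    """Client side: authenticate user, nonce and timestamp with HMAC-SHA256."""
    msg = f"{user}|{nonce.hex()}|{ts}".encode()
    return {"user": user, "nonce": nonce.hex(), "ts": ts,
            "mac": hmac.new(KEY, msg, hashlib.sha256).hexdigest()}


def verify_naive(token: Dict[str, object]) -> bool:
    """Checks only that the MAC is valid: a token captured on the wire replays forever."""
    msg = f"{token['user']}|{token['nonce']}|{token['ts']}".encode()
    expected = hmac.new(KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(str(token["mac"]), expected)


class ReplaySafeVerifier:
    """Accepts a token once: the timestamp must be within the window and the
    nonce must not have been seen before inside that window."""

    def __init__(self, window_seconds: int = 60):
        self.window = window_seconds
        self.seen: Dict[str, int] = {}  # nonce -> timestamp it was accepted with

    def verify(self, token: Dict[str, object], now: int) -> bool:
        if not verify_naive(token):
            return False                          # forged or corrupted
        ts = int(token["ts"])
        if abs(now - ts) > self.window:
            return False                          # expired (or clock far ahead)
        # Drop nonces older than the window so the cache stays bounded; anything
        # that old is rejected by the timestamp check anyway.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        nonce = str(token["nonce"])
        if nonce in self.seen:
            return False                          # replayed token
        self.seen[nonce] = ts
        return True


def demo() -> Tuple[Tuple[bool, bool], Tuple[bool, bool, bool]]:
    t0 = 1_700_000_000
    token = sign("alice", os.urandom(16), t0)     # legitimate logon
    captured = dict(token)                        # attacker's copy from the wire
    naive = (verify_naive(token), verify_naive(captured))
    verifier = ReplaySafeVerifier(window_seconds=60)
    hardened = (
        verifier.verify(token, t0 + 1),           # original: accepted
        verifier.verify(captured, t0 + 5),        # replay inside the window: nonce seen
        verifier.verify(captured, t0 + 600),      # replay later: timestamp expired
    )
    return naive, hardened


if __name__ == "__main__":
    print(demo())
```

The MAC alone proves the token was produced by someone holding the key; only the nonce and timestamp prove it is being presented for the first time, which is the property a replay attack exploits.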

CompTIA Security Plus Mock Test Q696

Which of the following devices is used for the transparent security inspection of network traffic by redirecting user packets prior to sending the packets to the intended destination?

A. Proxies
B. Load balancers
C. Protocol analyzer
D. VPN concentrator


Correct Answer: A
Section: Threats and Vulnerabilities

Explanation:
A proxy is a device that acts on behalf of other(s). A commonly used proxy in computer networks is a web proxy. Web proxy functionality is often combined into a proxy firewall.
A proxy firewall can be thought of as an intermediary between your network and any other network. Proxy firewalls are used to process requests from an outside network; the proxy
firewall examines the data and makes rule-based decisions about whether the request should be forwarded or refused. The proxy intercepts all of the packets and reprocesses them
for use internally. This process includes hiding IP addresses.
The proxy firewall provides better security than packet filtering because of the increased intelligence that a proxy firewall offers. Requests from internal network users are routed
through the proxy. The proxy, in turn, repackages the request and sends it along, thereby isolating the user from the external network. The proxy can also offer caching, should the
same request be made again, and it can increase the efficiency of data delivery.

Incorrect Answers:
B: A load balancer distributes traffic between servers. For example, you could have two or more web servers hosting your corporate website. The DNS record for the website will point
to the virtual IP of the load balancer. The load balancer will then share web requests between the web servers. A load balancer is not what is described in this question.
C: A protocol analyzer is a program used to capture network data communications sent between devices on a network for the purpose of examining the data. Traffic is not redirected to a protocol analyzer, and the protocol analyzer does not then send the packets on to the intended destination.
D: VPNs are used to make connections between private networks across a public network, such as the Internet. A VPN concentrator is a hardware device used to create remote
access VPNs. The concentrator creates encrypted tunnel sessions between hosts. A VPN concentrator is not what is described in this question.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, p. 98
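What a proxy does with a client request between receiving it and sending it on, as an added example that is not from the question's source: the request is parsed, a rule-based allow/refuse decision is made on the host, path and method, and an allowed request is repackaged with hop-by-hop headers and any internal client address removed before it leaves. The blocked host `malware.example.invalid`, the path rules and the sample requests are constructed for the example; in a transparent deployment the network redirects the client's packets to this same logic.

```python
"""Rule-based inspection and repackaging of an HTTP request by a proxy.
Added example; the policy and the sample requests are constructed."""
from typing import Dict, List, Tuple, Union

BLOCKED_HOSTS = {"malware.example.invalid"}         # assumed block list
BLOCKED_PATH_WORDS = {"/.git/", "wp-login"}          # assumed path rules
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
HOP_BY_HOP = {"proxy-connection", "connection", "keep-alive", "proxy-authorization"}
AUDIT: List[str] = []                                # what the proxy logs locally


def parse_request(raw: bytes) -> Tuple[str, str, str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x request into method, target, version, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers, body


def proxy_decision(raw: bytes, client_ip: str) -> Tuple[str, Union[str, bytes]]:
    """Return ('refuse', reason) or ('forward', rebuilt request bytes)."""
    method, target, version, headers, body = parse_request(raw)
    host = headers.get("host", "")
    reason = None
    if host in BLOCKED_HOSTS:
        reason = f"host {host} is blocked"
    elif any(word in target for word in BLOCKED_PATH_WORDS):
        reason = f"path {target} is blocked"
    elif method not in ALLOWED_METHODS:
        reason = f"method {method} not permitted"
    if reason:
        AUDIT.append(f"{client_ip} {method} {host}{target} refused: {reason}")
        return "refuse", reason
    # Repackage: drop hop-by-hop headers, never forward the internal client
    # address, and mark the request as having passed through the proxy.
    out = {k: v for k, v in headers.items() if k not in HOP_BY_HOP}
    out.pop("x-forwarded-for", None)
    out["via"] = f"{version.split('/')[1]} corp-proxy"
    out["connection"] = "close"
    rebuilt = f"{method} {target} {version}\r\n"
    rebuilt += "".join(f"{k}: {v}\r\n" for k, v in out.items()) + "\r\n"
    AUDIT.append(f"{client_ip} {method} {host}{target} forwarded")
    return "forward", rebuilt.encode("iso-8859-1") + body


# Constructed sample requests as received from internal clients.
SAMPLE_OK = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
             b"X-Forwarded-For: 10.0.3.44\r\nProxy-Connection: keep-alive\r\n"
             b"User-Agent: demo\r\n\r\n")
SAMPLE_BLOCKED_HOST = b"GET /x HTTP/1.1\r\nHost: malware.example.invalid\r\n\r\n"
SAMPLE_BLOCKED_PATH = b"GET /.git/config HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for raw in (SAMPLE_OK, SAMPLE_BLOCKED_HOST, SAMPLE_BLOCKED_PATH):
        print(proxy_decision(raw, "10.0.3.44"))
    print(AUDIT)
```

The client's address survives only in the proxy's own audit log, which is the isolation the explanation refers to: the external server sees a request from the proxy, not from the internal user.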