CompTIA Security Plus Mock Test Q637

Which of the following is BEST used to capture and analyze network traffic between hosts on the same network segment?

A. Protocol analyzer
B. Router
C. Firewall
D. HIPS


Correct Answer: A
Section: Threats and Vulnerabilities

Explanation:
A Protocol Analyzer is a hardware device or more commonly a software program used to capture network data communications sent between devices on a network. Capturing and analyzing the packets sent from two systems that are not communicating properly could help determine the cause of the issue.
Well known software protocol analyzers include Message Analyzer (formerly Network Monitor) from Microsoft and Wireshark (formerly Ethereal).

Incorrect Answers:
B: A router is used to route traffic between hosts on different networks. It is not used to capture and analyze network traffic.
C: A firewall is used to block unauthorized traffic from accessing hosts on a network. It is not used to capture and analyze network traffic.
D: A HIPS (Host Intrusion Prevention System) is software installed on a host which monitors the host for suspicious activity by analyzing events occurring within that host with the aim of detecting and preventing intrusion. It is not used to capture and analyze network traffic.

References:
http://en.wikipedia.org/wiki/Wireshark

CompTIA Security Plus Mock Test Q628

In order to maintain oversight of a third party service provider, the company is going to implement a Governance, Risk, and Compliance (GRC) system. This system is promising to provide overall security posture coverage. Which of the following is the MOST important activity that should be considered?

A. Continuous security monitoring
B. Baseline configuration and host hardening
C. Service Level Agreement (SLA) monitoring
D. Security alerting and trending


Correct Answer: A
Section: Threats and Vulnerabilities

Explanation:
The company is investing in a Governance, Risk, and Compliance (GRC) system to provide overall security posture coverage. This is great for testing the security posture. However, to be effective and ensure the company always has a good security posture, you need to monitor the security continuously.
Once a baseline security configuration is documented, it is critical to monitor it to see that this baseline is maintained or exceeded. A popular phrase among personal trainers is “that which gets measured gets improved.” Well, in network security, “that which gets monitored gets secure.”
Continuous monitoring means exactly that: ongoing monitoring. This may involve regular measurements of network traffic levels, routine evaluations for regulatory compliance, and checks of network security device configurations.

Incorrect Answers:
B: Baseline configuration and host hardening should be performed initially or when new computer systems are implemented. However, after that has been done, you should continue to monitor the security of the system.
C: Service Level Agreement (SLA) monitoring is performed to ensure that the availability of the system meets the SLAs agreed with your customers. It does not affect or ensure the security of the system.
D: Security alerting and trending is important. However, this can only happen with continuous security monitoring.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, p. 61

CompTIA Security Plus Mock Test Q511

An administrator notices an unusual spike in network traffic from many sources. The administrator suspects that:

A. it is being caused by the presence of a rogue access point.
B. it is the beginning of a DDoS attack.
C. the IDS has been compromised.
D. the internal DNS tables have been poisoned.

Correct Answer: B
Section: Threats and Vulnerabilities

Explanation:
A Distributed Denial of Service (DDoS) attack is an attack from several different computers targeting a single computer. One common method of attack involves saturating the target machine with external communications requests, so much so that it cannot respond to legitimate traffic, or responds so slowly as to be rendered essentially unavailable. Such attacks usually lead to a server overload.
A distributed denial-of-service (DDoS) attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. Such an attack is often the result of multiple compromised systems (for example a botnet) flooding the targeted system with traffic. When a server is overloaded with connections, new connections can no longer be accepted.
The major advantages to an attacker of using a distributed denial-of-service attack are that multiple machines can generate more attack traffic than one machine, multiple attack machines are harder to turn off than one attack machine, and the behavior of each attack machine can be stealthier, making it harder to track and shut down. These attacker advantages cause challenges for defense mechanisms. For example, merely purchasing more incoming bandwidth than the current volume of the attack might not help, because the attacker might be able to simply add more attack machines. The end result is a website that is completely unavailable for periods of time.
Malware can carry DDoS attack mechanisms; one of the better-known examples of this was MyDoom. Its DoS mechanism was triggered on a specific date and time. This type of DDoS involved hardcoding the target IP address prior to release of the malware, and no further interaction was necessary to launch the attack.

Incorrect Answers:
A: A rogue access point would not cause a spike in network traffic from many sources unless many computers had connected to the rogue access point and started sending lots of traffic.
C: The question states that an administrator notices an unusual spike in network traffic from many sources. You would typically notice this on a firewall or an IDS system. It’s unlikely the IDS has been compromised. A DDoS attack is far more common.
D: DNS poisoning is the process of inserting incorrect information into DNS records. This may cause a slight increase in broadcast traffic on the network (as computers try to locate each other) but it would not cause a serious spike in network traffic.

References:
http://en.wikipedia.org/wiki/Denial-of-service_attack

CompTIA Security Plus Mock Test Q469

Which of the following helps to establish an accurate timeline for a network intrusion?

A. Hashing images of compromised systems
B. Reviewing the date of the antivirus definition files
C. Analyzing network traffic and device logs
D. Enforcing DLP controls at the perimeter

Correct Answer: C
Section: Compliance and Operational Security

Explanation:
Network activity, including intrusions, can be viewed in device logs and by analyzing the network traffic that passed through your network. Thus, to establish an accurate timeline for a network intrusion, you can examine and analyze the device logs and network traffic to yield the appropriate information.

Incorrect Answers:
A: Hashing is used to perform integrity checks, not to establish timelines for network intrusions.
B: The date of the antivirus definition files shows how up to date your network's antivirus protection is, not when an intrusion occurred.
D: DLP controls are meant to prevent data loss, not to establish accurate timelines insofar as network intrusion is concerned.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 100, 117

CompTIA Security Plus Mock Test Q74

Review the following diagram depicting communication between PC1 and PC2 on each side of a router. Analyze the network traffic logs which show communication between the two computers as captured by the computer with IP 10.2.2.10.

DIAGRAM
PC1                                                              PC2
[192.168.1.30]----[INSIDE 192.168.1.1 router OUTSIDE 10.2.2.1]----[10.2.2.10]

LOGS
10:30:22, SRC 10.2.2.1:3030, DST 10.2.2.10:80, SYN
10:30:23, SRC 10.2.2.10:80, DST 10.2.2.1:3030, SYN/ACK
10:30:24, SRC 10.2.2.1:3030, DST 10.2.2.10:80, ACK

Given the above information, which of the following can be inferred about the above environment?

A. 192.168.1.30 is a web server.
B. The web server listens on a non-standard port.
C. The router filters port 80 traffic.
D. The router implements NAT.

Correct Answer: D
Section: Network Security

Explanation:
Network address translation (NAT) allows you to share a connection to the public Internet via a single interface with a single public IP address. NAT maps the private addresses to the public address. In a typical configuration, a local network uses one of the designated “private” IP address subnets. A router on that network has a private address (192.168.1.1) in that address space, and is also connected to the Internet with a “public” address (10.2.2.1) assigned by an Internet service provider.

Incorrect Answers:
A: If that were true, then the router's IP address would not be the source.

B, C: The logs show that a TCP connection has been established (SYN, SYN/ACK, ACK). If either of these were the case, a connection would not have been established.

References:
https://technet.microsoft.com/en-us/library/dd469812.aspx
http://en.wikipedia.org/wiki/Transmission_Control_Protocol

CompTIA Security Plus Mock Test Q26

A review of the company’s network traffic shows that most of the malware infections are caused by users visiting gambling and gaming websites. The security manager wants to implement a solution that will block these websites, scan all web traffic for signs of malware, and block the malware before it enters the company network. Which of the following is suited for this purpose?

A. ACL
B. IDS
C. UTM
D. Firewall


Correct Answer: C
Section: Network Security

Explanation:
An all-in-one appliance, also known as Unified Threat Management (UTM) and Next Generation Firewall (NGFW), is one that provides a good foundation for security. A variety is available; those that you should be familiar with for the exam fall under the categories of providing URL filtering, content inspection, or malware inspection.
Malware inspection is the use of a malware scanner to detect unwanted software content in network traffic. If malware is detected, it can be blocked or logged and/or trigger an alert.

Incorrect Answers:
A: Access control lists (ACLs) are used to define who is allowed to or denied permission to perform a specified activity or action.

B: An intrusion detection system (IDS) is an automated system that either watches activity in real time or reviews the contents of audit logs in order to detect intrusions or security policy violations.

D: The basic purpose of a firewall is to isolate one network from another.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 96, 119
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 19, 21, 24

CompTIA Security Plus Mock Test Q11

Mike, a network administrator, has been asked to passively monitor network traffic to the company’s sales websites. Which of the following would be BEST suited for this task?

A. HIDS
B. Firewall
C. NIPS
D. Spam filter

Correct Answer: C
Section: Network Security

Explanation:
A network-based intrusion prevention system (NIPS) monitors the entire network for suspicious traffic by analyzing protocol activity.

Incorrect Answers:
A: A host-based IDS (HIDS) watches the audit trails and log files of a host system. It's reliable for detecting attacks directed against a host, whether they originate from an external source or are being perpetrated by a user locally logged in to the host.

B: Firewalls provide protection by controlling traffic entering and leaving a network.

D: A spam filter is a software or hardware tool whose primary purpose is to identify and block/filter/remove unwanted messages (that is, spam). Spam is most commonly associated with email, but spam also exists in instant messaging (IM), short message service (SMS), Usenet, and web discussions/forums/comments/blogs.

References:
http://en.wikipedia.org/wiki/Intrusion_prevention_system
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 42, 47