CompTIA Security Plus Mock Test Q1478

A router was shut down as a result of a DoS attack. Upon review of the router logs, it was determined that the attacker was able to connect to the router using a console cable to complete the attack. Which of the following should have been implemented on the router to prevent this attack? (Select two)

A. IP ACLs should have been enabled on the console port on the router
B. Console access to the router should have been disabled
C. Passwords should have been enabled on the virtual terminal interfaces on the router
D. Virtual terminal access to the router should have been disabled
E. Physical access to the router should have been restricted

Correct Answer: B,E
Section: Mixed Questions

CompTIA Security Plus Mock Test Q1392

Log file analysis on a router reveals several unsuccessful telnet attempts to the virtual terminal (VTY) lines. Which of the following represents the BEST configuration used in order to prevent unauthorized remote access while maintaining secure availability for legitimate users?

A. Disable telnet access to the VTY lines, enable SSH access to the VTY lines with RSA encryption
B. Disable both telnet and SSH access to the VTY lines, requiring users to log in using HTTP
C. Disable telnet access to the VTY lines, enable SSH access to the VTY lines with PSK encryption
D. Disable telnet access to the VTY lines, enable SSL access to the VTY lines with RSA encryption

Correct Answer: C
Section: Mixed Questions

CompTIA Security Plus Mock Test Q1385

An administrator is investigating a system that may potentially be compromised and sees the following log entries on the router.
*Jul 15 14:47:29.779: %Router1: list 101 permitted TCP 192.10.3.204(57222) (FastEthernet 0/3) -> 10.10.1.5 (6667), 3 packets.
*Jul 15 14:47:38.779: %Router1: list 101 permitted TCP 192.10.3.204(57222) (FastEthernet 0/3) -> 10.10.1.5 (6667), 6 packets.
*Jul 15 14:47:45.779: %Router1: list 101 permitted TCP 192.10.3.204(57222) (FastEthernet 0/3) -> 10.10.1.5 (6667), 8 packets.
Which of the following BEST describes the compromised system?

A. It is running a rogue web server
B. It is being used in a man-in-the-middle attack
C. It is participating in a botnet
D. It is an ARP poisoning attack

Correct Answer: C
Section: Mixed Questions

CompTIA Security Plus Mock Test Q709

A user has plugged in a wireless router from home with default configurations into a network jack at the office. This is known as:

A. an evil twin.
B. an IV attack.
C. a rogue access point.
D. an unauthorized entry point.


Correct Answer: C
Section: Threats and Vulnerabilities

Explanation:
A rogue access point is a wireless access point that should not be there. In this question, the wireless router has been connected to the corporate network without authorization.
Therefore, it is a rogue access point.
A rogue access point is a wireless access point that has either been installed on a secure company network without explicit authorization from a local network administrator, or has
been created to allow a hacker to conduct a man-in-the-middle attack. Rogue access points of the first kind can pose a security threat to large organizations with many employees,
because anyone with access to the premises can install (maliciously or non-maliciously) an inexpensive wireless router that can potentially allow access to a secure network to
unauthorized parties. Rogue access points of the second kind target networks that do not employ mutual authentication (client-server server-client) and may be used in conjunction
with a rogue RADIUS server, depending on security configuration of the target network.
To prevent the installation of rogue access points, organizations can install wireless intrusion prevention systems to monitor the radio spectrum for unauthorized access points.

Incorrect Answers:
A: An evil twin, in the context of network security, is a rogue or fake wireless access point (WAP) that appears as a genuine hotspot offered by a legitimate provider. In this question,
the wireless access point has its default settings. It is therefore not trying to imitate the corporate wireless network and is therefore not an evil twin.
B: An initialization vector is a random number used in combination with a secret key as a means to encrypt data. This number is sometimes referred to as a nonce, or “number
occurring once,” as an encryption program uses it only once per session.
An initialization vector is used to avoid repetition during the data encryption process, making it impossible for hackers who use a dictionary attack to decrypt the exchanged encrypted
message by discovering a pattern. This is known as an IV attack. An unauthorized wireless access point plugged into a network is not an IV attack. Therefore this answer is incorrect.
D: If the wireless router was providing access to the corporate network, it could be defined as an unauthorized entry point. However, ‘rogue access point’ is a more specific term to
describe the wireless router in this question. Therefore this answer is incorrect.

References:
http://en.wikipedia.org/wiki/Rogue_access_point
http://www.techopedia.com/definition/26858/initialization-vector

CompTIA Security Plus Mock Test Q697

An administrator is investigating a system that may potentially be compromised, and sees the following log entries on the router.
*Jul 15 14:47:29.779:%Router1: list 101 permitted tcp 192.10.3.204(57222) (FastEthernet 0/3) -> 10.10.1.5 (6667), 3 packets.
*Jul 15 14:47:38.779:%Router1: list 101 permitted tcp 192.10.3.204(57222) (FastEthernet 0/3) -> 10.10.1.5 (6667), 6 packets.
*Jul 15 14:47:45.779:%Router1: list 101 permitted tcp 192.10.3.204(57222) (FastEthernet 0/3) -> 10.10.1.5 (6667), 8 packets.
Which of the following BEST describes the compromised system?

A. It is running a rogue web server
B. It is being used in a man-in-the-middle attack
C. It is participating in a botnet
D. It is an ARP poisoning attack

Correct Answer: C
Section: Threats and Vulnerabilities

Explanation:
In this question, we have a source computer (192.10.3.204) sending data to a single destination IP address, 10.10.1.5. No data is being received back by the source computer, which
suggests the data being sent is some kind of Denial-of-Service attack. This is common practice for computers participating in a botnet. The port used is TCP 6667, which is IRC
(Internet Relay Chat). This port is used by many Trojans and is commonly used for DoS attacks.
Software running on infected computers called zombies is often known as a botnet. Bots, by themselves, are but a form of software that runs automatically and autonomously. (For
example, Google uses the Googlebot to find web pages and bring back values for the index.)
Botnet, however, has come to be the word used to describe malicious software running on a zombie and under the control of a bot-herder.
Denial-of-service attacks — DoS and DDoS — can be launched by botnets, as can many forms of adware, spyware, and spam (via spambots). Most bots are written to run in the
background with no visible evidence of their presence. Many malware kits can be used to create botnets and modify existing ones.

Incorrect Answers:
A: The compromised system is not running a rogue web server. The ports used are not ports used by a web server (typically TCP ports 80 and 443). Furthermore, the computer is not
responding to a web request. It is just sending out data.
B: If the compromised computer was being used in a man-in-the-middle attack, it would be receiving data, not just sending it.
D: Address Resolution Protocol poisoning (ARP poisoning) is a form of attack in which an attacker changes the Media Access Control (MAC) address and attacks an Ethernet LAN by
changing the target computer’s ARP cache with a forged ARP request and reply packets. This is not what is happening in this question.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, p. 309
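The three ACL log entries above (the same ones quoted in Q1385) show the pattern the explanation describes: one internal host repeatedly permitted out to a single destination on TCP 6667. As an added illustration, not part of the original question bank, the following Python script parses such router ACL log lines and flags that pattern. The log format is assumed from the quoted lines, the four sample entries are constructed (three from the question plus one unrelated HTTPS flow), and the 6660-6669 port range is an assumption about typical IRC deployments rather than something the page states.

```python
import re
from collections import defaultdict

# Constructed sample: the ACL log entries quoted in the question, plus one unrelated
# HTTPS flow so the detector has something to ignore. Not captured from a real device.
SAMPLE_LOG = """\
*Jul 15 14:47:29.779: %Router1: list 101 permitted TCP 192.10.3.204(57222) (FastEthernet 0/3) -> 10.10.1.5 (6667), 3 packets.
*Jul 15 14:47:38.779:%Router1: list 101 permitted tcp 192.10.3.204(57222) (FastEthernet 0/3) -> 10.10.1.5 (6667), 6 packets.
*Jul 15 14:47:45.779: %Router1: list 101 permitted tcp 192.10.3.204(57222) (FastEthernet 0/3) -> 10.10.1.5 (6667), 8 packets.
*Jul 15 14:48:02.101: %Router1: list 101 permitted tcp 192.10.3.77(51000) (FastEthernet 0/3) -> 10.10.1.9 (443), 12 packets.
"""

# Assumed log shape, derived from the lines above; real IOS ACL log formats vary by version.
LINE_RE = re.compile(
    r"^\*(?P<ts>\w{3}\s+\d+\s+[\d:.]+):\s*%(?P<device>\w+): list (?P<acl>\d+) "
    r"(?P<action>permitted|denied) (?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) "
    r"\((?P<iface>[^)]+)\) -> (?P<dst>[\d.]+) \((?P<dport>\d+)\), (?P<packets>\d+) packets?\.$"
)

# IRC ports commonly watched for bot command-and-control; 6667 is the one in the question.
# The wider 6660-6669 range is an assumption about typical IRC setups, not from the page.
IRC_PORTS = set(range(6660, 6670))


def parse_acl_log(text):
    """Parse router ACL log lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["proto"] = e["proto"].lower()  # the page shows both "TCP" and "tcp"
        for key in ("acl", "sport", "dport", "packets"):
            e[key] = int(e[key])
        entries.append(e)
    return entries


def find_irc_beacons(entries, min_hits=3):
    """Flag internal hosts repeatedly permitted out to an IRC port.

    Repeated one-directional connections from one source to one destination on an
    IRC port are the pattern the explanation attributes to a bot reaching its
    controller. Returns one finding per (src, dst, dport) that meets min_hits.
    """
    flows = defaultdict(list)
    for e in entries:
        if e["action"] == "permitted" and e["proto"] == "tcp" and e["dport"] in IRC_PORTS:
            flows[(e["src"], e["dst"], e["dport"])].append(e)
    findings = []
    for (src, dst, dport), hits in flows.items():
        if len(hits) >= min_hits:
            findings.append({
                "src": src,
                "dst": dst,
                "dport": dport,
                "hits": len(hits),
                "first_seen": hits[0]["ts"],
                "last_seen": hits[-1]["ts"],
                "packet_counts": [h["packets"] for h in hits],
            })
    return findings


if __name__ == "__main__":
    for f in find_irc_beacons(parse_acl_log(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['dst']}:{f['dport']} seen {f['hits']}x, "
              f"packets per entry {f['packet_counts']} ({f['first_seen']} .. {f['last_seen']})")
```

Run against the sample, the script reports only the 192.10.3.204 -> 10.10.1.5:6667 flow; the HTTPS entry is ignored because 443 is not an IRC port. In practice the finding is a lead, not a verdict: confirm it with flow records or a packet capture before treating the host as a bot.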

CompTIA Security Plus Mock Test Q672

During a penetration test from the Internet, Jane, the system administrator, was able to establish a connection to an internal router, but not successfully log in to it. Which ports and protocols are MOST likely to be open on the firewall? (Select FOUR).

A. 21
B. 22
C. 23
D. 69
E. 3389
F. SSH
G. Terminal services
H. Rlogin
I. Rsync
J. Telnet


Correct Answer: B,C,F,J
Section: Threats and Vulnerabilities

Explanation:
The question states that Jane was able to establish a connection to an internal router. Typical ports and protocols used to connect to a router include the following:
B, F: Port 22 which is used by SSH (Secure Shell).
C, J: Port 23 which is used by Telnet.
SSH and Telnet both provide command line interfaces for administering network devices such as routers and switches.

Incorrect Answers:
A: Port 21 is used by FTP (File Transfer Protocol). It is used for downloading and uploading files over a network using a TCP connection. It is not used for connecting to network
devices such as routers or switches.
D: Port 69 is used by TFTP (Trivial File Transfer Protocol). It is used for downloading and uploading files over a network using a UDP connection. It is not used for connecting to
network devices such as routers or switches.
E: Port 3389 is used by Remote Desktop Protocol (RDP). RDP is used for connecting to Windows computers. It is not used for connecting to network devices such as routers or
switches.
G: Terminal Services is an earlier name for Remote Desktop Services. Terminal Services uses Remote Desktop Protocol (RDP) on port 3389. It is not used for connecting to network
devices such as routers or switches.
H: Rlogin (Remote Login) uses port 513 and is used for connecting to Linux or Unix computers. It is not used for connecting to network devices such as routers or switches.
I: RSync is a file synchronization protocol that uses port 873. It is used for synchronizing files between Linux or Unix computers. It is not used for connecting to network devices such
as routers or switches.

References:
http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

CompTIA Security Plus Mock Test Q613

A vulnerability assessment indicates that a router can be accessed from default port 80 and default port 22. Which of the following should be executed on the router to prevent access via these ports? (Select TWO).

A. FTP service should be disabled
B. HTTPS service should be disabled
C. SSH service should be disabled
D. HTTP service should disabled
E. Telnet service should be disabled


Correct Answer: C,D
Section: Threats and Vulnerabilities

Explanation:
Port 80 is used by HTTP. Port 22 is used by SSH. By disabling the HTTP and Telnet services, you will prevent access to the router on ports 80 and 22.

Incorrect Answers:
A: FTP uses ports 20 and 21. Disabling this service will not prevent access to the router on ports 80 or 22.
B: HTTPS uses port 443. Disabling this service will not prevent access to the router on ports 80 or 22.
E: Telnet uses port 23. Disabling this service will not prevent access to the router on ports 80 or 22.

References:
http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

CompTIA Security Plus Mock Test Q578

A victim is logged onto a popular home router forum site in order to troubleshoot some router configuration issues. The router is a fairly standard configuration and has an IP address of 192.168.1.1. The victim is logged into their router administrative interface in one tab and clicks a forum link in another tab. Due to clicking the forum link, the home router reboots. Which of the following attacks MOST likely occurred?

A. Brute force password attack
B. Cross-site request forgery
C. Cross-site scripting
D. Fuzzing

Correct Answer: B
Section: Threats and Vulnerabilities

Explanation:
Cross-Site Request Forgery — also known as XSRF, session riding, and one-click attack — involves unauthorized commands coming from a trusted user to the website. This is often done without the user’s knowledge, and it employs some type of social networking to pull it off. For example, assume that Evan and Spencer are chatting through Facebook. Spencer sends Evan a link to what he purports is a funny video that will crack him up. Evan clicks the link, but it actually brings up Evan’s bank account information in another browser tab, takes a screenshot of it, closes the tab, and sends the information to Spencer. The reason the attack is possible is because Evan is a trusted user with his own bank. In order for it to work, Evan would need to have recently accessed that bank’s website and have a cookie that had yet to expire. The best protection against cross-site scripting is to disable the running of scripts (and browser profiles).

Incorrect Answers:
A: A Brute Force attack is usually carried out by software that attempts to guess a password by sending multiple authentication requests with different passwords until authentication is successful. This is not what is described in this question.
C: Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. Cross-site scripting uses known vulnerabilities in web-based applications, their servers, or plug-in systems on which they rely. Exploiting one of these, attackers fold malicious content into the content being delivered from the compromised site. When the resulting combined content arrives at the client-side web browser, it has all been delivered from the trusted source, and thus operates under the permissions granted to that system. By finding ways of injecting malicious scripts into web pages, an attacker can gain elevated access-privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, Cross-Site Request Forgery exploits the trust that a site has in a user’s browser.
D: Fuzz testing or fuzzing is a software testing technique used to discover coding errors and security loopholes in software, operating systems or networks by inputting massive amounts of random data, called fuzz, to the system in an attempt to make it crash. If a vulnerability is found, a tool called a fuzz tester (or fuzzer), indicates potential causes. Fuzz testing was originally developed by Barton Miller at the University of Wisconsin in 1989. This is not what is described in this question.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, p. 335
http://searchsecurity.techtarget.com/definition/fuzz-testing
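The router-reboot scenario works because the browser attaches the victim's admin session cookie to any request aimed at 192.168.1.1, whichever page triggered it. As an added example that is not part of the original question bank or any vendor's firmware, the following Python models a hypothetical reboot handler twice: once acting on the cookie alone (the vulnerable form) and once with the standard defenses an administrative interface should apply (POST-only state changes, an Origin/Referer check, and a per-session synchronizer token). The request and session objects, the handler names and the forum address are all constructed for the demonstration.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Hypothetical model of a home router's admin interface at the address in the question.
# It is a constructed stand-in, not any vendor's firmware.
ROUTER_ORIGIN = "http://192.168.1.1"


class AdminSession:
    """Cookie-backed admin session; the browser sends the cookie on every request
    to 192.168.1.1, including requests that a forum page triggers cross-site."""

    def __init__(self):
        self.csrf_token = secrets.token_hex(16)


def make_request(method, headers=None, form=None):
    """Minimal stand-in for an HTTP request as the handler sees it."""
    return {"method": method, "headers": headers or {}, "form": form or {}}


def same_origin(url, expected):
    """Scheme, host and port must all match; another site or a bare path does not."""
    a, b = urlparse(url), urlparse(expected)
    return bool(a.scheme) and a.scheme == b.scheme and a.netloc == b.netloc


def vulnerable_reboot(request, session):
    """Acts on the cookie alone: any page the victim visits can make the browser
    send this request, which is the cross-site request forgery in the question."""
    if session is None:
        return 401, "login required"
    return 200, "rebooting"


def hardened_reboot(request, session):
    """Same action with three independent checks against forged requests."""
    if session is None:
        return 401, "login required"
    # 1. State-changing actions only via POST, so a plain link cannot trigger them.
    if request["method"] != "POST":
        return 405, "state change requires POST"
    # 2. The request must come from the router's own pages (Origin, else Referer).
    source = request["headers"].get("Origin") or request["headers"].get("Referer")
    if source is None or not same_origin(source, ROUTER_ORIGIN):
        return 403, "cross-site request rejected"
    # 3. A per-session synchronizer token a foreign page cannot read, compared in constant time.
    token = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(token, session.csrf_token):
        return 403, "missing or invalid CSRF token"
    return 200, "rebooting"


def demo():
    """Replay the scenario from the question against both handlers."""
    session = AdminSession()
    # Constructed: a form on the forum page auto-submitted by the victim's browser.
    forged = make_request("POST",
                          {"Origin": "http://forum.example", "Referer": "http://forum.example/thread/42"},
                          {"action": "reboot"})
    # Constructed: the legitimate reboot button on the router's own admin page.
    legit = make_request("POST", {"Origin": ROUTER_ORIGIN},
                         {"action": "reboot", "csrf_token": session.csrf_token})
    return {
        "vulnerable_forged": vulnerable_reboot(forged, session)[0],
        "hardened_forged": hardened_reboot(forged, session)[0],
        "hardened_legit": hardened_reboot(legit, session)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable handler returns 200 for the forged request because a valid session cookie is all it checks; the hardened one rejects it at the origin check and would reject it again at the token check even if the origin header were absent or spoofed by a proxy. The three checks are deliberately independent so that a single missing header or a browser that strips Referer does not collapse the defense. Marking the session cookie SameSite is a fourth, browser-enforced layer that goes beyond what the question covers.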

CompTIA Security Plus Mock Test Q329

Results from a vulnerability analysis indicate that all enabled virtual terminals on a router can be accessed using the same password. The company’s network device security policy mandates that at least one virtual terminal have a different password than the other virtual terminals. Which of the following sets of commands would meet this requirement?

A. line vty 0 6 P@s5W0Rd password line vty 7 Qwer++!Y password
B. line console 0 password password line vty 0 4 password P@s5W0Rd
C. line vty 0 3 password Qwer++!Y line vty 4 password P@s5W0Rd
D. line vty 0 3 password Qwer++!Y line console 0 password P@s5W0Rd

Correct Answer: C
Section: Compliance and Operational Security

Explanation:
The VTY lines are the Virtual Terminal lines of the router, used solely to control inbound Telnet connections. They are virtual, in the sense that they are a function of software – there is no hardware associated with them. Two numbers follow the keyword VTY because there is more than one VTY line for router access. The default number of lines is five on many Cisco routers. Here, I’m configuring one password for all terminal (VTY) lines. I can specify the actual terminal or VTY line numbers as a range. The syntax that you’ll see most often, vty 0 4, covers all five terminal access lines.

Incorrect Answers:
A: The number 6 is highly unlikely to be used since the default number of lines is 5 on most Cisco routers.
B: Using a 0 vty means that there are no passwords.
D: The command will not yield a different password for the virtual terminal.

References:
http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-110/45843-configpasswords.html
http://www.techrepublic.com/article/basic-access-security-for-cisco-network-devices/

CompTIA Security Plus Mock Test Q306

After a recent security breach, the network administrator has been tasked to update and backup all router and switch configurations. The security administrator has been tasked to enforce stricter security policies. All users were forced to undergo additional user awareness training. All of these actions are due to which of the following types of risk mitigation strategies?

A. Change management
B. Implementing policies to prevent data loss
C. User rights and permissions review
D. Lessons learned

Correct Answer: D
Section: Compliance and Operational Security

Explanation:
Incident response procedures involve: Preparation; Incident identification; Escalation and notification; Mitigation steps; Lessons learned; Reporting; Recovery/reconstitution procedures; First responder; Incident isolation (Quarantine; Device removal); Data breach; Damage and loss control. The question describes a situation in which a security breach occurred, together with a response that shows lessons have been learned and used to put in place measures that will prevent future security breaches of the same kind.

Incorrect Answers:
A: Change Management refers to the structured approach that is followed to secure a company’s assets. Described in the question is a case of incident response. And incident response is but a part of change management.
B: Policies preventing data loss involve monitoring the contents of systems to make sure that key content is not deleted or removed. This is not the updating and backup of all router and switch configurations.
C: Audits usually address user rights and permission reviews, which form part of risk mitigation.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 10, 429