CompTIA Security Plus Mock Test Q723

An internal audit has detected that a number of archived tapes are missing from secured storage. There was no recent need for restoration of data from the missing tapes. The location is monitored by access control and CCTV systems. Review of the CCTV system indicates that it has not been recording for three months. The access control system shows numerous valid entries into the storage location during that time. The last audit was six months ago and the tapes were accounted for at that time. Which of the following could have aided the investigation?

A. Testing controls
B. Risk assessment
C. Signed AUP
D. Routine audits

Correct Answer: A
Section: Threats and Vulnerabilities

Explanation:
Testing controls come in three types: Technical, Management and Operational.
In this question, the CCTV system has not been recording for three months and no one noticed. Improved testing controls (regular testing to verify the CCTV system is recording)
would ensure that the CCTV is recording as expected.
The CCTV recordings could have aided the investigation into the missing tapes.

Incorrect Answers:
B: A risk assessment might have calculated the chance or risk of the CCTV system not recording or the risk of the tapes going missing. However, the risk assessment itself would not
do anything to ensure that the CCTV system is checked regularly or prevent the tapes from going missing.
C: A signed AUP (Acceptable Use Policy) would do nothing to prevent the loss of the tapes or CCTV system recording failure.
D: Routine audits might have shown sooner that the tapes are missing but they would not help discover what happened to the tapes.

CompTIA Security Plus Mock Test Q722

An administrator has to determine host operating systems on the network and has deployed a transparent proxy. Which of the following fingerprint types would this solution use?

A. Packet
B. Active
C. Port
D. Passive


Correct Answer: D
Section: Threats and Vulnerabilities

Explanation:
TCP/IP stack fingerprinting is the passive collection of configuration attributes from a remote device during standard layer 4 network communications. The combination of parameters
may then be used to infer the remote machine’s operating system (aka, OS fingerprinting), or incorporated into a device fingerprint.
Certain parameters within the TCP protocol definition are left up to the implementation. Different operating systems and different versions of the same operating system set different
defaults for these values. By collecting and examining these values, one may differentiate among various operating systems, and implementations of TCP/IP. Just inspecting the Initial
TTL and window size TCP/IP fields is often enough in order to successfully identify an operating system, which eases the task of performing manual OS fingerprinting.
Passive OS fingerprinting is the examination of a passively collected sample of packets from a host in order to determine its operating system platform. It is called passive because it
doesn’t involve communicating with the host being examined.
In this question, the proxy will use passive fingerprinting because the proxy is a ‘transparent proxy’. It isn’t seen by the computer.

Incorrect Answers:
A: Active or Passive fingerprinting can both be called packet fingerprinting because the OS is learned from the TCP/IP packets. However, ‘packet fingerprinting’ is not a specific term
for OS fingerprinting. The other answers are more specific about the type of fingerprinting used.
B: Active fingerprinting involves sending packets to the target system and examining the response. This method is not used with transparent proxies.
C: Port fingerprinting is not a method used to discover the operating system of a computer.

References:
https://en.wikipedia.org/wiki/TCP/IP_stack_fingerprinting
http://www.windowsecurity.com/articles-tutorials/intrusion_detection/Operating-System-Fingerprinting-Packets-Part1.html

CompTIA Security Plus Mock Test Q721

An administrator is instructed to disable IP-directed broadcasts on all routers in an organization. Which of the following attacks does this prevent?

A. Pharming
B. Smurf
C. Replay
D. Xmas


Correct Answer: B
Section: Threats and Vulnerabilities

Explanation:
A smurf attack is a type of network security breach in which a network connected to the Internet is swamped with replies to ICMP echo (PING) requests. A smurf attacker sends PING
requests to an Internet broadcast address. These are special addresses that broadcast all received messages to the hosts connected to the subnet. Each broadcast address can
support up to 255 hosts, so a single PING request can be multiplied 255 times. The return address of the request itself is spoofed to be the address of the attacker’s victim. All the
hosts receiving the PING request reply to this victim’s address instead of the real sender’s address. A single attacker sending hundreds or thousands of these PING messages per
second can fill the victim’s Internet connection with ping replies, bringing their entire Internet service to its knees. Smurfing falls under the general category of Denial of Service attacks
— security attacks that don’t try to steal information, but instead attempt to disable a computer or network.
By disabling IP-directed broadcasts on all routers, we can prevent the smurf attack by blocking the ping requests to broadcast addresses.

Incorrect Answers:
A: Similar in nature to e-mail phishing, pharming seeks to obtain personal or private (usually financial related) information through domain spoofing. Rather than being spammed with
malicious and mischievous e-mail requests for you to visit spoof Web sites which appear legitimate, pharming ‘poisons’ a DNS server by infusing false information into the DNS server,
resulting in a user’s request being redirected elsewhere. Your browser, however will show you are at the correct Web site, which makes pharming a bit more serious and more difficult
to detect. Phishing attempts to scam people one at a time with an e-mail while pharming allows the scammers to target large groups of people at one time through domain spoofing.
Disabling IP-directed broadcasts would not prevent this attack.
C: A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an
adversary who intercepts the data and retransmits it. Disabling IP-directed broadcasts would not prevent this attack.
D: In information technology, a Christmas (Xmas) tree packet is a packet with every single option set for whatever protocol is in use. Christmas tree packets can be used as a method
of divining the underlying nature of a TCP/IP stack by sending the packets and awaiting and analyzing the responses. When used as part of scanning a system, the TCP header of a
Christmas tree packets has the flags SYN, FIN, URG and PSH set. Many operating systems implement their compliance with the Internet Protocol standard (RFC 791) in varying or
incomplete ways. By observing how a host responds to an odd packet, such as a Christmas tree packet, assumptions can be made regarding the host’s operating system. Disabling
IP-directed broadcasts would not prevent this attack.

References:
http://www.webopedia.com/TERM/S/smurf.html
http://www.webopedia.com/TERM/P/pharming.html
http://en.wikipedia.org/wiki/Christmas_tree_packet

CompTIA Security Plus Mock Test Q719

Which of the following attacks involves the use of previously captured network traffic?

A. Replay
B. Smurf
C. Vishing
D. DDoS


Correct Answer: A
Section: Threats and Vulnerabilities

Explanation:
Replay attacks are becoming quite common. They occur when information is captured over a network. A replay attack is a kind of access or modification attack. In a distributed
environment, logon and password information is sent between the client and the authentication system. The attacker can capture the information and replay it later. This can also occur
with security certificates from systems such as Kerberos: The attacker resubmits the certificate, hoping to be validated by the authentication system and circumvent any time
sensitivity.
If this attack is successful, the attacker will have all of the rights and privileges from the original certificate. This is the primary reason that most certificates contain a unique session
identifier and a time stamp. If the certificate has expired, it will be rejected and an entry should be made in a security log to notify system administrators.

Incorrect Answers:
B: A smurf attack is a type of network security breach in which a network connected to the Internet is swamped with replies to ICMP echo (PING) requests. It does not involve the use
of previously captured network traffic.
C: Vishing is the act of using the telephone in an attempt to scam the user into surrendering private information that will be used for identity theft. The scammer usually pretends to be
a legitimate business, and fools the victim into thinking he or she will profit. Vishing does not involve the use of previously captured network traffic.
D: A Distributed Denial of Service (DDoS) attack is an attack from several different computers targeting a single computer. One common method of attack involves saturating the
target machine with external communications requests, so much so that it cannot respond to legitimate traffic or responds so slowly as to be rendered essentially unavailable. Such
attacks usually lead to a server overload. DDoS attacks do not involve the use of previously captured network traffic.

References:
Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, p. 325

CompTIA Security Plus Mock Test Q718

Which of the following password attacks is MOST likely to crack the largest number of randomly generated passwords?

A. Hybrid
B. Birthday attack
C. Dictionary
D. Rainbow tables



Correct Answer: D

Section: Threats and Vulnerabilities

Explanation:
When a password is “tried” against a system it is “hashed” using encryption so that the actual password is never sent in clear text across the communications line. This prevents
eavesdroppers from intercepting the password. The hash of a password usually looks like a bunch of garbage and is typically a different length than the original password. Your
password might be “shitzu” but the hash of your password would look something like “7378347eedbfdd761619451949225ec1”.
To verify a user, a system takes the hash value created by the password hashing function on the client computer and compares it to the hash value stored in a table on the server. If
the hashes match, then the user is authenticated and granted access.
Password cracking programs work in a similar way to the login process. The cracking program starts by taking plaintext passwords, running them through a hash algorithm, such as
MD5, and then compares the hash output with the hashes in the stolen password file. If it finds a match then the program has cracked the password.
Rainbow Tables are basically huge sets of precomputed tables filled with hash values that are pre-matched to possible plaintext passwords. The Rainbow Tables essentially allow
hackers to reverse the hashing function to determine what the plaintext password might be.
The use of Rainbow Tables allow for passwords to be cracked in a very short amount of time compared with brute-force methods, however, the trade-off is that it takes a lot of storage
(sometimes Terabytes) to hold the Rainbow Tables themselves.
With a rainbow table, all of the possible hashes are computed in advance. In other words, you create a series of tables; each has all the possible two-letter, three-letter, four-letter, and
so forth combinations and the hash of that combination, using a known hashing algorithm like SHA-2. Now if you search the table for a given hash, the letter combination in the table
that produced the hash must be the password you are seeking.

Incorrect Answers:
A: A hybrid attack is a combination of dictionary and brute-force attacks. A dictionary attack uses a list of words to use as passwords. The combination or hybrid attack adds characters
or numbers or even other words to the beginning or end of the password guesses. For example: from a password guess of ‘password multiple combinations could be created such as
‘password1, 1password, password2, 2password. However, a hybrid attack does not guess as many ‘random’ passwords as a rainbow tables attack.
B: A birthday attack is built on a simple premise. If 25 people are in a room, there is some probability that two of those people will have the same birthday. The probability increases as
additional people enter the room. It’s important to remember that probability doesn’t mean that something will occur, only that it’s more likely to occur. To put it another way, if you ask if
anyone has a birthday of March 9th, the odds are 1 in 365 (or 25/365 given the number of people in the room), but if you ask if anyone has the same birthday as any other individual,
the odds of there being a match increase significantly. Although two people may not share a birthday in every gathering, the likelihood is fairly high, and as the number of people
increases, so too do the odds that there will be a match.
A birthday attack works on the same premise: If your key is hashed, the possibility is that given enough time, another value can be created that will give the same hash value. Even
encryption such as that with MD5 has been shown to be vulnerable to a birthday attack. However, a hybrid attack does not guess as many ‘random’ passwords as a rainbow tables
attack.
C: A dictionary attack uses a dictionary of common words to attempt to find the user’s password. A dictionary attack can find passwords that are dictionary words but not passwords
that are random characters.

References:
http://netsecurity.about.com/od/hackertools/a/Rainbow-Tables.htm
Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 256, 327

CompTIA Security Plus Mock Test Q716

After working on his doctoral dissertation for two years, Joe, a user, is unable to open his dissertation file. The screen shows a warning that the dissertation file is corrupted because it is infected with a backdoor, and can only be recovered by upgrading the antivirus software from the free version to the commercial version. Which of the following types of malware is the laptop MOST likely infected with?

A. Ransomware
B. Trojan
C. Backdoor
D. Armored virus

Correct Answer: A
Section: Threats and Vulnerabilities

Explanation:
Ransomware is a type of malware which restricts access to the computer system that it infects, and demands a ransom paid to the creator(s) of the malware in order for the restriction
to be removed. Some forms of ransomware encrypt files on the system’s hard drive), while some may simply lock the system and display messages intended to coax the user into
paying.
Ransomware typically propagates as a trojan like a conventional computer worm, entering a system through, for example, a downloaded file or a vulnerability in a network service. The
program will then run a payload: such as one that will begin to encrypt personal files on the hard drive. More sophisticated ransomware may hybrid-encrypt the victim’s plaintext with a
random symmetric key and a fixed public key. The malware author is the only party that knows the needed private decryption key. Some ransomware payloads do not use encryption.
In these cases, the payload is simply an application designed to restrict interaction with the system, typically by setting the Windows Shell to itself, or even modifying the master boot
record and/or partition table (which prevents the operating system from booting at all until it is repaired)
Ransomware payloads utilize elements of scareware to extort money from the system’s user. The payload may, for example, display notices purportedly issued by companies or law
enforcement agencies which falsely claim that the system had been used for illegal activities, or contains illegal content such as pornography and pirated software or media. Some
ransomware payloads imitate Windows’ product activation notices, falsely claiming that their computer’s Windows installation is counterfeit or requires re-activation. These tactics coax
the user into paying the malware’s author to remove the ransomware, either by supplying a program which can decrypt the files, or by sending an unlock code that undoes the changes
the payload has made.

Incorrect Answers:
B: In computers, a Trojan horse is a program in which malicious or harmful code is contained inside apparently harmless programming or data in such a way that it can get control and
do its chosen form of damage. Ransomware can be distributed as a Trojan but the term Trojan does not specifically describe the attack in this question.
C: A backdoor in a computer system is a method of bypassing normal authentication securing unauthorized remote access to a computer while attempting to remain undetected. The
backdoor may take the form of an installed program or may subvert the system through a rootkit. A backdoor is not what is described in this question.
D: An armored virus is a type of virus that has been designed to thwart attempts by analysts from examining its code by using various methods to make tracing, disassembling and
reverse engineering more difficult. An Armored Virus may also protect itself from antivirus programs, making it more difficult to trace. To do this, the Armored Virus attempts to trick the
antivirus program into believing its location is somewhere other than where it really is on the system. An armored virus is not what is described in this question.

References:
http://en.wikipedia.org/wiki/Ransomware
http://www.webopedia.com/TERM/A/Armored_Virus.html

CompTIA Security Plus Mock Test Q715

A security administrator must implement a network that is immune to ARP spoofing attacks. Which of the following should be implemented to ensure that a malicious insider will not be able to successfully use ARP spoofing techniques?

A. UDP
B. IPv6
C. IPSec
D. VPN


Correct Answer: B
Section: Threats and Vulnerabilities

Explanation
ARP is not used in IPv6 networks.
The Address Resolution Protocol (ARP) is a telecommunication protocol used for resolution of network layer addresses into link layer addresses, a critical function in multiple-access
networks. ARP is used for converting a network address (e.g. an IPv4 address) to a physical address like an Ethernet address (also named a MAC address).
In Internet Protocol Version 6 (IPv6) networks, the functionality of ARP is provided by the Neighbor Discovery Protocol (NDP).

Incorrect Answers:
A: UDP (User Datagram Protocol) can be used over IPv6. However, it is more commonly used over IPv4 which relies on ARP and is therefore susceptible to ARP spoofing attacks.
C: IPSec (IP Security) can be used to secure IPv6. However, it is more commonly used to secure IPv4 which relies on ARP and is therefore susceptible to ARP spoofing attacks.
D: A VPN (Virtual Private Network) can be created over IPv6. However, VPNs are more commonly used in IPv4 which relies on ARP and is therefore susceptible to ARP spoofing
attacks.

References:
https://en.wikipedia.org/wiki/Address_Resolution_Protocol

CompTIA Security Plus Mock Test Q714

A network administrator identifies sensitive files being transferred from a workstation in the LAN to an unauthorized outside IP address in a foreign country. An investigation determines that the firewall has not been altered, and antivirus is up-to-date on the workstation. Which of the following is the MOST likely reason for the incident?

A. MAC Spoofing
B. Session Hijacking
C. Impersonation
D. Zero-day


Correct Answer: D
Section: Threats and Vulnerabilities

Explanation:
This question states that antivirus is up-to-date on the workstation and the firewall has not been altered. The antivirus software is up to date with all ‘known’ viruses. A zero day
vulnerability is an unknown vulnerability so a patch or virus definition has not been released yet.
A zero day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it
— this exploit is called a zero day attack. Uses of zero day attacks can include infiltrating malware, spyware or allowing unwanted access to user information. The term “zero day”
refers to the unknown nature of the hole to those outside of the hackers, specifically, the developers. Once the vulnerability becomes known, a race begins for the developer, who must
protect users.

Incorrect Answers:
A: This is not an example of MAC Spoofing. MAC Spoofing can be used to ‘redirect’ traffic to a different host. However, in this question the data is being sent to another country. The
traffic will therefore be going through several routers. MAC Spoofing only works when the host is on the same broadcast domain as the intended destination host.
B: Session hijacking, also known as TCP session hijacking, is a method of taking over a Web user session by surreptitiously obtaining the session ID and masquerading as the
authorized user. Once the user’s session ID has been accessed (through session prediction), the attacker can masquerade as that user and do anything the user is authorized to do on
the network. In this question, the data is being transferred from a workstation, not a web server so this is not an example of session hijacking.
C: Impersonation is where a person, computer, software application or service pretends to be someone it’s not. It is unlikely that a person in a foreign country is accessing the data by
impersonating someone.

References:
http://www.pctools.com/security-news/zero-day-vulnerability/

CompTIA Security Plus Mock Test Q713

Joe, the information security manager, is tasked with calculating risk and selecting controls to protect a new system. He has identified people, environmental conditions, and events that could affect the new system. Which of the following does he need to estimate NEXT in order to complete his risk calculations?

A. Vulnerabilities
B. Risk
C. Likelihood
D. Threats


Correct Answer: A
Section: Threats and Vulnerabilities

Explanation:
In this question, the security administrator has identified people, environmental conditions, and events that could affect the new system. The next step of the risk assessment is to
determine the vulnerabilities of the system itself.
Risk assessment deals with the threats, vulnerabilities, and impacts of a loss of information-processing capabilities or a loss of information itself. A vulnerability is a weakness that
could be exploited by a threat. Each risk that can be identified should be outlined, described, and evaluated for the likelihood of it occurring. The key here is to think outside the box.
Conventional threats and risks are often too limited when considering risk assessment.
The key components of a risk-assessment process are outlined here:
Risks to Which the Organization Is Exposed: This component allows you to develop scenarios that can help you evaluate how to deal with these risks if they occur. An operating
system, server, or application may have known risks in certain environments. You should create a plan for how your organization will best deal with these risks and the best way to
respond.
Risks That Need Addressing: The risk-assessment component also allows an organization to provide a reality check on which risks are real and which are unlikely. This process helps
an organization focus on its resources as well as on the risks that are most likely to occur. For example, industrial espionage and theft are likely, but the risk of a hurricane damaging
the server room in Indiana is very low. Therefore, more resources should be allocated to prevent espionage or theft as opposed to the latter possibility.

Incorrect Answers:
B: Risk is the exposure to danger. It is a combination of vulnerability, threat and likelihood. It is not a single aspect to be calculated. Therefore this answer is incorrect.
C: You need to determine a vulnerability and the threat to that vulnerability before you can determine the likelihood of occurrence. Likelihood is not the next step in this question.
D: A threat is something that can attack a vulnerability. You need to determine the vulnerability before you can determine the thread. Therefore this answer is incorrect.

References:
Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 3-5

CompTIA Security Plus Mock Test Q712

An organization must implement controls to protect the confidentiality of its most sensitive data. The company is currently using a central storage system and group based access control for its sensitive information. Which of the following controls can further secure the data in the central storage system?

A. Data encryption
B. Patching the system
C. Digital signatures
D. File hashing


Correct Answer: A
Section: Threats and Vulnerabilities

Explanation:
Data encryption makes data unreadable to anyone who does not have the required key to decrypt the data. The question states that the sensitive data is stored on a central storage
system. Group based access control is used to control who can access the sensitive data. However, this offers no physical security for the data. Someone could steal the central
storage system or remove the hard disks from it with the plan of placing the hard disks into another system to read the data on the disks. With the data encrypted, the data would be
unreadable.

Incorrect Answers:
B: The question states that the sensitive data is stored on a central storage system (such as a SAN). A SAN typically does not need patching. Even if the storage was attached to a
system that did need patching (such as a file server), patching the system would still provide no protection against the removal of the hard disks containing the data.
C: A digital signature is a mathematical technique used to validate the authenticity and integrity of a message, software, or digital document. Digital signatures would not further secure
the data in the central storage system.
D: File hashing is used to ensure that the version of the file a user receives has not been tampered with when accessing files over a network. It is not used to secure files on a storage
system.