Employees are reporting that they have been receiving a large number of emails advertising products and services. Links in the email direct the users’ browsers to the websites for the items being offered. No reports of increased virus activity have been observed. A security administrator suspects that the users are the targets of:
A. A watering hole attack B. Spear phishing C. A spoofing attack D. A spam campaign
Users in an organization are experiencing when attempting to access certain websites. The users report that when they type in a legitimate URL, different boxes appear on the screen, making it difficult to access the legitimate sites. Which of the following would best mitigate this issue?
A. Pop-up blockers B. URL filtering C. Antivirus D. Anti-spam
During a routine audit it is discovered that someone has been using a stale administrator account to log into a seldom used server. The person has been using the server to view inappropriate websites that are prohibited to end users. Which of the following could BEST prevent this from occurring again?
A. Credential management B. Group policy management C. Acceptable use policies D. Account expiration policies
After Ann, a user, logs into her banking websites she has access to her financial institution mortgage, credit card, and brokerage websites as well. Which of the following is being described?
A. Trusted OS B. Mandatory access control C. Separation of duties D. Single sign-on
Correct Answer: D Section: Access Control and Identity Management
Single sign-on means that once a user (or other subject) is authenticated into a realm, re-authentication is not required for access to resources on any realm entity. The question states
that when Ann logs into her banking websites she has access to her financial institution mortgage, credit card, and brokerage websites as well. This describes an SSO scenario.
A: Trusted OS requires a particular OS to be present in order to gain access to a resource.
B: Mandatory Access Control allows access to be granted or restricted based on the rules of classification.
C: Separation of duties divides administrator or privileged tasks into separate groupings.
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 82, 246, 278, 284
Which of the following devices would be the MOST efficient way to filter external websites for staff on an internal network?
A. Protocol analyzer B. Switch C. Proxy D. Router
Correct Answer: C Section: Application, Data and Host Security
A proxy is a device that acts on behalf of other devices. All internal user communications with the Internet could be controlled through a proxy server, which can be configured to
automatically filter out or block certain sites and content. It can also cache often-accessed sites to improve performance.
A: A protocol analyzer is a packet capturing tool that can collect network traffic. Most analyzers typically offer both capture filters, which specify which network packets should be
saved to the capture file or buffer, and display filters, which can be used to find captured network packets of interest. It does not block network packets.
B: A switch is a network device that connects many other devices together. The switch uses a media access control (MAC) address table to pass the network traffic it receives to the
intended recipient. It does not offer other sniffing, filtering or blocking features.
D: A router is a network device that connects several network segments. It allows traffic to flow from one network segment to another by using a routing table. It does not offer other
sniffing, filtering or blocking features.
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 102, 103, 118
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 8-9, 9-10, 11, 18
Based on information leaked to industry websites, business management is concerned that unauthorized employees are accessing critical project information for a major, well-known new product. To identify any such users, the security administrator could:
A. Set up a honeypot and place false project documentation on an unsecure share. B. Block access to the project documentation using a firewall. C. Increase antivirus coverage of the project servers. D. Apply security updates and harden the OS on all project servers.
Correct Answer: A Section: Threats and Vulnerabilities
A honeypot is a system whose purpose it is to be attacked. An administrator can watch and study the attack to research current attack methodologies.
According to Webopedia.com, a honeypot luring a hacker into a system has several main purposes:
The administrator can watch the hacker exploit the vulnerabilities of the system, thereby learning where the system has weaknesses that need to be redesigned.
The hacker can be caught and stopped while trying to obtain root access to the system.
By studying the activities of hackers, designers can better create more secure systems that are potentially invulnerable to future hackers.
There are two main types of honeypots:
Production – A production honeypot is one used within an organization’s environment to help mitigate risk.
Research – A research honeypot adds value to research in computer security by providing a platform to study the threat.
A: Reviewing the design of a system would not help to determine current attack methodologies. You would use a honeypot to determine current attack methodologies. You might then have a design review to counteract the threats.
C: A vulnerability scanner scans a system or network for known vulnerabilities. It is not used to determine new attack methodologies.
D: Reviewing the code of an application would not help to determine current attack methodologies. You would use a honeypot to determine current attack methodologies. You might then have a code review to counteract the threats.
A security administrator looking through IDS logs notices the following entry: (where firstname.lastname@example.org and passwd= ‘or 1==1’) Which of the following attacks had the administrator discovered?
A. SQL injection B. XML injection C. Cross-site script D. Header manipulation
Correct Answer: A Section: Threats and Vulnerabilities
The code in the question is an example of a SQL Injection attack. The condition ‘1==1’ will always evaluate to true. This can be included in a statement designed to return all rows in a SQL table.
SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application’s software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
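The following is an added example, not part of the question bank or its cited study guides. It shows the defect the paragraph above describes (user input concatenated into the SQL text) next to the parameterized form that removes it, using an in-memory SQLite database with a constructed two-row users table. The `' or 1==1 --` string is a tautology of the kind shown in the question; `==` is accepted by SQLite as a synonym for `=`, and `--` starts a comment so the rest of the statement is ignored.

```python
import sqlite3

# Constructed sample accounts for the demonstration (not from the question).
USERS = [
    ("alice", "correct horse"),
    ("bob", "hunter2"),
]


def make_db():
    """Build an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, passwd TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, passwd):
    """Defective version: input is spliced into the SQL text, so quotes and
    keywords in the input become part of the statement."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND passwd = '" + passwd + "'"
    )
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterized(conn, username, passwd):
    """Hardened version: placeholders keep the input as data. A tautology in
    the password field is compared literally and simply fails to match."""
    sql = "SELECT username FROM users WHERE username = ? AND passwd = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, passwd)))


def run_demo():
    """Return a dict of the results each function produces for a normal
    login and for the tautology input, so the difference can be inspected."""
    conn = make_db()
    tautology = "' or 1==1 --"
    return {
        "vulnerable_normal": login_vulnerable(conn, "alice", "correct horse"),
        # AND binds tighter than OR, so the WHERE clause becomes
        # (username='alice' AND passwd='') OR 1==1 -> every row matches.
        "vulnerable_tautology": login_vulnerable(conn, "alice", tautology),
        "parameterized_normal": login_parameterized(conn, "alice", "correct horse"),
        "parameterized_tautology": login_parameterized(conn, "alice", tautology),
    }


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(f"{name}: {rows}")
```

Note that the original question's input (`'or 1==1'` with a trailing quote) would leave the concatenated statement with an unbalanced quote; real payloads are shaped to keep the statement syntactically valid, which is why the demo appends a `--` comment. The parameterized version is the fix regardless of payload shape.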
A: Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users.
Cross-site scripting uses known vulnerabilities in web-based applications, their servers, or plug-in systems on which they rely. Exploiting one of these, attackers fold malicious content into the content being delivered from the compromised site. When the resulting combined content arrives at the client-side web browser, it has all been delivered from the trusted source, and thus operates under the permissions granted to that system. By finding ways of injecting malicious scripts into web pages, an attacker can gain elevated access privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user. The code in this question is not used for an XSS attack.
B: When a web user takes advantage of a weakness with SQL by entering values that they should not, it is known as a SQL injection attack. Similarly, when the user enters values that query XML (known as XPath) with values that take advantage of exploits, it is known as an XML injection attack. XPath works in a similar manner to SQL, except that it does not have the same levels of access control, and taking advantage of weaknesses within it can return entire documents. The best way to prevent XML injection attacks is to filter the user’s input and sanitize it to make certain that it does not cause XPath to return more data than it should. The code in this question is not XML code. This is therefore not an XML injection attack.
D: Header manipulation is an attack on an application that accesses web pages or web services. It involves introducing unvalidated data into an HTTP response header, which can enable cache poisoning, cross-site scripting, cross-user defacement, page hijacking, cookie manipulation or open redirects. The code in the question is not the code you would expect to see in a header manipulation attack. This answer is therefore incorrect.
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, p. 337
A company hosts its public websites internally. The administrator would like to make some changes to the architecture. The three goals are:
reduce the number of public IP addresses in use by the web servers
drive all the web traffic through a central point of control
mitigate automated attacks that are based on IP address scanning
Which of the following would meet all three goals?
A. Firewall B. Load balancer C. URL filter D. Reverse proxy
Correct Answer: D Section: Compliance and Operational Security
The purpose of a proxy server is to serve as a proxy or middle man between clients and servers. Using a reverse proxy you will be able to meet the three stated goals.
A: A firewall can be used to provide protection by controlling traffic entering and leaving the network, but not all the stated goals in the question.
B: Load balancers are used to spread the network traffic load across several links and devices so as to prevent bottlenecks from forming. This is only part of the goals that will be met.
C: A URL filter is used to block access to a site based on all or even just a part of the URL that is used to request the access. Thus a URL filter can meet the goal of mitigating automated attacks that are based on IP address scanning, but not all the goals.
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 11, 19, 178
A technician has just installed a new firewall onto the network. Users are reporting that they cannot reach any website. Upon further investigation, the technician determines that websites can be reached by entering their IP addresses. Which of the following ports may have been closed to cause this issue?
A. HTTP B. DHCP C. DNS D. NetBIOS
Correct Answer: C Section: Network Security
DNS links IP addresses and human-friendly fully qualified domain names (FQDNs), which are made up of the top-level domain (TLD), the registered domain name, and the subdomain or hostname. Therefore, if the DNS ports are blocked, websites will not be reachable by name, although they can still be reached by IP address.
A: HTTP is responsible for the transmission of HTML documents and embedded multimedia components.
B: Dynamic Host Configuration Protocol (DHCP) allows DHCP servers to assign, or lease, IP addresses to computers and other devices that are enabled as DHCP clients.
D: NetBIOS is a program that allows applications on different computers to communicate within a local area network (LAN).
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 42, 46