CompTIA Security Plus Mock Test Q1746

A computer on a company network was infected with a zero-day exploit after an employee accidentally opened an email that contained malicious content. The employee recognized the email as malicious and was attempting to delete it, but accidentally opened it. Which of the following should be done to prevent this scenario from occurring again in the future?

A. Install host-based firewalls on all computers that have an email client installed
B. Set the email program default to open messages in plain text
C. Install end-point protection on all computers that access web email
D. Create new email spam filters to delete all messages from that sender


Correct Answer: C
Section: Mixed Questions

CompTIA Security Plus Mock Test Q605

Which of the following may cause Jane, the security administrator, to seek an ACL workaround?

A. Zero day exploit
B. Dumpster diving
C. Virus outbreak
D. Tailgating


Correct Answer: A
Section: Threats and Vulnerabilities

Explanation:
A zero day vulnerability is an unknown vulnerability, so there is no fix or patch for it. One way to attempt to work around a zero day vulnerability is to restrict permissions by using an ACL (Access Control List). A zero day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it; this exploit is called a zero day attack. Uses of zero day attacks can include infiltrating malware or spyware, or allowing unwanted access to user information. The term “zero day” refers to the fact that the hole is unknown to everyone other than the attackers, and in particular to the developers. Once the vulnerability becomes known, a race begins for the developer, who must protect users.

Incorrect Answers:
B: Dumpster diving is looking for treasure in someone else’s trash. (A dumpster is a large trash container.) In the world of information technology, dumpster diving is a technique used to retrieve information that could be used to carry out an attack on a computer network. Dumpster diving isn’t limited to searching through the trash for obvious treasures like access codes or passwords written down on sticky notes. Seemingly innocent information like a phone list, calendar, or organizational chart can be used to assist an attacker using social engineering techniques to gain access to the network. To prevent dumpster divers from learning anything valuable from your trash, experts recommend that your company establish a disposal policy where all paper, including print-outs, is shredded in a cross-cut shredder before being recycled, all storage media is erased, and all staff are educated about the danger of untracked trash. Using proximity card readers instead of the traditional key punch doors would not prevent dumpster diving. You cannot prevent dumpster diving by using an ACL. This answer is therefore incorrect.
C: A virus outbreak is a virus spreading across multiple computers. A virus can be stopped by using antivirus software. A virus could possibly be restricted by an ACL on a single computer, but it would be difficult to configure ACLs quickly on several computers.
D: Tailgating in IT security is an unauthorized person following an authorized person into a building or room such as a datacenter. If a building has a card reader where an authorized person can hold up a card to the reader to unlock the door, someone tailgating could follow the authorized person into the building by walking through the door before it closes and locks. You cannot prevent tailgating by using an ACL. This answer is therefore incorrect.

References:
http://www.pctools.com/security-news/zero-day-vulnerability/
http://searchsecurity.techtarget.com/definition/dumpster-diving

CompTIA Security Plus Mock Test Q337

A security researcher wants to reverse engineer an executable file to determine if it is malicious. The file was found on an underused server and appears to contain a zero-day exploit. Which of the following can the researcher do to determine if the file is malicious in nature?

A. TCP/IP socket design review
B. Executable code review
C. OS Baseline comparison
D. Software architecture review

Correct Answer: C
Section: Compliance and Operational Security

Explanation:
A zero-day exploit takes advantage of a hole in software from the very day the hole is discovered. It is very difficult to respond to a zero-day exploit. Often, the only thing that you as a security administrator can do is to turn off the affected service. Although this can be a costly undertaking in terms of productivity, it is the only way to keep the network safe. In this case you want to check whether the executable file is malicious. Since a baseline represents a known secure state, it would be possible to check the nature of the executable file in an isolated environment by comparing it against the OS baseline.

Incorrect Answers:
A: A socket is a combination of an IP address and a port number. A TCP/IP socket design review is useful since sockets are the primary method used to communicate with services and applications such as the Web and Telnet. It is not used to check whether an underused server holds a file containing a zero-day exploit.
B: Executable code review. Executable scripts often run at elevated permission levels and can infect more components in your network, so any such review is best done with the underused server in isolation. The purpose of code review is to look at all custom written code for holes that may exist. The review also needs to examine changes that the code, most likely in the form of a finished application, may make to configuration files, libraries, and the like. Running the executable in order to review it would be unwise if you suspect it contains a zero-day exploit.
D: Software architecture review is not the way to check whether an existing file on a server is malicious or not. Comparing the existing files to a baseline would be a better option.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 338, 345-346
http://www.techrepublic.com/blog/software-engineer/reverse-engineering-your-net-applications/