CompTIA Security+ (SY0-601) Exam Questions

Page 1 of 50

1.

An employee in the finance department of a company needs access to a specific folder on a file server in order to retrieve a file to perform their work. The administrator gives the employee read and write access to the folder with the file they need. 

What type of security policy is being ignored in this situation?

  • Least privilege

  • Job rotation

  • Mandatory vacation

  • Separation of duties

Correct answer: Least privilege

In this case, the employee should be allowed to read but not write to the folder. Least privilege assigns an employee the minimum set of permissions needed for their job. This reduces the risk and impact of a security incident since it limits the damage that can be done by a malicious user or a compromised account.

Job rotation involves moving employees around between different roles. This can help to prevent fraud and reduce the potential risk of single points of failure. Mandatory vacation forces employees to take vacations. This can help to prevent fraud because other employees will need to cover for the vacationer and may detect fraud or other issues. Separation of duties breaks critical processes into multiple steps assigned to different employees. This helps to prevent fraud and reduce the risk that someone will fall for a phishing attack. 

2.

You are investigating an incident in which the perpetrator performed an XSS attack. What type of threat vector was used by the attacker?

  • Web

  • Supply chain

  • Social engineering

  • Default credentials

Correct answer: Web

The National Institute of Standards and Technology (NIST) provides attack vectors that can be useful for classifying an attack. Cross-site scripting (XSS) is executed from a website or web application; therefore, it would be classified under the web threat vector.

Supply chain attacks come from third-party services or products an organization uses. Social engineering attacks involve tricking users through communicative means. The default credentials vector refers to installing devices without changing their factory defaults.

3.

A startup organization is working on launching a new software as a service (SaaS) and wants to identify the possibility of an attack or other unfortunate event that can disrupt their business. 

What are they trying to identify in this scenario?

  • Risk

  • Threat

  • Vulnerability

  • Malware

Correct answer: Risk

In the realm of computer security, risk is the possibility of a malicious attack or other threat causing damage or downtime to a computer system. Risk is assessed together with threats to determine what it costs to protect the resource.

A threat is something that can potentially exploit vulnerabilities. A vulnerability is a weakness in a system. Malware is a type of threat.

4.

An administrator is responding to reports that multiple systems are seemingly targeting their web server and it is currently unavailable. The administrator checks the system and notices that it does not have enough resources to respond to the significant number of requests. 

Which of the following is this an example of?

  • DDoS

  • Injection

  • Credential replay

  • Pharming attack

Correct answer: DDoS

Distributed denial of service (DDoS) attacks are a form of resource exhaustion that seeks to make systems unavailable to other users. Essentially, they perform a request or function in such a significant number that the victim system simply cannot keep up. For example, if a botnet consisting of hundreds or thousands of workstations is directed to make many requests per second to a single web server, it is likely that the web server will be rendered unavailable while trying to respond to every request.

An injection attack inserts malicious code into an application. A credential replay attack occurs when an attacker intercepts authentication credentials to later gain unauthorized access to a system. A pharming attack sends a user to a compromised site to gain access to sensitive information.

5.

A network administrator has just installed a router at a client site. The administrator now wants to ensure that the device is hardened and prepared to deal with malicious activity. What do most network devices include that should be changed immediately for security?

  • Default account

  • Outdated firmware

  • Console access

  • Browser-based administrative interface

Correct answer: Default account

Each network device includes a default account for configurations. This account is named "administrator" or "admin" or something similar. This is the first account an attacker attempts to hack, so the account name should immediately be changed, as well as the password.

Immediately updating firmware is not typically required unless there is a known vulnerability. Console access may be required to gain local, administrative access to a device. A browser-based administrative interface may be necessary to manage a device remotely.

6.

A company uses a third-party company to provide ongoing management of its IT infrastructure. What type of threat vector does this introduce?

  • MSP

  • Vendor

  • Supplier

  • Open service ports

Correct answer: MSP

A managed service provider (MSP) provides ongoing management, monitoring, and support for services such as IT to its clients. Having a third party handle this may expand the threat surface if the MSP does not have proper controls.

Vendors and suppliers offer goods and components in addition to services. Open service ports are vulnerabilities caused by running applications that are not needed.

7.

At which stage of the incident response process does the first responder first become involved?

  • Identification

  • Containment

  • Eradication

  • Preparation

Correct answer: Identification

The Security+ exam defines a seven-step incident response process. The steps include:

  1. Preparation: Before an incident occurs, the organization should prepare by creating an incident response team (IRT) and defining the processes and procedures that they will follow when managing an incident. Also, the rest of the organization should be trained on their security responsibilities and how to respond if an incident occurs.
  2. Identification, or detection: At some point, a user may notice that a potential incident has occurred and alert the incident response team. A first responder will validate that an incident has occurred and either handle or escalate it.
  3. Analysis: An identified incident should be analyzed to see what its impact could be.
  4. Containment: After verifying the issue, the first responder should isolate it to manage the scope and impact of the incident. This might include disconnecting infected systems from the network to prevent the spread of a virus.
  5. Eradication: When the incident is contained, the incident response team will investigate it and develop and implement a remediation strategy. For example, the IRT might wipe a computer, use an endpoint security solution to remove a virus, update firewall rules, or take similar actions.
  6. Recovery: After the incident is over, the IRT can restore the system to a normal operation based on predefined procedures. For example, a verified-clean computer can be reconnected to the network.
  7. Lessons learned: After the recovery is complete, the IRT should perform a retrospective to determine what did and didn't go well. This might help with identifying inefficient IR processes or the root cause of the incident that can be corrected to prevent future, similar incidents from occurring.

8.

Robert is configuring a home wireless router and is presented with a few options for a Wi-Fi encryption protocol. Some of the options offered are WEP, WPA, and WPA2, but Robert is unsure which to select and is afraid of it being insecure. 

What Wi-Fi encryption protocol is now deprecated and considered insecure?

  • WEP

  • WPA2

  • WPA

  • WPA3

Correct answer: WEP

WEP is one wireless router encryption option that you find in most older Wi-Fi access points. It's considered insecure; WPA, WPA2, or WPA3 should be used instead. WPA provides significantly increased security through the incorporation of Temporal Key Integrity Protocol (TKIP) and message integrity checks. TKIP provides a per-packet key system, which greatly enhances security over the fixed key of WEP.

9.

Of the following, which is a web application vulnerability that can be perpetrated when an attacker embeds malicious HTML or JavaScript into a website for it to execute when the victim visits the web page?

  • XSS

  • CSRF

  • DLL injection

  • SQL injection

Correct answer: XSS

Cross-site scripting (XSS) is a web application vulnerability that arises when attackers are able to embed malicious scripts (HTML, JavaScript, etc.) within a web page that will be run when a user visits the page. These XSS scripts can extract sensitive information, such as login cookies, and send it to the attacker to use to impersonate a user's login.

Cross-site Request Forgery (CSRF) is when an attacker tricks a user into making an unintended web application request where the user is authenticated. A DLL injection is when an attacker inserts malicious code into shared library files. An SQL injection is when an attacker inserts malicious SQL code into a web application's database.

10.

An automation engineer is working with a security administrator at Acme Inc. to ensure that the embedded systems that are deployed are secure. Which of the following would NOT be a consideration for the security of an embedded system?

  • Encrypting the file store

  • Keeping the system up to date

  • Implementing an air-gapped network

  • Checking for issues with default configurations

Correct answer: Encrypting the file store

Embedded devices are items like multi-function printers, wireless cameras, or even smart TVs and refrigerators. While most individuals recognize that workstations and servers need to stay current with patches, embedded systems typically do not receive as much consideration. Both vendors and end users are unlikely to consider that the printer on the network might have a vulnerability, or that a wireless camera might be compromised and joined to a botnet. 

To secure embedded systems, ensure that the system is current and patched, that it is removed from publicly accessible networks where possible, and that any default settings are changed, such as default username and password combinations.

11.

A security research company wants to analyze what attackers do when they have compromised a system. To that end, they set up a DNS server with a known vulnerability that can be easily exploited. 

What type of deception technology are they using?

  • Honeypot

  • Honeynet

  • Honeyfile

  • Fake telemetry

Correct answer: Honeypot

A honeypot is a computer that pretends to be real and is intentionally vulnerable. It is designed to attract an attacker's attention, waste their time, and provide useful data for security personnel. These are often virtual machines because virtualization makes it easier to reset them to a clean state after an attack.

A honeynet is an entire fake network made up of honeypots. It requires more work than a honeypot or honeyfiles. Honeyfiles are fake files on a real system filled with data designed to entice an attacker. For example, a file named passwords.txt can detect an intrusion if the attacker opens it. Fake telemetry is fabricated data designed to test security solutions that monitor and analyze telemetry data. It is not a deception technology.

12.

A new web application is being developed for Acme Inc.'s customers. The executives are concerned that there might be vulnerabilities in the entry fields and other areas, so they want to perform testing. 

Which type of testing sends random data to an application to test for vulnerabilities?

  • Fuzz testing

  • Stress testing

  • Static analysis

  • Load testing

Correct answer: Fuzz testing

Fuzz testing (also referred to as fuzzing) sends random data to a website to test for vulnerabilities. This type of testing is done without knowing the source code of the application.

Stress testing involves sending large amounts of traffic to a service until it fails. Static analysis involves examining source code. Load testing involves seeing how an application behaves at different load levels.

13.

Which of the following is recommended for password storage to protect against rainbow table attacks?

  • Salting

  • Hashing

  • Tokenization

  • Normalization

Correct answer: Salting

Salting adds a random, unique value to data before it is hashed, ensuring that identical inputs produce different hashes. This is recommended for password storage and protects against rainbow tables.

Hashing performs an irreversible operation on data, replacing it with a fixed-size hash. The original data can't be retrieved, but it is possible to verify that another piece of data matches the original data by comparing their hashes. Tokenization replaces sensitive data in a database with a non-sensitive token. The mapping of tokens to data is stored securely elsewhere and can be used to look up the sensitive data if needed. Normalization is when databases are broken up into multiple tables to reduce the level of redundancy.

14.

The executives of a company that is growing exponentially want to begin outlining the risks and potential impacts to the business in the event of system or process failures or natural disasters. They would like the report to indicate which systems should be prioritized in the event of a total restoration requirement. 

Which of the following reports examines critical versus noncritical functions for a disaster recovery plan?

  • Business impact

  • Recovery time objective

  • Recovery point objective

  • Emergency response plan

Correct answer: Business impact

A disaster recovery plan has several components. One of these components is the business impact analysis. This analysis is the examination of critical versus noncritical functions to determine which resources are most critical to the organization.

A recovery time objective (RTO) is the target time in which a service must be restored. A recovery point objective (RPO) is the amount of data that can acceptably be lost during an incident. An emergency response plan outlines immediate actions to take in case of an event.

15.

A startup company needs to start creating user guidance and training for the new employees they are hiring. They want to create a module in their training to help them notice anomalous behavior in the workplace. 

What type of training should they include for this?

  • Situational awareness

  • Password management

  • Operational security

  • Remote work environments

Correct answer: Situational awareness

Situational awareness is a topic for user guidance and training that involves updating users on threats that face the organization and can be recognized by anomalous behavior.

Password management is a training topic for educating users about password standards. Operational security is a training topic about day-to-day security concerns such as access control and keeping information safe. Remote work environments is a training topic about securing data when working from home.

16.

Training videos hosted on the corporate intranet are BEST described by which of the following?

  • Computer-based training

  • Role-based training

  • Gamification

  • Capture the flag

Correct answer: Computer-based training

Cybersecurity awareness training can be delivered in various ways. Some methods to be aware of include the following:

  • Gamification creates rewards and incentives for security training, such as rewarding the person who completes training first or has the best score for reporting phishing emails in a month or quarter.
  • Capture the flag exercises set challenges for a user and set flags that they collect to prove that they completed them. These are commonly used when training security personnel on various skill sets.
  • Phishing campaigns or simulations involve sending fake phishing emails to users to evaluate the effectiveness of phishing training and to train them on the latest phishing tactics and threats.
  • Computer-based training (CBT) involves self-study tools such as videos available on the corporate intranet.
  • Role-based training tailors training to an employee's role. For example, financial employees may have a phishing focus, while developers may be trained on common software vulnerabilities.

17.

After asking an IT administrator for the passphrase to connect to a Wi-Fi router, the administrator instead presses a button on the router to automatically create the connection. Which of the following technologies was utilized?

  • WPS

  • PSK

  • WEP

  • WAF

Correct answer: WPS

Wi-Fi Protected Setup (WPS) is a feature on wireless routers that enables users to more easily connect to the wireless network. This feature is rather insecure as it is susceptible to brute force attacks. It should be disabled on any device that has it as an option.

A pre-shared key (PSK) is a passphrase for connecting to a Wi-Fi network. WEP is an obsolete method for securing wireless traffic. A web application firewall (WAF) is a specific type of firewall that protects from web application attacks.

18.

Which of the following wireless security methods authenticates a wireless access point to the client in WPA3 without a password?

  • SAE

  • LEAP

  • AES

  • TKIP

Correct answer: SAE

Wi-Fi Protected Access 3 (WPA3) introduced Simultaneous Authentication of Equals (SAE), which performs mutual authentication between the access point and the client. SAE means that all WPA3-capable devices will have an encrypted connection to the access point even if no password or authentication server is configured.

LEAP is a deprecated authentication protocol developed by Cisco. AES is an encryption protocol. TKIP is a deprecated encryption protocol used with WPA.

19.

An organization is suffering from a rash of social engineering attacks that lead to malware infection. The users are being tricked into thinking emails are from other employees telling them there is a new company application and to install it using the attached program.

What can an administrator do to help reduce malware incidents resulting from users not recognizing phishing attempts?

  • Provide security awareness training

  • Provide reprimands and write-ups with increasing severity

  • Have users sign an acceptable use policy

  • Provide documentation on the latest malware

Correct answer: Provide security awareness training

Security awareness training has been shown to greatly improve user understanding of malware and phishing attempts. An administrator can provide training to teach users the red flags concerning phishing emails. Providing user education is one of the most effective solutions in countering a whole host of social engineering attacks such as phishing.

20.

The Cyber Kill Chain is a series of steps outlining the stages of a cyber attack. Of the following, which is NOT one of the stages?

  • Reporting

  • Weaponization

  • Delivery

  • Reconnaissance

Correct answer: Reporting

The Cyber Kill Chain is a series of steps that outline and trace the stages of a cyber attack. Security experts use this model to assist in understanding how threat actors perform their attacks. The steps include:

  1. Reconnaissance
  2. Weaponization
  3. Delivery
  4. Exploitation
  5. Installation
  6. Command & Control
  7. Actions on Objectives

Reporting is not one of the steps.