CompTIA Security+ (SY0-701) Exam Questions
Page 5 of 50
81.
After an incident, an investigator generates a hash from the contents of a hard drive. What purpose does this hash value serve in an investigation?
-
Nonrepudiation
-
E-discovery
-
Data recovery
-
Secure wipe
Correct answer: Nonrepudiation
Taking a cryptographic hash of the drive image at acquisition time fixes its contents: anyone can recompute the hash later and, if it matches, show that the evidence has not been altered since it was collected. That integrity proof is what lets the investigator demonstrate, and an opposing party not deny, that the evidence analysed is the evidence seized, which is the nonrepudiation the question is pointing at. Strictly, the hash by itself provides integrity verification; nonrepudiation in practice also rests on a documented chain of custody and, where available, a signature over the hash. The other options are unrelated to hashing: e-discovery is the production of preserved records for litigation, data recovery restores lost data, and a secure wipe destroys it.
82.
At Acme Inc., they initiate a backup of the entire system every Sunday. Each following night, the system backs up all files that have changed since the last entire backup. On Sunday, another complete backup is made, and then the process repeats.
What type of backup style are they utilizing?
-
Differential
-
Incremental
-
Full
-
Snapshot
Correct answer: Differential
A differential backup copies every file that has changed since the last full backup, so each nightly set grows through the week, and a restore needs only two sets: the full backup and the most recent differential. A differential backup must be preceded by a full backup.
An incremental backup copies only the files changed since the previous backup of any kind, full or incremental, so each nightly set is smaller but a restore must replay the full backup plus every incremental in order. A snapshot captures the state of a volume or virtual machine at a point in time rather than copying changed files.
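The following added example (not from the original page) simulates a week of Acme's schedule under both styles using a constructed change log, so the size of each nightly set and the length of the restore chain can be compared. File names and the change log are made up for the illustration.

```python
from typing import Dict, List, Set

# Constructed change log: files modified on each weekday after Sunday's full backup.
CHANGES: Dict[str, Set[str]] = {
    "Mon": {"payroll.xlsx", "notes.txt"},
    "Tue": {"notes.txt"},
    "Wed": {"site.html", "payroll.xlsx"},
    "Thu": set(),
    "Fri": {"notes.txt", "logo.png"},
    "Sat": {"site.html"},
}
ALL_FILES = {"payroll.xlsx", "notes.txt", "site.html", "logo.png", "readme.md"}
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]


def plan(style: str) -> Dict[str, Set[str]]:
    """Return the set of files copied on each day. Sunday is always a full backup."""
    sets = {"Sun": set(ALL_FILES)}
    since_full: Set[str] = set()
    for day in DAYS:
        changed = CHANGES[day]
        if style == "differential":
            since_full |= changed          # everything changed since Sunday's full backup
            sets[day] = set(since_full)
        elif style == "incremental":
            sets[day] = set(changed)       # only what changed since the previous backup
        else:
            raise ValueError(f"unknown style {style!r}")
    return sets


def restore_chain(style: str, day: str) -> List[str]:
    """Backup sets that must be applied, in order, to rebuild the system as of `day`."""
    if day == "Sun":
        return ["Sun"]
    if style == "differential":
        return ["Sun", day]                # full + latest differential
    return ["Sun"] + DAYS[: DAYS.index(day) + 1]   # full + every incremental so far


def copies_made(style: str) -> int:
    """Total file copies written Monday to Saturday (a proxy for backup size/time)."""
    return sum(len(files) for day, files in plan(style).items() if day != "Sun")


if __name__ == "__main__":
    for style in ("differential", "incremental"):
        print(style, "copies:", copies_made(style),
              "restore on Sat:", restore_chain(style, "Sat"))
```

The trade-off in the explanation shows up directly: the differential schedule writes more each night but restores from two sets, while the incremental schedule writes less and restores from seven.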
83.
An administrator is planning the certificate requirements for a few new websites that will be made available to the public. They want to have the same root domain for several subdomains that divide up the applications.
Which of the following would work BEST for their situation?
-
Wildcard
-
Multiple certificates
-
Self-signed certificate
-
Root CA certificate
Correct answer: Wildcard
A wildcard certificate has an asterisk (*) as its left-most label and is valid for any name that replaces that label within the same parent domain. For example, with a certificate for *.acmeinc.com, Acme Inc. could serve clients.acmeinc.com, blog.acmeinc.com, or mail.acmeinc.com from the one certificate. Two caveats: the wildcard covers exactly one label, so it does not cover the bare acmeinc.com (which has to be added as a separate subject alternative name) or a deeper name such as dev.clients.acmeinc.com; and every server that uses the certificate holds the same private key, so compromising one host exposes every subdomain.
Multiple certificates would work but are less efficient to issue, deploy, and renew than a single wildcard. Self-signed certificates are not trusted by public browsers, so they are only suitable for internal use. Root CA certificates are self-signed trust anchors and are not issued to websites.
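The matching rule that makes the one-label caveat concrete, as an added example written for this page rather than code from any TLS library. It implements the commonly used RFC 6125 rules: case-insensitive label comparison, a wildcard only as the whole left-most label, and a wildcard matching exactly one label. The host names are the ones from the explanation above.

```python
from typing import Iterable


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate name `pattern` (possibly a wildcard) covers `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname                     # plain name: exact match only
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False                                   # only the '*.example.com' form is accepted
    if len(p_labels) < 3:
        return False                                   # refuse '*.com' style patterns
    if len(h_labels) != len(p_labels):
        return False                                   # wildcard covers exactly one label
    return p_labels[1:] == h_labels[1:] and h_labels[0] != ""


def covered_by_cert(san_names: Iterable[str], hostname: str) -> bool:
    """Whether any name in the certificate's SAN list covers the host being connected to."""
    return any(hostname_matches(name, hostname) for name in san_names)


if __name__ == "__main__":
    cert = ["*.acmeinc.com"]
    for host in ("clients.acmeinc.com", "acmeinc.com", "dev.clients.acmeinc.com"):
        print(host, "->", covered_by_cert(cert, host))
```

Adding "acmeinc.com" to the SAN list is what makes the apex name resolve, which is what public CAs do when they issue a wildcard with the bare domain included.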
84.
An administrator at Acme Inc. has just finished creating the user account for a new hire and is applying all the appropriate permissions and roles to the account so that the new user can perform all necessary job functions.
Which of the following processes is the administrator performing?
-
Provisioning
-
Deprovisioning
-
Change management
-
Identity proofing
Correct answer: Provisioning
Typically, provisioning and deprovisioning refer to user accounts in regard to the creation and deletion of them, respectively. During the provisioning process, an administrator creates the user account and assigns all the necessary privileges so that they have appropriate access.
Deprovisioning is exactly the opposite, where an administrator removes a user's access to their systems. This can be as simple as disabling the account. Change management is the process for responsibly implementing new technologies or methods into an organization. Identity proofing is the method of validating that a user account is tied to a real person.
85.
An organization is suffering from a rash of social engineering attacks that lead to malware infection. The users are being tricked into thinking emails are from other employees telling them there is a new company application and to install it using the attached program.
What can an administrator do to help reduce malware incidents resulting from users not recognizing phishing attempts?
-
Provide security awareness training
-
Provide reprimands and write-ups with increasing severity
-
Have users sign an acceptable use policy
-
Provide documentation on the latest malware
Correct answer: Provide security awareness training
Security awareness training has been shown to greatly improve user understanding of malware and phishing attempts. An administrator can provide training to teach users the red flags concerning phishing emails. Providing user education is one of the most effective solutions in countering a whole host of social engineering attacks such as phishing.
86.
An attacker gains access to a company network that still contains older systems and begins footprinting the environment. The attacker discovers that the network is still using NTLM for authentication due to the presence of Windows XP and Server 2003 machines. The attacker is able to intercept the authentication stream and resend the encoded password to gain access to various systems.
Which of the following MOST likely occurred in this scenario?
-
Pass the hash attack
-
Dictionary attack
-
Birthday attack
-
Rainbow table attack
Correct answer: Pass the hash attack
In a pass the hash attack the attacker obtains the hash of a user's password, for example by dumping LSASS memory or the SAM database on a compromised machine, and uses it directly to authenticate without ever recovering the password. It works because NTLM authentication never sends the password: the client proves it knows the NT hash by computing a challenge response from it, so the hash itself is a password-equivalent credential. Microsoft LAN Manager (LM) and NT LAN Manager (NTLM) are the usual targets. Note that NTLM is still present on current Windows versions, not only on legacy systems such as XP and Server 2003, so disabling NTLM where possible and alerting on NTLM logons from unexpected hosts are the usual mitigations.
A dictionary attack uses dictionary words and similar variants to crack a password. Birthday attacks use the probability of hash collisions to attack hash functions. A rainbow table attack uses pre-computed hash tables to reverse unsalted password hashes.
87.
The Cyber Kill Chain is a series of steps outlining the stages of a cyber attack. Of the following, which is NOT one of the stages?
-
Reporting
-
Weaponization
-
Delivery
-
Reconnaissance
Correct answer: Reporting
The Cyber Kill Chain is a series of steps that outline and trace the stages of a cyber attack. Security experts use this model to assist in understanding how threat actors perform their attacks. The steps include:
- Reconnaissance
- Weaponization
- Delivery
- Exploitation
- Installation
- Command & Control
- Actions on Objectives
Reporting is not one of the steps.
88.
What does a firewall use to permit or deny actions?
-
Access lists
-
Honeypots
-
FIM
-
EDR
Correct answer: Access lists
Access lists, or access control lists (ACLs), are rules that either permit or deny actions. Different types of firewalls can use various factors to make their decisions, such as IP address, time of day, or type of traffic.
Honeypots are decoy systems used to attract threat actors so their actions can be studied. File integrity monitoring (FIM) is used to determine if files have been altered. Endpoint detection and response (EDR) is used for detecting and mitigating threats on devices or endpoints.
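A small ACL evaluator, added here as an example and not taken from any firewall product, shows the two properties that matter in practice: rules are applied in order with the first match deciding, and anything that matches no rule falls through to an implicit deny. It also checks for a shadowed rule (one that can never fire because an earlier rule already covers everything it would match), a frequent audit finding. The rule sets and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp", "icmp" or "any"
    src: str              # source network in CIDR notation
    dst: str              # destination network in CIDR notation
    dport: Optional[int]  # destination port, None = any port


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule decides (returns action and 1-based rule number); no match = implicit deny."""
    for n, rule in enumerate(acl, start=1):
        if rule_matches(rule, pkt):
            return rule.action, n
    return "deny", None


def _covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matching `inner` would already have matched `outer`."""
    return ((outer.proto == "any" or outer.proto == inner.proto)
            and ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
            and ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
            and (outer.dport is None or outer.dport == inner.dport))


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """1-based positions of rules that can never fire because an earlier rule covers them."""
    return [i + 1 for i, inner in enumerate(acl) if any(_covers(outer, inner) for outer in acl[:i])]


# Constructed rule sets for the illustration.
ACL = [
    Rule("deny", "tcp", "0.0.0.0/0", "10.0.5.0/24", 23),          # no telnet to the server VLAN
    Rule("permit", "tcp", "0.0.0.0/0", "203.0.113.10/32", 443),   # public HTTPS to the web server
    Rule("permit", "tcp", "10.0.0.0/8", "10.0.5.0/24", 22),        # SSH only from internal ranges
]
ACL_BAD = [
    Rule("permit", "any", "0.0.0.0/0", "0.0.0.0/0", None),         # "allow all" placed first ...
    Rule("deny", "tcp", "0.0.0.0/0", "10.0.5.0/24", 23),           # ... so this deny never fires
]

if __name__ == "__main__":
    for p in (Packet("tcp", "198.51.100.7", "203.0.113.10", 443),
              Packet("tcp", "198.51.100.7", "10.0.5.9", 22)):
        print(p, "->", evaluate(ACL, p))
    print("shadowed rules in ACL_BAD:", shadowed_rules(ACL_BAD))
```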
89.
MD5 is a common hashing algorithm that was determined to be vulnerable with the advent of increased computing power but is still used to verify the integrity of files, emails, etc. Of the following vulnerabilities, which is MD5 MOST susceptible to?
-
Collision
-
Man-in-the-middle
-
Brute force
-
Decryption
Correct answer: Collision
A collision is two different inputs that produce the same MD5 hash. Practical collision attacks against MD5 have existed since 2004, and chosen-prefix collisions (two attacker-chosen documents with the same hash) have been demonstrated, so an MD5 hash no longer proves that a file has not been substituted. Preimage attacks on MD5 (finding an input for a given hash) remain theoretical, and rainbow tables are a problem for any fast, unsalted hash rather than a flaw specific to MD5. Despite this, MD5 checksums are still widely published for downloaded files and executables; for integrity checking, SHA-256 or stronger should be used instead.
Man-in-the-middle attacks target unencrypted protocols such as HTTP. Brute force attacks succeed against weak passwords. Decryption is possible against weak encryption protocols.
90.
Which of the following types of NIDS requires frequent updates to be effective?
-
Signature-based
-
Anomaly-based
-
Heuristic-based
-
Behavior-based
Correct answer: Signature-based
A signature-based NIDS maintains a database of signatures that describe unique features of known threats. Based on these signatures, it can detect attack traffic with a very low false positive rate. However, it is blind to zero-day attacks and requires frequent signature updates.
An anomaly, or behavior-based, detection IDS will develop a baseline of normal behavior and look for deviations from this baseline. This can detect zero-day attacks but can also be prone to false positives. A heuristic or rule-based system will have predefined rules used to detect potentially suspicious or malicious behavior. For example, a system may be configured to alert on an excessive volume of a certain type of packet because this traffic pattern is known to be associated with a DDoS attack.
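The two detection styles side by side, as an added example written for this page (not from any IDS product): a signature engine with two fixed patterns, and an anomaly engine that learns a requests-per-minute baseline from a training window and flags sources that exceed mean plus three standard deviations. The log lines are constructed in a simple "HH:MM:SS source-ip request-path" format. The live window contains a known SQL injection string, which only the signature engine catches, and a burst of requests carrying a payload no signature describes, which only the anomaly engine catches.

```python
import re
import statistics
from collections import Counter
from typing import List, Tuple

# Signature engine: fixed patterns for known attacks; a new attack means a new rule (the update burden).
SIGNATURES = {
    "sql-injection":  re.compile(r"union\s+select|'\s*or\s+'?1'?\s*=\s*'?1", re.I),
    "path-traversal": re.compile(r"\.\./|/etc/passwd", re.I),
}


def parse(line: str) -> Tuple[str, str, str]:
    ts, src, path = line.split(" ", 2)
    return ts, src, path


def signature_scan(lines: List[str]) -> List[Tuple[str, str]]:
    hits = []
    for line in lines:
        _, src, path = parse(line)
        for name, rx in SIGNATURES.items():
            if rx.search(path):
                hits.append((name, src))
                break
    return hits


def requests_per_minute(lines: List[str]) -> Counter:
    counts: Counter = Counter()
    for line in lines:
        ts, src, _ = parse(line)
        counts[(src, ts[:5])] += 1
    return counts


def baseline(train_lines: List[str]) -> Tuple[float, float]:
    """Anomaly engine training: mean and standard deviation of per-source requests per minute."""
    counts = list(requests_per_minute(train_lines).values())
    return statistics.mean(counts), statistics.pstdev(counts)


def anomaly_scan(lines: List[str], mean: float, sd: float, k: float = 3.0) -> List[Tuple[str, str, int]]:
    threshold = mean + k * sd
    return [(src, minute, n) for (src, minute), n in sorted(requests_per_minute(lines).items())
            if n > threshold]


# Constructed training window (normal browsing) and live window.
TRAIN = [
    "10:00:05 10.0.0.5 /index.html", "10:00:40 10.0.0.5 /about.html", "10:00:50 10.0.0.8 /index.html",
    "10:01:02 10.0.0.5 /index.html", "10:01:10 10.0.0.5 /login", "10:01:30 10.0.0.5 /dashboard",
    "10:01:45 10.0.0.8 /index.html", "10:01:55 10.0.0.8 /contact.html",
    "10:02:15 10.0.0.5 /dashboard", "10:02:20 10.0.0.5 /logout",
    "10:02:30 10.0.0.8 /about.html", "10:02:50 10.0.0.8 /index.html",
]
LIVE = [
    "10:05:01 10.0.0.5 /index.html",
    "10:05:12 10.0.0.5 /search?q=' or 1=1 --",        # known pattern: signature fires
] + [f"10:05:0{i} 198.51.100.9 /admin?cmd=;id" for i in range(3, 9)]   # novel payload, six hits in a minute

if __name__ == "__main__":
    m, s = baseline(TRAIN)
    print("signature hits:", signature_scan(LIVE))
    print("anomalies:", anomaly_scan(LIVE, m, s))
```

The anomaly engine's weakness is visible too: a single source making four requests in a minute would already cross this small baseline's threshold, which is the false-positive tendency the explanation describes.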
91.
Which cloud computing resource packages applications into portable units?
-
Containers
-
Hypervisors
-
Security groups
-
Virtual machines
Correct answer: Containers
Containers are self-sufficient applications that include the dependencies and libraries they need to run. That makes them easy to deploy and scale.
Hypervisors are systems used to load and manage virtual machines. Security groups are used to filter traffic in the cloud. Virtual machines are full virtualized operating systems.
92.
Acme Inc. is using software that is hosted on the vendor's website. The software provides payroll and accounting features, as well as some CRM components. All of the services are maintained by the vendor.
Which of the following is Acme using?
-
SaaS
-
IaaS
-
PaaS
-
FaaS
Correct answer: SaaS
Software as a service (SaaS) is a way for companies to have their software hosted in the cloud. Users and employees can access applications over the internet, provided by a third party. The application does not need to be installed on the local computer but is run from a web browser.
Infrastructure as a service (IaaS) is used by customers to provision networks, systems, and resources through the cloud. Platform as a service (PaaS) is used to procure a development environment in the cloud. Function as a service (FaaS) is used to access individual functions through the cloud.
93.
A user receives a call from an individual claiming to be a manager. They state that they urgently need information in order to close a business deal. The user trusts the caller and provides them with the information, only to learn it was used in an attack just a few days later.
What do we call the act of manipulating users into revealing confidential information?
-
Social engineering
-
Malware
-
Brute force attack
-
SQL injection
Correct answer: Social engineering
Social engineering is an attack that tricks users into revealing confidential information. Usually, the attacker tricks the user into giving authorization credentials. Social engineering can be in the form of a phishing email, a phone call, or even an on-site attack where the hacker tricks the user into giving them access to the premises. Some of the methods or techniques that may be employed by a social engineer include:
- Flattery or conning
- Acting as though they are an individual with authority
- Pushing an individual to perform a risky act
- Encouraging a user to disclose sensitive information
- Impersonation
- Tailgating
Malware is a software attack. Brute force attacks are used on passwords. SQL injection attacks a web application by sending database queries.
94.
Recent development updates that were applied to the production environment at Acme Inc. have caused a disruption in business operations. Not all the modifications in the update were approved, and it necessitated some immediate patches in order to be usable again. Executive management wants to avoid this at all costs in the future and ensure that developers will not be making unauthorized updates or patches.
Which of the following could they implement to mitigate this issue?
-
Change management
-
Secure DevOps
-
Waterfall method
-
SDLC
Correct answer: Change management
When dealing with production systems, it is important to consider any and all impact on operations that can arise from deploying a new change to the system. Change management seeks to iron out those issues through careful review of the change and ensuring it obtains approval before being pushed out into the production environment. This can help mitigate bugs and unauthorized changes that can impact the organization.
Secure DevOps is an approach to software development involving continuous security testing. The Waterfall method is an approach to software development that follows a rigid sequence. The software development life cycle (SDLC) is a process for developing and maintaining software.
95.
The executives of a company that is growing exponentially want to begin outlining the risks and potential impacts to the business in the event of system or process failures or natural disasters. They would like the report to indicate which systems should be prioritized in the event of a total restoration requirement.
Which of the following reports examines critical versus noncritical functions for a disaster recovery plan?
-
Business impact
-
Recovery time objective
-
Recovery point objective
-
Emergency response plan
Correct answer: Business impact
A disaster recovery plan has several components. One of these components is the business impact analysis. This analysis is the examination of critical versus noncritical functions to determine which resources are most critical to the organization.
A recovery time objective (RTO) is the target time in which a service must be restored. A recovery point objective (RPO) is the amount of data that can acceptably be lost during an incident. An emergency response plan outlines immediate actions to take in case of an event.
96.
A group of penetration testers was provided with a spreadsheet containing network information but no map. They were also given some details about the applications that are in use, but there is no information about the operating systems that have been deployed.
Which of the following testing strategies is being employed in this scenario?
-
Partially known environment
-
Known environment
-
Unknown environment
-
Fully known environment
Correct answer: Partially known environment
While known environment testing would have all the information and unknown environment testing would have none, partially known environment testing is somewhere in between, with various pieces of information but not the whole picture. This leaves pen testers to fill in the gaps, and usually, they are encouraged to document their findings so that subsequent tests and audits can be performed more easily, and they can gradually move toward known environment testing.
97.
Which sanitization technique involves using strong magnetic fields to make a drive's data unreadable?
-
Degaussing
-
Shredding
-
Incineration
-
Pulping
Correct answer: Degaussing
Degaussing exposes a drive to a strong magnetic field that randomizes the magnetic orientation of the particles on the platters, destroying the data and normally the drive's servo tracks as well, so the drive is unusable afterwards. It only works on magnetic media: flash-based devices such as SSDs and USB sticks are unaffected and must be cryptographically erased or physically destroyed instead.
Shredding turns drives into small pieces. Incineration burns a drive. Pulping is used to destroy paper.
98.
An attacker is modifying the hosts file on a computer. Which of the following attacks are they MOST likely to be performing?
-
DNS poisoning
-
Domain hijacking
-
URL redirection
-
Domain reputation
Correct answer: DNS poisoning
DNS poisoning involves altering name-to-address mappings so that a legitimate name resolves to a malicious, attacker-controlled address. This can be done by poisoning the cache of a DNS server or, on a single computer, by editing the local hosts file (/etc/hosts on Linux and macOS, C:\Windows\System32\drivers\etc\hosts on Windows), which the operating system consults before it sends any DNS query. Because the hosts file is plain text and rarely changes, it is a common target for malware and a good candidate for file integrity monitoring.
Domain hijacking is when an attacker takes over a legitimate domain, allowing them to redirect it to an attacker-controlled site. URL redirection uses redirects to make a legitimate-looking URL send a user to a malicious site. Domain reputation is a label on a domain that states whether the domain is known to send phishing messages.
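A defender-side check for this attack, added as an example for this page and not taken from any FIM tool: it parses a hosts file, ignores entries that merely blackhole or localise a name (0.0.0.0, 127.x, ::1, which ad blockers and developers legitimately add), flags any watched domain that is pointed at a routable address, and produces a stable fingerprint of the effective entries for a baseline comparison. The sample hosts file, the watch list and the domains in it are constructed.

```python
import hashlib
import ipaddress
import platform
from typing import Iterable, List, Tuple

Entry = Tuple[str, List[str]]            # (address, [hostnames])


def hosts_path() -> str:
    if platform.system() == "Windows":
        return r"C:\Windows\System32\drivers\etc\hosts"
    return "/etc/hosts"


def parse_hosts(text: str) -> List[Entry]:
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments, full-line or trailing
        if not line:
            continue
        fields = line.split()
        entries.append((fields[0], fields[1:]))
    return entries


def _under(name: str, domain: str) -> bool:
    name, domain = name.lower().rstrip("."), domain.lower()
    return name == domain or name.endswith("." + domain)


def suspicious_entries(entries: Iterable[Entry], watchlist: Iterable[str]) -> List[Tuple[str, List[str], str]]:
    """Entries that send a watched domain to an address other than loopback/unspecified."""
    out = []
    for ip, names in entries:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            out.append((ip, names, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue                              # blocking or localising a name is not a redirect
        watched = [n for n in names if any(_under(n, d) for d in watchlist)]
        if watched:
            out.append((ip, watched, "watched name redirected"))
    return out


def fingerprint(text: str) -> str:
    """SHA-256 over the canonical entries only, so comment edits do not trip the baseline."""
    canon = "\n".join(f"{ip} {' '.join(sorted(n.lower() for n in names))}"
                      for ip, names in sorted(parse_hosts(text)))
    return hashlib.sha256(canon.encode()).hexdigest()


# Constructed sample hosts file for the illustration.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost
127.0.1.1       workstation.acmeinc.local
0.0.0.0         ads.tracker.example                   # ad-blocking style entry: harmless
203.0.113.45    www.bank.example login.bank.example   # bank names pointed at an internet address
198.51.100.20   update.acme-software.example          # update server for software we run
"""
WATCHLIST = {"bank.example", "acme-software.example", "acmeinc.com"}

if __name__ == "__main__":
    for ip, names, why in suspicious_entries(parse_hosts(SAMPLE_HOSTS), WATCHLIST):
        print(why, ip, names)
    print("baseline fingerprint:", fingerprint(SAMPLE_HOSTS))
```

On a real host, `open(hosts_path()).read()` replaces SAMPLE_HOSTS; store the fingerprint with the baseline and alert when it changes or when suspicious_entries returns anything.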
99.
Which process does a legal hold enable?
-
E-discovery
-
Chain of custody
-
Ephemeral credentials
-
Threat hunting
Correct answer: E-discovery
A legal hold is issued by legal counsel before pending litigation, and it requires an organization to preserve data. That data can then be accessed through e-discovery by both sides of a legal case.
A chain of custody and threat hunting can be used regardless of legal proceedings. Ephemeral credentials are authentication tokens used for single sessions.
100.
After asking an IT administrator for the passphrase to connect to a Wi-Fi router, the administrator instead presses a button on the router to automatically create the connection. Which of the following technologies was utilized?
-
WPS
-
PSK
-
WEP
-
WAF
Correct answer: WPS
Wi-Fi Protected Setup (WPS) is a feature on wireless routers that lets a client join the network by pushing a button on the router or by entering an 8-digit PIN instead of the WPA passphrase. The PIN method is insecure: the last digit is a checksum and the router validates the two halves of the PIN separately, so an online brute-force attack needs at most about 11,000 guesses rather than 100 million, and a recovered PIN yields the WPA passphrase. WPS should be disabled on any device that offers it.
A pre-shared key (PSK) is a passphrase for connecting to a Wi-Fi network. WEP is an obsolete method for securing wireless traffic. A web application firewall (WAF) is a specific type of firewall that protects from web application attacks.
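The arithmetic behind that "about 11,000 guesses", as an added example (not from the original page): the WPS PIN checksum, a toy model of a registrar that acknowledges the first and second halves of the PIN separately, and a brute-force routine that exploits that split. The Registrar class and the PIN 12345670 are constructed for the illustration; the checksum weighting (3,1,3,1,3,1,3 over the first seven digits) follows the WPS specification.

```python
from typing import Optional


def wps_checksum(first7: str) -> int:
    """Checksum digit that completes a 7-digit WPS PIN body."""
    acc = sum((3 if i % 2 == 0 else 1) * int(ch) for i, ch in enumerate(first7))
    return (10 - acc % 10) % 10


def is_valid_pin(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and wps_checksum(pin[:7]) == int(pin[7])


class Registrar:
    """Toy model of the AP side of the WPS PIN exchange: it reveals whether the first
    four digits are right before it checks the remaining four (the protocol flaw)."""

    def __init__(self, pin: str):
        assert is_valid_pin(pin)
        self._pin = pin
        self.attempts = 0

    def check_first_half(self, half: str) -> bool:
        self.attempts += 1
        return half == self._pin[:4]

    def check_second_half(self, half: str) -> bool:
        self.attempts += 1
        return half == self._pin[4:]


def brute_force(ap: Registrar) -> Optional[str]:
    """Recover the PIN half by half: at most 10,000 + 1,000 guesses."""
    first = None
    for i in range(10_000):
        cand = f"{i:04d}"
        if ap.check_first_half(cand):
            first = cand
            break
    if first is None:
        return None
    for j in range(1_000):                      # only 3 free digits: the 8th is the checksum
        second = f"{j:03d}"
        second += str(wps_checksum(first + second))
        if ap.check_second_half(second):
            return first + second
    return None


def worst_case_guesses() -> int:
    """Guesses needed with the split check, versus 10**7 valid PINs if checked whole."""
    return 10_000 + 1_000


if __name__ == "__main__":
    ap = Registrar("12345670")
    print("recovered:", brute_force(ap), "after", ap.attempts, "attempts; worst case", worst_case_guesses())
```

Real attacks take seconds per attempt, so even the worst case is a matter of hours against an access point that does not rate-limit or lock out WPS after failures; the only robust fix is disabling WPS.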