CompTIA Security Certification
Question No: 571 – (Topic 3)
Mike, a user, states that he is receiving several unwanted emails about home loans. Which of the following is this an example of?
Answer: D Explanation:
Spam is most often considered to be electronic junk mail or junk newsgroup postings. Some people define spam even more generally as any unsolicited email. However, if a long-lost brother finds your email address and sends you a message, this could hardly be called spam, even though it is unsolicited. Real spam is generally email advertising for some product sent to a mailing list or newsgroup.
In addition to wasting people#39;s time with unwanted e-mail, spam also eats up a lot of network bandwidth. Consequently, there are many organizations, as well as individuals, who have taken it upon themselves to fight spam with a variety of techniques. But because the Internet is public, there is really little that can be done to prevent spam, just as it is impossible to prevent junk mail. However, some online services have instituted policies to prevent spammers from spamming their subscribers.
There is some debate about why it is called spam, but the generally accepted version is that it comes from the Monty Python song, quot;Spam spam spam spam, spam spam spam spam, lovely spam, wonderful spamquot;. Like the song, spam is an endless repetition of worthless text. Another school of thought maintains that it comes from the computer group lab at the University of Southern California who gave it the name because it has many of the same characteristics as the lunch meat Spam:
Nobody wants it or ever asks for it.
No one ever eats it; it is the first item to be pushed to the side when eating the entree. Sometimes it is actually tasty, like 1% of junk mail that is really useful to some people. The term spam can also be used to describe any quot;unwantedquot; email from a company or website – typically at some point a user would have agreed to receive the email via subscription list opt-in – a newer term called graymail is used to describe this particular type of spam.
Question No: 572 – (Topic 3)
Which of the following network devices is used to analyze traffic between various network
Answer: D Explanation:
A sniffer (packet sniffer) is a tool that intercepts data flowing in a network. If computers are connected to a local area network that is not filtered or switched, the traffic can be broadcast to all computers contained in the same segment. This doesn’t generally occur, since computers are generally told to ignore all the comings and goings of traffic from other computers. However, in the case of a sniffer, all traffic is shared when the sniffer software commands the Network Interface Card (NIC) to stop ignoring the traffic. The NIC is put into promiscuous mode, and it reads communications between computers within a particular segment. This allows the sniffer to seize everything that is flowing in the network, which can lead to the unauthorized access of sensitive data. A packet sniffer can take the form of either a hardware or software solution. A sniffer is also known as a packet analyzer.
Question No: 573 – (Topic 3)
After viewing wireless traffic, an attacker notices the following networks are being broadcasted by local access points:
Corpnet Coffeeshop FreePublicWifi
Using this information the attacker spoofs a response to make nearby laptops connect back to a malicious device. Which of the following has the attacker created?
Infrastructure as a Service
Answer: C Explanation:
In this question, the attacker has created another wireless network that is impersonating one of more of the three wireless networks listed in the question. This is known as an Evil Twin.
An evil twin, in the context of network security, is a rogue or fake wireless access point (WAP) that appears as a genuine hotspot offered by a legitimate provider.
In an evil twin attack, an eavesdropper or hacker fraudulently creates this rogue hotspot to collect the personal data of unsuspecting users. Sensitive data can be stolen by spying on a connection or using a phishing technique.
For example, a hacker using an evil twin exploit may be positioned near an authentic Wi-Fi access point and discover the service set identifier (SSID) and frequency. The hacker may then send a radio signal using the exact same frequency and SSID. To end users, the rogue evil twin appears as their legitimate hotspot with the same name.
In wireless transmissions, evil twins are not a new phenomenon. Historically, they were known as honeypots or base station clones. With the advancement of wireless technology and the use of wireless devices in public areas, it is very easy for novice users to set up evil twin exploits.
Question No: 574 – (Topic 3)
Which of the following tools will allow a technician to detect security-related TCP connection anomalies?
Public key infrastructure
Trusted platform module
Answer: B Explanation:
Performance Monitor in a Windows system can monitor many different ‘counters’. For TCP network connections, you can monitor specific TCP related counters including the following:
Connection Failures Connections Active Connections Established Connections Passive
Connections Reset Segments Received/sec Segments Retransmitted/sec Segments Sent/sec
By monitoring the counters listed above, you will be able to detect security-related TCP connection anomalies.
Question No: 575 – (Topic 3)
An administrator notices that former temporary employees’ accounts are still active on a domain.
Which of the following can be implemented to increase security and prevent this from happening?
Implement a password expiration policy.
Implement an account expiration date for permanent employees.
Implement time of day restrictions for all temporary employees.
Run a last logon script to look for inactive accounts.
Answer: D Explanation:
You can run a script to return a list of all accounts that haven’t been used for a number of days, for example 30 days. If an account hasn’t been logged into for 30 days, it’s a safe bet that the user the account belonged to is no longer with the company. You can then disable all the accounts that the script returns. A disabled account cannot be used to log in to a system. This is a good security measure. As soon as an employee leaves the company, the employees account should always be disabled.
Question No: 576 – (Topic 3)
How often, at a MINIMUM, should Sara, an administrator, review the accesses and rights of the users on her system?
Immediately after an employee is terminated
Every five years
Every time they patch the server
Answer: A Explanation:
Reviewing the accesses and rights of the users on a system at least annually is acceptable practice. More frequently would be desirable but too frequently would be a waste of administrative time.
Question No: 577 – (Topic 3)
Based on information leaked to industry websites, business management is concerned that unauthorized employees are accessing critical project information for a major, well-known new product. To identify any such users, the security administrator could:
Set up a honeypot and place false project documentation on an unsecure share.
Block access to the project documentation using a firewall.
Increase antivirus coverage of the project servers.
Apply security updates and harden the OS on all project servers.
Answer: A Explanation:
In this scenario, we would use a honeypot as a ‘trap’ to catch unauthorized employees who are accessing critical project information.
A honeypot is a system whose purpose it is to be attacked. An administrator can watch and study the attack to research current attack methodologies.
According to the Wepopedia.com, a Honeypot luring a hacker into a system has several main purposes:
The administrator can watch the hacker exploit the vulnerabilities of the system, thereby learning where the system has weaknesses that need to be redesigned.
The hacker can be caught and stopped while trying to obtain root access to the system.
By studying the activities of hackers, designers can better create more secure systems that are potentially invulnerable to future hackers.
There are two main types of honeypots:
Production – A production honeypot is one used within an organization#39;s environment to help mitigate risk.
Research – A research honeypot add value to research in computer security by providing a platform to study the threat.
Question No: 578 – (Topic 3)
A security administrator needs to determine which system a particular user is trying to login to at various times of the day. Which of the following log types would the administrator check?
Answer: D Explanation:
The security log records events such as valid and invalid logon attempts, as well as events related to resource use, such as the creating, opening, or deleting of files. For example, when logon auditing is enabled, an event is recorded in the security log each time a user attempts to log on to the computer. You must be logged on as Administrator or as a member of the Administrators group in order to turn on, use, and specify which events are recorded in the security log.
Question No: 579 – (Topic 3)
Several users’ computers are no longer responding normally and sending out spam email to the users’ entire contact list. This is an example of which of the following?
A worm is similar to a virus but is typically less malicious. A virus will usually cause damage to the system or files whereas a worm will usually just spread itself either using the network or by sending emails.
A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it. Unlike a computer virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.
Question No: 580 – (Topic 3)
Timestamps and sequence numbers act as countermeasures against which of the following types of attacks?
Answer: D Explanation:
A replay attack (also known as playback attack) is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack by IP packet substitution (such as stream cipher attack).
For example: Suppose Alice wants to prove her identity to Bob. Bob requests her password as proof of identity, which Alice dutifully provides (possibly after some transformation like a hash function); meanwhile, Eve is eavesdropping on the conversation and keeps the password (or the hash). After the interchange is over, Eve (posing as Alice) connects to Bob; when asked for a proof of identity, Eve sends Alice#39;s password (or hash) read from the last session, which Bob accepts thus granting access to Eve.
Countermeasures: A way to avoid replay attacks is by using session tokens: Bob sends a
one-time token to Alice, which Alice uses to transform the password and send the result to Bob (e.g. computing a hash function of the session token appended to the password). On his side Bob performs the same computation; if and only if both values match, the login is successful. Now suppose Eve has captured this value and tries to use it on another session; Bob sends a different session token, and when Eve replies with the captured value it will be different from Bob#39;s computation.
Session tokens should be chosen by a (pseudo-) random process. Otherwise Eve may be able to pose as Bob, presenting some predicted future token, and convince Alice to use that token in her transformation. Eve can then replay her reply at a later time (when the previously predicted token is actually presented by Bob), and Bob will accept the authentication.
One-time passwords are similar to session tokens in that the password expires after it has been used or after a very short amount of time. They can be used to authenticate individual transactions in addition to sessions. The technique has been widely implemented in personal online banking systems.
Bob can also send nonces but should then include a message authentication code (MAC), which Alice should check.
Timestamping is another way of preventing a replay attack. Synchronization should be achieved using a secure protocol. For example Bob periodically broadcasts the time on his clock together with a MAC. When Alice wants to send Bob a message, she includes her best estimate of the time on his clock in her message, which is also authenticated. Bob only accepts messages for which the timestamp is within a reasonable tolerance. The advantage of this scheme is that Bob does not need to generate (pseudo-) random numbers, with the trade-off being that replay attacks, if they are performed quickly enough
i.e. within that #39;reasonable#39; limit, could succeed.
100% Ensurepass Free Download!
–Download Free Demo:SY0-401 Demo PDF
100% Ensurepass Free Guaranteed!
–Download 2018 EnsurePass SY0-401 Full Exam PDF and VCE
|Lowest Price Guarantee||Yes||No||No|
|Free VCE Simulator||Yes||No||No|