CompTIA Sec+ SY0-601 Chapter 19

You have inherited the responsibility of managing an office network for which there is no documentation. As you perform desktop support duties over time, by viewing network and host configuration reports you notice many users seem to have more privileges on the network than they need. What should you do? A. Delete and re-create all user accounts. B. Conduct a user access and rights review. C. Check server audit logs. D. Enforce stronger user passwords.

B. A user access and rights review identifies the rights and permissions users must have compared to what they have been given. In this case, the review would reveal what needs to be changed so users have only the rights needed to do their jobs.

You are reviewing forwarded log entries for your Internet-facing firewall appliance. Last year, your company did some IP restructuring and began using the 172.16.0.0/16 address space internally. You notice abnormally large amounts of traffic within a short time frame coming from the firewall appliance's public interface, 172.16.29.97, destined for UDP port 53. Which of the following might you conclude from this information, assuming default ports are in use? A. 172.16.29.97 is an invalid IP address. B. 172.16.29.97 is a spoofed IP address. C. The logs on the firewall appliance have been tampered with. D. An HTTP denial-of-service attack was in progress.

B. From the list of choices, the most likely answer is that 172.16.29.97 is a spoofed IP address. IP addresses used on the internal network should not be coming into the network from the outside.

To adhere to new corporate security guidelines, your branch offices must track details regarding web sites visited by employees. What should you install to track this activity? A. VPN B. Proxy server C. Packet-filtering firewall D. NAT gateway

B. Proxy servers can track detailed web-surfing activity including site visited, time of day, user account name, and so on. The reliability of this data relies heavily upon time synchronization of all network devices.

Your network consists of programmable logic controllers (PLCs) that control robotic machinery as well as Linux servers and Windows desktops. Network administrators complain that there are too many similar log events in reports and notifications via e-mail. A solution that can aggregate similar events is needed. What should you suggest? A. PowerShell B. SIEM C. SCCM D. Group Policy

B. SIEM tools provide a centralized way to monitor and manage security incidents. SIEM solutions also combine, or aggregate, like events to reduce duplicate event notifications and provide reports that correlate data.

An administrator reports that a Windows file server is performing much slower than it normally does. The server is fully patched and has an up-to-date virus scanner. You open an RDP connection to the server to investigate the problem. Which of the following should you first use? A. Virus scanner B. Port scanner C. System restore point D. Performance Monitor

D. Windows machines include Performance Monitor to measure which aspect of the software or hardware is not performing as well as it should.

What can be done to prevent malicious users from tampering with and modifying log file entries? (Choose three.) A. Store log files on a secured centralized logging host. B. Encrypt archived log files. C. Run Windows Update. D. Generate file hashes for log files.

A, B, and D. Log files should be encrypted and stored on secured centralized hosts, so if a machine is compromised, there is still a copy of the log. File hashes ensure that files have not been tampered with in any way. a modified file generates a different hash.

As a Windows server administrator for server ALPHA, you configure auditing so that you can track who deletes files on the file share SALES. Where will you view the audit results? A. Security log B. Audit log C. Application log D. Deletion log

A. Windows machines write audit data to the Event Viewer security log. A centralized SIEM system can store audit log data from many devices in a single repository where the data is written once but can be read many times—write once read many (WORM). WORM functionality is sometimes required for regulatory compliance. An additional benefit is deduplication of similar events, which results in less storage space consumed and quicker searching.

Which of the following is true regarding a HIDS? A. Suspicious traffic entering the network can be blocked. B. Encrypted transmissions cannot be monitored. C. It must be installed on each system where needed. D. Log files are not analyzed.

C. A HIDS is a host-based solution and thus must be installed on individual hosts. A HIDS has the benefits of being very application specific and being able to monitor each host at all times.

Match the requirements listed on the left with the solutions listed on the right. Logging, NIDS, HIDS, Auditing A sensitive payroll server must be monitored for suspicious computing activity. Reads and writes to the projects shared folder must be tracked. Your VoIP VLAN must be monitored for suspicious activity.

HIDS software could be installed on the payroll server to detect suspicious activity and alert security analysts. Tracking any read and write activities to a folder is accomplished with auditing. NIDS monitor networks for suspicious activity.

You are monitoring the performance on a Unix server called ALPHA. ALPHA is used to host concurrent remote sessions for users. You notice that long periods of intense server disk activity on ALPHA coincide with remote users working with large documents stored on a separate Unix server called BRAVO. What might be causing the degraded performance on Alpha? A. There is too much network traffic. B. The CPU is too slow. C. The disks are too slow. D. There is not enough RAM.

D. Lack of RAM causes the oldest used data in RAM to be swapped to disk to make room for what must now be placed in RAM (many large documents). This sometimes makes it appear as if the disk is the problem.

A Windows administrator must track key performance metrics for a group of seven Windows servers. What should she do? A. Run Performance Monitor on each host. B. Use RDP to log into each host and run Performance Monitor. C. Use RDP to log into each host and check Event Viewer logs. D. Run Performance Monitor on her machine and add counters from the other seven servers.

D. Like many Microsoft administrative tools, Performance Monitor can run locally but can display data (performance counters) added from remote hosts.

What is the difference between a packet sniffer and a network-based IDS? A. There is no difference. B. Packet sniffers put the network card in promiscuous mode. C. A NIDS puts the network card in promiscuous mode. D. Packet sniffers do not process captured traffic.

D. Packet sniffers (protocol analyzers) capture network traffic, but they do not process the traffic resulting in a decision to allow, deny, or report on the activity. a NIDS does these things.

A user complains that his machine performance has degraded ever since he downloaded a free file recovery utility. You would like to rule out the possibility of any malicious network services running in the background by viewing all active port numbers and connections on the machine. Which Windows command should you use to do this? ____________________

The netstat -a command is a built-in Windows command that displays local listening ports that can accept connections, as well as which network services (and ports) you are connected to.

A corporate network baseline has been established over the course of two weeks. Using this baseline data, you configure your IPSs to notify you of abnormal network activity. A new sales initiative requires sales employees to run high-bandwidth applications across the Internet. As a result, you begin receiving security alerts regarding abnormal network activity. Which of the following types of alerts do you receive? A. False positives B. False negatives C. True positives D. True negatives

A. False positives report there is a problem when in fact there is none, such as in this case, where sales employees are performing legitimate activities. The alert should still be checked to ensure that an attack is not coinciding with this new network activity.

You are the Windows server administrator for a clothing outlet in New York City. Six Windows Server Active Directory computers are used regularly. Files are being modified on servers during nonbusiness hours. You want to audit the system to determine who made the changes and when. What is the quickest method of deploying your audit settings? A. Configure audit settings using Group Policy. B. Configure each server with the appropriate audit settings. C. Configure one server appropriately, export the settings, and import them to the other five. D. Delegate the audit configuration task to six other administrators.

A. In an Active Directory environment, Group Policy can be used to deliver settings to domain computers, such as audit settings for servers.

How do logging and auditing differ? A. Logging tracks more than just security events. auditing tracks specifically configured security events. B. Auditing tracks more than just security events. logging tracks specifically configured security events. C. Logging can track hardware events. auditing cannot. D. Auditing can track hardware events. logging cannot.

A. Logging tracks many different types of events related to hardware and software, but auditing specifically tracks security-related events.

A user reports that his client Windows client station has been slow and unstable since last Tuesday. What should you first do? A. Use System Restore to revert the computer state to last Monday. B. Check log entries for Monday and Tuesday on the computer. C. Run Windows Update. D. Reimage the computer.

B. Before jumping the gun and reimaging or applying a restore point, first check the log files for any indication of changes before the machine became slow and unstable.

You have configured a network-based IPS appliance to prevent web server directory traversal attacks. What type of configuration is this? A. Behavior-based B. Signature-based C. Anomaly-based D. Web-based

B. Comparing known attacks against current activity is called signature-based detection.

What is a potential problem with enabling detailed verbose logging on hosts for long periods of time? A. There is no problem. B. It causes performance degradation. C. Network bandwidth is consumed. D. Verbose logging consumes a user license.

B. Detailed verbose logging presents much more log data than normal logging. therefore, performance is affected. What is being logged and how much activity is occurring will determine how much performance degradation will occur.

You are a firewall appliance administrator for your company. Previously restricted outbound RDP packets are now successfully reaching external hosts, and you did not configure this firewall rule. Where should you look to see who made the firewall change and when? A. Security log B. Firewall log C. Audit log D. Event Viewer log

C. Audit logs differ from regular activity logs because they record administrative configuration activities, such as modifying firewall rules.

You have established a baseline of employee login activity on the VPN. You are configuring notifications of abnormal login events to a security orchestration, automation, and response (SOAR) dashboard to reduce security incident response time. Which term is the most closely related to this scenario? A. Network IPS B. SIEM C. User behavior analysis D. Sentiment analysis

C. Establishing a baseline of normal user login activity facilitates configuring notifications for login anomalies and sending them to a SOAR dashboard.

Your manager has asked you to identify which internal client computers have been controlled using RDP from the Internet. What would be the quickest and most efficient way to accomplish this? A. Check the logs on each computer. B. Check the logs on your RDP servers. C. Check your firewall log. D. Contact your ISP and have them check their logs.

C. Since RDP connections from the Internet would go through the firewall, it would be quickest and easiest to consult your firewall log.

Your manager asks you to configure a honeypot to track malicious user activity. You install the host in the screened subnet without any patches and configure a web site and an SMTP server on it. You have configured nothing else on the host. Identify a problem with this configuration. A. The honeypot needs to be patched. B. Honeypots should not run a web site. C. Honeypot logs are not being forwarded to another secured host. D. Honeypots should not run SMTP services.

C. The honeypot host is unpatched and is therefore vulnerable, so storing the only copy of log files (a default setting) on a honeypot means attackers could delete the contents of logs to remove all traces of their malicious activity.

Which of the following would an administrator most likely use to determine whether there has been unauthorized use of a wireless LAN? A. Protocol analyzer B. Proxy server C. Performance Monitor D. Wireless access point logs

D. Wireless access points as well as wireless router logs can reveal all wireless LAN activity. Some access points may require you to enable logging. In an enterprise, log events should be forwarded to a central logging host to facilitate the detection of suspicious activity.

Which of the following can stop in-progress attacks on your network? A. Network IDS B. Network IPS C. Proxy server D. Packet-filtering firewall

B. A network-based intrusion prevention system (NIPS) analyzes network traffic patterns, generates event logs and alerts system administrators to events, and sometimes stops potential intrusions. Some implementations have a database of known attack patterns, while others can take notice of abnormal traffic for a specific network. The administrator can then take measures to stop the attack, such as dropping offending packets. IPS and other device logs and alerts can be centrally collected, aggregated, correlated, and reported on by a SIEM system.

You are responsible for managing an internal FTP server. A user reports that files available on the server yesterday are no longer available. Where can you look to determine what happened to the missing files? A. Firewall log B. FTP access log C. FTP download log D. FTP upload log

B. File Transfer Protocol (FTP) access logs list file activity on FTP servers, including file deletions or renames.

You are asked to analyze events in a firewall log that occurred six months ago. When you analyze the log file, you notice events go back only two months. What is most likely the problem? A. You must have administrative access to the logs. B. The log file size is too small. C. Firewalls cannot keep logs for more than two months. D. The firewall is not patched.

B. The firewall is probably configured to overwrite the oldest log entries after the maximum log file size has been reached. Even in this case, however, there are normally log archival options available for configuration.

Which of the following are true regarding a network-based IDS? (Choose two.) A. Network traffic is analyzed for malicious packets. B. Alerts and notifications can be configured. C. Malicious packets are dropped. D. Laptops are protected when disconnected from the LAN.

A and B. A NIDS monitors and analyzes network traffic for malicious packets. if it finds any, it then triggers an alert or notification.

Which of the following are true regarding behavior-based network monitoring? (Choose two.) A. A baseline of normal behavior must be established. B. Deviations from acceptable activity cannot be monitored. C. New threats can be blocked. D. A database of known attack patterns is consulted.

A and C. Behavior-based monitoring detects activity that deviates from the norm. A baseline is required to establish what normal is. Because of this, new attacks could potentially be stopped if they do not conform to normal network usage patterns.

User workstations on your network connect through NAT to a screened subnet, where your Internet perimeter firewall exists. On Friday night, a user connects to an inappropriate web site. You happened to have been capturing all network traffic on the screened subnet at the time. What would be the easiest and fastest way to track which user workstation visited the web site? (Choose two.) A. View logs on the NAT router. B. View logs on the perimeter firewall. C. View your packet capture. D. View all workstation web browser histories.

A and C. NAT router logs will list which internal addresses were translated and at what time. This could be used in correlation with captured packet time stamps to establish who visited the web site.

In reviewing your firewall log, you notice a large number of your stations connecting to the web site www.freetripsforyou.com and downloading an EXE file, sometimes in the middle of the night. Your users state they did not visit the web site. Your firewall does not allow any inbound packets initiated from the Internet. What does this most likely indicate? A. User stations are connecting to Windows Update to apply patches. B. User stations have been hijacked and are downloading malware. C. User stations are infected with a password-cracking program. D. User stations are being controlled from the Internet through RDP.

B. If a computer is visiting a web site and downloading an EXE file without the user's knowledge, the machine may most likely be under an attacker's control. This activity could commonly result from malware trying to download additional malicious code.

A server named CHARLIE runs a mission-critical database application. The application encrypts all data from connected client workstations. You would like to monitor CHARLIE for suspicious activity and prevent any potential attacks. What should you deploy? A. Honeypot B. Host-based IPS C. Network-based IDS D. PKI

B. To monitor specific apps running on host computers and prevent potential attacks, you should deploy a HIPS.

.16.255.202, -, 03/15/09, 17:03:11, W3SVC2, SERVER, 192.168.1.1, 4111 A. 199.0.14.202 is not a valid IP address. B. 192.16.255.202 is not a valid IP address. C. Web servers cannot use 192.168.1.1. D. The log is missing entries for a long period of time.

D. There is a large time gap between the second and third lines. Almost nine hours of log activity are unaccounted for. This could indicate that somebody cleared incriminating log entries.