CompTIA Security+ Practice Problems
You are using a Linux computer to monitor network traffic. After connecting your computer to the mirror port of a switch, you started logging software on the computer. However, you discover that the only traffic being collected is traffic to or from the Linux computer. You want to collect all traffic going through the switch. Which of the following actions should you take? A. Run the command ifconfig eth0 promisc. B. Run the command ipconfig eth0 promisc. C. Connect the computer to a router. D. Reconfigure the switch.
A You should run the command to enable promiscuous mode on eth0, the network interface card(NIC). Promiscuous mode allows a NIC to process all traffic it receives, instead of only traffic addressed to it. (Pre 6)
Your organization hosts a web application selling digital products. Customers can also post comments related to their purchases. Management suspects that attackers are looking for vulnerabilities that they can exploit. Which of the following will BEST test the cybersecurity resilience of this application? A. Fuzzing B. Input validation C. Error handling D. Anti-malware
A (Pre43) Fuzzing is a type of dynamic code analysis, and it can test the application's cybersecurity resilience. Fuzzing sends random data to an application to verify the random data doesn't crush the application or expose the system to data breach.
A SQL database server was recently attacked. Cybersecurity investigators discovered the attack was self-propagating through the network. When it found the database server, it used well-known credentials to access the database. Which of the following would be the BEST action to prevent this from occurring again? A. Change the default application password. B. Remove the worm. C. Implement 2FA. D. Conduct a code review.
A (Pre 10)
You suspect that attackers have been performing a password spraying attack against a Linux server. Which of the following would be the BEST method of confirming your suspicions? A. Use the cat command to view the auth.log file. B. Implement an account lockout policy. C. Salt passwords to prevent the success of the spraying attack. D. Use the logger command to view unsuccessful logins.
A (Pre 6)
Your network includes dozens of servers. Administrators in your organization are having problems aggregating and correlating the logs from these servers. Which of the following provides the BEST solution for these problems? A.SIEM B. Syslog C. Netflow D. sFlow
A (Pre 7)
After a recent attack, security investigators discovered that attackers logged on with an administrator account. They recommend implementing a solution that will thwart this type of attack in the future. The solution must support the following requirements: - Allow authorized users to access the administrator account without knowing the password. - Allow authorized users to check out the credentials when needed. - Log each time the credentials are used. - Automatically change the password. Which of the following answers would meet these requirements? A. Privileged access management B. Open ID connect C. MAC scheme D. MFA
A (Pre13)
Before Personnel can enter a secure area, they must first place their smartphones in one of several conductive metal lockboxes. The company implemented this policy because management is concerned about risks related to intellectual property. Which of the following represents the GREATEST risk to intellectual property that this policy will mitigate? A. Bluesnarfing B. Theft of the smartphones C. Data exfiltration over a mobile hotspot D. To enable geofencing
A (Pre25) This policy will prevent Bluesnarfing, which is the unauthorized access of information from a wireless device through a Bluetooth connection. The conductive metal lockboxes act as a small Faraday cage and will block Bluetooth signals. While the lockboxes will help prevent theft, there's no need to pay extra for conductive lockboxes if theft is the greatest risk.
Administrators are designing a site-to-site VPN between offices in two different cities. Management mandated the use of certificates for mutual authentication. Additionally, they want to ensure that internal IP addresses are not revealed. Which of the following is the BEST choice to meet these requirements? A. IPsec VPN using Tunnel Mode B. VPN using Transport Mode C. L2TP VPN D. VLAN VPN
A (Pre26) IPsec using Tunnel mode is the best choice of the available answers. IPsec provides mutual authentication and tunnel mode will encrypt both the payload and the packet headers, hiding the internal IP addresses. Transport mode will encrypt the payload only, leaving the internal IP addresses exposed. L2TP only doesn't provide any encryption.
A SIEM system is sending several alerts indicating malware has affected several employee computers. After examining the border firewall and NIDS logs, IT personnel cannot identify malicious traffic entering the network from the Internet. Additionally, they discovered that all of these employees attended the trade show during the past two days. Which of the following is the MOST likely source of this malware? A. A fileless virus embedded in a vCard B. Malware on USB drives C. A Trojan delivered from a botnet D. Worms included in presentation media
A (Pre39) The most likely source is a fileless virus embedded in a vCard, also known as a Virtual Contact file (VCF). People regularly share contact information at trade shows with vCards, but they can sometimes include malicious code.
Ziffcorp is developing a new technology that they expect to become a huge success when it's released. The CIO is concerned about someone stealing their company secrets related to this technology. Which of the following will help the CIO identify potential dangers related to the loss of this technology? A. threat hunting B. vulnerability scan C. SOAR D. SIEM
A (Pre48) Threat hunting is the process of activity looking for threat within a network before an automated tool detects and reports on the threat. A vulnerability scan evaluates vulnerabilities or weaknesses with a network or a specific system, but it doesn't look for threats. A SOAR platform can be configured to automatically respond to low-level incidents, but the scenario indicates that they need to look for more than just low-level threats. A SIEM is used to collect and aggregate logs and can assist with threat hunting, but the threat hunting is much broader.
You are reviewing the report created after a recent vulnerability scan. However, it isn't clear if the scan was run as a credential scan or a non-credential scan. Which of the following would give you the BEST indication that the scan was a credentialed scan? A. The report shows software versions of installed applications. B. The report shows a large number of false positives. C. The report shows a listing of IP addresses it discovered. D. The report shows a listing of open ports.
A (Pre50) A credentialed scan will show software versions of installed applications. A credentialed scan will show fewer false positives, not more. Any scan should list IP addresses it discovered along with open ports on these hosts.
Your organization is planning to expand the data center to support more systems. Management wants the plan to focus on resiliency and uptime. Which of the following methods would BEST support these goals? (Select TWO.) A. UPS B. Cold site C. NIC teaming D. Off-site backups
A and C The UPS ensures the system stays up if power is lost. NIC teaming automatically recovers if one of the NICs or NIC inputs fail. (Pre 1)
You are reviewing security controls and their usefulness. You notice that account lookout policies are in place. Which of the following attacks will these policies thwart? (Select TWO) A. Brute Force B. DNS poisoning C. Dictionary D. Replay E. Buffer overflow
A and C (Pre 11)
Attackers have recently launched several attacks against servers in your organization's DMZ. You are tasked with identifying a solution that will have the best chance at preventing these attacks in the future. Which of the following is the BEST choice? A. An anomaly-based IDS B. An inline IPS C. A passive IDS D. A signature-based IDS
B (Pre 23) The best solution of the given choices is an in-band IPS. Traffic goes through the IPS and the IPS can prevent attacks from reaching internal systems. An IDS is passive and not inline, so it can only detect and react to the attacks, not block them.
A coffee shop recently stopped broadcasting the SSID (coffeewifi) for its wireless network. Instead, paying customers can view it on the receipt and use it to connect to the coffee shop's wireless network. Today, Lisa turned on her laptop computer, saw the SSID coffeewifi, and connected to it. Which of the following attacks is MOST likely occurring? A. Rogue AP B. Evil twin C. Jamming D. Bluejacking
B (Pre 24) An evil twin is a rogue AP with the same or similar SSID as a legitimate access point. The actual SSID coffeewifi has broadcasting turned off, but the evil twin SSID of coffeewifi is broadcasting, allowing users to see it. While it is also a rogue AP, evil twin is a more accurate answer since it is similar to the actual SSID. Jamming typically prevents anyone from connecting to a wireless network. Bluejacking is related to Bluetooth, not wireless networks.
Your organization plans to deploy a server in the screened subnet that will perform the following functions: - Identify mail servers - Provide data integrity - Prevent poisoning attacks - Respond to request for A and AAAA records Which of the following will BEST meet these requirements? A. DNS B. DNSSEC C. TLS D. ESP
B (Pre17)
Your organization is planning to implement a CYOD d deployment model. You're asked to provide input for the new policy. Which of the following concepts are appropriate for this policy? A. SCADA access B. Storage segmentation C. Database security D. Embedded RTOS
B (Pre30) Storage segmentation creates separate storage areas in mobile devices and can be used with a choose your own device (CYOD) mobile device deployment model where users own their devices.
A small business owner has asked you for advice. She wants to improve the company's security posture, but she doesn't have any security staff. Which of the following is the BEST solution to meet her needs? A. SOAR B. MSSP C. SaaS D. XaaS
B (Pre32) A managed security service provider (MSSP) is a third-party vendor that provides security services for an organization, and it is the best solution for this scenario. A SOAR solution automates incident response for some events, but it will augment services already provided by security staff within an organization. SOAR would not work here because the small business doesn't have any security staff. SaaS includes any software or application provided to users over a network such as the Internet. XaaS refers to cloud services beyond SaaS, IaaS and PaaS.
Some protocols include sequence numbers and timestamps. Which of the following attacks are thwarted by using these components? A. MAC flooding B. replay C. SYN flood D. Salting
B (Pre41) Timestamps and sequence numbers act as countermeasures against replay attacks. A MAC flood attack attempts to overload a switch with different MAC addresses. SYN flood attacks disrupt the TCP three-way handshake.
Which of the following BEST describes the purpose of a risk register? A. It shows risks on a plot or graph. B. It provides a listing of risks, the risk owner, and the mitigation measures. C. It shows risks on a color-coded graph. D. It evaluates the supply chain.
B (Pre46) A risk register list risks and often includes the name of the risk, the risk owner, mitigation measures, and the risk score. A risk matrix plots risks onto a graph or chart, and a heat map plots risk onto a color-coded graph or chart. While a risk register may evaluate supply chain risks, it does much more.
Your organization hired a cybersecurity expert to perform a security assessment. After running a vulnerability scan, she sees the following error on a webserver: - Host IP 192.168.1.10 OS Apatch httpd 2.433 Vulnerable to mod_auth exploit However, she verified that the mod_auth module has not been installed or enabled on the server. Which of the following BEST explains this scenario? A. A false negative B. A false positive C. The result of a credential scan D. The result of a non-credential scan
B (Pre49) This is an example of a false positive. The vulnerability scanner is indicating a vulnerability exists with the mod_auth module. However, the mod_auth module is not installed or enabled on the server, so it cannot represent a vulnerability on the server. A false negative occurs when a vulnerability exist, but the scanner doesn't report it. The scenario doesn't give enough information to determine if this is a credentialed or s non-credentialed scan. However, a credentialed scan would allow a vulnerability scanner to have more visibility over the system, allowing it to get a more accurate view of it.
Your organization has decided to move some data to a cloud provider, and management has narrowed their search down to three possible choices. Management wants to ensure that the cloud provider they choose has strong cybersecurity controls in place. Which of the following reports would they MOST likely want this cloud provider to give to them? A. SOC 2 Type I B. SOC 2 Type II C. SOC 3 D. SOC 1
B (Pre53) SOC2 report is a report on organizational controls that cover cybersecurity. A SOC 2 Type II Report identifies the controls in place during a date range of at least six months. A SOC 2 Type I report identifies the controls in place during a specific date. A SOC 3 report is a generalized report sometimes available to the public. A SOC 1 report is a detailed report covering financial and auditable controls for an organization and is sometimes provided by organization that process financial data.
Administrators at your organization want to increase cybersecurity resilience of key servers by adding fault tolerance capabilities. However, they have a limited budget. Which of the following is the BEST choice to meet these needs? A. Alternate processing site B. RAID-10 C. Backups D. Faraday cage
B (Pre55) A redundant array of inexpensive disks 10 (RAID-10) subsystem provides fault tolerance for disks and increases cybersecurity resilience. Backups contribute to resilience, but they do not help with fault tolerance.
An attacker has launched several successful XSS attacks on a web application hosted by your organization. Which of the following are the BEST choices to protect the web application and prevent this attack? (select two) A. Dynamic code analysis B. Input validation C. Code obfuscation D. WAF E. Normalization
B and D (Pre44) Input validation and the WAF are the best choices of the available answers. Both protect against XSS attacks. Input validation validates data before using it to help prevent XSS attacks. A WAF acts as an additional firewall that monitors, filters, and/or blocks HTTP traffic to a webserver. Dynamic code analysis (such as Fuzzing) can test code. Code obfuscation makes the code more difficult to read. Normalization refers to organizing tables and columns in a database to reduce redundant data and improve overall database performance.
IT administrators created a VPN for employees to use while working from home. The VPN is configured to provide AAA services. Which of the following would be presented to the AAA system for identification? A. password B. permissions C. username identification D. tunneling certificate E. hardware token
C (Pre 12)
Your organization wants to combine some of the security controls used to control incoming and outgoing network traffic. At a minimum, the solution should include stateless inspection, malware inspection, and a content filter. Which of the following BEST meets this goal? A. VLAN B. NAT C. UTM D. DNSSEC E. WAF
C (Pre21) A unified threat management (UTM) device is an advanced firewall and combines multiple security controls into a single device such as stateless inspection, malware inspection, and a content filter.
Your IT Department includes a subgroup of employees dedicated to cybersecurity testing. Each member of this group has knowledge of known TTPs and how to use them. Additionally, each member of this group has knowledge of security controls that would be implemented to protect network resources. Which of the following BEST describes members of this team? A. Members of the red team B. Members of the blue team C. Members of the purple team D. Members of the white team
C (Pre51) A purple team is composed of personnel who can perform as either red team members or blue team members. A red team uses tactics, techniques, procedures (TTPs).
The chief information officer (CIO) at your organization suspects someone is entering the data center after normal working hours and stealing sensitive data. Which of the following actions can prevent this? A. Upgrade the CCTV system. B. Require smart cards to enter the data center. C. Implement time-based logins. D. Enable Advanced auditing.
C (pre 9)
Lisa uses a Linux system to regularly connect to a remote server named gcga with a secure SSH connection. However, the SSH account has a complex password and she wants to avoid using it without sacrificing security. Which of the following commands would she use as a first step when creating a passwordless login with the remote system? A. ssh-copy-id -i ~.ssh/id_rsa.pub lisa@gcga B. chmod 644 ~/.ssh/id_rsa C. ssh-keygen -t rsa D. ssh root@gcga
C (pre-16)
You are comparing different types of authentication. Of the following choices, which one uses multifactor authentication? A. A system that requires users to enter a username and password. B. A system that checks an employee's fingerprint and does a vein scan. C. A cipher door lock that requires employees to enter a code to open the door D. A system that requires users to have a smart card and a pin
D (Pre 8)
Your organization is implementing an SDN. Management wants to use an access control scheme that controls access based on attributes. Which of the following is the BEST solution? A. DAC B. MAC C. Role-BAC D. ABAC
D (Pre-15)
Bart incorrectly wired a switch in your organization's network. It effectively disabled the switch as though it was a victim of a denial-of-service attack. Which of the following should be done to prevent this situation in the future? A. Install and IDS. B. Only use layer 2 switches. C. Install SNMPv3 on the switches. D. Implement STP or RSTP.
D (Pre19) Spinning tree protocol (STP) and Rapid STP (RSTP) both prevent switching loop problems. it's rare for a wiring error to take down a switch. However, if two ports on a switch are connected to each other, it creates a switching loop and effectively disables the switch.
Administrators are deploying a new Linux server in the screened subnet. After it is installed, they want to manage it from their desktop computers located within the organization's private network. Which of the following would be the BEST choice to meet this need? A. Forward proxy server B. Reverse proxy server C. Web application firewall D. jump server
D (Pre22) A jump server is a server placed between different security zones, such as an internal network and the screened subnet, and is used to manage devices in the other security zone. In this scenario, administrators could connect to the jump server with SSH and then connect to the Linux server using SSH forwarding on the jump server. A forwarding proxy server (a proxy server) is used by internal clients to access Internet resources, not resources in the screened subnet. Reverse proxy servers accept traffic from the internet, not the internal network, and forward the traffic to one or more internal web servers.
Network administrators are considering adding an HSM to a server in your network. What functions will this add to the server? A. Provide full drive encryption B. Reduce the risk of employees emailing confidential information outside the organization. C. Provide Webmail to clients D. Generate and store keys used with servers
D (Pre27) A hardware security module (HSM) is a removable device that can generate and store RSA keys used with servers. The keys can be used to encrypt data sent to and from the server, but they wouldn't be used for full drive encryption. A Trusted Platform Module (TPM) provides full drive encryption and is included in many laptops. A data loss prevention (DLP) device is a device that can reduce the risk of employees emailing and confidential information outside the organization.
Your organization plans to implement desktops via the cloud. Each desktop will include an operating system and a core group of applications needed by employees, and the cloud provider will manage the desktops. Employees with internet access will be able to access these desktops from anywhere and almost any device. Which of the following BEST identifies this service? A. IaaS B. CASB C. SaaS D. XaaS
D (Pre31) XaaS refers to cloud services beyond IaaS, PaaS, and SaaS. It would include desktops as a service. IaaS is the cloud computing option where the vender provides access to a computer. Still, customers must install the operating system and maintain the system. CASB is a software tool used to provide additional security for cloud resources, but it provides the underlying cloud services. SaaS provides access to specific applications such as an email application, but not entire desktops.
You're reviewing the logs for a web server and see several suspicious entries. You suspect that an attacker is attempting to write more data into a web application's memory than it can handle. What does this describe? A. Pointer/object dereference B. Race condition exploit C. DLL injection attack D. Buffer overflow attack
D (Pre42) A buffer overflow attack attempts to write more data into an application's memory than it can handle. A pointer or object dereference is a programming error that can corrupt memory, but programmers, not attackers, cause it. A race condition is a programming conflict when two or more applications attempt to access or modify a resource at the same time. A dynamic link library (DLL) injection attack injects a DLL into memory and causes it to run.
Maggie is performing a risk assessment for an organization. She identifies the loss for the previous year due to a specific risk as $5,000. What does this represent? A. SLE B. ARO C. MTBF D. ALE
D (Pre47) The annual loss expectancy (ALE) identifies the expected loss for a given year based on a specific risk and the existing security controls. The single loss expectancy (SLE) identifies the cost of any single loss. The annual rate of occurrence (ARO) identifies how many times a loss is expected to occur in a year. SLE*ARO=ALE.
You need to identify and mitigate potential single points of failure in your organization's security operations. Which of the following policies would help you? A. A disaster recovery plan B. A business impact analysis C. Annualized loss expectancy D. Separation of duties
D (Pre54) A separation of duties.