Security+ SY0-601 Domain 1: Attacks, Threats, and Vulnerabilities

You are the security analyst for your organization and have discovered evidence that someone is attempting to brute-force the root password on the web server. Which classification of attack type is this?

Active Explanation Active attacks are when perpetrators attempt to compromise or affect the operations of a system in some way. For example, trying to brute-force the root password on a web server is considered an active attack. A distributed denial-of-service (DDoS) attack is also an active attack. Passive attacks occur when perpetrators attempt to gather information without affecting the flow of that information on the network. Packet sniffing and port scanning are passive attacks. External attacks are when unauthorized individuals try to breach a network from off-site. Remember that perpetrators of external attacks are unauthorized for any level of access to the network. Inside attacks are initiated by authorized individuals inside the network's security perimeter who attempt to access systems or resources to which they're not authorized. For example, an inside attack could be a disgruntled employee accessing unauthorized company documents and leaking them to the public. References 5.8.2 Network Threats Facts

In an effort to increase the security of your organization, programmers have been informed they can no longer bypass security during development. Which vulnerability are you attempting to prevent?

Backdoor Explanation A backdoor is an unprotected access method or pathway. Backdoors: Include hard-coded passwords and hidden service accounts. Are often added during development as a shortcut to circumvent security. If they are not removed, they present a security problem. Can be added by attackers who have gained unauthorized access to a device. When added, the backdoor can be used at a future time to easily bypass security controls. Can be used to remotely control the device at a later date. Rely on secrecy to maintain security. Social engineering attacks involve stealing information or convincing someone to perform an inappropriate activity via email, phone, or in person. A replay attack is a network attack that occurs when an attacker intercepts data and fraudulently delays or re-transmits it. Privilege escalation allows a user to take advantage of a software bug or design flaw in an application to gain access to system resources or additional privileges that aren't typically available to that user. References 5.9.2 Device Vulnerability Facts

Which of the following are functions of gateway email spam filters? (Select two.)

Blocks email from specific senders and Filters messages containing specific content. Explanation Gateway email spam filters can be used to block the following: Messages from specific senders Email containing threats (such as false links) Messages containing specific content Web threat filtering prevents users from visiting websites with known malicious content. Website and content filtering can be used to enforce the organization's internet usage policy. Anti-phishing software scans content to identify and dispose of phishing attempts, preventing outsiders from accessing confidential information. References 13.3.2, 13.3.3, 2.3.1, 2.3.10, 2.3.11, 2.3.2 all through 2.3.9, 5.6.1 and 5.6.4.

A programmer that fails to check the length of input before processing leaves his code vulnerable to which form of common attack?

Buffer overflow attack Explanation Buffer overflow attacks are made possible by the oversight of programmers. A simple check on the length (and sometimes format) of input data before processing eliminates buffer overflow attacks. A backdoor is a developer-planted or cracker-planted entry device that bypasses security to gain access to a system or software. A developer-planted backdoor is often a debugging tool that was mistakenly left in place when the software went to market. A cracker-planted device is often a remote access server that listens for inbound connections on a specific port. Either method can be used by an intruder to gain entry into a secured environment. Session hijacking is the concept of being able to take over a communication session between a client and server. This usually involves taking over the identity of the client and fooling the server into communicating with the pseudo-client. Privilege escalation is the act of a user stealing or obtaining higher-level privileges in a computer system. References 10.3.14 Web Application Attack Facts

Which SIEM component is responsible for gathering all event logs from configured devices and securely sending them to the SIEM system?

Collectors Explanation Collectors are responsible for gathering all event logs from configured devices and securely sending them to the Security Information and Event Management (SIEM) system. Collectors are basically the middleman between devices and the SIEM system. The data handling component receives the data from the collectors and then reads, analyzes, and separates the data into different categories. SIEM alerts are responsible for triggering alerts if any data exceeds the established thresholds. Security automation is a feature of a SOAR system. References 11.4.4 SIEM and SOAR Facts

While using the internet, you type the URL of one of your favorite sites in the browser. Instead of going to the correct site, the browser displays a completely different website. When you use the IP address of the web server, the correct site is displayed. Which type of attack has likely occurred?

DNS poisoning Explanation Because the correct site shows when you use the IP address, you know that the main website is still functional and that the problem is likely caused by an incorrect domain name mapping. DNS poisoning occurs when a name server receives malicious or misleading data that incorrectly maps host names and IP addresses. In a DNS poisoning attack: Incorrect DNS data is introduced into the cache of a primary DNS server. The incorrect mapping is made available to client applications through the resolver. Spoofing is used to hide the true source of packets or redirect traffic to another location. Spoofing attacks use modified source and/or destination addresses in packets and can include site spoofing that tricks users into revealing information. A man-in-the-middle attack is used to intercept information passing between two communication partners. TCP/IP hijacking is an extension of a man-in-the-middle attack in which the attacker steals an open and active communication session from a legitimate user. With spoofing, man-in-the-middle, and hijacking, the attack would be successful regardless of whether the DNS name or the IP address were used. References 11.6.2 Analyzing Network Attacks Facts

DNS tunneling is a common method that allows an attacker to accomplish which attack?

Data exfiltration Explanation A common tactic attackers use for data exfiltration is DNS tunneling. DNS tunneling is a method that allows an attacker to hide data being sent to an outside host by disguising it as DNS traffic on UDP port 53. Because DNS is critical to most network operations, it is generally not blocked on the firewall. The other answers are not directly associated with DNS tunneling. 2.4.4 Impact of vulnerabilities facts

You are cleaning your desk at work. You toss several stacks of paper in the trash, including a sticky note with your password written on it. Which of the following types of non-technical password attacks have you enabled?

Dumpster diving Explanation Dumpster diving relies on finding sensitive information that has been discarded in garbage cans, dumpsters, or other unsecured places that create access for attackers. Shoulder surfing is watching and recording a password, pin, or access code that is being entered by someone nearby. Social engineering relies on human error. It works by feigning trustworthiness to convince someone to give the attacker access. Password guessing happens when someone is able to easily guess a password, typically because it is very common, like a pet's name or a hobby. References 11.7.2, 2.3.1, 2.3.10, 2.3.11, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9.

You have installed antivirus software on the computers on your network. You update the definition and engine files and configure the software to update those files every day. What else should you do to protect your systems from malware? (Select two.)

Educate users about malware. Schedule regular full-system scans. Explanation You should schedule regular full-system scans to look for any malware. In addition, educate users about the dangers of downloading software and the importance of anti-malware protections. You should enable User Account Control (UAC) to prevent unauthorized administrative changes to your system. Use account lockout to help protect your system from hackers trying to guess passwords. Use chassis intrusion detection to identify when the system case has been opened. References 2.2.3 Malware Protection Facts

Which type of attack is WEP extremely vulnerable to?

IV Attack Explanation Wired Equivalent Privacy (WEP) is extremely vulnerable to initialization vector (IV) attacks because WEP reuses the IVs. This makes it easy for attackers to crack them and compromise the encryption. An evil twin attack is a type of rogue access point attack. Bluesnarfing is a Bluetooth attack. Cloning is an RFID attack. references 8.2.2 Wireless Attack Facts

An attacker inserts SQL database commands into a data input field of an order form used by a web-based application. When submitted, these commands are executed on the remote database server, causing customer contact information from the database to be sent to the malicious user's web browser. Which practice would have prevented this exploit?

Implementing client-side validation Explanation Client-side validation should have been used on the local system to identify input errors in the order form before the data was ever sent to the server. In this example, if the user entered SQL commands in an order form field, the error would have been immediately detected and blocked before the data was submitted to the server. Using the latest browser version and patch level, installing anti-malware software, and using a script blocker are valuable security measures. But these would not have prevented the exploit in this scenario. References 10.3.14 Web Application Attack Facts

The IT manager in your organization proposes taking steps to deflect a potential threat actor. The proposal includes the following: Create and follow on-boarding and off-boarding procedures. Employ the principal of least privilege. Have appropriate physical security controls in place. Which type of threat actor do these steps guard against?

Insider Explanation Because insiders are one of the most dangerous and overlooked threats to an organization, you need to take the appropriate steps to protect against them, such as requiring mandatory vacations, creating and following onboarding and off-boarding procedure, employing the principal of least privilege, and having appropriate physical security controls in place. A script kiddie is an individual who carries out an attack by using scripts or programs written by more advanced hackers. A hacktivist is any individual whose attacks are politically motivated. A competitor threat actor carries out attacks on behalf of an organization and targets competing companies. Reference 2.1.2 Threat Agents Overview

Which of the following best describes spyware?

It monitors the actions you take on your machine and sends the information back to its originating source. Explanation Spyware monitors the actions you take on your machine and sends the information back to its originating source. Adware monitors the actions of the user that denote their personal preferences and then sends pop-ups and ads to the user that match their tastes. A virus is a program that attempts to damage a computer system and replicate itself to other computer systems. A Trojan horse is a malicious program disguised as legitimate software. See Malware Facts

You are the security analyst for your organization. Clients are complaining about being unable to connect to the wireless network. After looking into the issue, you have noticed short bursts of high-intensity RF signals are interfering with your wireless network's signal. Which type of attack are you most likely experiencing?

Jamming Explanation In a jamming attack, a transmitter is tuned to the same frequency and type of modulation as the wireless network. The jamming signal overrides the legitimate wireless network radio signals. This scenario is a spark jamming attack. A disassociation attack occurs when a user is tricked into giving a fake router responsibility for forwarding packets. Bluesnarfing is a Bluetooth attack. Cloning is an RFID attack. reference 8.2.2 Wireless Attack Facts

A script kiddie is a threat actor who lacks knowledge and sophistication. Script kiddie attacks often seek to exploit well-known vulnerabilities in systems. What is the BEST defense against script kiddie attacks?

Keep systems up to date and use standard security practices. Explanation Because script kiddies lack knowledge and sophistication, their attacks often seek to exploit well-known vulnerabilities in systems. As such, defense against script kiddies involves keeping systems up-to-date and using standard security practices. Having appropriate physical security controls in place is one of the steps that can be used to protect insider threat actors. Implementing email filtering systems and proper securing and storing data backups are two of the steps that can be used to protect against organized crime threat actors. Because nation states use so many different attack vectors and unknown exploits, defending against these attacks involves building a comprehensive security approach that uses all aspects of threat prevention and protection. Reference 2.1.2 Threats agents overview

Which of the following attacks, if successful, causes a switch to function like a hub?

MAC flooding Explanation MAC flooding overloads the switch's MAC forwarding table to make the switch function like a hub. The attacker floods the switch with packets, each containing different source MAC addresses. The flood of packets fills up the forwarding table and consumes so much of the memory in the switch that it causes the switch to enter a state called fail open mode. While in this mode, all incoming packets are broadcast out of all ports (as with a hub), instead of just to the correct ports, as per normal operation. ARP poisoning associates the attacker's MAC address with the IP address of victim devices. When computers send an ARP request to get the MAC address of a known IP address, the attacker's system responds with its own MAC address. MAC spoofing is changing the source MAC address on frames sent by the attacker. In a replay attack, the attacker uses a protocol analyzer or sniffer to capture authentication information going from the client to the server. The attacker then uses this information to connect at a later time and pretend to be the client. References 5.11.7 Switch Attack Facts

Which step in the penetration testing life cycle is accomplished using rootkits or Trojan horse programs?

Maintain access Explanation Once a penetration tester has gained access, maintaining that access becomes the next priority. This can be done by installing backdoors, rootkits, or Trojans. Gain access is the third phase of the penetration test life cycle and uses the information gathered in earlier phases to exploit discovered vulnerabilities. Reconnaissance is the first phase in the penetration testing process. This is when the penetration tester begins gathering information. Enumeration is the second phase in the penetration testing process. The penetration tester uses scanning techniques to extract information such as usernames and computer names. References 11.1.2 Penetration Testing Facts

Sam has used malware to access Sally's computer on the network. He has found information that allows him to use the underlying NTLM to escalate his privileges without needing the plaintext password. Which of the following types of attacks did he use?

Pass-the-hash attack Explanation A pass-the-hash attack is a hacking technique where an attacker uses an underlying NTLM or hash of a user's password to gain access to a server without ever using the actual plaintext password. In a dictionary attack, word lists, often taken straight from dictionaries, are tested against password databases. Password sniffing is a passive way for attackers to gain access to an account. The sniffer collects data that is in transit in a LAN. If access is gained on one system in a LAN, the attacker can gather information being sent from any other system in the network. Rainbow attacks are similar to dictionary attacks. Instead of endlessly testing dictionary lists, this method uses tables that are precomputed with word lists and their hashes. References 10.3.14 web application Attack Facts

Which type of reconnaissance is dumpster diving?

Passive xplanation Dumpster diving is when an attacker goes through the trash to find important information that may have accidentally been thrown away. Because there is no direct interaction with the target, dumpster diving is a form of passive reconnaissance. Active reconnaissance is the process of gathering information by interacting with the target in some manner. Dumpster diving does not fall under this category. Open-source intelligence (OSINT) is any data that is collected from publicly available sources. Dumpster diving does not fall under this category. Packet sniffing is the process of capturing data packets that are flowing across a network and analyzing them for important information. Dumpster diving does not fall under this category. References 11.2.8 Reconnaissance Facts

Which of the following is an attack that injects malicious scripts into web pages to redirect users to fake websites to gather personal information?

XSS Explanation Cross-site scripting (XSS) is an attack that injects scripts into web pages. When a user views the web page, the malicious scripts run, allowing the attacker to capture information or perform other actions. XSS often relies on social engineering or phishing to entice users to click on links to web pages that contain the malicious scripts. Some scripts redirect users to legitimate websites, but run in the background to capture information sent to the legitimate site. Scripts can be written to read (steal) cookies that contain identity information (such as session information). Scripts can also be designed to run under the security context of the current user. For example, scripts might execute with full privileges on the local system, or the scripts might run using the credentials used on a financial website. A drive-by download is an attack where software or malware is downloaded and installed without explicit consent from the user. An SQL injection attack occurs when an attacker includes database commands within user data input fields on a form, and those commands subsequently execute on the server. A DLL injection attack occurs when a program is forced to load a dynamic-link library (DLL). This DLL then executes under the security context of the running application and executes malicious code included with the injected DLL reference 10.3.11 preventing cross-site scripting (demo) 10.3.14 web Applications Attack Facts