Security+ SY0-601
Angie is investigating a piece of malware found on a Windows system in her organization. She determines that the malware forced a running program to load code stored in a library. What term best describes this attack? A. DLL injection B. SQL injection C. Pointer dereference D. Buffer overflow
A. DLL injection This attack is a DLL injection attack. In a DLL injection, the attacker forces an existing process to load a dynamically linked library which contains unauthorized code.
Jaime is concerned that users in her organization may fall victim to DNS poisoning attacks. Which one of the following controls would be most helpful in protecting against these attacks? A. DNSSEC B. Redundant DNS servers C. Off-site DNS servers D. Firewall rules
A. DNSSEC DNS poisoning works by injecting false information into a user's local DNS servers. Adding redundant or off-site DNS servers would not reduce the likelihood of a successful attack. Blocking DNS traffic with firewall rules would disrupt the service for legitimate users. The DNSSEC protocol adds a verification layer to ensure that DNS updates come from trusted sources, reducing the likelihood of a successful DNS poisoning attack.
After conducting security testing, Bruce identifies a memory leak issue on one of his servers that runs an internally developed application. Which one of the following team members is most likely able to correct this issue? A. Developer B. System administrator C. Storage administrator D. Security analyst
A. Developer A memory leak is a software flaw and, since this is an internally developed application, the developer is the person most likely to be able to correct it. If the issue were in a commercially purchased application, a system administrator may be able to correct the issue by applying a patch, but that is not the case in this scenario.
Carl is concerned that his organization's public DNS servers may be used in an amplification attack against a third party. What is the most effective way for Carl to prevent these servers from being used in an amplification attack? A. Disable open resolution B. Block external DNS requests C. Block internal DNS requests D. Block port 53 at the firewall
A. Disable open resolution All of the possible answers have the effect of blocking some DNS requests. The most effective technique to prevent DNS amplification is to disable open resolution so that external users may not make arbitrary recursive requests against the server. Blocking internal requests would have no effect on the attack. Blocking all external requests or blocking port 53 at the firewall would prevent all external requests, preventing the server from fulfilling its purpose as a public DNS server.
Bill is securing a set of terminals used to access a highly sensitive web application. He would like to protect against a man-in-the-browser attack. Which one of the following actions would be most effective in meeting Bill's goal? A. Disabling browser extensions B. Requiring multifactor authentication C. Requiring TLS encryption D. Disabling certificate pinning
A. Disabling browser extensions In a man-in-the-browser attack, the attacker manages to gain a foothold inside the user's browser, normally by exploiting a browser extension. This gives him or her access to all information accessed with the browser, regardless of whether the site uses strong authentication or transport encryption (such as TLS). Certificate pinning is a technique used to protect against inauthentic digital certificates and would not protect against a man-in-the-browser attack.
Barry would like to identify the mail server used by an organization. Which one of the following DNS record types identifies a mail server? A. MX B. A C. CNAME D. SOA
A. MX The MX record identifies the mail server for a domain. A records are used to identify domain names associated with IP addresses, while CNAMEs are used to create aliases. Start of Authority (SOA) records contain information about the authoritative servers for a DNS zone.
Alan is assessing the results of a penetration test and discovers that the attackers managed to install a back door on one of his systems. What activity were the attackers most likely engaged in when they installed the back door? A. Persistence B. Pivoting C. Privilege escalation D. Lateral movement
A. Persistence Back doors are an example of a persistence technique. They are designed to allow the attacker to regain access to the system even after the original flaw they exploited is patched.
Maureen is implementing TLS encryption to protect transactions run against her company's web services infrastructure. Which one of the following cipher suites would not be an appropriate choice? A. AES256-CCM B. ADH-RC4-MD5 C. ECDHE-RSA-AES256-SHA384 D. DH-RSA-AES256-GCM-SHA384
B. ADH-RC4-MD5 The key to this question is focusing on the encryption algorithms used by each option. Three of the four options use AES 256-bit encryption, which provides strong cryptography. One uses RC4 encryption, which is a weak implementation of cryptography and should be avoided.
Greg recently detected a system on his network that occasionally begins sending streams of TCP SYN packets to port 80 at a single IP address for several hours and then stops. It later resumes, but directs the packets at a different address. What type of attack is taking place? A. Port scanning B. DDoS C. IP scanning D. SQL injection
B. DDoS This is a clear example of a distributed denial of service (DDoS) attack. The system is flooding the target with connection requests, hoping to overwhelm it. The port and IP address are not changing, so this is not indicative of a scanning attack. There is no indication that the connection is completed, so it cannot be a SQL injection attack.
Which one of the following threat sources is likely to have the highest level of sophistication? A. Organized crime B. Hacktivist C. APT D. Script kiddie
C. APT Advanced persistent threats (APTs) are characterized by a high level of sophistication and significant financial and technical resources. Other attackers, including script kiddies, criminals, and hacktivists, are not likely to have anywhere near the same sophistication as an APT attacker (such as a national government).
Which one of the following attackers is most likely to understand the design of an organization's business process? A. Script kiddie B. APT C. Insider D. Hacktivist
C. Insider Insider attacks are particularly dangerous because they involve internal employees, contractors, or other individuals with access to systems and knowledge of business processes. Other attackers are less likely to have access to this information.
During a security assessment, Ryan learns that the Accounts Receivable department prints out records containing customer credit card numbers and files them in unlocked filing cabinets. Which one of the following approaches is most appropriate for resolving the security issues this situation raises? A. Physically secure paper records B. Encrypt sensitive information C. Modify business process D. Monitor areas containing sensitive records
C. Modify business process All of the controls mentioned in this question would improve the security of this scenario. However, the best way to handle sensitive information is to not retain it in the first place. It is unlikely that there is a valid business reason for storing copies of records containing customer credit card information. Therefore, the most appropriate solution would be to modify the business process to avoid this inappropriate data retention.
In which one of the following types of penetration test does the attacker not have access to any information about the target environment prior to beginning the attack? A. Grey box B. White box C. Red box D. Black box
D. Black box In a black box attack, the attacker does not have access to any information about the target environment before beginning the attack. In a grey box attack, the attacker has limited information. In a white box attack, the attacker has full knowledge of the target environment before beginning the attack.
Kevin runs a vulnerability scan on a system on his network and identifies a SQL injection vulnerability. Which one of the following security controls is likely not present on the network? A. TLS B. DLP C. IDS D. WAF
D. WAF A web application firewall (WAF), if present, would likely block SQL injection attempts, making SQL injection vulnerabilities invisible to a vulnerability scanner. A data loss prevention system (DLP) does not protect against web application vulnerabilities, such as SQL injection. An intrusion detection system (IDS) might identify a SQL injection exploit attempt but it is not able to block the attack. Transport layer security (TLS) encrypts web content but encryption would not prevent an attacker from engaging in SQL injection attacks.