
Sec701

1. Which of the following would NOT be useful in defending against a zero-day threat?
Answer: Patching is a great way to combat threats and protect your system, but it is not effective against
zero-day threats. By definition, a zero-day threat is a flaw in software, hardware, or firmware that is
unknown to the parties responsible for fixing it. There are zero days between the time the
vulnerability is discovered and the first attack.
Threat intelligence, segmentation, and whitelisting would all help defend against a zero-day attack.
Whitelisting is a security approach that allows only approved applications, files, or IP addresses to run
or access a system, while blocking all others by default. This method helps to prevent unauthorized or
malicious software from executing, enhancing overall system security.
Network segmentation is the practice of dividing a computer network into smaller, distinct subnetworks, or segments. Each segment functions as an independent network, which can enhance
security, performance, and manageability.
Common methods for network segmentation include:
VLANs: Logical segmentation within a physical network that allows multiple networks to exist on the
same hardware.
Firewalls: Using firewalls to control traffic between segments based on security policies.
Subnets: Dividing a larger network into smaller IP ranges to create separate networks.
2. Which analysis framework makes no allowance for an adversary retreat in its
analysis?
Answer: The Lockheed Martin Cyber Kill Chain implicitly assumes a unidirectional workflow.
Therefore, it fails to consider that an adversary may retreat during an attack. The MITRE ATT&CK and
Diamond models are more dynamic and allow for a broader range of adversary behaviors. AlienVault
was specifically designed to avoid the rigidity of the Lockheed Martin Cyber Kill Chain.
Yes, the Lockheed Martin Cyber Kill Chain is a relevant concept for the CompTIA Security+ (SY0-701) exam. The Cyber Kill Chain is a framework developed by Lockheed Martin to understand and
counteract cyber threats by breaking down the stages of an attack. It helps security professionals
identify and disrupt the steps attackers take to compromise a network.
The Seven Steps of the Cyber Kill Chain:
1. Reconnaissance: Attackers gather information about the target to identify vulnerabilities.
2. Weaponization: Attackers create a deliverable payload, such as malware or an exploit.
3. Delivery: Attackers transmit the payload to the target, often via email, web, or removable
media.
4. Exploitation: The payload is triggered, exploiting a vulnerability to gain access.
5. Installation: Attackers install malware or backdoors to maintain access.
6. Command and Control (C2): Attackers establish communication channels to control the
compromised system.
7. Actions on Objectives: Attackers achieve their goals, which could include data theft,
destruction, or further system compromise.
Relevance to CompTIA Security+ (SY0-701):
The CompTIA Security+ exam covers various aspects of cybersecurity, including threat analysis,
incident response, and mitigation strategies. Understanding the Cyber Kill Chain helps in:
• Identifying Attack Vectors: Recognizing the different stages of an attack can help in
identifying how threats are delivered and executed.
• Developing Defensive Measures: Implementing security controls to disrupt the kill chain at
various stages.
• Incident Response: Effectively responding to and mitigating the impact of an attack by
understanding its progression.
Exam Objectives Related to the Cyber Kill Chain:
• Threats, Attacks, and Vulnerabilities: Understanding different types of attacks and their
characteristics.
• Security Operations and Monitoring: Implementing and managing security measures to
detect and respond to threats.
• Incident Response: Processes and procedures for handling security incidents.
In summary, the Lockheed Martin Cyber Kill Chain is a valuable framework that aligns with the
knowledge and skills required for the CompTIA Security+ (SY0-701) exam, particularly in the areas of
threat detection, analysis, and response.
The analysis framework that makes no allowance for an adversary retreat in its analysis is the
Lockheed Martin Cyber Kill Chain. Here's why:
Lockheed Martin Cyber Kill Chain
The Lockheed Martin Cyber Kill Chain is a linear model that outlines the steps an adversary takes to
achieve their objectives, from initial reconnaissance to executing their mission. The seven steps are:
1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command and Control (C2)
7. Actions on Objectives
The model is designed to identify and disrupt each stage of an attack, but it assumes a forward
progression towards the attacker's goal and does not explicitly account for adversaries retreating or
backing out at any stage.
MITRE ATT&CK Framework
In contrast, the MITRE ATT&CK framework is not linear but rather a matrix of tactics and techniques
that adversaries use during different phases of an attack. The tactics represent the "why" of an attacker's
actions (e.g., initial access, execution, persistence), and the techniques represent the "how."
The MITRE ATT&CK framework is more flexible and comprehensive, capturing a wide range of
adversary behaviors, including lateral movement, defense evasion, and persistence. It does not
prescribe a fixed order of operations and allows for more dynamic analysis, including the possibility of
retreat or reattempt by adversaries.
Why Lockheed Martin and Not MITRE ATT&CK
The reason the Lockheed Martin Cyber Kill Chain does not account for adversary retreat is due to its
linear nature and focus on progressing through specific stages to achieve an objective. It is designed to
break down and disrupt each step of the attack chain in sequence, which inherently assumes a forward
movement without considering the possibility of retreat or fallback.
The MITRE ATT&CK framework, with its matrix structure, is inherently more adaptable and reflective
of the iterative and often non-linear nature of real-world cyber attacks, including the potential for
adversaries to retreat and regroup. Therefore, it is more accommodating of the complexities and fluidity
of cyber threat landscapes compared to the linear perspective of the Lockheed Martin Cyber Kill Chain.
3. During which phase of the incident response process does an organization
assemble an incident response toolkit?
During the preparation phase, the incident response team conducts training, prepares their incident
response kits, and researches threats and intelligence. During the detection and analysis phase, an
organization focuses on monitoring and detecting any possible malicious events or attacks. During the
containment, eradication, and recovery phase of an incident response, an analyst must preserve forensic
and incident information for future needs, to prevent future attacks, or to bring up an attacker on
criminal charges. During the post-incident activity phase, the organization conducts after-action reports,
creates lessons learned, and conducts follow-up actions to better prevent another incident from
occurring.
The incident response process is a structured approach used to manage and address security incidents.
It involves several phases that help an organization prepare for, detect, analyze, respond to, and recover
from security incidents. The typical phases of the incident response process are:
1. Preparation
• Develop incident response policies, procedures, and guidelines.
• Assemble and train the incident response team.
• Gather and maintain the incident response toolkit.
• Conduct training and awareness programs.
• Establish communication protocols.
2. Identification
• Detect and identify potential security incidents.
• Monitor systems and networks for signs of incidents.
• Analyze alerts and reports from various sources.
• Confirm and classify the incident.
3. Containment
• Implement short-term containment measures to limit the impact of the incident.
• Develop and implement long-term containment strategies to isolate affected systems.
• Prevent the spread of the incident to other parts of the network.
4. Eradication
• Identify and remove the root cause of the incident.
• Eliminate malware, vulnerabilities, and unauthorized access.
• Ensure that affected systems are clean and free of threats.
5. Recovery
• Restore affected systems and services to normal operation.
• Verify that systems are functioning correctly and securely.
• Monitor systems for any signs of residual issues or re-infection.
6. Lessons Learned
• Conduct a post-incident review to analyze the response process.
• Document the incident, response actions, and outcomes.
• Identify areas for improvement and update the incident response plan.
• Implement changes to policies, procedures, and controls to prevent future incidents.
By following this structured process, organizations can effectively manage security incidents, minimize
damage, and improve their overall security posture.
4. You have been investigating how a malicious actor was able to exfiltrate
confidential data from a web server to a remote host. After an in-depth forensic
review, you determine that the web server’s BIOS had been modified by the
installation of a rootkit. After you remove the rootkit and reflash the BIOS to a
known good image, what should you do in order to prevent the malicious actor
from affecting the BIOS again?
Correct Answer: Utilize secure boot
Since you are trying to protect the BIOS, utilizing secure boot is the best choice. Secure boot is a
security system offered by UEFI. It is designed to prevent a computer from being hijacked by a
malicious OS. Under secure boot, UEFI is configured with digital certificates from valid OS vendors.
The system firmware checks the operating system boot loader using the stored certificate to ensure that
it has been digitally signed by the OS vendor. This prevents a boot loader that has been changed by
malware (or an OS installed without authorization) from being used. The TPM can also be invoked to
compare hashes of key system state data (boot firmware, boot loader, and OS kernel) to ensure they
have not been tampered with by a rootkit. The other options are all good security practices, but they
only apply once you have already booted into the operating system. This makes them ineffective
against boot sector or rootkit attacks.
5. Which of the following types of attacks occurs when an attacker sends
unsolicited messages over Facebook messenger?
Spim is a type of spam targeting users of instant messaging (IM) services, SMS, or private messages
within websites and social media. If the unsolicited messages were sent by email, they would have
instead been classified as Spam.
Definition: SPIM is the term used for unsolicited messages sent over instant messaging (IM) services,
including chat applications like WhatsApp, Facebook Messenger, Slack, Microsoft Teams, and others.
Definition: Spam refers to unsolicited messages sent via email, typically in bulk, to a large number of
recipients.
5. You have signed up for a web-based appointment scheduling application to help
you manage your new IT technical support business. What type of solution would
this be categorized as?
Software as a Service (SaaS) is used to provide web applications to end-users. This can be a calendar,
scheduling, invoicing, word processor, database, or other programs. For example, Google Docs and
Office 365 are both word processing SaaS solutions. QuickBooks Online is one example of a SaaS
solution for accounting.
1. Infrastructure as a Service (IaaS)
• Definition: IaaS provides virtualized computing resources over the internet.
• Key Features:
• Users can rent IT infrastructure (servers, storage, networking) on a pay-as-you-go basis.
• Offers flexibility and scalability, allowing users to adjust resources based on demand.
• Examples: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP).
2. Platform as a Service (PaaS)
• Definition: PaaS offers a platform allowing developers to build, deploy, and manage
applications without dealing with the underlying infrastructure.
• Key Features:
• Provides development tools, middleware, database management, and application
hosting.
• Enables faster development and deployment cycles.
• Examples: Heroku, Google App Engine, Microsoft Azure App Service.
3. Software as a Service (SaaS)
• Definition: SaaS delivers software applications over the internet on a subscription basis.
• Key Features:
• Accessible via web browsers, eliminating the need for local installations.
• Managed by the service provider, including maintenance and updates.
• Examples: Google Workspace, Salesforce, Zoom.
6. Review the network diagram provided. Which of the following ACL entries
should be added to the firewall to allow only the system administrator’s computer
(IT) to have SSH access to the FTP, Email, and Web servers in the DMZ? (Note:
The firewall in this network is using implicit deny to maintain a higher level of
security. ACL entries are in the format of Source IP, Destination IP, Port Number,
TCP/UDP, Allow/Deny.)
Correct Answer: 172.16.1.4, 192.168.0.0/24, 22, TCP, ALLOW
Since the scenario requires you to set up SSH access from the IT computer to all three servers in the
DMZ, you will need to use a /24 subnet to set up the ACL rule correctly (or have 3 separate ACL
entries). Since you can only select one in this example, you will have to use the /24 for the destination
network. This means that the Source IP is 172.16.1.4 (IT computer), the Destination IP is
192.168.0.0/24 (the entire DMZ), the port is 22 for SSH and operates over TCP, and the condition is set
to ALLOW.
Incorrect Answers:
192.168.0.3/24, 172.16.1.4, ANY, TCP, ALLOW
192.168.0.0/24, 172.16.1.4, 22, TCP, ALLOW
172.16.1.0/24, 192.168.0.0/24, ANY, TCP, ALLOW
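To make the implicit-deny reasoning concrete, here is an added example (not part of these notes) that parses entries in the question's ACL format and evaluates them first-match-wins with implicit deny. The IT address and DMZ range come from the question; the individual DMZ server addresses and the non-admin host 172.16.1.10 are constructed for the example.

```python
import ipaddress

# Constructed sample entries in the page's ACL format:
# Source IP, Destination IP, Port Number, TCP/UDP, Allow/Deny
CORRECT_ACL = ["172.16.1.4, 192.168.0.0/24, 22, TCP, ALLOW"]
REVERSED_ACL = ["192.168.0.0/24, 172.16.1.4, 22, TCP, ALLOW"]
OVERLY_BROAD_ACL = ["172.16.1.0/24, 192.168.0.0/24, ANY, TCP, ALLOW"]


def parse_entry(text):
    """Turn one ACL line into a dict with network objects for source/destination."""
    src, dst, port, proto, action = [f.strip() for f in text.split(",")]
    return {
        "src": ipaddress.ip_network(src, strict=False),  # a bare host becomes a /32
        "dst": ipaddress.ip_network(dst, strict=False),
        "port": None if port.upper() == "ANY" else int(port),
        "proto": proto.upper(),
        "action": action.upper(),
    }


def evaluate(acl, src, dst, port, proto="TCP"):
    """First matching entry decides; with no match the firewall's implicit deny applies."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for entry in (parse_entry(line) for line in acl):
        if (src_ip in entry["src"] and dst_ip in entry["dst"]
                and entry["proto"] == proto.upper()
                and entry["port"] in (None, port)):
            return entry["action"]
    return "DENY"  # implicit deny


def check_requirement(acl, it_host="172.16.1.4", other_host="172.16.1.10",
                      dmz_servers=("192.168.0.2", "192.168.0.3", "192.168.0.4")):
    """True only if the IT host can SSH to every DMZ server AND a different
    internal host cannot (the 'only the administrator' requirement).
    DMZ server and non-admin addresses are constructed for this example."""
    it_ok = all(evaluate(acl, it_host, s, 22) == "ALLOW" for s in dmz_servers)
    other_blocked = all(evaluate(acl, other_host, s, 22) == "DENY" for s in dmz_servers)
    return it_ok and other_blocked


if __name__ == "__main__":
    for name, acl in [("correct", CORRECT_ACL), ("reversed", REVERSED_ACL),
                      ("overly broad", OVERLY_BROAD_ACL)]:
        print(f"{name:12s} meets requirement: {check_requirement(acl)}")
```

The reversed entry fails because the source and destination are swapped, and the /24 source with ANY port passes the SSH requirement but also lets every internal host reach every DMZ port.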
7. What technique is most effective in determining whether or not increasing end-user security training would be beneficial to the organization during your
technical assessment of their network?
Social engineering refers to psychological manipulation of people into performing actions or divulging
confidential information. During your technical assessment, utilizing social engineering techniques
such as phishing or pharming can help you determine if additional end-user security training should be
included in the organization. The other three options focus solely on technical controls. Therefore,
adding end-user training would have no effect on these technology options.
Incorrect Answers:
Network sniffing, application security testing, vulnerability scanning
8. Dion Training allows its visiting business partners from CompTIA to use an
available Ethernet port in their conference room to establish a VPN connection
back to the CompTIA internal network. The CompTIA employees should be able to
obtain internet access from the Ethernet port in the conference room, but nowhere
else in the building. Additionally, if a Dion Training employee uses the same
Ethernet port in the conference room, they should be able to access Dion
Training's secure internal network. Which of the following technologies would
allow you to configure this port and support both requirements?
Correct Answer: Implement NAC
Incorrect Answers: MAC filtering, Configure a SIEM, Create an ACL to allow access
Network Access Control (NAC) uses a set of protocols to define and implement a policy that describes
how to secure access to network nodes whenever a device initially attempts to access the network.
NAC can utilize an automatic remediation process by fixing non-compliant hosts before allowing
network access. Network Access Control can control access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over where users and devices
can go on a network and what they can do. In this scenario, implementing NAC can identify which
machines are known and trusted Dion Training assets, and provide them with access to the secure
internal network. NAC could also determine which are unknown machines (assumed to be those of
CompTIA employees), and provide them with direct internet access only by placing them onto a guest
network or VLAN. While MAC filtering could be used to allow or deny access to the network, it
cannot by itself control which set of network resources could be utilized from a single ethernet port. A
security information and event management (SIEM) system provides real-time analysis of security
alerts generated by applications and network hardware. An access control list could define what ports,
protocols, or IP addresses the ethernet port could be utilized, but it would be unable to distinguish
between a Dion Training employee's laptop and a CompTIA employee's laptop like a NAC
implementation could.
9. What type of malicious application does not require user intervention or
another application to act as a host in order for it to replicate?
Correct Answer: Worm
A worm is a self-replicating type of malware that does not require user intervention or another
application to act as a host in order for it to replicate. Viruses and Macros require user intervention to
spread, and Trojans are hosted within another application that appears to be harmless.
Worms
Definition: A worm is a type of malware that replicates itself to spread to other computers, usually over
a network.
Characteristics:
• Self-replicating: Worms can spread without user intervention by exploiting vulnerabilities in
software or operating systems.
• Network-based: They often spread through network connections, email, or internet downloads.
• Impact: Can consume bandwidth, slow down systems, and cause network congestion.
Viruses
Definition: A virus is a type of malware that attaches itself to a legitimate program or file and requires
user action to execute.
Characteristics:
• Requires a host: Viruses need to attach to a host file or program to spread.
• User-initiated: Typically spread when users open infected files or run infected programs.
• Impact: Can corrupt or delete files, and slow down system performance.
Trojans
Definition: A trojan (or trojan horse) is a type of malware that disguises itself as a legitimate program
to trick users into installing it.
Characteristics:
• Deceptive: Trojans do not self-replicate; they rely on users to download and install them.
• Payload delivery: Often designed to create backdoors, steal data, or facilitate other types of
malware.
• Impact: Can lead to unauthorized access, data theft, or system damage.
10. Joseph would like to prevent hosts from connecting to known malware
distribution domains. What type of solution should be used without deploying
endpoint protection software or an IPS system?
Correct Answer: DNS blackholing
DNS blackholing is a process that uses a list of known domains/IP addresses belonging to malicious
hosts and uses an internal DNS server to create a fake reply. Route poisoning prevents networks from
sending data somewhere when the destination is invalid. Routers do not usually have an anti-malware
filter, and this would be reserved for a unified threat management system. Subdomain whitelisting
would not apply here because it would imply that you are implicitly denying all traffic and only allow
whitelisted subdomains to be accessed from the hosts that would affect their operational utility to the
organization.
Route poisoning and subdomain whitelisting serve different purposes than DNS blackholing or Pi-hole.
Here’s why they wouldn't be suitable answers for preventing hosts from connecting to known malware
distribution systems:
Route Poisoning
Definition: Route poisoning is a technique used in network routing to prevent routing loops by
marking a route as unreachable.
Why It’s Not Suitable:
• Routing Focus: Route poisoning is about managing routing tables and ensuring data packets
are directed properly within a network, not about blocking specific domain names or preventing
access to malicious content.
• Doesn’t Address DNS Level: It doesn’t function at the DNS level, so it won't prevent requests
to known malware domains; it deals with how data packets are routed through the network.
Subdomain Whitelisting
Definition: Subdomain whitelisting is a security measure that allows only specified subdomains to be
accessed or resolved.
Why It’s Not Suitable:
• Restrictive Approach: Whitelisting requires a predefined list of allowed domains or
subdomains, which may not be practical for blocking newly discovered malware domains.
• Not Proactive: It doesn't actively prevent access to malicious domains but rather limits access
to specific known good domains, which could lead to missed threats if they aren't on the
whitelist.
• Complex Management: Maintaining an up-to-date whitelist can be complex and time-consuming, especially in a dynamic threat landscape.
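The following is an added example (not from these notes) of the DNS blackholing logic described above: an internal resolver that answers blocklisted domains and their subdomains with a sinkhole address and forwards everything else. The blocklist, the sinkhole address, the client address and the upstream answer for www.diontraining.com are all constructed.

```python
# Constructed blocklist of known malware-distribution domains and a sinkhole
# address; in practice the list comes from a threat-intelligence feed.
BLOCKLIST = {"malware-dist.example", "bad-cdn.example"}
SINKHOLE = "0.0.0.0"  # fake reply handed back for blocked names
# Constructed stand-in for the answers an upstream resolver would return.
UPSTREAM = {"www.diontraining.com": "203.0.113.10"}

QUERY_LOG = []  # each blackholed query is recorded so infected hosts can be found


def normalize(name):
    return name.rstrip(".").lower()


def is_blackholed(name, blocklist=BLOCKLIST):
    """True if the name or any parent domain is on the blocklist.
    Whole labels only, so 'notmalware-dist.example' is not caught by
    'malware-dist.example', but 'evil.malware-dist.example' is."""
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def resolve(name, client="10.0.0.5", blocklist=BLOCKLIST, upstream=UPSTREAM):
    """Answer an A query: blocklisted names get the sinkhole, everything else
    is forwarded. Returns (address, source)."""
    if is_blackholed(name, blocklist):
        QUERY_LOG.append((client, normalize(name)))
        return SINKHOLE, "blackhole"
    return upstream.get(normalize(name)), "upstream"


def load_blocklist(text):
    """Parse a hosts-file style feed: '0.0.0.0 domain' or bare domain lines,
    '#' comments. Many public blackhole feeds use this layout."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        names.add(normalize(line.split()[-1]))
    return names
```

The query log is the detection side of the control: a host repeatedly resolving sinkholed names is the one to investigate.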
11. Which of the following attacks would most likely be used to create an
inadvertent disclosure of information from an organization's database?
A SQL injection poses the most direct and most impactful threat to an organization's database. A SQL
injection could allow the attacker to execute remote commands on the database server and lead to the
disclosure of sensitive information. A buffer overflow attack attempts to overwrite the memory buffer
in order to send additional data into adjacent memory locations. A buffer overflow attack might target a
database server, but it isn't intended to cause a disclosure of information directly. Instead, a buffer
overflow attack may be used to gain initial access to a server and allow for the running of other
malicious code. A denial of service targets the availability of the information by attempting to take the
server offline. A cross-site scripting attack typically is focused against the user, not the server or
database.
12. An employee contacts the service desk because they are unable to open an
attachment they receive in their email. The service desk agent conducts a screen
sharing session with the user and investigates the issue. The agent notices that the
attached file is named Invoice1043.pdf, and a black pop-up window appears and
then disappears quickly when the attachment was double-clicked. Which of the
following is most likely causing this issue?
Correct Answer: The attachment is using a double file extension to mask its identity
Incorrect Answer: The file contains an embedded link to a malicious website
The message contains a file attachment in the hope that the user will execute or open it. The nature of
the attachment might be disguised by formatting tricks such as using a double file extension, such as
Invoice1043.pdf.exe, where the user only sees the first extension since .exe is a known file type in
Windows. This would explain the black pop-up window that appeared and then disappeared, especially if
the exe file was running a command-line tool. This file is most likely not a PDF, so there is no need for
a PDF reader. Additionally, most modern web browsers, such as Chrome and Edge, can open PDF files
by default for the user. The file would not contain an embedded link since an embedded link is another
popular attack vector that embeds a link to a malicious site within the email body, not within the file.
This email is likely not spam and would be better categorized as a phishing attempt instead.
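As an added example (not part of these notes), this is the kind of attachment check a mail gateway or service desk script can run: it reports how Windows would display the name with known extensions hidden and flags a document extension sitting in front of an executable one. The extension sets are constructed and deliberately short.

```python
import re

# Extensions a user expects to be harmless documents or images.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}
# Extensions Windows will execute when double-clicked.
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "pif", "vbs", "js", "jse",
                   "wsf", "ps1", "msi", "hta", "lnk"}


def windows_display_name(filename):
    """Name as Explorer shows it with 'hide extensions for known file types' on:
    only the final extension is hidden, so Invoice1043.pdf.exe appears as Invoice1043.pdf."""
    stem, dot, ext = filename.rpartition(".")
    if dot and ext.lower() in EXECUTABLE_EXTS | DOCUMENT_EXTS:
        return stem
    return filename


def analyze_attachment(filename):
    """Return a verdict dict for one attachment name."""
    # Collapse runs of whitespace sometimes used to push the real extension out of view.
    cleaned = re.sub(r"\s+", " ", filename.strip())
    parts = cleaned.lower().split(".")
    real_ext = parts[-1] if len(parts) > 1 else ""
    inner_ext = parts[-2].strip() if len(parts) > 2 else ""
    masquerade = real_ext in EXECUTABLE_EXTS and inner_ext in DOCUMENT_EXTS
    return {
        "filename": cleaned,
        "displayed_as": windows_display_name(cleaned),
        "real_extension": real_ext,
        "executable": real_ext in EXECUTABLE_EXTS,
        "double_extension_masquerade": masquerade,
    }


def suspicious_attachments(names):
    """Filter attachment names down to those that would actually execute."""
    return [n for n in names if analyze_attachment(n)["executable"]]
```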
13. As a cybersecurity analyst conducting vulnerability scans, you have just
completed your first scan of an enterprise network comprising over 10,000
workstations. As you examine your findings, you note that you have less than 1
critical finding per 100 workstations. Which of the following statements BEST
explain these results?
Correct Answer: An uncredentialed scan of the network was performed
Incorrect Answer: The network has exceptionally strong security posture
Uncredentialed scans are generally unable to detect many vulnerabilities on a device. When conducting
an internal assessment, you should perform an authenticated (credentialed) scan of the environment to
most accurately determine the vulnerability posture of the network. In most enterprise networks, if a
vulnerability exists on one machine, it also exists on most of the other workstations since they use a
common baseline or image. If the scanner failed to connect to the workstations, an error would have
been generated in the report.
14. Which of the following is not normally part of an endpoint security suite?
Correct Answer: VPN
Incorrect Answers: IPS, Software firewall, Anti-Virus
Endpoint security includes software host-based firewalls, host-based intrusion prevention systems
(HIPS), and anti-virus software. A VPN is not typically considered an endpoint security tool because it
is a network security tool.
15. Which of the following cryptographic algorithms is classified as asymmetric?
Correct Answer: PGP
Incorrect Answer: AES, RC4, 3DES
Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and
authentication for data communication. PGP is used for signing, encrypting, and decrypting texts,
emails, files, directories, and whole disk partitions and to increase the security of email
communications. PGP is a public-key cryptosystem and relies on an asymmetric algorithm. AES, RC4,
and 3DES are all symmetric algorithms.
16. Which law requires that government agencies and other organizations that
operate systems on behalf of government agencies to comply with security
standards?
Correct Answer: FISMA
The Federal Information Security Management Act (FISMA) is a United States federal law that defines
a comprehensive framework to protect government information, operations, and assets against natural
or man-made threats. FISMA requires that government agencies and other organizations that operate
systems on behalf of government agencies comply with security standards. The Health Insurance
Portability and Accountability Act (HIPAA) is a United States federal law designed to provide privacy
standards to protect patients' medical records and other health information provided to health plans,
doctors, hospitals, and other health care providers. The Children's Online Privacy Protection Act
(COPPA) is a United States federal law that imposes certain requirements on operators of websites or
online services directed to children under 13 years of age, and on operators of other websites or online
services that have actual knowledge that they are collecting personal information online from a child
under 13 years of age. Sarbanes–Oxley (SOX) is a United States federal law that set new or expanded
requirements for all U.S. public company boards, management, and public accounting firms.
17. Which of the following would NOT be included in a company's password
policy?
Correct Answer: Password Style
Incorrect Answers: Password history, age, or complexity requirements
A password policy is a set of rules designed to enhance computer security by encouraging users to
employ strong passwords and use them properly. A password policy is often part of an organization's
official regulations and may be taught as part of security awareness training. It contains items like
password complexity, password age, and password history requirements.
18. An internet marketing company decided that they didn't want to follow the
rules for GDPR because it would create too much work for them. They wanted to
buy insurance, but no insurance company would write them a policy to cover any
fines received. They considered how much the fines might be, and decided to
simply ignore the regulation and its requirements. Which of the following risk
strategies did the company choose?
Correct Answer: Acceptance
Incorrect Answer: Avoidance, Mitigation, Transference
The internet marketing company initially tried to transfer the risk (buy insurance), but then decided to
accept the risk. To avoid the risk, the company would have changed the way it did business or would
prevent European customers from signing up on their mailing list using geolocation blocks.
19. A cybersecurity analyst is reviewing the logs of a proxy server and saw the
following URL, http://test.diontraining.com/../../../../etc/shadow. What type of
attack has likely occurred?
Correct Answer: Directory traversal
Incorrect Answer: XML injection, Buffer overflow, SQL injection
This is an example of a directory traversal. A directory traversal attack aims to access files and
directories that are stored outside the webroot folder. By manipulating variables or URLs that
reference files with “dot-dot-slash (../)” sequences and its variations or by using absolute file paths, it
may be possible to access arbitrary files and directories stored on the file system, including application
source code or configuration and critical system files. A buffer overflow is an exploit that attempts to
write data to a buffer and exceed that buffer's boundary to overwrite an adjacent memory location.
XML Injection is an attack technique used to manipulate or compromise the logic of an XML
application or service. SQL injection is the placement of malicious code in SQL statements, via web
page input.
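Added example (not from these notes): detection logic for the directory traversal pattern above, run over constructed proxy log lines. The first URL is the one quoted in the question; the others are constructed variations (URL-encoded, double-encoded, backslash) plus a benign ".." that never leaves the webroot. Client addresses, timestamps and the log layout are constructed.

```python
from urllib.parse import unquote, urlsplit

# Constructed proxy log: timestamp, client IP, method, URL, status.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.1.1.20 GET http://test.diontraining.com/../../../../etc/shadow 403
2024-05-01T10:00:02Z 10.1.1.20 GET http://test.diontraining.com/images/..%2F..%2F..%2Fetc/passwd 403
2024-05-01T10:00:03Z 10.1.1.20 GET http://test.diontraining.com/%252e%252e/%252e%252e/etc/passwd 403
2024-05-01T10:00:04Z 10.1.1.20 GET http://test.diontraining.com/..\\..\\windows\\win.ini 403
2024-05-01T10:00:05Z 10.1.1.31 GET http://test.diontraining.com/static/../index.html 200
2024-05-01T10:00:06Z 10.1.1.31 GET http://test.diontraining.com/docs/guide.pdf 200
"""


def escapes_webroot(path):
    """True when the path, after decoding, climbs above the webroot.
    Decoding twice catches double-encoded sequences such as %252e%252e%252f;
    backslashes are folded to slashes to cover Windows-style variants."""
    decoded = path
    for _ in range(2):
        decoded = unquote(decoded)
    decoded = decoded.replace("\\", "/")
    depth = 0  # how many directories below the webroot we currently are
    for segment in decoded.split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True  # tried to go above the webroot
        elif segment not in ("", "."):
            depth += 1
    return False


def find_traversals(log_text):
    """Return (client, url) for every request whose path escapes the webroot.
    A '..' that stays inside the site (static/../index.html) is not reported."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line, skip rather than crash
        client, url = fields[1], fields[3]
        if escapes_webroot(urlsplit(url).path):
            hits.append((client, url))
    return hits
```

Because the check is applied to the decoded, normalised path rather than to the literal string "../", the encoded variations the question alludes to are caught as well.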
20. An attacker has compromised a virtualized server. You are conducting forensic
analysis as part of the recovery effort but found that the attacker deleted a virtual
machine image as part of their malicious activity. Which of the following
challenges do you now have to overcome as part of the recovery and remediation
efforts?
Correct Answer: The attack widely fragmented the image across the host file system
Incorrect Answers:
File formats used by some hypervisors cannot be analyzed with traditional forensic tools
All log files are stored within the VM disk image, therefore across the host file system
You will need to roll back to an early snapshot and then merge any checkpoints to the main image
Due to the deletion of the VM disk image, you will now have to conduct file carving or other data
recovery techniques to recover and remediate the virtualized server. If the server's host uses a
proprietary file system, such as VMFS on ESXi, this can further limit support by data recovery tools.
The attacker may have widely fragmented the image across the host file system when they deleted the
disk image. VM instances are most useful when they are elastic (meaning they spin up when needed)
and are then destroyed without preserving any local data once their task is complete, but
this can lead to the potential of lost system logs. To prevent this, most VMs also save their logs to an
external syslog server or file. Virtual machine file formats are image-based and written to a mass
storage device. Depending on the configuration and VM state, security must merge any checkpoints to
the main image, using a hypervisor tool, not recovery from an old snapshot, and then roll forward. It is
possible to load VM data into a memory analysis tool, such as Volatility, although the file formats used
by some hypervisors require conversion first, or it may not support the analysis tool.
21. Your company just installed a new webserver within your DMZ. You have been
asked to open up the port for secure web browsing on the firewall. Which port
should you set as open to allow users to access this new server?
Correct Answer: Port 443
Port 443 is used for HTTPS traffic. Therefore, this port must be opened. This is secure web browsing
over SSL or TLS. Port 21 is used for the File Transfer Protocol (FTP). Port 80 is used for unsecured
web browsing (HTTP). Port 143 is used for Internet Mail Application Protocol (IMAP).
22. Which of the following is the leading cause for cross-site scripting, SQL
injection, and XML injection attacks?
Correct Answer: Faulty input validation
Incorrect Answers: Output encoding, File inclusions, Directory traversals
A primary vector for attacking applications is to exploit faulty input validation. The input could include
user data entered into a form or URL, passed by another application or link. This is heavily exploited
by cross-site scripting, SQL injection, and XML injection attacks. Directory traversal is the practice of
accessing a file from a location that the user is unauthorized to access. The attacker does this by
ordering an application to backtrack through the directory path so that the application reads or executes
a file in a parent directory. In a file inclusion attack, the attacker adds a file to the running process of a
web app or website. The file is either constructed to be malicious or manipulated to serve the attacker's
malicious purposes. Cross-site scripting (XSS) is one of the most powerful input validation exploits.
XSS involves a trusted site, a client browsing the trusted site, and the attacker's site.
23. You have just finished running an nmap scan on a server and see the following
output:
Based on the output above, which of the following ports listed as open represents the most significant
security vulnerability to your network?
Correct Answer: Port 23
Port 23 is used by telnet and is not considered secure because it sends all of its data in cleartext,
including authentication data like usernames and passwords. As an analyst, you should recommend that
telnet is disabled and blocked from use. The other ports that are open are for SSH (port 22), DNS (port
53), and HTTPS (port 443).
24. You have just received some unusual alerts on your SIEM dashboard and want
to collect the payload associated with it. Which of the following should you
implement to effectively collect these malicious payloads that the attackers are
sending towards your systems without impacting your organization's normal
business operations?
Correct Answer: Honeypot
Incorrect Answers: Containerization, Jumpbox, Sandbox
A honeypot is a host set up to lure attackers away from the real network components and/or to discover attack strategies and weaknesses in the security configuration. Because it holds no production data, it can accept and record the attackers' payloads without disrupting normal operations; it should be isolated from production systems and closely monitored. A jumpbox is a hardened server that provides access to other hosts. A sandbox is a computing environment isolated from a host system to guarantee that the environment runs in a controlled, secure fashion. Containerization is a type of virtualization applied by a host operating system to provision an isolated execution environment for an application.
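The payload-collection behaviour described above, as an added example that is not part of the original study guide: a minimal TCP honeypot that accepts connections, hands out a fake service banner so the client talks first, records the first bytes each client sends, and closes. The SMTP-style banner, the loopback bind address and the client in probe_honeypot() are constructed for this illustration; a real honeypot sits on an isolated, monitored segment and forwards its captures to the SIEM.

```python
"""Added example: a minimal payload-capturing TCP honeypot (loopback only)."""
import socket
import threading
import time


class Honeypot:
    """Listens on one port, captures each connection's first payload, never serves real data."""

    def __init__(self, host="127.0.0.1", port=0, banner=b"220 mail.example.test ESMTP\r\n"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))          # port 0 lets the OS pick a free port
        self.sock.listen(5)
        self.sock.settimeout(0.2)             # lets the accept loop notice stop()
        self.port = self.sock.getsockname()[1]
        self.banner = banner                  # constructed fake banner, not a real service
        self.captured = []                    # one record per connection
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self.sock.close()
        self._thread.join(timeout=2)

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:                   # listening socket closed by stop()
                break
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()

    def _handle(self, conn, peer):
        """Send the fake banner so the client talks first, then record whatever it sends."""
        with conn:
            conn.settimeout(2.0)
            try:
                conn.sendall(self.banner)
                payload = conn.recv(4096)
            except OSError:
                payload = b""
        record = {"time": time.time(), "peer": peer, "payload": payload}
        with self._lock:
            self.captured.append(record)

    def wait_for_captures(self, count, timeout=3.0):
        """Block until at least `count` payloads are recorded (handlers run on threads)."""
        deadline = time.time() + timeout
        while time.time() < deadline:
            with self._lock:
                if len(self.captured) >= count:
                    return True
            time.sleep(0.02)
        return False


def probe_honeypot(port, payload, host="127.0.0.1"):
    """Constructed stand-in for the attacker: read the banner, send one payload, disconnect."""
    with socket.create_connection((host, port), timeout=2) as client:
        banner = client.recv(1024)
        client.sendall(payload)
    return banner


if __name__ == "__main__":
    hp = Honeypot().start()
    probe_honeypot(hp.port, b"EHLO attacker.example\r\nMAIL FROM:<x@attacker.example>\r\n")
    hp.wait_for_captures(1)
    for rec in hp.captured:
        print(rec["peer"], rec["payload"])
    hp.stop()
```

The captured records (timestamp, peer address, raw bytes) are exactly what the SIEM alert lacked; in practice they would be shipped off the honeypot rather than kept on it, since the host is expected to be attacked.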
25. You have been hired to perform a web application security test. During the
test, you notice that the site is dynamic and, therefore, must be using a backend
database. You decide you want to test to determine if the site is susceptible to a
SQL injection. What is the first character that you should attempt to use in
breaking a valid SQL request?
Correct Answer: Single quote
Incorrect Answer: Double quote, Exclamation mark, Semicolon
The single quote character (') is used because it is the string delimiter in SQL. Since a single quote delimits strings, supplying one lets you test whether the targeted application properly escapes strings. If they are not escaped, you can end any string supplied to the application and add other SQL code after it, which is a common SQL injection technique. A semicolon is commonly used at the end of a line of code or command in many programming languages. An exclamation mark is used to comment a line of code in some languages. Double quotes are often used to contain a string being assigned to a variable.
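The faulty input validation of question 22 and the single-quote probe of question 25, shown together as an added example that is not from the original study guide. It uses an in-memory SQLite database with two constructed user rows; lookup_vulnerable() concatenates the username into the query, lookup_parameterised() binds it as a parameter. The probe() helper reports what an attacker would observe for each test input.

```python
"""Added example: why a single quote is the first SQL injection probe, and why
parameterised queries make it harmless. Database and rows are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a throwaway database with two constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Builds the query by string concatenation: the classic injectable pattern."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list:
    """Same query, but the value travels as a bound parameter, never as SQL text."""
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


def probe(conn: sqlite3.Connection, lookup, payload: str) -> str:
    """Run one test input and summarise what the attacker would observe."""
    try:
        rows = lookup(conn, payload)
    except sqlite3.OperationalError as exc:
        # A database error on a lone quote is the tell-tale sign of injectable code.
        return f"error: {exc}"
    return f"rows: {rows}"


if __name__ == "__main__":
    db = make_db()
    for payload in ("alice", "alice'", "x' OR '1'='1"):
        print(f"{payload!r:18} vulnerable -> {probe(db, lookup_vulnerable, payload)}")
        print(f"{payload!r:18} bound      -> {probe(db, lookup_parameterised, payload)}")
```

The lone quote makes the concatenated query syntactically invalid, which is the error the tester is looking for; the follow-up payload `x' OR '1'='1` then returns every row. With the bound parameter the same inputs are just usernames that do not exist.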
26. What access control model will a network switch utilize if it requires
multilayer switches to use authentication via RADIUS/TACACS+?
Correct Answer: 802.1X
Incorrect Answers: 802.11ac, 802.3af, 802.1Q
If you are using RADIUS/TACACS+ with the switch, you will need 802.1X, the IEEE standard for port-based network access control. The switch acts as the authenticator: it relays the connecting device's EAP credentials to the authentication server and only opens the port if the server accepts them. 802.11ac is a Wi-Fi standard, 802.3af is Power over Ethernet, and 802.1Q is VLAN tagging; none of them performs authentication.
27. Which of the following is a senior role with the ultimate responsibility for
maintaining confidentiality, integrity, and availability in a system?
Correct Answer: Data owner
Incorrect Answers: Data custodian, Data steward, Privacy officer
A data owner is a person responsible for the confidentiality, integrity, availability, and privacy of
information assets. They are usually senior executives and somebody with authority and responsibility.
A data owner is responsible for labeling the asset and ensuring that it is protected with appropriate
controls. The data owner typically selects the data steward and data custodian and has the authority to
direct their actions, budgets, and resource allocations. The data steward is primarily responsible for data
quality. This involves tasks such as ensuring data are labeled and identified with appropriate metadata,
and that data is collected and stored in a format and with values that comply with applicable laws and
regulations. The data custodian is the role that handles managing the system on which the data assets
are stored. This includes responsibility for enforcing access control, encryption, and backup/recovery
measures. The privacy officer is the role responsible for oversight of any PII/SPI/PHI assets managed
by the company.
28. Which type of monitoring would utilize a network tap?
Correct Answer: Passive
Incorrect Answer: Router-based, Active, SNMP
Network taps are devices that allow a copy of network traffic to be captured for analysis. They conduct
passive network monitoring and visibility without interfering with the network traffic itself. Active
monitoring relies on the scanning of targeted systems, not a network tap. Router-based monitoring
would involve looking over the router's logs and configuration files. SNMP is used to monitor network
devices, but is considered a form of active monitoring and doesn't rely on network taps.
29. Which of the following types of attacks occurs when an attacker calls up
people over the phone and attempts to trick them into providing their credit card
information?
Correct Answer: Vishing
Vishing is the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as bank details and credit card numbers.
30. What tool can be used as an exploitation framework during your penetration
tests?
Correct Answer: Metasploit
Incorrect Answer: Nmap, Autopsy, Nessus
The Metasploit Project is a computer security project that provides information about security
vulnerabilities and aids in penetration testing and IDS signature development. Nessus is a very popular
vulnerability scanner. It can be used to check how vulnerable your network is by using various plugins
to test for vulnerabilities. Also, Nessus can be used to perform compliance auditing, like internal and
external PCI DSS audit scans. The nmap tool is a port scanner. BeEF is short for The Browser
Exploitation Framework. It is a penetration testing tool that focuses on the web browser.
Metasploit
• Purpose: Metasploit is an exploitation framework used in penetration testing. It allows security
professionals to find, exploit, and validate vulnerabilities in systems.
• Features: It contains a vast library of exploits for different vulnerabilities and payloads to test
systems.
• Relevance to Exam: For the Security+ exam, you should understand what an exploitation
framework is and how it's used in penetration testing. You don't need to know how to use
Metasploit in depth, but knowing it is a tool used for exploitation in pen testing is crucial.
Nmap
• Purpose: Nmap (Network Mapper) is a network scanning tool used to discover hosts and
services on a network by sending packets and analyzing the responses.
• Features: It can identify live hosts, open ports, services running on those ports, and their
versions, and even perform OS detection.
• Relevance to Exam: Nmap is important for understanding network reconnaissance and
scanning. You should know what network scanning is, how it's used to gather information about
a network, and that Nmap is a common tool for this purpose.
Autopsy
• Purpose: Autopsy is a digital forensics platform used to analyze hard drives and mobile devices
to recover and examine digital evidence.
• Features: It provides a graphical interface to The Sleuth Kit (a collection of command-line
tools for digital forensics), allowing for timeline analysis, hash filtering, keyword searching,
and more.
• Relevance to Exam: For the Security+ exam, you should be aware of the basic concepts of
digital forensics and incident response. While detailed knowledge of Autopsy is not required,
knowing that it is a tool used in digital forensics is important.
Nessus
• Purpose: Nessus is a vulnerability scanner used to identify vulnerabilities, misconfigurations,
and other security issues within a network.
• Features: It scans systems for vulnerabilities and provides reports on findings, often with
recommendations for remediation.
• Relevance to Exam: Understanding vulnerability assessment is crucial for Security+. You
should know the purpose of vulnerability scanning, how it fits into the security lifecycle, and
that Nessus is a popular tool for conducting these scans.
Summary for Security+ (SY0-701) Exam
• Metasploit: Know it's an exploitation framework used for penetration testing.
• Nmap: Understand it's a network scanner used for reconnaissance and network mapping.
• Autopsy: Be aware it's a digital forensics tool used for examining digital evidence.
• Nessus: Recognize it's a vulnerability scanner used to identify security weaknesses.
These tools represent different stages and aspects of the cybersecurity process, from identifying
vulnerabilities (Nessus) and mapping the network (Nmap) to exploiting vulnerabilities (Metasploit) and
analyzing post-incident data (Autopsy). Understanding their purposes and how they fit into the broader
context of cybersecurity practices is essential for the exam.
31. You have been asked to install a computer in a public workspace. The
computer should only be used by an authorized user. Which of the following
security requirements should you implement to prevent unauthorized users from
accessing the network with this computer?
Correct Answer: Require authentication on wake-up
Incorrect Answers: Remove the guest account from the administrator group, Disable single sign-on, Issue the same strong and complex password for all users
To prevent the computer from being used inadvertently to access the network, the system should be configured to require authentication whenever it is woken up. If an authorized user walks away and the computer goes to sleep, the next person who tries to use it will be asked for a username and password before being granted access to the network. Pair this with a short idle timeout so that the lock engages soon after the user leaves. Issuing the same password to all users defeats accountability, and the other two options do nothing to stop a walk-up user from using an unlocked session.
32. What is a reverse proxy commonly used for?
Correct Answer: Directing traffic to internal services if the contents of the traffic comply with the
policy
A reverse proxy is placed at the network edge in front of internal or cloud services: it listens for client requests from a public network such as the internet, creates the corresponding request to the internal server on the corporate network, and passes the server's response back to the external client. In a CASB deployment the reverse proxy forwards traffic to the cloud service only if its contents comply with policy; this requires no configuration of the users' devices, but it is only possible if the cloud application supports proxying. Reverse proxies are not generally intended to obfuscate the source of communication, nor are they specific to the cloud. A cloud access security broker (CASB) can be used to prevent unauthorized use of cloud services from the local network.
33. What is the utilization of insights gained from threat research and threat
modeling to proactively discover evidence of adversarial TTPs within a network
or system called?
Correct Answer: Threat hunting
Incorrect Answer: Information assurance, Penetration Testing, Incident response
Threat hunting is the utilization of insights gained from threat research and threat modeling to
proactively discover evidence of adversarial TTPs within a network or system. Penetration testing uses
active tools and security utilities to evaluate security by simulating an attack on a system. A penetration test verifies that a threat exists, then actively tests and bypasses security controls, and finally exploits vulnerabilities on the system. Information assurance (IA) is the practice of assuring information and
managing risks related to the use, processing, storage, and transmission of information or data and the
systems and processes used for those purposes. Incident response is an organized approach to
addressing and managing the aftermath of a security breach or cyberattack, also known as an IT
incident, computer incident, or security incident. The goal is to handle the situation in a way that limits
damage and reduces recovery time and costs.
34. Dion Training has an open wireless network called "InstructorDemos" for its
instructors to use during class, but they do not want any students connecting to
this wireless network. The instructors need the "InstructorDemos" network to
remain open since some of their IoT devices used during course demonstrations
do not support encryption. Based on the requirements provided, which of the
following configuration settings should you use to satisfy the instructor's
requirements and prevent students from using the "InstructorDemos" network?
Correct Answer: MAC filtering
Incorrect Answers: NAT, QoS, Signal strength
Since the instructors need to keep the wireless network open, the BEST of the options given is MAC filtering, which prevents the students from connecting while leaving the network open. Since the instructors would most likely use the same devices each time, it is relatively easy to build a MAC filtering whitelist of the devices allowed on the open network and reject any device not listed (such as the students' laptops or phones). Note that MAC filtering is a weak control: a MAC address is transmitted in the clear and can be spoofed by anyone who observes an allowed device, so it deters casual use rather than a determined student. Reducing the signal strength would not solve this issue, since students and instructors are in the same classrooms. Network Address Translation and Quality of Service do not prevent the students from accessing or using the open network.
35. The Security Operations Center Director for Dion Training received a pop-up
message on his workstation that said, “You will regret firing me; just wait until
Christmas!” He suspects the message came from a disgruntled former employee
that may have set up a piece of software to create this pop-up on his machine. The
director is now concerned that other code might be lurking within the network that
could create a negative effect on Christmas. He directs his team of cybersecurity
analysts to begin searching the network for this suspicious code. What type of
malware should they be searching for?
Correct Answer: Logic bomb
Incorrect Answer: Trojan, Adware, Worm
A logic bomb is a piece of code intentionally inserted into a software system that will set off a
malicious function when specified conditions are met. For example, a programmer may hide a piece of
code that starts deleting files should they ever be terminated from the company. The director is concerned that a logic bomb may have been planted on his system or across the network before the former employee was fired.
35. Expanded
Logic Bomb
A logic bomb is a type of malicious code that is triggered by a specific event or condition. In this case,
the pop-up message “You will regret firing me; just wait until Christmas!” suggests that the former
employee has set up the code to activate on Christmas. This type of malware remains dormant within a
system until the trigger condition is met. Logic bombs are typically used by insiders who have a
detailed understanding of the organization's network and want to cause damage at a specific time.
Relevance to Security+ (SY0-701) Exam:
For the Security+ exam, understanding logic bombs is important as they fall under the category of
threats and vulnerabilities. The exam covers various types of malware and their characteristics,
including how they are deployed and activated. You should know that logic bombs are time-based or
condition-based threats designed to execute harmful actions when triggered by specific conditions.
Trojan
A Trojan is a type of malware that disguises itself as legitimate software. It tricks users into installing it,
thereby providing attackers access to the victim's system. Trojans can perform a variety of malicious
activities such as stealing data, installing additional malware, or giving remote access to attackers.
Why It's Incorrect:
In this scenario, the primary concern is a timed or event-based attack rather than a disguise or social
engineering attack. The description implies that the malicious code is already present and waiting to
activate, fitting the behavior of a logic bomb rather than a Trojan.
Adware
Adware is software designed to display advertisements on a user’s device, typically to generate revenue
for its creator. While it can be intrusive and impact user experience, adware is not usually designed to
cause serious harm or activate based on specific conditions.
Why It's Incorrect:
The threat described in the scenario involves a timed malicious action, not advertising. Adware does
not typically have the capability to execute time-based or condition-based attacks, which makes it an
incorrect answer.
Worm
A worm is a type of malware that replicates itself and spreads across networks without needing to
attach itself to an existing program. Worms can cause widespread damage by consuming bandwidth,
overloading systems, or delivering payloads like viruses.
Why It's Incorrect:
While worms are dangerous and can cause extensive network issues, they do not typically rely on a
specific condition or date to activate. The scenario specifies a timed activation (Christmas), which is
characteristic of a logic bomb, not a worm.
Summary
The scenario described involves a specific activation condition (Christmas), which is the defining
characteristic of a logic bomb. Understanding different types of malware and their behaviors is
essential for the Security+ exam. Logic bombs are covered under the exam objectives related to threats,
vulnerabilities, and malware types, and you need to be able to identify and differentiate between
various types of malware based on their behaviors and characteristics.
36. Dion Training has a $15,000 server that has been crashing frequently. Over
the past 12 months, the server has crashed 10 times, requiring the server to be
rebooted in order to recover from the crash. Each time, this has resulted in a 5%
loss of functionality or data. Based on this information, what is the Annual Loss
Expectancy (ALE) for this server?
Correct Answer: $7,500
Incorrect Answers: $1500,
To calculate the ALE, you multiply the Single Loss Expectancy (SLE) by the Annual Rate of Occurrence (ARO). The SLE is calculated by multiplying the Exposure Factor (EF) by the Asset Value (AV). Therefore, SLE = EF x AV, and ALE = SLE x ARO. For this scenario, the asset value is $15,000, the annual rate of occurrence is 10 times per year, and the exposure factor is 5% (or 0.05). To calculate the SLE, SLE = 0.05 x $15,000 = $750. Therefore, the ALE = SLE x ARO = $750 x 10 = $7,500.
37. Which party in a federation provides services to members of the federation?
Correct Answer: RP
Incorrect Answer: SAML, SSO,IdP
Relying parties (RPs) provide services to members of a federation. An identity provider (IdP) provides identities, makes assertions about those identities, and releases information about the identity holders. The Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, specifically between an identity provider and a service provider (SP) or relying party (RP). Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID and password to any of several related yet independent software systems across a federation. SAML and SSO are not parties, so they cannot be the right answer to this question.
38. Review the following packet captured at your NIDS:
After reviewing the packet above, you discovered there is an unauthorized service running on the host.
Which of the following ACL entries should be implemented to prevent further access to the
unauthorized service while maintaining full access to the approved services running on this host?
Correct Answer: DENY TCP ANY HOST 71.168.10.45 EQ 3389
Incorrect Answers: DENY IP HOST 86.18.10.3 EQ 3389
DENY IP HOST 71.168.10.45 ANY EQ 25
DENY TCP ANY HOST 86.18.10.3 EQ 25
Since the question asks you to prevent access to the unauthorized service, you need to block port 3389 from accepting connections on 71.168.10.45 (the host). This entry denies ANY source from connecting to the host over the unauthorized Remote Desktop Protocol service (TCP port 3389) while leaving every other port on the host untouched. The two entries that reference port 25 would block an approved service rather than the unauthorized one, the entries naming 86.18.10.3 target the wrong host, and an entry written against the IP protocol cannot specify a port at all, since port numbers only apply to TCP and UDP.
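To check the candidate entries the way a firewall would, here is an added example (not from the original study guide) of a small evaluator for Cisco-style extended ACL entries. The packets, the trailing PERMIT IP ANY ANY line and the source address 203.0.113.7 are constructed for the illustration; the packet capture from the question is not reproduced here, and only the ANY and HOST address forms are parsed.

```python
"""Added example: parse and evaluate Cisco-style extended ACL entries (ANY/HOST only)."""
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _parse_addr(tokens, i):
    """Consume ANY or HOST <ip>; return (matcher, next index)."""
    tok = tokens[i].upper()
    if tok == "ANY":
        return (lambda ip: True), i + 1
    if tok == "HOST":
        want = tokens[i + 1]
        return (lambda ip: ip == want), i + 2
    raise ValueError(f"unsupported address spec {tokens[i]!r}")


def _parse_port(tokens, i):
    """Consume an optional EQ <port>; return (port or None, next index)."""
    if i < len(tokens) and tokens[i].upper() == "EQ":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_ace(line):
    """Parse '<PERMIT|DENY> <proto> <src> [EQ p] <dst> [EQ p]' into a dict of matchers."""
    t = line.split()
    if len(t) < 4:
        raise ValueError(f"too short: {line!r}")
    action, proto = t[0].upper(), t[1].lower()
    if action not in ("PERMIT", "DENY") or proto not in ("ip", "tcp", "udp", "icmp"):
        raise ValueError(f"bad action or protocol: {line!r}")
    src, i = _parse_addr(t, 2)
    sport, i = _parse_port(t, i)
    if i >= len(t):
        raise ValueError(f"missing destination: {line!r}")
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    if i != len(t):
        raise ValueError(f"trailing tokens: {line!r}")
    if proto in ("ip", "icmp") and (sport is not None or dport is not None):
        raise ValueError(f"ports only apply to tcp/udp: {line!r}")
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "line": line}


def is_valid_ace(line):
    """True if the entry parses; malformed options from the question return False."""
    try:
        parse_ace(line)
        return True
    except ValueError:
        return False


def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if not ace["src"](pkt.src) or not ace["dst"](pkt.dst):
        return False
    if ace["sport"] is not None and ace["sport"] != pkt.sport:
        return False
    if ace["dport"] is not None and ace["dport"] != pkt.dport:
        return False
    return True


def evaluate(acl, pkt):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"]
    return "DENY"


if __name__ == "__main__":
    acl = [parse_ace("DENY TCP ANY HOST 71.168.10.45 EQ 3389"),
           parse_ace("PERMIT IP ANY ANY")]               # constructed trailing permit
    for port in (3389, 443, 25):
        pkt = Packet("tcp", "203.0.113.7", "71.168.10.45", dport=port)
        print(port, evaluate(acl, pkt))
    for bad in ("DENY IP HOST 86.18.10.3 EQ 3389", "DENY IP HOST 71.168.10.45 ANY EQ 25"):
        print(bad, "->", "valid" if is_valid_ace(bad) else "malformed")
```

With the correct entry in front of a permit, RDP to the host is denied while 443 and 25 still pass; the entry aimed at 86.18.10.3 leaves RDP on 71.168.10.45 permitted, and the two IP-protocol entries with port numbers do not even parse. One practical caveat: modern RDP also uses UDP 3389, so a production rule set would add a matching UDP entry.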
39. If you are unable to ping a target because you are receiving no response or a
response that states the destination is unreachable, then ICMP may be disabled on
the remote end. If you wanted to try to elicit a response from a host using TCP,
what tool would you use?
Correct Answer: Hping
Incorrect Answers: Broadcast Ping, TCP ping, Traceroute
Hping is a handy little utility that assembles and sends custom ICMP, UDP, or TCP packets and then
displays any replies. It was inspired by the ping command but offered far more control over the probes
sent. It also has a handy traceroute mode and supports IP fragmentation. Hping is particularly useful
when trying to traceroute/ping/probe hosts behind a firewall that blocks attempts using the standard
utilities. This often allows you to map out firewall rule sets. It is also great for learning more about
TCP/IP and experimenting with IP protocols. Hping does not support IPv6, though, so the creators of
NMAP have created Nping to fill this gap and serve as an updated variant of Hping. Traceroute and tracert are network diagnostic commands for displaying the route and measuring transit delays of packets across an Internet Protocol network. Traceroute on Linux sends UDP probes by default and tracert on Windows uses ICMP; although some traceroute versions can send TCP probes, it is a path-discovery tool rather than a host probe. Broadcast ping is simply pinging the broadcast IP of the subnet using the ping command, but if a regular ping does not work, neither will a broadcast ping. Ptunnel is an application that allows you to reliably tunnel TCP connections to a remote host using ICMP echo request and reply packets, commonly known as ping requests and replies. This is used as a covert channel, not as a method of eliciting a response from a host using TCP.
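What "eliciting a response using TCP" means in practice, as an added example that is not from the original study guide: a pure-Python probe standing in for `hping3 -S -p <port> <host>`. It uses a full connect() rather than hping's raw SYN packets (raw sockets need root), but it classifies the same three outcomes an analyst reads from hping's replies: SYN/ACK (open), RST (closed, but the host is up), or silence (filtered). The loopback listener helpers exist only so the example runs offline.

```python
"""Added example: TCP-based host probe (connect() stand-in for an hping SYN probe)."""
import errno
import socket


def tcp_ping(host, port, timeout=2.0):
    """Try a TCP handshake and classify the response the way a SYN probe would."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        rc = s.connect_ex((host, port))   # error indicator instead of an exception
    if rc == 0:
        return "open"        # SYN/ACK came back: host is up and the port is listening
    if rc == errno.ECONNREFUSED:
        return "closed"      # RST came back: host is up even though nothing listens here
    return "filtered"        # timed out or unreachable: a firewall is dropping the probe


def host_is_up(host, ports=(80, 443, 22), timeout=2.0):
    """A host that answers SYN/ACK or RST on any port is alive, even if it drops ICMP."""
    return any(tcp_ping(host, p, timeout) in ("open", "closed") for p in ports)


def start_dummy_listener(host="127.0.0.1"):
    """Constructed target: a loopback listener so 'open' can be demonstrated offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))                  # port 0: let the OS choose
    srv.listen(1)                        # kernel completes handshakes into the backlog
    return srv, srv.getsockname()[1]


def free_port(host="127.0.0.1"):
    """Pick a port nothing listens on, so 'closed' (RST) can be demonstrated offline."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_dummy_listener()
    print(f"127.0.0.1:{port} -> {tcp_ping('127.0.0.1', port)}")
    closed = free_port()
    print(f"127.0.0.1:{closed} -> {tcp_ping('127.0.0.1', closed)}")
    print("host up:", host_is_up("127.0.0.1", ports=(port,)))
    srv.close()
```

The point of host_is_up() is the one the question is making: a closed port still answers with a RST, so a host that blocks ICMP echo can be confirmed alive over TCP; only a filtered port gives no answer at all.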
39. Nicole's organization does not have the budget or staff to conduct 24/7
security monitoring of their network. To supplement her team, she contracts with a
managed SOC service. Which of the following services or providers would be best
suited for this role?
Correct Answer: MSSP
Incorrect Answers: PaaS, IaaS, SaaS
A managed security service provider (MSSP) provides security as a service (SECaaS), including the 24/7 monitoring Nicole needs. IaaS, PaaS, and SaaS (infrastructure, platform, and software as a service) do not include security monitoring as part of their core service offerings. Of the options, only an MSSP, a managed service provider (MSP) specializing in security, fits this role. This question may seem beyond the scope of the exam, but the objectives allow for
suited for this role. This question may seem beyond the scope of the exam, but the objectives allow for
"other examples of technologies, processes, or tasks pertaining to each objective may also be included
on the exam although not listed or covered" in the bulletized lists of the objectives. The exam tests the
equivalent to 4 years of hands-on experience in a technical cybersecurity job role. The content
examples listed in the objectives are meant to clarify the test objectives and should not be construed as
a comprehensive listing of all the content of this examination. Therefore, questions like this are fair
game on test day. That said, your goal isn’t to score 100% on the exam; it is to pass it. Don't let
questions like this throw you off on test day. If you aren't sure, take your best guess and move on!
40. You have been asked to write a new security policy to reduce the risk of
employees working together to steal information from the Dion Training corporate
network. Which of the following policies should you create to counter this threat?
Correct Answer: Mandatory vacation policy
Incorrect Answers: Least privilege policy, Acceptable use policy, Privacy Policy
A mandatory vacation policy requires that all users take time away from work to enjoy a break from the day-to-day routine of their jobs. But there is a major side benefit to mandatory vacations with regard to
your company's security posture. By requiring mandatory vacations, it will require the company to
have another employee fill in for the vacationing employee's normal roles and responsibilities. By
doing this, the employee who is filling in might come across fraud, abuse, or theft that the vacationing
employee is a part of. The concept of least privilege may not stop this theft from occurring, since two
employees could work together to steal information that each of them has access to as part of their job.
Also, acceptable use simply outlines the types of activities that are allowed and not allowed; it won't
prevent theft from occurring. A privacy policy discusses how information should be properly stored and
secured, but this won't stop an employee from stealing information or detecting if the information was
stolen.