CompTIA Security+ Question A-80

A network administrator identifies sensitive files being transferred from a workstation in the LAN to an unauthorized outside IP address in a foreign country. An investigation determines that the firewall has not been altered, and antivirus is up-to-date on the workstation. Which of the following is the MOST likely reason for the incident?

A. MAC Spoofing
B. Session Hijacking
C. Impersonation
D. Zero-day

Answer: D

Explanation:
This question states that antivirus is up to date on the workstation and the firewall has not been altered. The antivirus software is up to date with all ‘known’ viruses. A zero day vulnerability is an unknown vulnerability, so no patch or virus definition has been released for it yet.

A zero day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware of it and hurries to fix it; this exploit is called a zero day attack. Zero day attacks can be used to infiltrate malware or spyware, or to allow unwanted access to user information. The term “zero day” refers to the fact that the hole is unknown to anyone other than the hackers, in particular to the developers. Once the vulnerability becomes known, a race begins for the developer, who must protect users.

CompTIA Security+ Question A-79

An overseas branch office within a company has many more technical and non-technical security incidents than other parts of the company. Which of the following management controls should be introduced to the branch office to improve their state of security?

A. Initial baseline configuration snapshots
B. Firewall, IPS and network segmentation
C. Event log analysis and incident response
D. Continuous security monitoring processes

Answer: D

Explanation:
Continuous monitoring may involve regular measurements of network traffic levels, routine evaluations for regulatory compliance, and checks of network security device configurations. It also points toward the never-ending review of what resources a user actually accesses, which is critical for preventing insider threats.

Incorrect Options:

A: An initial baseline configuration snapshot would allow a standardized minimum level of security, with which all systems in an organization must comply, to be enforced. This will not cover the non-technical security incidents.

B: A firewall, IPS and network segmentation will offer technical protection, but not non-technical security protection.

C: Event log analysis and incident response will not cover the non-technical security incidents.

Reference:

Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, p. 154.

Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 207, 208.

CompTIA Security+ Question A-78

A company would like to take electronic orders from a partner; however, they are concerned that a non-authorized person may send an order. The legal department asks if there is a solution that provides non-repudiation. Which of the following would meet the requirements of this scenario?

A. Encryption
B. Digital signatures
C. Steganography
D. Hashing
E. Perfect forward secrecy

Answer: B

Explanation:
A digital signature is an electronic mechanism to prove that a message was sent from a specific user (that is, it provides for non-repudiation) and that the message wasn’t changed while in transit (it also provides integrity). Thus digital signatures will meet the stated requirements.

CompTIA Security+ Question A-77

When employees who use certificates leave the company, they should be added to which of the following?

A. PKI
B. CA
C. CRL
D. TKIP

Answer: C

Explanation:
The certificates of the leaving employees must be made unusable. This is done by revoking them. The revoked certificates end up in the CRL. Note: The CRL (Certificate Revocation List) is exactly what its name implies: a list of subscribers paired with digital certificate status. The list enumerates revoked certificates along with the reason(s) for revocation. The dates of certificate issue, and the entities that issued them, are also included. In addition, each list contains a proposed date for the next release.
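The checks a relying party performs against a CRL, written as an added example (not code from the question bank) over a constructed, simplified CRL record; a real CRL is DER-encoded X.509 and would be parsed with a crypto library. The issuer name, serials and dates below are assumptions made up for the illustration.

```python
"""Check a certificate serial against a Certificate Revocation List (CRL).

The CRL below is a constructed model of the fields the explanation lists:
issuer, revoked serials with reason and revocation date, and the date the
next list is due.  A stale or foreign CRL cannot answer the question, so
the checker fails closed ("unknown") instead of reporting "good".
"""
from datetime import datetime, timezone


def _utc(s):
    """Parse an ISO timestamp as UTC (helper for the constructed data)."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample CRL published by a (hypothetical) corporate issuing CA.
SAMPLE_CRL = {
    "issuer": "CN=Corp Issuing CA",
    "this_update": _utc("2024-03-01T00:00:00"),
    "next_update": _utc("2024-03-08T00:00:00"),   # proposed date of next release
    "revoked": {
        # serial -> (revocation date, reason)
        "1A2B": (_utc("2024-02-28T09:30:00"), "affiliationChanged"),  # employee left
        "7F00": (_utc("2024-02-20T12:00:00"), "keyCompromise"),
    },
}


def check_certificate(crl, issuer, serial, now):
    """Return (status, detail).

    status is "good" (fresh CRL from the right issuer, serial not listed),
    "revoked" (serial listed; detail gives reason and date) or "unknown"
    (CRL is stale or from another issuer, so it cannot vouch for the cert).
    """
    if crl["issuer"] != issuer:
        return "unknown", "CRL issued by %s, certificate by %s" % (crl["issuer"], issuer)
    if now > crl["next_update"]:
        return "unknown", "CRL stale: next update was due %s" % crl["next_update"].isoformat()
    entry = crl["revoked"].get(serial)
    if entry is not None:
        revoked_at, reason = entry
        return "revoked", "%s at %s" % (reason, revoked_at.isoformat())
    return "good", "not listed"


if __name__ == "__main__":
    now = _utc("2024-03-05T00:00:00")
    for serial in ("1A2B", "7F00", "0001"):
        print(serial, check_certificate(SAMPLE_CRL, "CN=Corp Issuing CA", serial, now))
```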

CompTIA Security+ Question A-76

An organization is required to log all user internet activity. Which of the following would accomplish this requirement?

A. Configure an access list on the default gateway router. Configure the default gateway router to log all web traffic to a syslog server
B. Configure a firewall on the internal network. In the client IP address configuration, use the IP address of the firewall as the default gateway, and configure the firewall to log all traffic to a syslog server
C. Configure a proxy server on the internal network and configure the proxy server to log all web traffic to a syslog server
D. Configure an access list on the core switch, and configure the core switch to log all web traffic to a syslog server

Answer: C

CompTIA Security+ Question A-75

Which of the following is required to allow multiple servers to exist on one physical server?

A. Software as a Service (SaaS)
B. Platform as a Service (PaaS)
C. Virtualization
D. Infrastructure as a Service (IaaS)

Answer: C

Explanation:
Virtualization allows a single set of hardware to host multiple virtual machines.

CompTIA Security+ Question A-74

The IT department has set up a SharePoint site to be used on the intranet. Security has established the groups and permissions on the site. No one may modify the permissions, and all requests for access are centrally managed by the security team. This is an example of which of the following control types?

A. Rule based access control
B. Mandatory access control
C. User assigned privilege
D. Discretionary access control

Answer: D

Explanation:
Discretionary access control (DAC) allows access to be granted or restricted by an object’s owner based on user identity and on the discretion of the object owner.

CompTIA Security+ Question A-73

A security administrator is notified that users attached to a particular switch are having intermittent connectivity issues. Upon further research, the administrator finds evidence of an ARP spoofing attack. Which of the following could be utilized to provide protection from this type of attack?

A. Configure MAC filtering on the switch.
B. Configure loop protection on the switch.
C. Configure flood guards on the switch.
D. Configure 802.1x authentication on the switch.

Answer: C

Explanation:
ARP spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network. This results in the linking of an attacker’s MAC address with the IP address of a legitimate computer or server on the network. Once the attacker’s MAC address is connected to an authentic IP address, the attacker will begin receiving any data that is intended for that IP address. ARP spoofing can enable malicious parties to intercept, modify or even stop data in transit. ARP spoofing attacks can only occur on local area networks that utilize the Address Resolution Protocol. To perform ARP spoofing the attacker floods the network with spoofed ARP packets. As other hosts on the LAN cache the spoofed ARP packets, data that those hosts send to the victim will go to the attacker instead. From here, the attacker can steal data or launch a more sophisticated follow-up attack.

A flood guard configured on the network switch will block the flood of spoofed ARP packets.
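The two signatures the explanation describes, an IP suddenly claimed by a second MAC and a burst of ARP replies from one source, can be spotted from observed ARP traffic. The detector below is an added example (not code from the question bank) run over a constructed packet list; the IPs, MACs and thresholds are assumptions for the illustration, and in practice the records would come from a packet capture or a switch's ARP inspection logs.

```python
"""Flag ARP spoofing indicators in a sequence of observed ARP packets.

Each record is (time_sec, opcode, sender_ip, sender_mac); opcode 1 is a
request, 2 a reply.  The sample is constructed: 10.0.0.1 is the legitimate
gateway, and from t=5.0 a second MAC starts claiming that IP in a burst.
"""
from collections import defaultdict

SAMPLE_ARP = [
    (0.0, 2, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    (1.0, 1, "10.0.0.7", "cc:cc:cc:cc:cc:07"),
    (5.0, 2, "10.0.0.1", "bb:bb:bb:bb:bb:99"),  # gateway IP now claimed by another MAC
    (5.1, 2, "10.0.0.1", "bb:bb:bb:bb:bb:99"),
    (5.2, 2, "10.0.0.1", "bb:bb:bb:bb:bb:99"),
    (5.3, 2, "10.0.0.1", "bb:bb:bb:bb:bb:99"),
    (5.4, 2, "10.0.0.1", "bb:bb:bb:bb:bb:99"),
    (5.5, 2, "10.0.0.1", "bb:bb:bb:bb:bb:99"),
]


def detect_arp_spoofing(packets, window=1.0, flood_threshold=5):
    """Return a list of alert dicts, in the order the indicators were seen.

    ip_mac_conflict: an IP previously bound to one MAC is announced by a
        different MAC (the cache-poisoning signature).
    reply_flood: one MAC sends more than `flood_threshold` ARP replies
        within `window` seconds (the burst a switch flood guard would block).
    """
    alerts = []
    ip_to_mac = {}                 # last MAC seen claiming each IP
    reply_times = defaultdict(list)  # recent reply timestamps per MAC
    for ts, opcode, ip, mac in packets:
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            alerts.append({"type": "ip_mac_conflict", "ip": ip,
                           "old_mac": known, "new_mac": mac, "time": ts})
        ip_to_mac[ip] = mac        # track the new claim so flapping is reported too
        if opcode == 2:
            times = reply_times[mac]
            times.append(ts)
            while times and ts - times[0] > window:   # slide the window
                times.pop(0)
            if len(times) > flood_threshold:
                alerts.append({"type": "reply_flood", "mac": mac,
                               "count": len(times), "time": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP):
        print(alert)
```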

CompTIA Security+ Question A-72

It is MOST important to make sure that the firewall is configured to do which of the following?

A. Alert management of a possible intrusion.
B. Deny all traffic and only permit by exception.
C. Deny all traffic based on known signatures.
D. Alert the administrator of a possible intrusion.

Answer: B

Explanation:
Firewalls manage traffic using filters; a filter is just a rule or set of rules. A recommended guideline for firewall rules is, “deny by default; allow by exception”.

CompTIA Security+ Question A-71

Jane, a VPN administrator, was asked to implement an encryption cipher with a MINIMUM effective security of 128-bits. Which of the following should Jane select for the tunnel encryption?

A. Blowfish
B. DES
C. SHA256
D. HMAC

Answer: A

Explanation:
Blowfish is a fast symmetric block cipher with a 64-bit block size. It can use variable-length keys (from 32 bits to 448 bits). Among the alternatives listed above, it is the only cipher that can use a 128-bit key, and as a symmetric cipher it provides the encryption the tunnel requires.