CompTIA Security+ Question L-88

An administrator connects VoIP phones to the same switch as the network PCs and printers. Which of the following would provide the BEST logical separation of these three device types while still allowing traffic between them via ACL?

A. Create three VLANs on the switch connected to a router
B. Define three subnets, configure each device to use their own dedicated IP address range, and then connect the network to a router
C. Install a firewall and connect it to the switch
D. Install a firewall and connect it to a dedicated switch for each device type

Answer: A

A virtual local area network (VLAN) is a hardware-imposed network segmentation created by switches. VLANs are used for traffic management. Communications between ports within the same VLAN occur without hindrance, but communications between VLANs require a routing function.

CompTIA Security+ Question L-53

Peter, the security administrator, has determined that one of his web servers is under attack. Which of the following can help determine where the attack originated from?

A. Capture system image
B. Record time offset
C. Screenshots
D. Network sniffing

Answer: D

Network sniffing is the process of capturing and analyzing the packets sent between systems on the network. A network sniffer is also known as a Protocol Analyzer.

A Protocol Analyzer is a hardware device or more commonly a software program used to capture network data communications sent between devices on a network. Capturing and analyzing the packets sent to the web server will help determine the source IP address of the system sending the packets. Well known software protocol analyzers include Message Analyzer (formerly Network Monitor) from Microsoft and Wireshark (formerly Ethereal).

CompTIA Security+ Question L-8

A server with the IP address of has been having intermittent connection issues. The logs show repeated connection attempts from the following IPs:
These attempts are overloading the server to the point that it cannot respond to traffic. Which of the following attacks is occurring?

C. DoS
D. Xmas

Answer: B

A Distributed Denial of Service (DDoS) attack is an attack from several different computers targeting a single computer. One common method of attack involves saturating the target machine with external communications requests, so much so that it cannot respond to legitimate traffic, or responds so slowly as to be rendered essentially unavailable. Such attacks usually lead to a server overload.

A distributed denial-of-service (DDoS) attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. Such an attack is often the result of multiple compromised systems (for example a botnet) flooding the targeted system with traffic. When a server is overloaded with connections, new connections can no longer be accepted. The major advantages to an attacker of using a distributed denial-of-service attack are that multiple machines can generate more attack traffic than one machine, multiple attack machines are harder to turn off than one attack machine, and that the behavior of each attack machine can be stealthier, making it harder to track and shut down. These attacker advantages cause challenges for defense mechanisms. For example, merely purchasing more incoming bandwidth than the current volume of the attack might not help, because the attacker might be able to simply add more attack machines. This after all will end up completely crashing a website for periods of time. Malware can carry DDoS attack mechanisms; one of the better-known examples of this was MyDoom. Its DoS mechanism was triggered on a specific date and time. This type of DDoS involved hardcoding the target IP address prior to release of the malware and no further interaction was necessary to launch the attack.

CompTIA Security+ Question L-4

An administrator is investigating a system that may potentially be compromised, and sees the following log entries on the router.
*Jul 15 14:47:29.779:%Router1: list 101 permitted tcp (FastEthernet 0/3) -> (6667), 3 packets.
*Jul 15 14:47:38.779:%Router1: list 101 permitted tcp (FastEthernet 0/3) -> (6667), 6 packets.
*Jul 15 14:47:45.779:%Router1: list 101 permitted tcp (FastEthernet 0/3) -> (6667), 8 packets.
Which of the following BEST describes the compromised system?

A. It is running a rogue web server
B. It is being used in a man-in-the-middle attack
C. It is participating in a botnet
D. It is an ARP poisoning attack

Answer: C

In this question, we have a source computer ( sending data to a single destination IP address No data is being received back by source computer which suggests the data being sent is some kind of Denial-of-service attack. This is common practice for computers participating in a botnet. The port used is TCP 6667 which is IRC (Internet Relay Chat). This port is used by many Trojans and is commonly used for DoS attacks.

Software running on infected computers called zombies is often known as a botnet. Bots, by themselves, are but a form of software that runs automatically and autonomously. (For example, Google uses the Googlebot to find web pages and bring back values for the index.) Botnet, however, has come to be the word used to describe malicious software running on a zombie and under the control of a bot-herder. Denial-of-service attacks—DoS and DDoS—can be launched by botnets, as can many forms of adware, spyware, and spam (via spambots). Most bots are written to run in the background with no visible evidence of their presence. Many malware kits can be used to create botnets and modify existing ones.

CompTIA Security+ Question K-87

A user has unknowingly gone to a fraudulent site. The security analyst notices the following system change on the user’s host:
Old `hosts’ file: localhost
New `hosts’ file: localhost
Which of the following attacks has taken place?

A. Spear phishing
B. Pharming
C. Phishing
D. Vishing

Answer: B

We can see in this question that a fraudulent entry has been added to the user’s hosts file. This will point the URL: to instead of the correct IP address. Similar in nature to e-mail phishing, pharming seeks to obtain personal or private (usually financial related) information through domain spoofing. Rather than being spammed with malicious and mischievous e-mail requests for you to visit spoof Web sites which appear legitimate, pharming ‘poisons’ a DNS server (or hosts file) by infusing false information into the DNS server, resulting in a user’s request being redirected elsewhere. Your browser, however will show you are at the correct Web site, which makes pharming a bit more serious and more difficult to detect. Phishing attempts to scam people one at a time with an e-mail while pharming allows the scammers to target large groups of people at one time through domain spoofing.

CompTIA Security+ Question K-81

A network administrator wants to block both DNS requests and zone transfers coming from outside IP addresses. The company uses a firewall which implements an implicit allow and is currently configured with the following ACL applied to its external interface.
Which of the following rules would accomplish this task? (Select TWO).

A. Change the firewall default settings so that it implements an implicit deny
B. Apply the current ACL to all interfaces of the firewall
C. Remove the current ACL
D. Add the following ACL at the top of the current ACL DENY TCP ANY ANY 53
E. Add the following ACL at the bottom of the current ACL DENY ICMP ANY ANY 53
F. Add the following ACL at the bottom of the current ACL DENY IP ANY ANY 53

Answer: A,F

Implicit deny is the default security stance that says if you aren’t specifically granted access or privileges for a resource, you’re denied access by default. Implicit deny is the default response when an explicit allow or deny isn’t present.

DNS operates over TCP and UDP port 53. TCP port 53 is used for zone transfers. These are zone file exchanges between DNS servers, special manual queries, or used when a response exceeds 512 bytes. UDP port 53 is used for most typical DNS queries.

CompTIA Security+ Question K-75

Peter analyzed the following log and determined the security team should implement which of the following as a mitigation method against further attempts?
00: 01]Successful Login: 015 : local
00: 03]Unsuccessful Login: 022 : RDP
00: 04]UnSuccessful Login: 010 : RDP
00: 07]UnSuccessful Login: 007 : RDP
00: 08]UnSuccessful Login: 003 : RDP

Monitor system logs

Answer: D

We can see a number of unsuccessful login attempts using a Remote Desktop Connection (using the RDP protocol) from a computer with the IP address Someone successfully logged in locally. This is probably an authorized login (for example, Peter logging in). Hardening is the process of securing a system. We can harden (secure) the system by either disallowing remote desktop connections altogether or by restricting which IPs are allowed to initiate remote desktop connections.

CompTIA Security+ Question K-47

Which of the following devices is used for the transparent security inspection of network traffic by redirecting user packets prior to sending the packets to the intended destination?

A. Proxies
B. Load balancers
C. Protocol analyzer
D. VPN concentrator

Answer: A

A proxy is a device that acts on behalf of other(s). A commonly used proxy in computer networks is a web proxy. Web proxy functionality is often combined into a proxy firewall.

A proxy firewall can be thought of as an intermediary between your network and any other network. Proxy firewalls are used to process requests from an outside network; the proxy firewall examines the data and makes rule-based decisions about whether the request should be forwarded or refused. The proxy intercepts all of the packets and reprocesses them for use internally. This process includes hiding IP addresses. The proxy firewall provides better security than packet filtering because of the increased intelligence that a proxy firewall offers. Requests from internal network users are routed through the proxy. The proxy, in turn, repackages the request and sends it along, thereby isolating the user from the external network. The proxy can also offer caching, should the same request be made again, and it can increase the efficiency of data delivery.

CompTIA Security+ Question J-67

Which of the following is a step in deploying a WPA2-Enterprise wireless network?

A. Install a token on the authentication server
B. Install a DHCP server on the authentication server
C. Install an encryption key on the authentication server
D. Install a digital certificate on the authentication server

Answer: D

When setting up a wireless network, you’ll find two very different modes of Wi-Fi Protected Access (WPA) security, which apply to both the WPA and WPA2 versions. The easiest to setup is the Personal mode, technically called the Pre-Shared Key (PSK) mode. It doesn’t require anything beyond the wireless router or access points (APs) and uses a single passphrase or password for all users/devices. The other is the Enterprise mode —which should be used by businesses and organizations—and is also known as the RADIUS, 802.1X, 802.11i, or EAP mode. It provides better security and key management, and supports other enterprise-type functionality, such as VLANs and NAP. However, it requires an external authentication server, called a Remote Authentication Dial In User Service (RADIUS) server to handle the 802.1X authentication of users.

To help you better understand the process of setting up WPA/WPA2-Enterprise and 802.1X, here’s the basic overall steps: Choose, install, and configure a RADIUS server, or use a hosted service.

Create a certificate authority (CA), so you can issue and install a digital certificate onto the RADIUS server, which may be done as a part of the RADIUS server installation and configuration. Alternatively, you could purchase a digital certificate from a public CA, such as GoDaddy or Verisign, so you don’t have to install the server certificate on all the clients. If using EAP-TLS, you’d also create digital certificates for each end-user. On the server, populate the RADIUS client database with the IP address and shared secret for each AP. On the server, populate user data with usernames and passwords for each end-user. On each AP, configure the security for WPA/WPA2-Enterprise and input the RADIUS server IP address and the shared secret you created for that particular AP. On each Wi-Fi computer and device, configure the security for WPA/WPA2-Enterprise and set the 802.1X authentication settings.

CompTIA Security+ Question J-46

A security analyst noticed a colleague typing the following command:
`Telnet some-host 443’
Which of the following was the colleague performing?

A. A hacking attempt to the some-host web server with the purpose of achieving a distributed denial of service attack.
B. A quick test to see if there is a service running on some-host TCP/443, which is being routed correctly and not blocked by a firewall.
C. Trying to establish an insecure remote management session. The colleague should be using SSH or terminal services instead.
D. A mistaken port being entered because telnet servers typically do not listen on port 443.

Answer: B

B: The Telnet program parameters are: telnet is the name or IP address of the remote server to connect to. is the port number of the service to use for the connection. TCP port 443 provides the HTTPS (used for secure web connections) service; it is the default SSL port. By running the Telnet some-host 443 command, the security analyst is checking that routing is done properly and not blocked by a firewall.