CompTIA Security+ Simulation 15

Configure the firewall to allow these four rules:

Correct Answer:

Use the following answer for this simulation task.

Source IP Destination IP Port number TCP/UDP Allow/Deny
10.4.255.10/24 10.4.255.101 443 TCP Allow
10.4.255.10/23 10.4.255.2 22 TCP Allow
10.4.255.10/25 10.4.255.101 Any Any Allow
10.4.255.10/25 10.4.255.102 Any Any Allow

Firewall rules act like ACLs, and they are used to dictate what traffic can pass between the firewall and the internal network. Three possible actions can be taken based on the rule’s criteria:
– Block the connection
– Allow the connection
– Allow the connection only if it is secured

TCP is responsible for providing a reliable, one-to-one, connection-oriented session. TCP establishes a connection and ensures that the other end receives any packets sent. Two hosts communicate packet results with each other. TCP also ensures that packets are decoded and sequenced properly. This connection is persistent during the session. When the session ends, the connection is torn down.

UDP provides an unreliable connectionless communication method between hosts. UDP is considered a best-effort protocol, but it’s considerably faster than TCP. The sessions don’t establish a synchronized session like the kind used in TCP, and UDP doesn’t guarantee error-free communications. The primary purpose of UDP is to send small packets of information. The application is responsible for acknowledging the correct reception of the data.

Port 22 is used by both SSH and SCP with UDP.
Port 443 is used for secure web connections – HTTPS and is a TCP port.

Thus to make sure only the Accounting computer has HTTPS access to the Administrative server you should use TCP port 443 and set the rule to allow communication between 10.4.255.10/24 (Accounting) and 10.4.255.101 (Administrative server1)

Thus to make sure that only the HR computer has access to Server2 over SCP you need use of TCP port 22 and set the rule to allow communication between 10.4.255.10/23 (HR) and 10.4.255.2 (server2)

Thus to make sure that the IT computer can access both the Administrative servers you need to use a port and accompanying port number and set the rule to allow communication between:
10.4.255.10.25 (IT computer) and 10.4.255.101 (Administrative server1)
10.4.255.10.25 (IT computer) and 10.4.255.102 (Administrative server2)

References:
Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sybex, Indianapolis

CompTIA Security+ Simulation 14

For each of the given items, select the appropriate authentication category from the drop down choices.

Select the appropriate authentication type for the following items:

Correct Answer:


Biometrics refers to a collection of physical attributes of the human body that can be used as identification or an authentication factor. Fingerprints and retinas are physical attributes of the human body.

Two types of tokens exist, Time-based one-time password (TOTP) tokens and HMAC-based onetime password (HOTP). TOTP tokens generate passwords at fixed time intervals, whereas HOTP tokens generate passwords not based on fixed time intervals but instead based on a nonrepeating one-way function, such as a hash or HMAC operation.

Smart cards can have Multi-factor and proximity authentication embedded into it.

PAP allows for two entities to share a password in advance and use the password as the basis of
authentication. The same goes for PIN numbers.

http://en.wikipedia.org/wiki/Password_authentication_protocol#Working_cycle
http://en.wikipedia.org/wiki/Smart_card#Security

CompTIA Security+ Simulation 13

Which of the following BEST describes the type of attack that is occurring?
A. Smurf Attack
B. Man in the middle
C. Backdoor
D. Replay
E. Spear Phishing
F. Xmas Attack
G. Blue Jacking
H. Ping of Death



Correct Answer: A

The exhibit shows that all the computers on the network are being ‘pinged’. This indicates that the ping request was sent to the network broadcast address. We can also see that all the replies were received by one (probably with a spoofed address) host on the network. This is typical of a smurf attack.

A smurf attack is a type of network security breach in which a network connected to the Internet is swamped with replies to ICMP echo (PING) requests. A smurf attacker sends PING requests to an Internet broadcast address. These are special addresses that broadcast all received messages to the hosts connected to the subnet. Each broadcast address can support up to 255 hosts, so a single PING request can be multiplied 255 times. The return address of the request itself is spoofed to be the address of the attacker’s victim. All the hosts receiving the PING request reply to this victim’s address instead of the real sender’s address. A single attacker sending hundreds or thousands of these PING messages per second can fill the victim’s T-1 (or even T-3) line with ping replies, bring the entire Internet service to its knees.

Smurfing falls under the general category of Denial of Service attacks — security attacks that don’t try to steal information, but instead attempt to disable a computer or network.

CompTIA Security+ Simulation 12

Which of the following BEST describes the type of attack that is occurring? (Select TWO).

A. DNS spoofing
B. Man-in-the-middle
C. Backdoor
D. Replay
E. ARP attack
F. Spear phishing
G. Xmas attack






Correct Answer: A, E

We have a legit bank web site and a hacker bank web site. The hacker has a laptop connected to the network. The hacker is redirecting bank web site users to the hacker bank web site instead of the legit bank web site. This can be done using two methods: DNS Spoofing and ARP Attack (ARP Poisoning).

A: DNS spoofing (or DNS cache poisoning) is a computer hacking attack, whereby data is introduced into a Domain Name System (DNS) resolver’s cache, causing the name server to return an incorrect IP address, diverting traffic to the attacker’s computer (or any other computer).

A domain name system server translates a human-readable domain name (such as example.com) into a numerical IP address that is used to route communications between nodes. Normally if the server doesn’t know a requested translation it will ask another server, and the process continues recursively. To increase performance, a server will typically remember (cache) these translations for a certain amount of time, so that, if it receives another request for the same translation, it can reply without having to ask the other server again.

When a DNS server has received a false translation and caches it for performance optimization, it is considered poisoned, and it supplies the false data to clients. If a DNS server is poisoned, it may return an incorrect IP address, diverting traffic to another computer (in this case, the hacker bank web site server).

E: Address Resolution Protocol poisoning (ARP poisoning) is a form of attack in which an attacker changes the Media Access Control (MAC) address and attacks an Ethernet LAN by changing the target computer’s ARP cache with a forged ARP request and reply packets. This modifies the layer -Ethernet MAC address into the hacker’s known MAC address to monitor it. Because the ARP replies are forged, the target computer unintentionally sends the frames to the hacker’s computer first instead of sending it to the original destination. As a result, both the user’s data and privacy are compromised. An effective ARP poisoning attempt is undetectable to the user. ARP poisoning is also known as ARP cache poisoning or ARP poison routing (APR).

CompTIA Security+ Simulation 11

A security administrator discovers that an attack has been completed against a node on the corporate network. All available logs were collected and stored.

You must review all network logs to discover the scope of the attack, check the box of the node(s) that have been compromised and drag and drop the appropriate actions to complete the incident response on the network. The environment is a critical production environment; perform the LEAST disruptive actions on the network, while still performing the appropriate incident responses.

Instructions: The web server, database server, IDS, and User PC are clickable. Check the box of the node(s) that have been compromised and drag and drop the appropriate actions to complete the incident response on the network. Not all actions may be used, and order is not important. If at anytime you would like to bring back the initial state of the simulation, please select the Reset button. When you have completed the simulation, please select the Done button to submit. Once the simulation is submitted, please select the Next button to continue.

Correct Answer:

Database server was attacked; actions should be to capture network traffic and Chain of Custody.

Explanation:
(The database server logs shows the Audit Failure and Audit Success attempts)It is only logical that all the logs will be stored on the database server and the least disruption action on the network to take as a response to the incident would be to check the logs (since these are already collected and stored) and maintain a chain of custody of those logs.


IDS Server Log:

Web Server Log:


Database Server Log:

Users PC Log:

CompTIA Security+ Simulation 10

Drag the items on the left to show the different types of security for the shown devices. Not all fields need to be filled. Not all items need to be used.

Correct Answer:

Mobile Device Security
GPS tracking
Remote wipe
Device Encryption
Strong password

Server in Data Center Security
FM-200
Biometrics
Proximity Badges
Mantrap

CompTIA Security+ Simulation 9

DRAG DROP
A forensic analyst is asked to respond to an ongoing network attack on a server. Place the items in the list below in the correct order in which the forensic analyst should preserve them.

Select and Place:

Correct Answer:


Section: Compliance and Operational Security

When dealing with multiple issues, address them in order of volatility (OOV); always deal with the most volatile first. Volatility can be thought of as the amount of time that you have to collect certain data before a window of opportunity is gone. Naturally, in an investigation you want to collect everything, but some data will exist longer than others, and you cannot possibly collect all of it once. As an example, the OOV in an investigation may be RAM, hard drive data, CDs/DVDs, and printouts.

Order of volatility: Capture system images as a snapshot of what exists, look at network traffic and logs, capture any relevant video/screenshots/hashes, record time offset on the systems, talk to witnesses, and track total man-hours and expenses associated with the investigation.

References:
Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sybex, Indianapolis

CompTIA Security+ Simulation 8

HOTSPOT
The security administrator has installed a new firewall which implements an implicit DENY policy by default Click on the firewall and configure it to allow ONLY the following communication.

1. The Accounting workstation can ONLY access the web server on the public network over the default HTTPS port. The accounting workstation should not access other networks.
2. The HR workstation should be restricted to communicate with the Financial server ONLY, over the default SCP port
3. The Admin workstation should ONLY be able to access the servers on the secure network over the default TFTP port.

Instructions: The firewall will process the rules in a top-down manner in order as a first match. The port number must be typed in and only one port number can be entered per rule Type ANY for all ports. The original firewall configuration can be reset at any time by pressing the reset button. Once you have met the simulation requirements, click save and then Done to submit.


Correct Answer:



Implicit deny is the default security stance that says if you aren’t specifically granted access or privileges for a resource, you’re denied access by default.

Rule #1 allows the Accounting workstation to ONLY access the web server on the public network over the default HTTPS port, which is TCP port 443.

Rule #2 allows the HR workstation to ONLY communicate with the Financial server over the default SCP port, which is TCP Port 22

Rule #3 & Rule #4 allow the Admin workstation to ONLY access the Financial and Purchasing servers located on the secure network over the default TFTP port, which is Port 69.

References:
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis
http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

CompTIA Security+ Simulation 7

A Security administrator wants to implement strong security on the company smart phones and terminal servers located in the data center. Drag and Drop the applicable controls to each asset type.

Instructions: Controls can be used multiple times and not all placeholders needs to be filled. When you have completed the simulation, Please select Done to submit.

Correct Answer:


Cable locks are used as a hardware lock mechanism – thus best used on a Data Center Terminal Server.

Network monitors are also known as sniffers – thus best used on a Data Center Terminal Server.

Install antivirus software. Antivirus software should be installed and definitions kept current on all hosts. Antivirus software should run on the server as well as on every workstation. In addition to active monitoring of incoming fi les, scans should be conducted regularly to catch any infections that have slipped through- thus best used on a Data Center Terminal Server.

Proximity readers are used as part of physical barriers which makes it more appropriate to use on a center’s entrance to protect the terminal server.

Mentor app is an Apple application used for personal development and is best used on a mobile device such as a smart phone.

Remote wipe is an application that can be used on devices that are stolen to keep data safe. It is basically a command to a phone that will remotely clear the data on that phone. This process is known as a remote wipe, and it is intended to be used if the phone is stolen or going to another user.

Should a device be stolen, GPS (Global Positioning System) tracking can be used to identify its location and allow authorities to find it – thus best used on a smart phone.

Screen Lock is where the display should be configured to time out after a short period of inactivity and the screen locked with a password. To be able to access the system again, the user must provide the password. After a certain number of attempts, the user should not be allowed to attempt any additional logons; this is called lockout – thus best used on a smart phone.

Strong Password since passwords are always important, but even more so when you consider that the device could be stolen and in the possession of someone who has unlimited access and time to try various values – thus best use strong passwords on a smartphone as it can be stolen more easily than a terminal server in a data center.

Device Encryption- Data should be encrypted on the device so that if it does fall into the wrong hands, it cannot be accessed in a usable form without the correct passwords. It is recommended to you use Trusted Platform Module (TPM) for all mobile devices where possible.

Use pop-up blockers. Not only are pop-ups irritating, but they are also a security threat. Pop-ups (including pop-unders) represent unwanted programs running on the system, and they can jeopardize the system’s well-being. This will be more effective on a mobile device rather than a terminal server.

Use host-based firewalls. A firewall is the first line of defense against attackers and malware. Almost every current operating system includes a firewall, and most are turned on by Default- thus best used on a Data Center Terminal Server.

References:
Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, 6th Edition, Sybex,
Indianapolis

CompTIA Security+ Simulation 6

A security administrator is given the security and availability profiles for servers that are being deployed.
1) Match each RAID type with the correct configuration and MINIMUM number of drives.
2) Review the server profiles and match them with the appropriate RAID type based on integrity, availability, I/O, storage requirements.

Instructions:
• All drive definitions can be dragged as many times as necessary
• Not all placeholders may be filled in the RAID configuration boxes
• If parity is required, please select the appropriate number of parity check boxes
• Server profiles may be dragged only once

If at any time you would like to bring back the initial state of the simulation, please select the Reset
button. When you have completed the simulation, please select the Done

Correct Answer:


RAID-0 is known as striping. It is not a fault tolerant solution but does improve disk performance for read/write operations. Striping requires a minimum of two disks and does not use parity. RAID-0 can be used where performance is required over fault tolerance, such as a media streaming server.

RAID-1 is known as mirroring because the same data is written to two disks so that the two disks have identical data. This is a fault tolerant solution that halves the storage space. A minimum of two disks are used in mirroring and does not use parity. RAID-1 can be used where fault tolerance is required over performance, such as on an authentication server.

RAID-5 is a fault tolerant solution that uses parity and striping. A minimum of three disks are required for RAID-5 with one disk’s worth of space being used for parity information. However, the parity information is distributed across all the disks. RAID-5 can recover from a sing disk failure.

RAID-6 is a fault tolerant solution that uses dual parity and striping. A minimum of four disks are required for RAID-6. Dual parity allows RAID-6 to recover from the simultaneous failure of up to two disks. Critical data should be stored on a RAID-6 system.

References:
Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis