CompTIA CompTIA Security+ JK0-022 Questions & Answers

• Question 151:

  After analyzing and correlating activity from multiple sensors, the security administrator has determined that a group of very well organized individuals from an enemy country is responsible for various attempts to breach the company network, through the use of very sophisticated and targeted attacks. Which of the following is this an example of?

  A. Privilege escalation

  B. Advanced persistent threat

  C. Malicious insider threat

  D. Spear phishing

  Correct Answer: B

  Definitions of precisely what an APT is can vary widely, but can best be summarized by their named requirements: Advanced Criminal operators behind the threat utilize the full spectrum of computer intrusion technologies and techniques. While individual components of the attack may not be classed as particularly "advanced" (e.g. malware components generated from commonly available DIY construction kits, or the use of easily procured exploit materials), their operators can typically access and develop more advanced tools as required. They combine multiple attack methodologies and tools in order to reach and compromise their target. Persistent Criminal operators give priority to a specific task, rather than opportunistically seeking immediate financial gain. This distinction implies that the attackers are guided by external entities. The attack is conducted through continuous monitoring and interaction in order to achieve the defined objectives. It does not mean a barrage of constant attacks and malware updates. In fact, a "low-and-slow" approach is usually more successful. Threat means that there is a level of coordinated human involvement in the attack, rather than a mindless and automated piece of code. The criminal operators have a specific objective and are skilled, motivated, organized and well funded.

  Incorrect Answers:

  A: Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The attack described in the question is not an example of privilege escalation. Therefore, this answer is incorrect.

  C: A malicious insider threat as the name suggests is carried out by an insider. In this question, the attackers are in an enemy country. Therefore, this answer is incorrect.

  D: Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. As with the e-mail messages used in regular phishing expeditions, spear phishing messages appear to come from a trusted source. Phishing messages usually appear to come from a large and well-known company or Web site with a broad membership base, such as eBay or PayPal. In the case of spear phishing, however, the apparent source of the e-mail is likely to be an individual within the recipient's own company and generally someone in a position of authority. The attack described in the question is not an example of spear phishing. Therefore, this answer is incorrect.

  References:

  https://www.damballa.com/advanced-persistent-threats-a-brief-description/ http://searchsecurity.techtarget.com/definition/spear-phishing

• Question 152:

  A new security analyst is given the task of determining whether any of the company's servers are vulnerable to a recently discovered attack on an old version of SSH. Which of the following is the quickest FIRST step toward determining the version of SSH running on these servers?

  A. Passive scanning

  B. Banner grabbing

  C. Protocol analysis

  D. Penetration testing

  Correct Answer: B

  B: Banner grabbing looks at the banner, or header information messages sent with data to find out about the system(s). Banners often identify the host, the operating system running on it, and other information that can be useful if you are going to attempt to later breach the security of it. Banners can be snagged with Telnet as well as tools like netcat or Nmap. In other words Banner grabbing looks at the banner, or header, information messages sent with data to find out about the system(s). Thus a quick way to check which version of SSH is running on your server.

  Incorrect Answers:

  A: Passive scanning is implemented to allow you to identify specific vulnerabilities on your network and is not the quickest way to determine which version of SSH is running on your servers.

  C: Protocol analysis is similar to packet sniffing and is a tool used for network monitoring, the data that is being transmitted across a network - especially in real- time.

  D: A penetration test will use the same techniques a hacker would use to find any flaws in your system's security. This means bypassing whatever security controls that might have been implemented. This is not the quickest way to check which version of SSH was running on your servers.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 344, 458, 459.

• Question 153:

  Which device monitors network traffic in a passive manner?

  A. Sniffer

  B. IDS

  C. Firewall

  D. Web browser

  Correct Answer: A

  A sniffer is another name for a protocol analyzer. A protocol analyzer performs its function in a passive manner. In other words, computers on the network do not know that their data packets have been captured.

  A Protocol Analyzer is a hardware device or more commonly a software program used to capture network data communications sent between devices on a network. Capturing packets sent from a computer system is known as packet sniffing.

  Well known software protocol analyzers include Message Analyzer (formerly Network Monitor) from Microsoft and Wireshark (formerly Ethereal).

  A sniffer (packet sniffer) is a tool that intercepts data flowing in a network. If computers are connected to a local area network that is not filtered or switched, the traffic can be broadcast to all computers contained in the same segment. This

  doesn't generally occur, since computers are generally told to ignore all the comings and goings of traffic from other computers. However, in the case of a sniffer, all traffic is shared when the sniffer software commands the Network Interface

  Card (NIC) to stop ignoring the traffic. The NIC is put into promiscuous mode, and it reads communications between computers within a particular segment. This allows the sniffer to seize everything that is flowing in the network, which can

  lead to the unauthorized access of sensitive data. A packet sniffer can take the form of either a hardware or software solution. A sniffer is also known as a packet analyzer.

  Incorrect Answers:

  B: An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station. IDS come in a variety of "flavors"

  and approach the goal of detecting suspicious traffic in different ways. There are network based (NIDS) and host based (HIDS) intrusion detection systems. Some systems may attempt to stop an intrusion attempt but this is neither required

  nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts. An IDS does not passively monitor

  network traffic. Therefore, this answer is incorrect.

  C: A firewall is used to block or allow network traffic according to rules specifying source address, destination address, protocol or port number. It does not passively monitor network traffic. Therefore, this answer is incorrect.

  D: A Web browser is used to view web sites. It does not monitor network traffic. Therefore, this answer is incorrect.

  References:

  http://www.techopedia.com/definition/4113/sniffer

  http://en.wikipedia.org/wiki/Intrusion_detection_system

• Question 154:

  Sara, the Chief Information Officer (CIO), has requested an audit take place to determine what services and operating systems are running on the corporate network. Which of the following should be used to complete this task?

  A. Fingerprinting and password crackers

  B. Fuzzing and a port scan

  C. Vulnerability scan and fuzzing

  D. Port scan and fingerprinting

  Correct Answer: D

  Different services use different ports. When a service is enabled on a computer, a network port is opened for that service. For example, enabling the HTTP service on a web server will open port 80 on the server. By determining which ports are open on a remote server, we can determine which services are running on that server. A port scanner is a software application designed to probe a server or host for open ports. This is often used by administrators to verify security policies of their networks and by attackers to identify running services on a host with the view to compromise it. A port scan or portscan can be defined as a process that sends client requests to a range of server port addresses on a host, with the goal of finding an active port. While not a nefarious process in and of itself, it is one used by hackers to probe target machine services with the aim of exploiting a known vulnerability of that service. However the majority of uses of a port scan are not attacks and are simple probes to determine services available on a remote machine.

  Fingerprinting is a means of ascertaining the operating system of a remote computer on a network. Fingerprinting is more generally used to detect specific versions of applications or protocols that are run on network servers. Fingerprinting can be accomplished "passively" by sniffing network packets passing between hosts, or it can be accomplished "actively" by transmitting specially created packets to the target machine and analyzing the response

  Incorrect Answers:

  A: Fingerprinting is a means of ascertaining the operating system of a remote computer on a network. However, a password cracker is not used to determine which services are running on network computers. Therefore, this answer is incorrect.

  B: A port scan can be used to determine which services are running on network computers. However fuzzing is not used to determine which operating system the computers are running. Fuzzing is a security assessment technique that allows testers to analyze the behavior of software applications by entering unexpected input. Therefore, this answer is incorrect.

  C: A vulnerability scanner is software designed to assess computers, computer systems, networks or applications for weaknesses. A vulnerability scan will scan for weaknesses (vulnerabilities) in a system. It could provide information about which services are running but it is not specifically designed for this purpose. Fuzzing is not used to determine which operating system the computers are running or which services are running on the computers. Fuzzing is a security assessment technique that allows testers to analyze the behavior of software applications by entering unexpected input. Therefore, this answer is incorrect.

  References: http://en.wikipedia.org/wiki/Port_scanner http://www.yourdictionary.com/fingerprinting

• Question 155:

  Which of the following tools would a security administrator use in order to identify all running services throughout an organization?

  A. Architectural review

  B. Penetration test

  C. Port scanner

  D. Design review

  Correct Answer: C

  Different services use different ports. When a service is enabled on a computer, a network port is opened for that service. For example, enabling the HTTP service on a web server will open port 80 on the server. By determining which ports are open on a remote server, we can determine which services are running on that server. A port scanner is a software application designed to probe a server or host for open ports. This is often used by administrators to verify security policies of their networks and by attackers to identify running services on a host with the view to compromise it. A port scan or portscan can be defined as a process that sends client requests to a range of server port addresses on a host, with the goal of finding an active port. While not a nefarious process in and of itself, it is one used by hackers to probe target machine services with the aim of exploiting a known vulnerability of that service. However the majority of uses of a port scan are not attacks and are simple probes to determine services available on a remote machine.

  Incorrect Answers:

  A: An architectural review is a review of the network structure (servers, switches, routers, network topology etc.). It does not list running services on computers.

  Therefore, this answer is incorrect.

  B: Penetration testing evaluates an organization's ability to protect its networks, applications, computers and users from attempts to circumvent its security controls to gain unauthorized or privileged access to protected assets. It is not used to

  list services running on computers.

  Therefore, this answer is incorrect.

  D: A design review is the process of reviewing the design of something; examples include reviewing the design of the network or the design of a software application. It is not used to list services running on computers. Therefore, this answer

  is incorrect.

  References: http://en.wikipedia.org/wiki/Port_scanner

• Question 156:

  During a security assessment, an administrator wishes to see which services are running on a remote server. Which of the following should the administrator use?

  A. Port scanner

  B. Network sniffer

  C. Protocol analyzer

  D. Process list

  Correct Answer: A

  Different services use different ports. When a service is enabled on a computer, a network port is opened for that service. For example, enabling the HTTP service on a web server will open port 80 on the server. By determining which ports are open on a remote server, we can determine which services are running on that server. A port scanner is a software application designed to probe a server or host for open ports. This is often used by administrators to verify security policies of their networks and by attackers to identify running services on a host with the view to compromise it. A port scan or portscan can be defined as a process that sends client requests to a range of server port addresses on a host, with the goal of finding an active port. While not a nefarious process in and of itself, it is one used by hackers to probe target machine services with the aim of exploiting a known vulnerability of that service. However the majority of uses of a port scan are not attacks and are simple probes to determine services available on a remote machine.

  Incorrect Answers:

  B: A network sniffer is another name for a protocol analyzer. A Protocol Analyzer is a hardware device or more commonly a software program used to capture network data communications sent between devices on a network. It may be

  possible to determine which services are open on a server by analyzing the network traffic to and from the server. However, it would be administratively difficult. A port scanner is a much simpler solution. Therefore, this answer is incorrect.

  C: A Protocol Analyzer is a hardware device or more commonly a software program used to capture network data communications sent between devices on a network. It may be possible to determine which services are open on a server by

  analyzing the network traffic to and from the server. However, it would be administratively difficult. A port scanner is a much simpler solution. Therefore, this answer is incorrect.

  D: A process list would list all processes running on a computer, including services. However, this question is asking about a remote server. It would be difficult to obtain a process list from a remote server without having full access to the

  server. You can scan the server for open ports without having full access to the server.

  Therefore, this answer is incorrect.

  References: http://en.wikipedia.org/wiki/Port_scanner

• Question 157:

  A security administrator wants to get a real time look at what attackers are doing in the wild, hoping to lower the risk of zero-day attacks. Which of the following should be used to accomplish this goal?

  A. Penetration testing

  B. Honeynets

  C. Vulnerability scanning

  D. Baseline reporting

  Correct Answer: B

  A honeynet is a network set up with intentional vulnerabilities; its purpose is to invite attack, so that an attacker's activities and methods can be studied and that information used to increase network security. A honeynet contains one or more honey pots, which are computer systems on the Internet expressly set up to attract and "trap" people who attempt to penetrate other people's computer systems. Although the primary purpose of a honeynet is to gather information about attackers' methods and motives, the decoy network can benefit its operator in other ways, for example by diverting attackers from a real network and its resources. The Honeynet Project, a non-profit research organization dedicated to computer security and information sharing, actively promotes the deployment of honeynets. In addition to the honey pots, a honeynet usually has real applications and services so that it seems like a normal network and a worthwhile target. However, because the honeynet doesn't actually serve any authorized users, any attempt to contact the network from without is likely an illicit attempt to breach its security, and any outbound activity is likely evidence that a system has been compromised. For this reason, the suspect information is much more apparent than it would be in an actual network, where it would have to be found amidst all the legitimate network data. Applications within a honeynet are often given names such as "Finances" or "Human Services" to make them sound appealing to the attacker.

  A virtual honeynet is one that, while appearing to be an entire network, resides on a single server.

  Incorrect Answers:

  A: Penetration testing evaluates an organization's ability to protect its networks, applications, computers and users from attempts to circumvent its security controls to gain unauthorized or privileged access to protected assets. You perform a penetration test by attempting to gain access to the system. However, to do this, you are trying to exploit weaknesses that you know about. An attacker might use a different method. To view all methods used by attackers, you need to set up a honeynet. Therefore, this answer is incorrect.

  C: A vulnerability scanner is software designed to assess computers, computer systems, networks or applications for weaknesses. A vulnerability scan will scan for weaknesses (vulnerabilities) in a system but it does not provide information about the methods attackers are using. Therefore, this answer is incorrect.

  D: Baseline reporting will alert the security manager to any changes in the security posture compared to the original baseline configuration. Baseline reporting does not provide information about the methods attackers are using. Therefore, this answer is incorrect.

  References: http://searchsecurity.techtarget.com/definition/honeynet

• Question 158:

  Jane, a security analyst, is reviewing logs from hosts across the Internet which her company uses to gather data on new malware. Which of the following is being implemented by Jane's company?

  A. Vulnerability scanner

  B. Honeynet

  C. Protocol analyzer

  D. Port scanner

  Correct Answer: B

  The Internet hosts used to gather data on new malware are known as honeypots. A collection of honeypots is known as a honeynet. A honeynet is a network set up with intentional vulnerabilities; its purpose is to invite attack, so that an attacker's activities and methods can be studied and that information used to increase network security. A honeynet contains one or more honey pots, which are computer systems on the Internet expressly set up to attract and "trap" people who attempt to penetrate other people's computer systems. Although the primary purpose of a honeynet is to gather information about attackers' methods and motives, the decoy network can benefit its operator in other ways, for example by diverting attackers from a real network and its resources. The Honeynet Project, a non-profit research organization dedicated to computer security and information sharing, actively promotes the deployment of honeynets. In addition to the honey pots, a honeynet usually has real applications and services so that it seems like a normal network and a worthwhile target. However, because the honeynet doesn't actually serve any authorized users, any attempt to contact the network from without is likely an illicit attempt to breach its security, and any outbound activity is likely evidence that a system has been compromised. For this reason, the suspect information is much more apparent than it would be in an actual network, where it would have to be found amidst all the legitimate network data. Applications within a honeynet are often given names such as "Finances" or "Human Services" to make them sound appealing to the attacker.

  A virtual honeynet is one that, while appearing to be an entire network, resides on a single server.

  Incorrect Answers:

  A: A vulnerability scanner is software designed to assess computers, computer systems, networks or applications for weaknesses. This includes applications or default configurations posing a security risk. In this question, we have computers

  set up with the aim of being attacked to enable Jane to gather data on new malware. The question is asking about the computers themselves, not the tools used to assess the computers. These computers form a honeynet.

  Therefore, this answer is incorrect.

  C: A Protocol Analyzer is a hardware device or more commonly a software program used to capture network data communications sent between devices on a network. This is not what is described in this question. Therefore, this answer is

  incorrect.

  D: A port scanner is typically a software application used to scan a system such as a computer or firewall for open ports. A malicious user would attempt to access a system through an open port. A security administrator would compare the

  list of open ports against a list of ports that need to be open so that unnecessary ports can be closed thus reducing the vulnerability of the system. This is not what is described in this question. Therefore, this answer is incorrect.

  References: http://searchsecurity.techtarget.com/definition/honeynet

• Question 159:

  The security team would like to gather intelligence about the types of attacks being launched against the organization. Which of the following would provide them with the MOST information?

  A. Implement a honeynet

  B. Perform a penetration test

  C. Examine firewall logs

  D. Deploy an IDS

  Correct Answer: A

  A honeynet is a network set up with intentional vulnerabilities; its purpose is to invite attack, so that an attacker's activities and methods can be studied and that information used to increase network security. A honeynet contains one or more honey pots, which are computer systems on the Internet expressly set up to attract and "trap" people who attempt to penetrate other people's computer systems. Although the primary purpose of a honeynet is to gather information about attackers' methods and motives, the decoy network can benefit its operator in other ways, for example by diverting attackers from a real network and its resources. The Honeynet Project, a non-profit research organization dedicated to computer security and information sharing, actively promotes the deployment of honeynets. In addition to the honey pots, a honeynet usually has real applications and services so that it seems like a normal network and a worthwhile target. However, because the honeynet doesn't actually serve any authorized users, any attempt to contact the network from without is likely an illicit attempt to breach its security, and any outbound activity is likely evidence that a system has been compromised. For this reason, the suspect information is much more apparent than it would be in an actual network, where it would have to be found amidst all the legitimate network data. Applications within a honeynet are often given names such as "Finances" or "Human Services" to make them sound appealing to the attacker.

  A virtual honeynet is one that, while appearing to be an entire network, resides on a single server. Incorrect Answers:

  B: Penetration testing evaluates an organization's ability to protect its networks, applications, computers and users from attempts to circumvent its security controls to gain unauthorized or privileged access to protected assets. You perform a

  penetration test by attempting to gain access to the system. However, to do this, you are trying to exploit weaknesses that you know about. An attacker might use a different method. To view all methods used by attackers, you need to set up

  a honeynet. Therefore, this answer is incorrect.

  C: The firewall logs will provide information about network connections that are allowed or blocked. However, an attacker would connect to the network by using an allowed port. Therefore, the firewall logs will not provide information about

  methods of attack. Therefore, this answer is incorrect.

  D: An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station. IDS come in a variety of "flavors"

  and approach the goal of detecting suspicious traffic in different ways. There are network based (NIDS) and host based (HIDS) intrusion detection systems. Some systems may attempt to stop an intrusion attempt but this is neither required

  nor expected of a monitoring system.

  An IDS can monitor malicious activities. However, an attacker may use a method that is not detected by the IDS as an intrusion attempt. This question is asking for the BEST answer. A honeypot is a better answer because it is designed to be

  attacked to enable you to view the methods used for the attacks. Therefore, this answer is incorrect.

  References:

  http://searchsecurity.techtarget.com/definition/honeynet http://en.wikipedia.org/wiki/Intrusion_detection_system

• Question 160:

  What is a system that is intended or designed to be broken into by an attacker?

  A. Honeypot

  B. Honeybucket

  C. Decoy

  D. Spoofing system

  Correct Answer: A

  A honeypot is a system whose purpose it is to be attacked. An administrator can watch and study the attack to research current attack methodologies.

  According to the Wepopedia.com, a Honeypot luring a hacker into a system has several main purposes:

  The administrator can watch the hacker exploit the vulnerabilities of the system, thereby learning where the system has weaknesses that need to be redesigned. The hacker can be caught and stopped while trying to obtain root access to the

  system. By studying the activities of hackers, designers can better create more secure systems that are potentially invulnerable to future hackers.

  There are two main types of honeypots:

  Production - A production honeypot is one used within an organization's environment to help mitigate risk. Research - A research honeypot add value to research in computer security by providing a platform to study the threat.

  Incorrect Answers:

  B: A honey bucket is not an IT term. It's a term for a waterless toilet. A honeypot is a system designed to be attacked. Therefore, this answer is incorrect.

  C: A honeypot could be described as a decoy. It is a system often imitating another system but designed to be attacked. However, a honeypot is the specific name for a system designed to be attacked. Therefore, this answer is incorrect.

  D: Spoofing system is not the correct term for a system that is designed to be attacked. A honeypot could be described as a spoofing system in that a honeypot often imitates another system. However, a honeypot is the specific name for a

  system designed to be attacked.

  Therefore, this answer is incorrect.

  References: https://ethics.csc.ncsu.edu/abuse/hacking/honeypots/study.php