CompTIA CompTIA Security+ JK0-022 Questions & Answers

• Question 161:

  Which of the following can Joe, a security administrator, implement on his network to capture attack details that are occurring while also protecting his production network?

  A. Security logs

  B. Protocol analyzer

  C. Audit logs

  D. Honeypot

  Correct Answer: D

  A honeypot is a system whose purpose it is to be attacked. An administrator can watch and study the attack to research current attack methodologies.

  According to the Wepopedia.com, a Honeypot luring a hacker into a system has several main purposes:

  The administrator can watch the hacker exploit the vulnerabilities of the system, thereby learning where the system has weaknesses that need to be redesigned. The hacker can be caught and stopped while trying to obtain root access to the

  system. By studying the activities of hackers, designers can better create more secure systems that are potentially invulnerable to future hackers.

  There are two main types of honeypots:

  Production - A production honeypot is one used within an organization's environment to help mitigate risk. Research A research honeypot add value to research in computer security by providing a platform to study the threat.

  Incorrect Answers:

  A: Security logs record security events such as logon and logoff events. Security logs can be used to monitor failed logon events which could indicate an attack. However, logon attempts are just one form of attack. A honeypot can be used to

  monitor all sorts of attack. Therefore, a honeypot is a better answer so this answer is incorrect.

  B: A Protocol Analyzer is a hardware device or more commonly a software program used to capture network data communications sent between devices on a network. It would be difficult to monitor attacks by analyzing network

  communications. Therefore, a honeypot is a better answer so this answer is incorrect.

  C: Audit logs record events such as file access (successful or unsuccessful) or Active Directory modifications. Audit logs could be used monitor failed attempts to access files which could indicate an attack. However, file access attempts are

  just one form of attack. A honeypot can be used to monitor all sorts of attack.

  Therefore, a honeypot is a better answer so this answer is incorrect.

  References: https://ethics.csc.ncsu.edu/abuse/hacking/honeypots/study.php

• Question 162:

  Joe, an administrator, installs a web server on the Internet that performs credit card transactions for customer payments. Joe also sets up a second web server that looks like the first web server. However, the second server contains fabricated files and folders made to look like payments were processed on this server but really were not. Which of the following is the second server?

  A. DMZ

  B. Honeynet

  C. VLAN

  D. Honeypot

  Correct Answer: D

  In this scenario, the second web server is a `fake' webserver designed to attract attacks. We can then monitor the second server to view the attacks and then ensure that the `real' web server is secure against such attacks. The second web

  server is a honeypot.

  A honeypot is a system whose purpose it is to be attacked. An administrator can watch and study the attack to research current attack methodologies.

  According to the Wepopedia.com, a Honeypot luring a hacker into a system has several main purposes:

  The administrator can watch the hacker exploit the vulnerabilities of the system, thereby learning where the system has weaknesses that need to be redesigned. The hacker can be caught and stopped while trying to obtain root access to the

  system. By studying the activities of hackers, designers can better create more secure systems that are potentially invulnerable to future hackers.

  There are two main types of honeypots:

  Production - A production honeypot is one used within an organization's environment to help mitigate risk. Research A research honeypot add value to research in computer security by providing a platform to study the threat.

  Incorrect Answers:

  A: A DMZ or demilitarized zone (sometimes referred to as a perimeter network) is a physical or logical subnetwork that contains and exposes an organization's external-facing services to a larger and untrusted network, usually the Internet.

  The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN); an external network node only has direct access to equipment in the DMZ, rather than any other part of the network. The name is

  derived from the term "demilitarized zone", an area between nation states in which military operation is not permitted. The second web server described in this question is not a DMZ.

  Therefore, this answer is incorrect.

  B: A honeynet is a network set up with intentional vulnerabilities; its purpose is to invite attack, so that an attacker's activities and methods can be studied and that information used to increase network security. In this question, we have a

  second single server rather than a network set up to be attacked. The server is a honeypot, not a honeynet. Therefore, this answer is incorrect.

  C: In computer networking, a single layer-2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them via one or more routers; such a domain is referred

  to as a virtual local area network, virtual LAN or VLAN. This is usually achieved on switch or router devices. Simpler devices only support partitioning on a port level (if at all), so sharing VLANs across devices requires running dedicated

  cabling for each VLAN. More sophisticated devices can mark packets through tagging, so that a single interconnect (trunk) may be used to transport data for multiple VLANs. Grouping hosts with a common set of requirements regardless of

  their physical location by VLAN can greatly simplify network design. A VLAN has the same attributes as a physical local area network (LAN), but it allows for end stations to be grouped together more easily even if they are not on the same

  network switch. The second web server described in this question is not a VLAN. Therefore, this answer is incorrect.

  References:

  https://ethics.csc.ncsu.edu/abuse/hacking/honeypots/study.php http://en.wikipedia.org/wiki/DMZ_%28computing%29 http://searchsecurity.techtarget.com/definition/honeynet http://en.wikipedia.org/wiki/Virtual_LAN

• Question 163:

  Based on information leaked to industry websites, business management is concerned that unauthorized employees are accessing critical project information for a major, well-known new product. To identify any such users, the security administrator could:

  A. Set up a honeypot and place false project documentation on an unsecure share.

  B. Block access to the project documentation using a firewall.

  C. Increase antivirus coverage of the project servers.

  D. Apply security updates and harden the OS on all project servers.

  Correct Answer: A

  In this scenario, we would use a honeypot as a `trap' to catch unauthorized employees who are accessing critical project information. A honeypot is a system whose purpose it is to be attacked. An administrator can watch and study the attack

  to research current attack methodologies. According to the Wepopedia.com, a Honeypot luring a hacker into a system has several main purposes:

  The administrator can watch the hacker exploit the vulnerabilities of the system, thereby learning where the system has weaknesses that need to be redesigned. The hacker can be caught and stopped while trying to obtain root access to the

  system. By studying the activities of hackers, designers can better create more secure systems that are potentially invulnerable to future hackers.

  There are two main types of honeypots:

  Production - A production honeypot is one used within an organization's environment to help mitigate risk. Research A research honeypot add value to research in computer security by providing a platform to study the threat.

  Incorrect Answers:

  B: Blocking access to the project documentation by using a firewall would block all access to the documentation including access to authorized employees. It would not help to determine which unauthorized employees are attempting to access the documentation. Therefore, this answer is incorrect.

  C: Antivirus software is used to scan a system for known virus threats. It would not detect unauthorized users attempting to access the project documentation. Therefore, this answer is incorrect.

  D: Applying security updates to harden a server is always a good idea. However, security updates would not detect unauthorized users attempting to access the project documentation. Therefore, this answer is incorrect.

  References: https://ethics.csc.ncsu.edu/abuse/hacking/honeypots/study.php

• Question 164:

  Which of the following should an administrator implement to research current attack methodologies?

  A. Design reviews

  B. Honeypot

  C. Vulnerability scanner

  D. Code reviews

  Correct Answer: B

  A honeypot is a system whose purpose it is to be attacked. An administrator can watch and study the attack to research current attack methodologies. According to the Wepopedia.com, a Honeypot luring a hacker into a system has several

  main purposes:

  The administrator can watch the hacker exploit the vulnerabilities of the system, thereby learning where the system has weaknesses that need to be redesigned. The hacker can be caught and stopped while trying to obtain root access to the

  system. By studying the activities of hackers, designers can better create more secure systems that are potentially invulnerable to future hackers.

  There are two main types of honeypots:

  Production - A production honeypot is one used within an organization's environment to help mitigate risk. Research A research honeypot add value to research in computer security by providing a platform to study the threat.

  Incorrect Answers:

  A: Reviewing the design of a system would not help to determine current attack methodologies. You would use a honeypot to determine current attack methodologies. You might then have a design review to counteract the threats.

  C: A vulnerability scanner scans a system or network for known vulnerabilities. It is not used to determine new attack methodologies.

  D: Reviewing the code of an application would not help to determine current attack methodologies. You would use a honeypot to determine current attack methodologies. You might then have a code review to counteract the threats.

  References: https://ethics.csc.ncsu.edu/abuse/hacking/honeypots/study.php

• Question 165:

  Which of the following would be used to identify the security posture of a network without actually exploiting any weaknesses?

  A. Penetration test

  B. Code review

  C. Vulnerability scan

  D. Brute Force scan

  Correct Answer: C

  A vulnerability scan is the automated process of proactively identifying security vulnerabilities of computing systems in a network in order to determine if and where a system can be exploited and/or threatened. While public servers are important for communication and data transfer over the Internet, they open the door to potential security breaches by threat agents, such as malicious hackers. Vulnerability scanning employs software that seeks out security flaws based on a database of known flaws, testing systems for the occurrence of these flaws and generating a report of the findings that an individual or an enterprise can use to tighten the network's security. Vulnerability scanning typically refers to the scanning of systems that are connected to the Internet but can also refer to system audits on internal networks that are not connected to the Internet in order to assess the threat of rogue software or malicious employees in an enterprise.

  Incorrect Answers:

  A: Penetration testing evaluates an organization's ability to protect its networks, applications, computers and users from attempts to circumvent its security controls to gain unauthorized or privileged access to protected assets. The difference between a vulnerability scan and a penetration test is that by performing a penetration test, you are actually trying to access a system by exploiting a weakness in the system. Therefore, this answer is incorrect.

  B: A code review is the process of reviewing the programming code in an application. It is not used to identify the security posture of a network. Therefore, this answer is incorrect.

  D: A brute force scan is similar to a penetration test in that you are actually trying to access a system by exploiting a weakness in the system. Therefore, this answer is incorrect.

  References: http://www.webopedia.com/TERM/V/vulnerability_scanning.html

• Question 166:

  An administrator is concerned that a company's web server has not been patched. Which of the following would be the BEST assessment for the administrator to perform?

  A. Vulnerability scan

  B. Risk assessment

  C. Virus scan

  D. Network sniffer

  Correct Answer: A

  A vulnerability scan is the process of scanning the network and/or I.T. infrastructure for threats and vulnerabilities. Vulnerabilities include computer systems that do not have the latest security patches installed. The threats and vulnerabilities are then evaluated in a risk assessment and the necessary actions taken to resolve and vulnerabilities. A vulnerability scan is the automated process of proactively identifying security vulnerabilities of computing systems in a network in order to determine if and where a system can be exploited and/or threatened. While public servers are important for communication and data transfer over the Internet, they open the door to potential security breaches by threat agents, such as malicious hackers. Vulnerability scanning employs software that seeks out security flaws based on a database of known flaws, testing systems for the occurrence of these flaws and generating a report of the findings that an individual or an enterprise can use to tighten the network's security. Vulnerability scanning typically refers to the scanning of systems that are connected to the Internet but can also refer to system audits on internal networks that are not connected to the Internet in order to assess the threat of rogue software or malicious employees in an enterprise.

  Incorrect Answers:

  B: A risk assessment is the process of determining risk. A risk assessment alone would not determine if a web server has been patched. A vulnerability scan should be performed first. The results of the vulnerability scan can then be used in a risk assessment. Therefore, this answer is incorrect.

  C: A virus scan will scan a computer for known viruses. It is not used to determine if a system has been patched. Therefore, this answer is incorrect.

  D: A network sniffer is a hardware device or more commonly a software program used to capture network data communications sent between devices on a network. It is not used to determine if a system has been patched. Therefore, this answer is incorrect.

  References: http://www.webopedia.com/TERM/V/vulnerability_scanning.html

• Question 167:

  Which of the following would a security administrator implement in order to discover comprehensive security threats on a network?

  A. Design reviews

  B. Baseline reporting

  C. Vulnerability scan

  D. Code review

  Correct Answer: C

  A vulnerability scan is the process of scanning the network and/or I.T. infrastructure for threats and vulnerabilities. Vulnerabilities include computer systems that do not have the latest security patches installed. The threats and vulnerabilities are then evaluated in a risk assessment and the necessary actions taken to resolve and vulnerabilities. A vulnerability scan is the automated process of proactively identifying security vulnerabilities of computing systems in a network in order to determine if and where a system can be exploited and/or threatened. While public servers are important for communication and data transfer over the Internet, they open the door to potential security breaches by threat agents, such as malicious hackers. Vulnerability scanning employs software that seeks out security flaws based on a database of known flaws, testing systems for the occurrence of these flaws and generating a report of the findings that an individual or an enterprise can use to tighten the network's security. Vulnerability scanning typically refers to the scanning of systems that are connected to the Internet but can also refer to system audits on internal networks that are not connected to the Internet in order to assess the threat of rogue software or malicious employees in an enterprise.

  Incorrect Answers:

  A: A design review is not performed primarily to detect security threats on a network. Reviewing the design of a system or network can be performed for many reasons including performance, availability etc. whereas a vulnerability scan is

  performed specifically to discover security threats on a network. Therefore, this answer is incorrect.

  B: As the name implies, baseline reporting checks to make sure that things are operating status quo, and change detection is used to alert administrators when modifications are made. A changes-from-baseline report can be run to pinpoint

  security rule breaches quickly. This is often combined with gap analysis to measure the controls at a particular company against industry standards.

  Baseline reporting may alert the security administrator to any changes in the security posture compared to the original baseline configuration. However, a vulnerability scan is performed specifically to discover security threats on a network and

  is therefore a better answer. Therefore, this answer is incorrect.

  D: A code review is the process of reviewing the programming code in an application. It is not used to discover security threats on a network. Therefore, this answer is incorrect.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p 345

• Question 168:

  Which of the following security architecture elements also has sniffer functionality? (Select TWO).

  A. HSM

  B. IPS

  C. SSL accelerator

  D. WAP

  E. IDS

  Correct Answer: BE

  Sniffer functionality means the ability to capture and analyze the content of data packets as they are transmitted across the network. IDS and IPS systems perform their functions by capturing and analyzing the content of data packets.

  An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station. IDS come in a variety of "flavors" and approach the goal of detecting suspicious traffic in different ways. There are network based (NIDS) and host based (HIDS) intrusion detection systems. Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts. In addition, organizations use IDPSes for other purposes, such as identifying problems with security policies, documenting existing threats and deterring individuals from violating security policies. IDPSes have become a necessary addition to the security infrastructure of nearly every organization. IDPSes typically record information related to observed events, notify security administrators of important observed events and produce reports. Many IDPSes can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself, changing the security environment (e.g. reconfiguring a firewall) or changing the attack's content.

  Incorrect Answers:

  A: A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing. These modules traditionally come in the form of a plug-in card or an external device that attaches directly to a computer or network server. An HSM does not have sniffer functionality. Therefore, this answer is incorrect.

  C: SSL acceleration is a method of offloading the processor-intensive public-key encryption algorithms involved in SSL transactions to a hardware accelerator. An SSL accelerator does not have sniffer functionality. Therefore, this answer is incorrect.

  D: A WAP (Wireless Access Point) is a device used to create a wireless network. A WAP receives and transmits data packets over a wireless network connection. However, a WAP does not have sniffer functionality. Therefore, this answer is incorrect.

  References: http://en.wikipedia.org/wiki/Intrusion_detection_system http://en.wikipedia.org/wiki/Hardware_security_module http://en.wikipedia.org/wiki/SSL_acceleration

• Question 169:

  Which of the following BEST allows Pete, a security administrator, to determine the type, source, and flags of the packet traversing a network for troubleshooting purposes?

  A. Switches

  B. Protocol analyzers

  C. Routers

  D. Web security gateways

  Correct Answer: B

  A Protocol Analyzer is a hardware device or more commonly a software program used to capture network data communications sent between devices on a network. By capturing and analyzing the packets, Pete will be able to determine the

  type, source, and flags of the packets traversing a network for troubleshooting purposes.

  Well known software protocol analyzers include Message Analyzer (formerly Network Monitor) from Microsoft and Wireshark (formerly Ethereal).

  Incorrect Answers:

  A: A switch is a network device that Ethernet cables plug in to. The switch will direct traffic received on one switch port out on one or more other switch ports based on the MAC address of the destination computer(s). A switch receives and transmits network packets. It is not used to examine the contents of the packets to view the type, source, and flags of the packets. Therefore, this answer is incorrect.

  C: A router is a network device that routes data traffic according to the IP address of the destination computer(s). A router receives and transmits network packets. It is not used to examine the contents of the packets to view the type, source, and flags of the packets. Therefore, this answer is incorrect.

  D: A web security gateway can be thought of as a proxy server (performing proxy and caching functions) with web protection software built in. Depending on the vendor, the "web protection" can range from a standard virus scanner on incoming packets to monitoring outgoing user traffic for red flags as well. Potential red flags that the gateway can detect and/or prohibit include inappropriate content, trying to establish a peer-to-peer connection with a file-sharing site, instant messaging, and unauthorized tunneling. You can configure most web security gateways to block known HTTP/HTML exploits, strip ActiveX tags, strip Java applets, and block/strip cookies. A web security gateway is not used to examine the contents of the packets to view the type, source, and flags of the packets. Therefore, this answer is incorrect.

  References: http://en.wikipedia.org/wiki/Wireshark Comptia Security + Study Guide. Page 103 Web Security Gateway

• Question 170:

  Joe, the security administrator, has determined that one of his web servers is under attack. Which of the following can help determine where the attack originated from?

  A. Capture system image

  B. Record time offset

  C. Screenshots

  D. Network sniffing

  Correct Answer: D

  Network sniffing is the process of capturing and analyzing the packets sent between systems on the network. A network sniffer is also known as a Protocol Analyzer. A Protocol Analyzer is a hardware device or more commonly a software program used to capture network data communications sent between devices on a network. Capturing and analyzing the packets sent to the web server will help determine the source IP address of the system sending the packets. Well known software protocol analyzers include Message Analyzer (formerly Network Monitor) from Microsoft and Wireshark (formerly Ethereal).

  Incorrect Answers:

  A: Capturing an image of the system is the process of making an exact copy of the contents of the hard drive in the system. This would not help in determining the source of an attack on the system. Therefore, this answer is incorrect.

  B: Recording the time offset of the system will determine the difference between the time on the system compared to the actual current time. This would not help in determining the source of an attack on the system. Therefore, this answer is incorrect.

  C: Taking screenshots of the system will not help in determining the source of an attack on the system. A screenshot is a copy of what is displayed on the computer screen at the time of the screenshot. Therefore, this answer is incorrect.

  References: http://en.wikipedia.org/wiki/Wireshark