CompTIA CompTIA Security+ JK0-022 Questions & Answers

• Question 171:

  Which of the following tools would allow Ann, the security administrator, to be able to BEST quantify all traffic on her network?

  A. Honeypot

  B. Port scanner

  C. Protocol analyzer

  D. Vulnerability scanner

  Correct Answer: C

  A Protocol Analyzer is a hardware device or more commonly a software program used to capture network data communications sent between devices on a network. By capturing and analyzing the packets sent between the systems on the network, Ann would be able to quantify the amount of traffic on the network. Well known software protocol analyzers include Message Analyzer (formerly Network Monitor) from Microsoft and Wireshark (formerly Ethereal).

  Incorrect Answers:

  A: A honeypot is a system whose purpose it is to be attacked. An administrator can watch and study the attack to research current attack methodologies. A honeypot is not used to monitor device security. It is not used to calculate the volume of traffic on a network. Therefore, this answer is incorrect.

  B: A port scanner is typically a software application used to scan a system such as a computer or firewall for open ports. A malicious user would attempt to access a system through an open port. A security administrator would compare the list of open ports against a list of ports that need to be open so that unnecessary ports can be closed thus reducing the vulnerability of the system. A port scanner is not used to calculate the volume of traffic on a network. Therefore, this answer is incorrect.

  D: A vulnerability scanner is software designed to assess computers, computer systems, networks or applications for weaknesses. This includes applications or default configurations posing a security risk. A vulnerability scanner is not used to calculate the volume of traffic on a network. Therefore, this answer is incorrect.

  References: http://en.wikipedia.org/wiki/Wireshark

• Question 172:

  Which of the following would a security administrator implement in order to identify a problem between two applications that are not communicating properly?

  A. Protocol analyzer

  B. Baseline report

  C. Risk assessment

  D. Vulnerability scan

  Correct Answer: A

  A Protocol Analyzer is a hardware device or more commonly a software program used to capture network data communications sent between devices on a network. Capturing and analyzing the packets sent between applications on systems

  that are not communicating properly could help determine the cause of the issue.

  Well known software protocol analyzers include Message Analyzer (formerly Network Monitor) from Microsoft and Wireshark (formerly Ethereal).

  Incorrect Answers:

  B: A baseline report compares the current status of network systems in terms of security updates, performance or other metrics to a predefined set of standards (the baseline). It is not used to troubleshoot communication issues between

  applications. Therefore, this answer is incorrect.

  C: A risk assessment is the process of evaluating threats and vulnerabilities to the network and/or I.T. infrastructure. It is not used to troubleshoot communication issues between two applications.

  Therefore, this answer is incorrect.

  D: A vulnerability scan is the process of scanning the network and/or I.T. infrastructure for threats and vulnerabilities. The threats and vulnerabilities are then evaluated in a risk assessment. It is not used to troubleshoot communication issues

  between two applications.

  Therefore, this answer is incorrect.

  References: http://en.wikipedia.org/wiki/Wireshark

• Question 173:

  Which of the following is BEST used to capture and analyze network traffic between hosts on the same network segment?

  A. Protocol analyzer

  B. Router

  C. Firewall

  D. HIPS

  Correct Answer: A

  A Protocol Analyzer is a hardware device or more commonly a software program used to capture network data communications sent between devices on a network. Capturing and analyzing the packets sent from two systems that are not communicating properly could help determine the cause of the issue. Well known software protocol analyzers include Message Analyzer (formerly Network Monitor) from Microsoft and Wireshark (formerly Ethereal).

  Incorrect Answers:

  B: A router is used to route traffic between hosts on different networks. It is not used to capture and analyze network traffic.

  C: A firewall is used to block unauthorized traffic from accessing hosts on a network. It is not used to capture and analyze network traffic.

  D: A HIPS (Host Intrusion Prevention System) is software installed on a host which monitors the host for suspicious activity by analyzing events occurring within that host with the aim of detecting and preventing intrusion. It is not used to capture and analyze network traffic.

  References: http://en.wikipedia.org/wiki/Wireshark

• Question 174:

  Which of the following would a security administrator implement in order to identify a problem between two systems that are not communicating properly?

  A. Protocol analyzer

  B. Baseline report

  C. Risk assessment

  D. Vulnerability scan

  Correct Answer: A

  A Protocol Analyzer is a hardware device or more commonly a software program used to capture network data communications sent between devices on a network. Capturing and analyzing the packets sent from two systems that are not communicating properly could help determine the cause of the issue. Well known software protocol analyzers include Message Analyzer (formerly Network Monitor) from Microsoft and Wireshark (formerly Ethereal).

  Incorrect Answers:

  B: A baseline report compares the current status of network systems in terms of security updates, performance or other metrics to a predefined set of standards (the baseline). It is not used to troubleshoot communication issues between two systems.

  C: A risk assessment (in this context) is the process of evaluating threats and vulnerabilities to the network and/or I.T. infrastructure. It is not used to troubleshoot communication issues between two systems.

  D: A vulnerability scan is the process of scanning the network and/or I.T. infrastructure for threats and vulnerabilities. The threats and vulnerabilities are then evaluated in a risk assessment. It is not used to troubleshoot communication issues between two systems.

  References: http://en.wikipedia.org/wiki/Wireshark

• Question 175:

  Which of the following tools will allow a technician to detect security-related TCP connection anomalies?

  A. Logical token

  B. Performance monitor

  C. Public key infrastructure

  D. Trusted platform module

  Correct Answer: B

  Performance Monitor in a Windows system can monitor many different `counters'. For TCP network connections, you can monitor specific TCP related counters including the following: Connection Failures Connections Active Connections Established Connections Passive Connections Reset Segments Received/sec Segments Retransmitted/sec Segments Sent/sec Total Segments/sec

  By monitoring the counters listed above, you will be able to detect security-related TCP connection anomalies.

  Incorrect Answers:

  A: A logical token is used in Token Ring networks. A logical token is not a tool that would provide information regarding TCP connection anomalies. Therefore, this answer is incorrect.

  C: A Public key infrastructure (PKI) describes a system of providing certificates for public key cryptography. For example, a Certificate Authority would provide digital certificates to computers or users in the network for secured communications. A PKI is not a tool that would provide information regarding TCP connection anomalies. Therefore, this answer is incorrect.

  D: A Trusted platform module is a chip that securely stores cryptographic keys and other data. It is not a tool that would provide information regarding TCP connection anomalies. Therefore, this answer is incorrect.

• Question 176:

  Jane, a security administrator, has observed repeated attempts to break into a server. Which of the following is designed to stop an intrusion on a specific server?

  A. HIPS

  B. NIDS

  C. HIDS

  D. NIPS

  Correct Answer: A

  This question is asking which of the following is designed to stop an intrusion on a specific server. To stop an intrusion on a specific server, you would use a HIPS (Host Intrusion Prevention System). The difference between a HIPS and other intrusion prevention systems is that a HIPS is a software intrusion prevention systems that is installed on a `specific server'.

  Intrusion prevention systems (IPS), also known as intrusion detection and prevention systems (IDPS), are network security appliances that monitor network and/or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about this activity, attempt to block/stop it, and report it. A HIPS (Host Intrusion Prevention System) is software installed on a host which monitors the host for suspicious activity by analyzing events occurring within that host with the aim of detecting and preventing intrusion.

  Incorrect Answers:

  B: A NIDS (Network Intrusion Detection System) is typically a hardware device designed to detect intrusion attempts to the network, not a specific host. Therefore, this answer is incorrect.

  C: A HIDS (Host Intrusion Detection System) is a host based system. However it is a `detection' system not a prevention system. Therefore it will only detect intrusion attempts; it will not stop them. Therefore, this answer is incorrect.

  D: A NIPS (Network Intrusion Prevention System) is typically a hardware device designed to prevent intrusion attempts to the network, not a specific host. Therefore, this answer is incorrect.

  References: http://en.wikipedia.org/wiki/Intrusion_prevention_system

• Question 177:

  Suspicious traffic without a specific signature was detected. Under further investigation, it was determined that these were false indicators. Which of the following security devices needs to be configured to disable future false alarms?

  A. Signature based IPS

  B. Signature based IDS

  C. Application based IPS

  D. Anomaly based IDS

  Correct Answer: D

  Most intrusion detection systems (IDS) are what is known as signature-based. This means that they operate in much the same way as a virus scanner, by searching for a known identity - or signature - for each specific intrusion event. And, while signature-based IDS is very efficient at sniffing out known s of attack, it does, like anti-virus software, depend on receiving regular signature updates, to keep in touch with variations in hacker technique. In other words, signature-based IDS is only as good as its database of stored signatures. Any organization wanting to implement a more thorough - and hence safer - solution, should consider what we call anomaly-based IDS. By its nature, anomaly-based IDS is a rather more complex creature. In network traffic terms, it captures all the headers of the IP packets running towards the network. From this, it filters out all known and legal traffic, including web traffic to the organization's web server, mail traffic to and from its mail server, outgoing web traffic from company employees and DNS traffic to and from its DNS server.

  There are other equally obvious advantages to using anomaly-based IDS. For example, because it detects any traffic that is new or unusual, the anomaly method is particularly good at identifying sweeps and probes towards network hardware. It can, therefore, give early warnings of potential intrusions, because probes and scans are the predecessors of all attacks. And this applies equally to any new service installed on any item of hardware - for example, Telnet deployed on a network router for maintenance purposes and forgotten about when the maintenance was finished. This makes anomaly-based IDS perfect for detecting anything from port anomalies and web anomalies to mis-formed attacks, where the URL is deliberately mis- typed.

  Incorrect Answers:

  A: The question states that suspicious traffic without a specific signature was detected. Therefore, a signature based IDS would not detect the suspicious traffic. The traffic must have been detected by an anomaly based device. The fact that the traffic was `detected' rather than `prevented' suggest the anomaly based device was an IDS rather than an IPS. Therefore, this answer is incorrect.

  B: The question states that suspicious traffic without a specific signature was detected. Therefore, a signature based IPS would not detect the suspicious traffic. The traffic must have been detected by an anomaly based device. The fact that the traffic was `detected' rather than `prevented' suggest the anomaly based device was an IDS rather than an IPS. Therefore, this answer is incorrect.

  C: The question states that suspicious traffic without a specific signature was detected. The fact that the traffic was `detected' rather than `prevented' suggest the anomaly based device was an IDS rather than an IPS. Therefore, this answer is incorrect.

  References:

  http://www.scmagazine.com/signature-based-or-anomaly-based-intrusion-detection-the-practice- and-pitfalls/article/30471/

• Question 178:

  A security manager must remain aware of the security posture of each system. Which of the following supports this requirement?

  A. Training staff on security policies

  B. Establishing baseline reporting

  C. Installing anti-malware software

  D. Disabling unnecessary accounts/services

  Correct Answer: B

  The IT baseline protection approach is a methodology to identify and implement computer security measures in an organization. The aim is the achievement of an adequate and appropriate level of security for IT systems. This is known as a baseline. A baseline report compares the current status of network systems in terms of security updates, performance or other metrics to a predefined set of standards (the baseline).

  Incorrect Answers:

  A: Training staff on security policies is always a good idea. However, this will not provide a mechanism for making the security manager aware of the security posture of each system.

  C: Anti-malware is required to remove any existing malware and prevent malware being installed in the future. However, anti-malware does not provide a mechanism for making the security manager aware of the security posture of each system.

  D: Disabling unnecessary accounts/services is a good practice for reducing the attack surface of a computer system. However, it does not provide a mechanism for making the security manager aware of the security posture of each system.

  References: http://en.wikipedia.org/wiki/IT_baseline_protection

• Question 179:

  Which of the following is a notification that an unusual condition exists and should be investigated?

  A. Alert

  B. Trend

  C. Alarm

  D. Trap

  Correct Answer: A

  We need to look carefully at the wording of the question to determine the answer. This question is asking about an "unusual condition" that should be investigated.

  There are different levels of alerts from Critical to Warning to Information only.

  An Alarm would be triggered by a serious definite problem that needs resolving urgently. An "unusual condition" probably wouldn't trigger an alarm; it is more likely to trigger an Alert.

  Incorrect Answers:

  B: A trend signifies the ongoing status of something. An "unusual condition" may or may not change the trend whereas an alert is likely to be triggered. Therefore, this answer is incorrect.

  C: An Alarm would be triggered by a serious definite problem that needs resolving urgently. An "unusual condition" probably wouldn't trigger an alarm; it is more likely to trigger an Alert. Therefore, this answer is incorrect.

  D: A trap is something that is triggered by an event that meets the conditions to trigger to trap. An "unusual condition" is unlikely to trigger a trap whereas an alert is likely to be triggered. Therefore, this answer is incorrect.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 69, 470

• Question 180:

  Which of the following is an indication of an ongoing current problem?

  A. Alert

  B. Trend

  C. Alarm

  D. Trap

  Correct Answer: C

  An alarm indicates that something is wrong and needs to be resolved as soon as possible. Alarms usually continue to sound until the problem is resolved or the alarm is manually silenced. Incorrect Answers:

  A: An alert does indicate that something is wrong. However this question asks about an ONGOING problem. An alert will usually just trigger at the beginning of a problem whereas an alarm will sound for the duration of the problem. Therefore,

  this answer is incorrect.

  B: A trend signifies the ongoing status of something. That status may change during an ongoing problem so the trend will indicate that the current status is different than normal. However, an alarm is specifically design to indicate that there is

  currently a problem and is a better answer.

  Therefore, this answer is incorrect.

  C: A trap is something that is triggered by an event. The `problem' may cause the trap to trigger. However this question asks about an ONGOING problem. A trap will usually just trigger at the beginning of a problem whereas an alarm will

  sound for the duration of the problem. Therefore, this answer is incorrect.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 69, 470