CompTIA CompTIA Security+ JK0-022 Questions & Answers

• Question 201:

  Ann, the security administrator, received a report from the security technician, that an unauthorized new user account was added to the server over two weeks ago. Which of the following could have mitigated this event?

  A. Routine log audits

  B. Job rotation

  C. Risk likelihood assessment

  D. Separation of duties

  Correct Answer: A

  When a new user account is created, an entry is added to the Event Logs. By routinely auditing the event logs, you would know that an account has been created.

  Incorrect Answers:

  B: Job rotation is a concept that has employees rotating through different jobs to learn the procedures and processes in each. From a security perspective, job rotation helps to prevent or expose dangerous shortcuts or even fraudulent activity. Knowledge is shared with multiple people, and no one person can retain explicit control of any process or data. Job rotation would not mitigate against an unauthorized new user account being created. Therefore, this answer is incorrect.

  C: Assessing the likelihood of risk may determine the likelihood of an unauthorized new user account being created. However, it would not tell you that an unauthorized account had been created. Therefore, this answer is incorrect.

  D: Separation of duties is the process of ensuring that functions of a role are carried out by multiple users. This is to prevent fraud and restricts the amount of power held by any one individual. Separation of duties would not mitigate against an unauthorized new user account being created. Therefore, this answer is incorrect.

  References: http://en.wikipedia.org/wiki/Job_rotation

• Question 202:

  Which of the following types of logs could provide clues that someone has been attempting to compromise the SQL Server database?

  A. Event

  B. SQL_LOG

  C. Security

  D. Access

  Correct Answer: A

  Event logs include Application logs, such as those where SQL Server would write entries. This is where you would see logs with details of someone trying to access a SQL database.

  Incorrect Answers:

  B: This log does not contain information that would provide clues that someone has been attempting to compromise the SQL Server database. Therefore, this answer is incorrect.

  C: This log does not contain information that would provide clues that someone has been attempting to compromise the SQL Server database although the Security Event Log in Windows does contain information about attempted logins to a system. However, as another answer specifies an "Event" log, that answer is correct. Therefore, this answer is incorrect.

  D: This log does not contain information that would provide clues that someone has been attempting to compromise the SQL Server database. Therefore, this answer is incorrect.

  References:

  Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp 68, 469

• Question 203:

  How often, at a MINIMUM, should Sara, an administrator, review the accesses and rights of the users on her system?

  A. Annually

  B. Immediately after an employee is terminated

  C. Every five years

  D. Every time they patch the server

  Correct Answer: A

  Reviewing the accesses and rights of the users on a system at least annually is acceptable practice. More frequently would be desirable but too frequently would be a waste of administrative time.

  Incorrect Answers:

  B: You could check that a user hasn't accessed your system after the user has been terminated. However, this question is asking about all users. It is unnecessary to check the accesses and rights of all users every time one user is terminated. Therefore, this answer is incorrect.

  C: Every five years is too long. You should check the accesses and rights of the users on a system at least annually. Therefore, this answer is incorrect.

  D: It is unnecessary to check the accesses and rights of the users on a system every time the system is patched. This would be a waste of administrative time. Therefore, this answer is incorrect.

• Question 204:

  Joe, a user, in a coffee shop is checking his email over a wireless network. An attacker records the temporary credentials being passed to Joe's browser. The attacker later uses the credentials to impersonate Joe and creates SPAM messages. Which of the following attacks allows for this impersonation?

  A. XML injection

  B. Directory traversal

  C. Header manipulation

  D. Session hijacking

  Correct Answer: D

  In computer science, session hijacking, sometimes also known as cookie hijacking is the exploitation of a valid computer session--sometimes also called a session key--to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server. It has particular relevance to web developers, as the HTTP cookies used to maintain a session on many web sites can be easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim's computer.

  Incorrect Answers:

  A: When a web user takes advantage of a weakness with SQL by entering values that they should not, it is known as a SQL injection attack. Similarly, when the user enters values that query XML (known as XPath) with values that take advantage of exploits, it is known as an XML injection attack. XPath works in a similar manner to SQL, except that it does not have the same levels of access control, and taking advantage of weaknesses within can return entire documents. The best way to prevent XML injection attacks is to filter the user's input and sanitize it to make certain that it does not cause XPath to return more data than it should. This is not what is described in this question. This answer is therefore incorrect.

  B: Directory traversal is a form of HTTP exploit in which a hacker uses the software on a Web server to access data in a directory other than the server's root directory. If the attempt is successful, the hacker can view restricted files or even execute commands on the server. Although some educated guesswork is involved in finding paths to restricted files on a Web server, a skilled hacker can easily carry out this type of attack on an inadequately protected server by searching through the directory tree. The risk of such attacks can be minimized by careful Web server programming, the installation of software updates and patches, filtering of input from browsers, and the use of vulnerability scanners. This is not what is described in this question. This answer is therefore incorrect.

  C: A header manipulation attack uses other methods (hijacking, cross-site forgery, and so forth) to change values in HTTP headers and falsify access. When used with XSRF, the attacker can even change a user's cookie. Internet Explorer 8 and above include InPrivate Filtering to help prevent some of this. By default, your browser sends information to sites as they need it--think of requesting a map from a site; it needs to know your location in order to give directions. With InPrivate Filtering, you can configure the browser not to share information that can be captured and manipulated. This is not what is described in this question. This answer is therefore incorrect.

  References: http://en.wikipedia.org/wiki/Session_hijacking Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p 337, 340 http://searchsecurity.techtarget.com/definition/directory-traversal

• Question 205:

  Matt, an IT administrator, wants to protect a newly built server from zero day attacks. Which of the following would provide the BEST level of protection?

  A. HIPS

  B. Antivirus

  C. NIDS

  D. ACL

  Correct Answer: A

  Intrusion prevention systems (IPS), also known as intrusion detection and prevention systems (IDPS), are network security appliances that monitor network and/or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about this activity, attempt to block/stop it, and report it.

  Intrusion prevention systems are considered extensions of intrusion detection systems because they both monitor network traffic and/or system activities for malicious activity. The main differences are, unlike intrusion detection systems, intrusion prevention systems are placed in- line and are able to actively prevent/ block intrusions that are detected. More specifically, IPS can take such actions as sending an alarm, dropping the malicious packets, resetting the connection and/ or blocking the traffic from the offending IP address. An IPS can also correct Cyclic Redundancy Check (CRC) errors, unfragment packet streams, prevent TCP sequencing issues, and clean up unwanted transport and network layer options. Host-based intrusion prevention system (HIPS) is an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host. A Host-based intrusion prevention system (HIPS) is an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host. As a zero-day attack is an unknown vulnerability (a vulnerability that does not have a fix or a patch to prevent it), the best defence would be an intrusion prevention system.

  Incorrect Answers:

  B: Antivirus software provides protection against KNOWN viruses. As a zero-day attack is an unknown vulnerability (a vulnerability that does not have a fix or a patch to prevent it) antivirus software cannot protect against it. This answer is therefore incorrect.

  C: NIDS (network intrusion detection systems) are designed to detect attempts to gain access to the network. We need to protect a server from zero day attacks, not the network. This answer is therefore incorrect.

  D: This question asks for the BEST option. A HIPS may be able to detect a zero day attack and is therefore a better option. An ACL (access control list) can only restrict access to resources. This answer is therefore incorrect.

  References: http://en.wikipedia.org/wiki/Intrusion_prevention_system

• Question 206:

  Which of the following may cause Jane, the security administrator, to seek an ACL work around?

  A. Zero day exploit

  B. Dumpster diving

  C. Virus outbreak

  D. Tailgating

  Correct Answer: A

  A zero day vulnerability is an unknown vulnerability so there is no fix or patch for it. One way to attempt to work around a zero day vulnerability would be to restrict the permissions by using an ACL (Access Control List)

  A zero day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it--this exploit is called a zero day attack. Uses of zero day

  attacks can include infiltrating malware, spyware or allowing unwanted access to user information. The term "zero day" refers to the unknown nature of the hole to those outside of the hackers, specifically, the developers. Once the

  vulnerability becomes known, a race begins for the developer, who must protect users.

  Incorrect Answers:

  B: Dumpster diving is looking for treasure in someone else's trash. (A dumpster is a large trash container.) In the world of information technology, dumpster diving is a technique used to retrieve information that could be used to carry out an

  attack on a computer network. Dumpster diving isn't limited to searching through the trash for obvious treasures like access codes or passwords written down on sticky notes. Seemingly innocent information like a phone list, calendar, or

  organizational chart can be used to assist an attacker using social engineering techniques to gain access to the network. To prevent dumpster divers from learning anything valuable from your trash, experts recommend that your company

  establish a disposal policy where all paper, including print-outs, is shredded in a cross- cut shredder before being recycled, all storage media is erased, and all staff is educated about the danger of untracked trash. Using proximity card

  readers instead of the traditional key punch doors would not prevent dumpster diving.

  You cannot prevent dumpster diving by using an ACL. This answer is therefore incorrect.

  C: A virus outbreak is a virus spreading around multiple computers. A virus can be stopped by using antivirus software. A virus could possibly be restricted by an ACL on a single computer but it would be difficult to configure ACLs quickly on

  several computers. Therefore, this answer is incorrect.

  D: Tailgating in IT security would be an unauthorized person following and authorized person into a building or room such as a datacenter. If a building has a card reader where an authorized person can hold up a card to the reader to unlock

  the door, someone tailgating could follow the authorized person into the building by walking through the door before it closes and locks. You cannot prevent tailgating by using an ACL. This answer is therefore incorrect.

  References:

  http://www.pctools.com/security-news/zero-day-vulnerability/ http://searchsecurity.techtarget.com/definition/dumpster-diving

• Question 207:

  Which of the following types of application attacks would be used to identify malware causing security breaches that have NOT yet been identified by any trusted sources?

  A. Zero-day

  B. LDAP injection

  C. XML injection

  D. Directory traversal

  Correct Answer: A

  The security breaches have NOT yet been identified. This is zero day vulnerability. A zero day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it--this exploit is called a zero day attack. Uses of zero day attacks can include infiltrating malware, spyware or allowing unwanted access to user information. The term "zero day" refers to the unknown nature of the hole to those outside of the hackers, specifically, the developers. Once the vulnerability becomes known, a race begins for the developer, who must protect users.

  Incorrect Answers:

  B: LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it's possible to modify LDAP statements using a local proxy. This could result in the execution of arbitrary commands such as granting permissions to unauthorized queries, and content modification inside the LDAP tree. The same advanced exploitation techniques available in SQL Injection can be similarly applied in LDAP Injection. LDAP injection is not a term used for an unknown security breach. This answer is therefore incorrect.

  C: When a web user takes advantage of a weakness with SQL by entering values that they should not, it is known as a SQL injection attack. Similarly, when the user enters values that query XML (known as XPath) with values that take advantage of exploits, it is known as an XML injection attack. XPath works in a similar manner to SQL, except that it does not have the same levels of access control, and taking advantage of weaknesses within can return entire documents. The best way to prevent XML injection attacks is to filter the user's input and sanitize it to make certain that it does not cause XPath to return more data than it should. XML injection is not a term used for an unknown security breach. This answer is therefore incorrect.

  D: Directory traversal is a form of HTTP exploit in which a hacker uses the software on a Web server to access data in a directory other than the server's root directory. If the attempt is successful, the hacker can view restricted files or even execute commands on the server. Although some educated guesswork is involved in finding paths to restricted files on a Web server, a skilled hacker can easily carry out this type of attack on an inadequately protected server by searching through the directory tree. The risk of such attacks can be minimized by careful Web server programming, the installation of software updates and patches, filtering of input from browsers, and the use of vulnerability scanners. Directory

  traversal is not a term used for an unknown security breach. This answer is therefore incorrect.

  References:

  http://www.pctools.com/security-news/zero-day-vulnerability/ https://www.owasp.org/index.php/LDAP_injection Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p 337 http://

  searchsecurity.techtarget.com/definition/directory-traversal

• Question 208:

  The security administrator is observing unusual network behavior from a workstation. The workstation is communicating with a known malicious destination over an encrypted tunnel. A full antivirus scan, with an updated antivirus definition file,

  does not show any signs of infection.

  Which of the following has happened on the workstation?

  A. Zero-day attack

  B. Known malware infection

  C. Session hijacking

  D. Cookie stealing

  Correct Answer: A

  The vulnerability was unknown in that the full antivirus scan did not detect it. This is zero day vulnerability. A zero day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it--this exploit is called a zero day attack. Uses of zero day attacks can include infiltrating malware, spyware or allowing unwanted access to user information. The term "zero day" refers to the unknown nature of the hole to those outside of the hackers, specifically, the developers. Once the vulnerability becomes known, a race begins for the developer, who must protect users.

  Incorrect Answers:

  B: This is not a known malware infection. The vulnerability was unknown because the full antivirus scan did not detect it. Therefore, this answer is incorrect.

  C: In computer science, session hijacking, sometimes also known as cookie hijacking is the exploitation of a valid computer session--sometimes also called a session key--to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server. It has particular relevance to web developers, as the HTTP cookies used to maintain a session on many web sites can be easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim's computer. This is not what is described in this question. Therefore, this answer is incorrect.

  D: Cookie stealing is another name for session hijacking. In computer science, session hijacking, sometimes also known as cookie hijacking is the exploitation of a valid computer session--sometimes also called a session key--to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server. It has particular relevance to web developers, as the HTTP cookies used to maintain a session on many web sites can be easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim's computer. This is not what is described in this question. Therefore, this answer is incorrect.

  References:

  http://www.pctools.com/security-news/zero-day-vulnerability/ http://en.wikipedia.org/wiki/Session_hijacking

• Question 209:

  Which of the following can only be mitigated through the use of technical controls rather that user security training?

  A. Shoulder surfing

  B. Zero-day

  C. Vishing

  D. Trojans

  Correct Answer: B

  A zero day vulnerability is an unknown vulnerability in a software application. This cannot be prevented by user security training. A zero day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it--this exploit is called a zero day attack. Uses of zero day attacks can include infiltrating malware, spyware or allowing unwanted access to user information. The term "zero day" refers to the unknown nature of the hole to those outside of the hackers, specifically, the developers. Once the vulnerability becomes known, a race begins for the developer, who must protect users.

  Incorrect Answers:

  A: Shoulder surfing is using direct observation techniques, such as looking over someone's shoulder, to get information. Shoulder surfing is an effective way to get information in crowded places because it's relatively easy to stand next to

  someone and watch as they fill out a form, enter a PIN number at an ATM machine, or use a calling card at a public pay phone. Shoulder surfing can also be done long distance with the aid of binoculars or other vision-enhancing devices. To

  prevent shoulder surfing, experts recommend that you shield paperwork or your keypad from view by using your body or cupping your hand. Shoulder surfing can be mitigated through the use of user security training. Therefore, this answer is

  incorrect.

  C: Vishing (voice or VoIP phishing) is an electronic fraud tactic in which individuals are tricked into revealing critical financial or personal information to unauthorized entities. Vishing works like phishing but does not always occur over the

  Internet and is carried out using voice technology. A vishing attack can be conducted by voice email, VoIP (voice over IP), or landline or cellular telephone.

  The potential victim receives a message, often generated by speech synthesis, indicating that suspicious activity has taken place in a credit card account, bank account, mortgage account or other financial service in their name. The victim is

  told to call a specific telephone number and provide information to "verify identity" or to "ensure that fraud does not occur." If the attack is carried out by telephone, caller ID spoofing can cause the victim's set to indicate a legitimate source,

  such as a bank or a government agency.

  Vishing can be mitigated through the use of user security training. Therefore, this answer is incorrect.

  D: In computers, a Trojan horse is a program in which malicious or harmful code is contained inside apparently harmless programming or data in such a way that it can get control and do its chosen form of damage, such as ruining the file

  allocation table on your hard disk. In one celebrated case, a Trojan horse was a program that was supposed to find and destroy computer viruses. A Trojan horse may be widely redistributed as part of a computer virus. Trojans can be

  mitigated through the use of user security training. Therefore, this answer is incorrect.

  References:

  http://www.pctools.com/security-news/zero-day-vulnerability/ http://searchsecurity.techtarget.com/definition/shoulder-surfing http:// searchunifiedcommunications.techtarget.com/definition/vishing http://searchsecurity.techtarget.com/definition/

  Trojan-horse

• Question 210:

  An attacker used an undocumented and unknown application exploit to gain access to a file server. Which of the following BEST describes this type of attack?

  A. Integer overflow

  B. Cross-site scripting

  C. Zero-day D. Session hijacking

  E. XML injection

  Correct Answer: C

  The vulnerability is undocumented and unknown. This is zero day vulnerability. A zero day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it--this exploit is called a zero day attack. Uses of zero day attacks can include infiltrating malware, spyware or allowing unwanted access to user information. The term "zero day" refers to the unknown nature of the hole to those outside of the hackers, specifically, the developers. Once the vulnerability becomes known, a race begins for the developer, who must protect users.

  Incorrect Answers:

  A: Integer overflow is the result of an attempt by a CPU to arithmetically generate a number larger than what can fit in the devoted memory storage space. Arithmetic operations always have the potential of returning unexpected values, which

  may cause an error that forces the whole program to shut down. For this reason, most programmers prefer to perform mathematical operations inside an exception frame, which returns an exception in the case of integer overflow instead.

  This is not what is described in this question. Therefore, this answer is incorrect.

  B: Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users.

  Cross-site scripting uses known vulnerabilities in web-based applications, their servers, or plug- in systems on which they rely. Exploiting one of these, attackers fold malicious content into the content being delivered from the compromised

  site. When the resulting combined content arrives at the client-side web browser, it has all been delivered from the trusted source, and thus operates under the permissions granted to that system. By finding ways of injecting malicious scripts

  into web pages, an attacker can gain elevated access-privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user. This is not what is described in this question.

  Therefore, this answer is incorrect.

  D: In computer science, session hijacking, sometimes also known as cookie hijacking is the exploitation of a valid computer session--sometimes also called a session key--to gain unauthorized access to information or services in a computer

  system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server. It has particular relevance to web developers, as the HTTP cookies used to maintain a session on many web sites can be

  easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim's computer. This is not what is described in this question. Therefore, this answer is incorrect.

  E: When a web user takes advantage of a weakness with SQL by entering values that they should not, it is known as a SQL injection attack. Similarly, when the user enters values that query XML (known as XPath) with values that take

  advantage of exploits, it is known as an XML injection attack. XPath works in a similar manner to SQL, except that it does not have the same levels of access control, and taking advantage of weaknesses within can return entire documents.

  The best way to prevent XML injection attacks is to filter the user's input and sanitize it to make certain that it does not cause XPath to return more data than it should. This is not what is described in this question. Therefore, this answer is

  incorrect.

  References: http://www.pctools.com/security-news/zero-day-vulnerability/ http://www.techopedia.com/definition/14427/integer-overflow http://en.wikipedia.org/wiki/Cross- site_scripting http://en.wikipedia.org/wiki/Session_hijacking Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p 337